## https://sploitus.com/exploit?id=3B5B332F-A17E-565E-9616-9E8B8E4E8E45
# ABYSS C2 โ HiSilicon DVR Exploit Framework
> **โ ๏ธ EDUCATIONAL / DEMONSTRATION PURPOSES ONLY**
>
> This software is provided **exclusively for educational and authorized security research purposes**. It is designed to demonstrate common IoT vulnerabilities and post-exploitation techniques in a controlled, authorized environment.
>
> **You MUST NOT use this software on:**
> - Any system or device you do not own
> - Any system or device you do not have explicit written authorization to test
> - Any production infrastructure without prior approval
>
> **The creator assumes NO responsibility or liability** for any misuse, damage, or illegal activity conducted with this software. By using this software, you acknowledge that you are solely responsible for ensuring compliance with all applicable laws and regulations in your jurisdiction. Unauthorized access to computer systems is illegal under laws such as the Computer Fraud and Abuse Act (CFAA) and similar statutes worldwide.
>
> This project exists to demonstrate:
> - How CVE-2020-25078 (HiSilicon DVR information disclosure) works
> - IoT device security weaknesses and why firmware updates matter
> - Post-exploitation techniques so defenders understand attacker TTPs
> - The importance of network segmentation and credential hygiene
>
> **If you don't own it, don't touch it.**
---
## Overview
ABYSS C2 is a full-stack Command & Control framework built in Python/Flask with a real-time dark-themed web panel. It demonstrates the full attack chain against IoT devices (specifically HiSilicon-based DVRs and IP cameras affected by CVE-2020-25078) โ from reconnaissance and target acquisition to exploitation, post-exploitation, persistence, lateral movement, and data exfiltration.
**CVE-2020-25078** is a path traversal / information disclosure vulnerability in HiSilicon Hi3516/Hi3518/Hi3519-based DVR/NVR devices. Unauthenticated attackers can access configuration files (`/mnt/mtd/Config/Account*`) containing plaintext admin credentials via directory traversal in the HTTP server.
### Features
- **Real-time Web Dashboard** โ Dark-themed single-page UI with WebSocket live updates, 8 operational tabs, built-in terminal
- **Target Acquisition** โ Fetch vulnerable devices via Shodan, FOFA, ZoomEye APIs, plus free scraping (Censys, Onyphe, Shodan free facet, InternetDB)
- **Vulnerability Scanner** โ Multi-threaded TCP/HTTP scanner with CIDR support, DVR fingerprinting, credential extraction
- **Post-Exploitation** โ Interactive telnet shell, mass command execution across all owned devices, file upload
- **Web Vulnerability Scanning** โ CVE detection (Log4Shell, Spring4Shell, Confluence, Ghostcat, Struts2, Jenkins, GitLab, Exchange, F5 BIG-IP, Citrix, MOVEit, Ivanti, vCenter, PHPUnit, GeoServer, Solr, WordPress) and bug class testing (SQLi, LFI, SSRF, XXE, Command Injection, JWT attacks, Subdomain Takeover, HTTP Smuggling, GraphQL, CORS)
- **Network Exploitation** โ SMB/EternalBlue, RDP/BlueKeep, VNC, FTP, SNMP, Redis, MongoDB, Elasticsearch, CouchDB, MySQL/MSSQL/PostgreSQL, Memcached, IPMI, Mirai-IoT
- **Credential Attacks** โ Multi-protocol brute force (Telnet, SSH, FTP, HTTP Basic, WordPress, SMB, Redis, MySQL, MongoDB, VNC), credential spraying, credential vault
- **Reconnaissance** โ ASN lookup/import, full DNS reconnaissance (A/AAAA/MX/NS/TXT/SOA + subdomain brute + AXFR), JARM TLS fingerprinting, WAF detection, GeoIP lookup, multi-preset port scanning
- **Persistence** โ SSH public key injection, cron backdoors, init.d/systemd persistence, full automated deployment
- **Reverse Shells** โ Payload generator (bash, python, perl, php, nc, ruby, node, lua, etc.), multi-session listener with interaction
- **Pivoting** โ Multi-hop chain execution, TCP relay, SOCKS5 proxy through compromised hosts, automatic pivot scanning of local networks
- **Botnet Orchestration** โ Bot tagging/grouping, fan-out commands, health checks, payload deployment
- **Intel & Notifications** โ Telegram/Discord webhook notifications, AbuseIPDB integration, camera screenshot capture
- **Scheduler** โ Automated recurring tasks (scans, recon, health checks)
---
## Architecture
```
panel/
โโโ server.py # Flask + SocketIO C2 web panel (~1200 lines, 50+ API routes)
โโโ database.py # SQLite ORM โ 11 tables (cameras, vulns, creds, shells, DNS, ASN, etc.)
โโโ scanner.py # Multi-threaded TCP/HTTP vulnerability scanner
โโโ exploit.py # CVE-2020-25078 exploit โ 37 vulnerable paths, 14 credential parsers
โโโ telnet_client.py # Raw telnet command execution against owned devices
โโโ brute.py # Multi-threaded brute force engine
โโโ web_exploit.py # Full website vulnerability scanner (CMS detection, exposed files, SQLi)
โโโ web_cves.py # CVE scanner โ Log4Shell, Spring4Shell, Confluence, Ghostcat, etc.
โโโ web_bugs.py # Bug class scanner โ SQLi, LFI, SSRF, XXE, CmdI, JWT, etc.
โโโ web_brute.py # Web brute force โ forms, WordPress xmlrpc, Basic Auth, cred stuffing
โโโ network_exploit.py # Network service exploit scanner โ SMB, RDP, VNC, databases, etc.
โโโ cred_spray.py # Multi-service credential spraying
โโโ recon_asn.py # ASN import, organization search, IP-to-ASN lookup
โโโ recon_dns.py # DNS recon โ all record types, subdomain brute, zone transfer
โโโ recon_jarm.py # JARM TLS server fingerprinting
โโโ recon_waf.py # WAF detection and identification
โโโ recon_geoip.py # GeoIP lookup and bulk IP geolocation
โโโ portscan.py # TCP port scanner with banner grabbing, SYN option, multiple presets
โโโ persistence.py # SSH key injection, cron backdoors, full deployment
โโโ reverse_shell.py # Payload generator + multi-session listener
โโโ pivot_chain.py # Multi-hop command execution and TCP relay
โโโ socks_pivot.py # SOCKS5 proxy through compromised hosts
โโโ botnet.py # Bot grouping, fan-out commands, health checks, payload deployment
โโโ intel.py # Telegram/Discord webhooks, AbuseIPDB, screenshot capture
โโโ scheduler.py # APScheduler-based job scheduling
โโโ proxy_rotation.py # Proxy list rotation for stealth
โโโ stealth.py # Traffic obfuscation utilities
โโโ inject_key.py # SSH key injection variants
โโโ inject_ssh.py # SSH-based injection
โโโ launch.py # Simple launcher wrapper
โโโ auto_exploit.py # Automated exploitation routines
โโโ templates/
โ โโโ index.html # Dark-themed SPA โ 8 tabs, real-time updates, terminal
โโโ requirements.txt # Python dependencies
```
### Database Schema
The SQLite database (`cameras.db`, auto-created on first run) contains 11 tables:
| Table | Purpose |
|-------|---------|
| `cameras` | Compromised devices โ IP, credentials, model, firmware, serial, status |
| `command_log` | Full audit trail of every command executed and its output |
| `scan_results` | Scan history โ which IPs were scanned and whether they were vulnerable |
| `web_vulns` | Discovered web vulnerabilities (CVE, severity, evidence) |
| `network_vulns` | Discovered network service vulnerabilities |
| `shells` | Active reverse shell sessions |
| `dns_records` | DNS reconnaissance results |
| `cred_vault` | Harvested credentials organized by service |
| `asn_targets` | ASN prefixes and imported IP ranges |
| `web_targets` | Web targets with metadata (status, server, CMS, JARM, WAF) |
| `scan_jobs` | Job tracking โ scan type, target, duration, results count |
| `scan_log` | Module-level activity log for auditing |
---
## Installation
### Prerequisites
- Python 3.10 or newer
- pip
- Git (optional)
### Step 1 โ Clone or download
```bash
git clone https://github.com/YOUR_USERNAME/abyss-c2.git
cd abyss-c2
```
### Step 2 โ Create virtual environment (recommended)
```bash
python -m venv venv
# Windows
venv\Scripts\activate
# Linux / macOS
source venv/bin/activate
```
### Step 3 โ Install dependencies
```bash
pip install -r requirements.txt
```
### Step 4 โ (Optional) Download wordlist
The brute force modules expect a `rockyou.txt` wordlist in the project root. Due to GitHub file size limits (100MB), it is NOT included in this repository.
```bash
# On Kali Linux, rockyou.txt is typically at:
cp /usr/share/wordlists/rockyou.txt.gz .
gunzip rockyou.txt.gz
# Or download from SecLists:
# https://github.com/danielmiessler/SecLists/blob/master/Passwords/Leaked-Databases/rockyou.txt.tar.gz
```
If you don't need brute forcing, the other modules work without a wordlist.
### Step 5 โ Launch
```bash
python server.py
```
Open **http://localhost:5000** in your browser.
The database auto-creates on first run โ no setup needed.
---
## Usage Guide
### The Dashboard
When you first open the panel, you'll see:
- **Stats Bar** โ Live counters: Scanned, Vulnerable, Compromised, Online
- **8 Tab panels** โ Devices, Recon, Web CVEs, Network, Persistence, Rev Shells, Botnet, Settings
- **Built-in Terminal** โ Interactive shell to any selected device
- **Side Panel** โ Scan controls, target info, mass command, pivot/upload/brute toolkit
### Tab 1 โ Devices (Main Operations)
This is your command center. Here you can:
**Fetch targets from search engines:**
- Select source: Shodan, FOFA, ZoomEye, or FREE (scraping โ no API key needed)
- Enter API key if using Shodan/FOFA/ZoomEye
- Custom query or leave blank for default DVR/camera queries
- Click **FETCH & SCAN** โ targets are automatically scanned on arrival
**Manual scanning:**
- Enter a CIDR range (e.g., `192.168.1.0/24`)
- Or a single IP and port
- Set thread count (default 50)
- Click **SCAN**
**Once devices are compromised (appear in the table):**
- Click any row to select it โ details appear in the side panel
- The bottom terminal activates for that device
- Use quick-command buttons (CPU, UNAME, PS, IFCFG, NETSTAT, CREDS, PASSWD, LS)
- Type custom commands in the terminal and press Enter
**Mass operations:**
- **Mass Command** โ execute the same command on ALL owned devices simultaneously
- **Pivot Scan** โ use a compromised device to scan its local network for more targets
- **Upload File** โ upload a file to the remote device via base64 encoding
- **Brute** โ brute force telnet credentials on the selected device
**Web scanning mode** (toggle with WEB button):
- Enter a URL or IP for full web vulnerability scan
- CMS detection, exposed config files, SQL injection parameters
- **FETCH & SCAN** grabs web targets from Shodan free and scans them
### Tab 2 โ Recon
Six reconnaissance modules:
| Module | What it does |
|--------|-------------|
| **ASN Lookup** | Import all prefixes from an ASN, search organizations, lookup which ASN an IP belongs to |
| **DNS Recon** | Full DNS enumeration โ A, AAAA, MX, NS, TXT, SOA, CNAME records + subdomain brute-force + AXFR zone transfer attempts |
| **JARM Fingerprint** | TLS server fingerprinting โ identifies the TLS implementation even behind load balancers |
| **WAF Detection** | Identifies which WAF (Cloudflare, CloudFront, Imperva, Akamai, etc.) sits in front of a target |
| **GeoIP** | Geolocation and ISP lookup for any IP |
| **Port Scan** | TCP port scanning with 6 presets โ Web, Top 100, Top 1000, Full, IoT, Databases โ with banner grabbing |
### Tab 3 โ Web CVEs
**CVE Scanner** โ Checks for 20+ known CVEs:
Log4Shell (CVE-2021-44228), Spring4Shell (CVE-2022-22965), Confluence (CVE-2022-26134), Ghostcat (CVE-2020-1938), Struts2 (CVE-2017-5638), Jenkins (CVE-2018-1000861), GitLab (CVE-2021-22205), Exchange ProxyShell/ProxyLogon, F5 BIG-IP (CVE-2022-1388), Citrix (CVE-2019-19781), MOVEit (CVE-2023-34362), Ivanti (CVE-2024-21887), vCenter (CVE-2021-21972), PHPUnit (CVE-2017-9841), GeoServer (CVE-2024-36401), Apache Solr (CVE-2019-17558), and WordPress plugin vulnerabilities.
**Bug Class Scanner** โ Tests for:
Blind SQL Injection, Command Injection, Local File Inclusion, Server-Side Request Forgery, XML External Entity, JWT attacks, Subdomain Takeover, HTTP Request Smuggling, GraphQL introspection, CORS misconfiguration.
**Web Brute Force** โ Four modes:
- Form brute (auto-detects login forms and parameters)
- WordPress xmlrpc brute
- HTTP Basic Auth brute
- Credential stuffing (uses previously harvested credentials)
Results appear in the **Discovered Vulnerabilities** table below.
### Tab 4 โ Network
**Network Exploit Scanner** โ Checks common network services for known vulnerabilities:
SMB (EternalBlue, SMBGhost), RDP (BlueKeep), VNC (auth bypass), FTP (anonymous access), SNMP (default communities), Redis (unauth), MongoDB (unauth), Elasticsearch (unauth), CouchDB (unauth), MySQL/MSSQL/PostgreSQL (default creds), Memcached (unauth), IPMI (auth bypass), Mirai-IoT defaults.
**Credential Spray** โ Spray harvested or custom credentials across multiple services:
Telnet, SSH, FTP, HTTP Basic, WordPress, SMB, Redis, MySQL, MongoDB, VNC, or ALL at once.
Results populate the **Network Vulnerabilities** table and **Credential Vault**.
### Tab 5 โ Persistence
Three deployment actions for compromised hosts:
- **SSH Key Injection** โ Adds your public key to `/root/.ssh/authorized_keys` (or multiple paths)
- **Cron Backdoor** โ Installs a cron job that calls back to your C2 server
- **Full Deploy** โ All techniques combined: SSH key + cron + init.d/systemd persistence
**Pivot Chain** โ Execute commands through multiple intermediate hosts:
```
hop1 โ hop2 โ hop3 โ command
```
**SOCKS Pivot** โ Start a local SOCKS5 proxy that routes traffic through a compromised device, allowing you to use proxychains or any SOCKS-compatible tool to reach the internal network.
### Tab 6 โ Reverse Shells
- **Payload Generator** โ Select shell type (bash, python, perl, php, nc, ruby, node, lua, etc.), set LHOST/LPORT, click GENERATE โ payload appears, click to copy
- **Listener** โ Start a listener on any port, it auto-manages multiple simultaneous connections
- **Active Sessions** โ Click any session to interact, type commands and click SEND
- **All Shells** table shows every reverse shell callback received, with status
### Tab 7 โ Botnet
For managing large groups of compromised devices:
- **Fan-Out Command** โ Execute a command across all bots (optionally filtered by tag)
- **Health Check** โ Ping all bots and report online/offline status
- **Tag Bot** โ Assign tags to bots for grouping (e.g., `eu`, `cameras`, `high-value`)
- **Deploy Payload** โ Push a payload to all bots in a tag group
- **Bot Summary** โ Shows total count, online count, and per-tag breakdown
### Tab 8 โ Settings
- **Telegram/Discord** โ Configure webhook notifications for events (new compromise, scan complete, etc.)
- **AbuseIPDB** โ Check IP reputation
- **Screenshot** โ Grab an HTTP screenshot from a camera's web interface
- **Scheduler** โ Set up recurring jobs (e.g., health check every 3600 seconds)
- **Scan Log** โ Full audit trail of all module operations, filterable by module type
---
## API Reference
The full REST API is available at `http://localhost:5000/api/`. Key endpoints:
| Endpoint | Method | Description |
|----------|--------|-------------|
| `/api/cameras` | GET | List all compromised devices |
| `/api/cameras/` | GET | Get device details |
| `/api/stats` | GET | Dashboard statistics |
| `/api/scan/start` | POST | Start scanner (CIDRs, targets, threads) |
| `/api/scan/stop` | POST | Stop scanner |
| `/api/scan/status` | GET | Scanner running state + stats |
| `/api/exploit/check` | POST | Check single IP for CVE-2020-25078 |
| `/api/fetch_targets` | POST | Fetch from Shodan/FOFA/ZoomEye/Free |
| `/api/web_scan` | POST | Full website vulnerability scan |
| `/api/web_cves/scan` | POST | CVE scan against target |
| `/api/web_bugs/scan` | POST | Bug class scan against target |
| `/api/web_brute` | POST | Web brute force |
| `/api/network/scan` | POST | Network exploit scan |
| `/api/cred_spray` | POST | Credential spraying |
| `/api/portscan` | POST | TCP port scan |
| `/api/recon/asn` | POST | ASN import/lookup/search |
| `/api/recon/dns` | POST | DNS recon |
| `/api/recon/jarm` | POST | JARM fingerprint |
| `/api/recon/waf` | POST | WAF detection |
| `/api/recon/geoip` | POST | GeoIP lookup |
| `/api/persistence/deploy` | POST | Deploy persistence (ssh_key/cron/full) |
| `/api/revshell/generate` | POST | Generate reverse shell payload |
| `/api/revshell/listen` | POST | Start reverse shell listener |
| `/api/revshell/stop` | POST | Stop listener |
| `/api/botnet/bots` | GET | Bot list + group summary |
| `/api/botnet/fanout` | POST | Execute command across bots |
| `/api/botnet/health` | POST | Bot health check |
| `/api/botnet/deploy` | POST | Deploy payload to bots |
| `/api/socks/start` | POST | Start SOCKS5 proxy |
| `/api/socks/stop` | POST | Stop SOCKS5 proxy |
| `/api/intel/config` | GET/POST | Get/set notification config |
| `/api/intel/screenshot` | POST | Grab camera screenshot |
| `/api/intel/notify` | POST | Send test notification |
| `/api/scheduler/jobs` | GET | List scheduled jobs |
| `/api/scheduler/add` | POST | Add scheduled job |
| `/api/scheduler/remove` | POST | Remove scheduled job |
| `/api/credentials` | GET | Credential vault |
| `/api/web_vulns` | GET | Web vulnerability list |
| `/api/network_vulns` | GET | Network vulnerability list |
| `/api/shells` | GET | All reverse shell sessions |
| `/api/scan_log` | GET | Audit log with module/target filters |
| `/api/scan_jobs` | GET | Scan job history |
WebSocket events (SocketIO):
- `scanner_event` โ Real-time scan progress (alive, vulnerable, owned, status)
- `stats_update` โ Dashboard stats change
- `cameras_list` โ Camera table refresh
- `new_camera` โ New device compromised
- `command_result` โ Telnet command output
- `mass_result` / `mass_result_item` โ Mass command results
- `brute_event` โ Brute force progress
- `web_cve_event` / `web_cves_done` โ CVE scan progress
- `web_bug_event` / `web_bugs_done` โ Bug scan progress
- `network_event` / `network_done` โ Network scan progress
- `spray_event` / `spray_done` โ Credential spray progress
- `portscan_event` / `portscan_done` โ Port scan progress
- `persistence_result` โ Persistence deployment result
- `revshell_event` โ Reverse shell data/connections
- `botnet_event` / `botnet_fanout_done` โ Botnet operations
---
## Technical Details
### CVE-2020-25078 Exploit Chain
1. **Alive check** โ TCP connect to port 80
2. **HTTP fingerprint** โ Check response for 15 known DVR signatures (`AppName="Hipcam"`, `hi3516`, `WEB SERVICE`, etc.)
3. **Path traversal** โ Attempt 37 known vulnerable paths (`/../../../../../../../../../mnt/mtd/Config/Account1`, etc.)
4. **Credential extraction** โ Parse response with 14 regex patterns covering INI, XML, JSON, URL-encoded, binary, base64, colon-delimited, and DVR-specific formats
5. **Garbage filtering** โ Aggressive false-positive removal (HTML tags, HTTP headers, common words)
6. **Default fallback** โ If device is vulnerable but no creds extracted, try 22 known default credential pairs
### Scanner Architecture
- Thread pool with configurable worker count (default 50)
- Queue-based target distribution
- Real-time SocketIO event emission to UI
- Thread-safe statistics with mutex locks
- CIDR range expansion with network/broadcast exclusion
- Multi-port scanning (80, 8080, 443, 8443, 554, 8000, 81, 88, 8888, 37777)
---
## Disclaimer
**THIS SOFTWARE IS PROVIDED FOR EDUCATIONAL AND DEMONSTRATION PURPOSES ONLY.**
This project is intended to be used exclusively in authorized security testing engagements, educational environments, or on systems you own. The techniques demonstrated here are well-known in the cybersecurity industry and are documented to help defenders understand attack methodologies.
**By using this software, you agree that:**
1. You will only use it on systems you own or have explicit written authorization to test
2. You are responsible for compliance with all applicable local, state, national, and international laws
3. The creator(s) and contributor(s) of this project assume **absolutely no liability** for any:
- Unauthorized or illegal use of this software
- Damage caused by the use or misuse of this software
- Legal consequences resulting from the use of this software
4. This software makes no warranty of any kind, express or implied
**If you are unsure whether your use case is legal or authorized, DO NOT use this software.**
The existence of this project does not constitute encouragement to engage in illegal activity. It exists because understanding offensive techniques is essential to building effective defenses.
---
## License
This project is provided as-is for educational purposes. No warranty. No liability. Use at your own risk.
---
*Remember: security research exists to make systems safer, not to break them. Use this knowledge to defend, not to attack.*