This is the case for SQL Injection, CMD execution, RFI, LFI, etc. No typical memory corruption exploits should be given this ranking unless there are extraordinary circumstances. More information about ranking can be found here.

repeatable-session: The module is expected to get a shell every time it runs.
crash-safe: Module should not crash the service.
ioc-in-logs: Module leaves signs of a compromise in a log file (Example: SQL injection data found in HTTP log).
artifacts-on-disk: Module leaves a payload or a dropper on the target machine.

This module exploits an unauthenticated command injection in a variety of Hikvision IP Cameras (CVE-2021-36260). The module inserts a command into an XML payload used with an HTTP PUT request sent to the /SDK/webLanguage endpoint, resulting in command execution. This module specifically attempts to exploit the blind variant of the attack.

Was successfully tested against an HWI-B120-D/W using firmware V5.5.101 build 200408. Was also tested against an unaffected DS-2CD2142FWD-I using firmware V5.5.0 build 170725. Please see the Hikvision advisory for a full list of affected products.

The entire snprintf is 0x1f bytes and the format, which accounts for 12 bytes, leaving only 19 bytes for our payload. Snprintf will let us reclaim '.tar.gz', so in reality there are 26 bytes for our payload. We need 3 bytes to invoke our injection: $(). Stager has a minimum of 26 bytes but we obviously don't have that much space. The extra space from the "random" file name and compress ' > ' to '>'. Squeezing the extra bytes will also allow the printf stager to do more than 1 byte

Hikvision cameras are physical devices and aren't known to have been successfully emulated. Actually, they are fairly well known for having encrypted firmware. Either way, if you have a device, you can determine if you have an affected device/firmware by referencing the

Do: use exploit/linux/http/hikvision_cve_2021_36260_blind
Verify the remote target is flagged as vulnerable.
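The ioc-in-logs trait above can be turned into a concrete check. As an added example (not part of the module documentation or the Metasploit project), the script below scans constructed reverse-proxy log records for PUT requests to /SDK/webLanguage whose XML body carries shell command-substitution or redirection characters; the JSON-lines log format, its field names and the sample records are assumptions made for this example.

```python
"""Detection check for CVE-2021-36260-style requests in front-end proxy logs.

Added example, not part of the Metasploit module documentation. Assumes a
reverse proxy or WAF in front of the camera writes one JSON object per
request with "src", "method", "path" and "body" fields (assumed format).
"""
import json
import re

TARGET_PATH = "/SDK/webLanguage"
XML_TAG = re.compile(r"<[^>]*>")
# Shell constructs an injected command relies on; the module text above notes
# the injection is invoked with $() and uses '>' redirection in its stager.
SHELL_META = re.compile(r"\$\(|`|;|&&|\|\|?|>")

# Constructed sample records: a benign language change, an injection attempt
# and an unrelated request.
SAMPLE_LOG = """\
{"src": "10.0.0.5", "method": "PUT", "path": "/SDK/webLanguage", "body": "<language>en</language>"}
{"src": "10.0.0.9", "method": "PUT", "path": "/SDK/webLanguage", "body": "<language>$(id)</language>"}
{"src": "10.0.0.5", "method": "GET", "path": "/ISAPI/System/status", "body": ""}
"""


def find_injection_attempts(log_text):
    """Return [(src, [tokens])] for each PUT to /SDK/webLanguage whose XML
    text content contains shell metacharacters. Malformed lines are skipped."""
    hits = []
    for line in log_text.splitlines():
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        path = rec.get("path", "").split("?", 1)[0].rstrip("/")
        if rec.get("method", "").upper() != "PUT" or path != TARGET_PATH:
            continue
        # Strip markup first so the '>' of ordinary XML tags is not flagged.
        text = XML_TAG.sub("", rec.get("body", ""))
        tokens = sorted(set(SHELL_META.findall(text)))
        if tokens:
            hits.append((rec.get("src", "?"), tokens))
    return hits


if __name__ == "__main__":
    for src, tokens in find_injection_attempts(SAMPLE_LOG):
        print(f"possible CVE-2021-36260 attempt from {src}: {tokens}")
```

Because the module's injection has to fit in a few dozen bytes, the flagged body is short; alert on the metacharacters rather than on any particular command name.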