mvpower_exec Metasploit module

Wed 01 February 2017 by kroche in Programs and Tools

Pentest Partners, a UK-based security firm, published several vulnerabilites found in ARM-based MVPower brand DVRs last year, most notably an unauthenticated root shell exposed through the DVR's web interface. It appears that this is not a bug, but rather an intended feature, and that no firmware updates will be issued to disable it or allow users the option to do so.

This glaring security hole is part of a larger phenomenon of poor IoT security. Backdoors such as these make DVRs and other embedded devices popular targets and create pathways into larger networks for hackers.

A Shodan query returns over 35,000 DVRs exposing this shell:

Shodan query

The shell is accessible by submitting a command in the format:

http://vulnerable.dvr/shell?COMMAND

Commands need to be URL encoded to be properly interpreted.

The shell is non-interactive. Pentest Partners outlined this process to escalate to an interactive shell:

  1. Compile or script a reverse shell. Since we're dealing with devices which are usually situated behind NATs, 80 is the only exposed (forwarded) port, making bind shells unfeasible.
  2. Use wget (included in the DVR's busybox) to fetch the payload and write it to /root/rec/a1, the directory where recorded video is stored and one of the few writable locations on the filesystem.
  3. Execute the payload.

I've written a Metasploit module (mvpower_exec) which automates the above process. Though it inherits from the Msf::Exploit::Remote class, it's not actually an exploit since it doesn't abuse a vulnerability to execute code (but I suppose that depends on whether an intended feature can be considered a vulnerability).

mvpower_exec delivers and executes payloads in a single HTTP request. It has been successfully tested with all Metasploit armle payloads except meterpreter (mettle). It also supports check.

mvpower_exec in action

Interacting with session

The module is available here.


Tags: None