IridiumXOR / boavision_exploit

Boavision aka Hankvision watchall exploit

The watchall executable is responsible for starting all the main binaries of the camera. It also opens the "maintenance" (a.k.a. backdoor) port tcp/20203, which allows a client to obtain information from the camera, restore the factory configuration, reboot the camera or upgrade the firmware. All of these operations require logging in to the camera over the same "maintenance" port with the hardcoded credentials "admin"/"admin".

Watchall exists in at least three versions: in two of them it is very easy to obtain a root shell using only gadgets present in the binary itself. The third one requires gadgets from uClibc.

The exploit is based on a buffer overflow in TransAndUpdateHandle() (0xabec) in the watchall binary. The overflow is caused by the unchecked length of the received update package at 0xae78.

The watchall binary is compiled with NX protection. To bypass it, call system() and open a remote shell, the exploit uses the gadget at 0xce20:

  cpy r0, sp
  bl system

!!!WARNING!!!

  • I deny any responsibility for problems related to the malfunctioning of this software and its use on your hardware, be careful!
  • The shell opened on port tcp/6666 could crash, please use the passwd command to temporarily change the root password and log in through the telnet port to have a stable shell.
  • The exploit crashes the watchall daemon, so when you have finished exploring the camera please restart it through the web interface.
  • Using the wrong exploit version crashes watchall without opening a shell and requires a camera reboot before retrying with another one.
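Added defensive example, not part of the original repository: the README states that the camera's maintenance service listens on tcp/20203 behind hardcoded credentials and that a successful exploit leaves a shell on tcp/6666. The following detection logic, run over constructed connection records (timestamp, source, destination, destination port), flags every maintenance-port session and, as a stronger indicator, a tcp/6666 connection to the same camera within five minutes of one. The log format, the five-minute window and the sample IPs are assumptions.

```python
"""Detection logic for the watchall maintenance port (tcp/20203) and the
bind shell on tcp/6666 described above. Sample records are constructed."""
from datetime import datetime, timedelta

MAINTENANCE_PORT = 20203   # watchall "maintenance" (backdoor) port
SHELL_PORT = 6666          # port of the shell the exploit opens
SHELL_WINDOW = timedelta(minutes=5)  # assumed correlation window

# Constructed flow records: "<ISO timestamp> <src> <dst> <dst port>"
SAMPLE_FLOWS = """\
2024-01-01T10:00:01 10.0.0.5 192.168.1.20 80
2024-01-01T10:00:07 10.0.0.9 192.168.1.20 20203
2024-01-01T10:01:30 10.0.0.9 192.168.1.20 6666
2024-01-01T10:30:00 10.0.0.5 192.168.1.21 20203
2024-01-01T11:00:00 10.0.0.5 192.168.1.21 6666
"""


def parse_flows(text):
    """Parse the assumed whitespace-separated flow format into tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(dport)))
    return flows


def detect(flows):
    """Return (alert_kind, src, dst, timestamp) tuples in time order.

    Every maintenance-port session is reported, because the hardcoded
    admin/admin login makes any such access worth reviewing. A tcp/6666
    connection to the same camera shortly after a maintenance session is
    reported as a possible post-exploitation bind shell.
    """
    alerts = []
    last_maintenance = {}  # camera ip -> time of last tcp/20203 session
    for ts, src, dst, dport in sorted(flows):
        if dport == MAINTENANCE_PORT:
            last_maintenance[dst] = ts
            alerts.append(("maintenance_port_access", src, dst, ts))
        elif dport == SHELL_PORT:
            prev = last_maintenance.get(dst)
            if prev is not None and ts - prev <= SHELL_WINDOW:
                alerts.append(("possible_shell_after_maintenance", src, dst, ts))
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_flows(SAMPLE_FLOWS)):
        print(*alert)
```

On the sample above the tcp/6666 connection to 192.168.1.21 is not flagged because it falls outside the five-minute window; tune SHELL_WINDOW to the observed session behaviour.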

Watchall versions

| Watchall sha1sum | Version | Notes |
|---|---|---|
| ca4a38bf7c1e49cd12c125ac3d730cfea897c2b0 | 1 | Binary from my camera |
| 4d70b63a956347a4c39fb43889de4d29005a8bab | 2 | Other version, easily exploitable |
| 5959ead28bb0aa7134a3763512331871ddd704b2 | 3 | Requires gadgets from uClibc (not implemented at the moment) |

License: GNU General Public License v2.0