blasty / unwyze


compile

xcypher78 opened this issue

Hello, how can I compile?

You need Linux/WSL2 with make and run:

> git clone https://github.com/blasty/unwyze
> cd unwyze/exploit/
> make
> ./exploit

      $$$ WYZECAM v4.36.x.x RCE exploit $$$
         -- by blasty <peter@haxx.in> --

       ... lights, camera, action!

  usage: ./exploit <target_id> <camera_ip> <attacker_ip> [cmd]

  targets:
    > 0: v4.36.10.4054
    > 1: v4.36.11.4679
    > 2: v4.36.11.5859

Thank you

Hi @archandanime, is the Linux/WSL2 you are referring to Linux on Windows? Have you built this on any standard Linux platform? I have tried and it gives me errors that I posted in a new issue. Also, have you tried the hack with any positive results? Trying to see if I can penetrate some of the new cams for wz_mini.

Thanks

@endertable Sorry for the late reply.
I compiled the exploit using Arch Linux:

> gcc -v
...
gcc version 13.2.1 20230801 (GCC) 

> make
gcc -g -o exploit-debug -DDEBUG=1 -Wall -I./include $(pkg-config --cflags libssl libcrypto) src/*.c $(pkg-config --libs libssl libcrypto)
gcc -o exploit -Wall -I./include $(pkg-config --cflags libssl libcrypto) src/*.c $(pkg-config --libs libssl libcrypto)
> ls
Makefile  exploit  exploit-debug  include  src
> ./exploit

      $$$ WYZECAM v4.36.x.x RCE exploit $$$
         -- by blasty <peter@haxx.in> --

       ... lights, camera, action!

  usage: ./exploit <target_id> <camera_ip> <attacker_ip> [cmd]

  targets:
    > 0: v4.36.10.4054
    > 1: v4.36.11.4679
    > 2: v4.36.11.5859

My camera version is 4.36.3.19 for rootfs and 4.36.9.139 for app and the exploit failed with all 3 targets.

I flashed older firmware versions but:

  • v4.36.10.4054: Can't connect to Wi-Fi, the device keeps being deauthenticated:
[   18.782717] [atbm_log]:authen:(5c:02:14:XX:YY:ZZ),ssid(My Wiifi SSID)
[   18.812675] [atbm_log]:wlan0: authenticated
[   18.829313] [atbm_log]:wlan0:free authen bss ++
[   18.872655] [atbm_log]:wlan0:free authen bss --
[   18.880656] [atbm_log]:wlan0: associated
[   18.888513] [atbm_log]:[5c:02:14:XX:YY:ZZ]:20M channel
[   18.898949] [atbm_log]:ieee80211_recalc_ps:work busy
[   21.402682] [atbm_log]:ieee80211_wk_connecting: time out
[   22.886389] [atbm_log]:rx deauthen bssid[5c:02:14:XX:YY:ZZ],join_bssid[5c:02:14:XX:YY:ZZ]]
[   22.895406] [atbm_log]:wlan0: deauthenticated from 5c:02:14:XX:YY:ZZ] (Reason: 15)

  • v4.36.11.4679: Same result
  • v4.36.11.5859: Same result

Because it can't connect to Wi-Fi, I can't test if the exploit works on those firmware versions :(

Edit: I switched back to 4.36.9.139, Wi-Fi works but the exploit didn't as mentioned above.