SOOOooo the plan was to get this IP camera (super cheap, 31$ landed at my door) and possibly replace the firmware with something better, or to hack into it and modify it manually. But, TL;DR: I didn't end up modifying it. This is to give others the info I had to find for myself, but I do give the software needed to make it work.

--Check out this site; some of the information here was gathered from or inspired by silverhawk's website--

But when I placed the order, it was 5 days before I went to Defcon. While at Defcon I watched a presentation where this guy showed how he could replace the firmware inside this exact camera and use it to attack the host network. All he needed was for HTTP from this camera to be published on the internet. In his example, someone had directed port 1999 from the internet to HTTP 80 internally, and he owned the camera in 2 minutes.

So what I learned... NEVER put these cameras on the internet!!! At least not directly. Run it through a good DVR like http://www.milesight.com/ VMS lite is fantastic!
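A forward like the one in that talk (internet port 1999 to the camera's HTTP port 80) is easy to lose track of in a router's rule set. As an added example, not part of the original post, this Python audit reads `iptables-save -t nat` output and flags DNAT rules that point at a camera. It assumes a Linux/iptables-based router; the sample rules, the camera address 192.168.1.50 and the function names are constructed for illustration.

```python
import ipaddress
import shlex

# Constructed sample of `iptables-save -t nat` output from a hypothetical router.
# 192.168.1.50 stands in for the camera; 192.168.1.10 is an unrelated host.
SAMPLE_RULES = """\
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 1999 -j DNAT --to-destination 192.168.1.50:80
-A PREROUTING -i eth0 -p tcp -m tcp --dport 8554 -j DNAT --to-destination 192.168.1.50:554
-A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.1.10:443
-A PREROUTING -i eth0 -s 203.0.113.0/24 -p tcp -m tcp --dport 2323 -j DNAT --to-destination 192.168.1.50:23
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
"""

# Services this page shows on the camera: telnet, the web interface and RTSP.
CAMERA_SERVICES = {"23": "telnet", "80": "http", "554": "rtsp"}

def option(tokens, flag):
    """Return the token that follows `flag`, or None if the flag is absent."""
    return tokens[tokens.index(flag) + 1] if flag in tokens[:-1] else None

def exposed_camera_forwards(rules_text, camera_ips):
    """List DNAT rules that forward inbound traffic to one of camera_ips."""
    cameras = {ipaddress.ip_address(ip) for ip in camera_ips}
    findings = []
    for line in rules_text.splitlines():
        tokens = shlex.split(line)
        target = option(tokens, "--to-destination")
        if "DNAT" not in tokens or target is None:
            continue
        host, _, port = target.partition(":")
        try:
            if ipaddress.ip_address(host) not in cameras:
                continue
        except ValueError:
            continue  # address ranges and IPv6 targets are not handled here
        ext = option(tokens, "--dport") or "any"
        port = port or ext  # with no explicit port, DNAT keeps the original one
        findings.append({"external_port": ext, "camera": host, "internal_port": port,
                         "service": CAMERA_SERVICES.get(port, "other"),
                         "source": option(tokens, "-s") or "any"})
    return findings

if __name__ == "__main__":
    for f in exposed_camera_forwards(SAMPLE_RULES, ["192.168.1.50"]):
        print("{external_port} -> {camera}:{internal_port} ({service}), source {source}".format(**f))
```

Any finding with source `any` is reachable from the whole internet; a rule restricted with `-s` is still reported so it can be reviewed.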

Anyhow, onward and upward.

My thoughts about learning this device were to first start with identifying it, because I can't find anything about Make: OWSOO Model: FY-W612MP/IR

There is some info, but it's mostly complaining about it. I did further digging and found out that this is a re-branded Hosafe (or Goke) ONVIF GK7102

(more information: https://www.hkvstar.com/product-news/introduction-to-goke-hd-ip-camera-solution-gk7101-gk7102.html)

This information was provided by tearing the thing apart and getting telnet access. Here is a list of passwords I found for this device; thankfully mine is on the list (noted by bold).

Access to this showed a lot. First off, it's BusyBox 1.21 (see output below), and I have attached the file structure at the bottom. I have also attached as many pictures as I could for further information.

# uname -or

3.4.43-gk GNU/Linux

# busybox | head -1

BusyBox v1.21.0 (2015-06-01 04:57:58 CST) multi-call binary.

When I attempted to access the admin interface, I was greeted with a login. IT security guy in me is happy.

Then I typed un: Idontknow and pw: Idontcare and poof, I was logged in oO I don't know why I tried anything other than admin and blank, but I did. I tested several other random un and pw and they all work.

NOTE: until you set a pw anything works...

When you log in, you are greeted with this:

Couple things here:

It will ask to install QuickTime; until you install the one from the manufacturer it won't work.

It will ask to install an unsigned ActiveX control (if you allow it); again, you have to install it from the manufacturer first or it won't work.

And oh yeah, I am a Firefox, and China is not... It must be easier to hide vulnerabilities in IE :P

You need to use IE to access this.

Manufacturer website: www.dvripcam.com

I have attached the plug-in and QuickTime to this, just in case they take them down. Password is password, and I had to break it into 5mg chunks to keep Google happy.

In the end, I have decided to keep the camera as is. I have not modified it. If you find alternate firmware, please leave comments. This website is here to provide others the information I learned to help them. Best of luck, and if you have more info I will post it.

Below is a scan showing the OWSOO supports RTSP and more. Have a look.

Notes:

Check out the files below, they will be helpful. A full file and folder list is also attached, just in case you need to hunt for something.

progs.7z is a copy of all the files in the /progs folder. This is everything to do with the web interface that I can find.

This will generate a snapshot of what the camera is currently seeing without needing to authenticate. This file is located in: /progs/html/cgi-bin

[PASSWORD]&cmd=yst&action=get_video

This will list the video streams available on the camera:

status "ok"
data
id 1
stream0 "rtsp://"
stream1 "rtsp://"

[PASSWORD]&cmd=webdevinfo&action=list%20 : Dumps webserver info

snapshot.sh has this in it:

#!/bin/sh
./wagent websnapshot $1 `pwd`/snapshot/temp.jpg
#echo `pwd`/snapshot/temp.jpg

Busybox is a command line tool to let you run the following commands:

Currently defined functions: [, [[, addgroup, adduser, ar, arping, ash, awk, basename, bash, blkid, bunzip2, bzcat, cat, catv, chattr, chgrp, chmod, chown, chroot, chrt, chvt, cksum, clear, cmp, cp, cpio, crond, crontab, cut, date, dc, dd, deallocvt, delgroup, deluser, devmem, df, diff, dirname, dmesg, dnsd, dnsdomainname, dos2unix, du, dumpkmap, echo, egrep, eject, env, ether-wake, expr, false, fdflush, fdformat, fgrep, find, fold, free, freeramdisk, fsck, fuser, getopt, getty, grep, gunzip, gzip, halt, hdparm, head, hexdump, hostid, hostname, hwclock, id, ifconfig, ifdown, ifup, inetd, init, insmod, install, ip, ipaddr, ipcrm, ipcs, iplink, iproute, iprule, iptunnel, kill, killall, killall5, klogd, last, less, linux32, linux64, linuxrc, ln, loadfont, loadkmap, logger, login, logname, losetup, ls, lsattr, lsmod, lsof, lspci, lsusb, lzcat, lzma, makedevs, md5sum, mdev, mesg, microcom, mkdir, mkfifo, mknod, mkswap, mktemp, modprobe, more, mount, mountpoint, mt, mv, nameif, netstat, nice, nohup, nslookup, od, openvt, passwd, patch, pidof, ping, pipe_progress, pivot_root, poweroff, printenv, printf, ps, pwd, rdate, readlink, readprofile, realpath, reboot, renice, reset, resize, rm, rmdir, rmmod, route, run-parts, runlevel, sed, seq, setarch, setconsole, setkeycodes, setlogcons, setserial, setsid, sh, sha1sum, sha256sum, sha3sum, sha512sum, sleep, sort, start-stop-daemon, strings, stty, su, sulogin, swapoff, swapon, switch_root, sync, sysctl, syslogd, tail, tar, tee, telnet, telnetd, test, tftp, time, top, touch, tr, traceroute, true, tty, udhcpc, umount, uname, uniq, unix2dos, unlzma, unxz, unzip, uptime, usleep, uudecode, uuencode, vconfig, vi, vlock, watch, watchdog, wc, wget, which, who, whoami, xargs, xz, xzcat, yes, zcat

As an example, I used: busybox tftp -l [FILENAME] -p to upload all the files that I found.