Monday, August 24, 2020

Open Sesame (Dlink - CVE-2012-4046)

A couple of weeks ago a vulnerability was posted for the D-Link DCS-9xx series of cameras. The author of the disclosure found that the setup application that ships with the camera can send a specially crafted request to a camera on the same network and receive its password in plaintext. I figured this was a good chance to do some analysis, work out exactly how the application carries out this functionality, and possibly write a script to pull the password out of a camera.

The basic functionality of the application is as follows:

  • Application sends out a UDP broadcast on port 5978
  • Camera sees the broadcast on port 5978 and inspects the payload; if the initial part of the payload contains "FF FF FF FF FF FF" it responds (UDP broadcast, port 5978) with an encoded payload containing its own MAC address
  • Application retrieves the camera's response and sends another UDP broadcast, this time with a payload containing the target camera's MAC address; this encoded value carries the command to send over the password
  • Camera sees the broadcast on port 5978, checks that it is the intended recipient by inspecting the MAC address specified in the payload, and responds with an encoded payload that contains its password (base64 encoded)

After spending some time with the application in a debugger I found what looked like the routine responsible for decoding the encoded values that are passed around:


super exciting screen shot.
After spending some time documenting the functionality I came up with the following notes (messy wall of text):

Command; Comments
.JGE SHORT 0A729D36; stage1
./MOV EDX,DWORD PTR SS:[LOCAL.2]; set EDX to our 1st stage half decoded buffer
.|MOV ECX,DWORD PTR SS:[LOCAL.4]; set ECX to our current count/offset
.|MOV EAX,DWORD PTR SS:[LOCAL.3]; set EAX to our base64 encoded payload
.|MOVSX EAX,BYTE PTR DS:[EAX]; set EAX to the current value in our base64 payload
.|MOV AL,BYTE PTR DS:[EAX+0A841934]; set AL to the table entry for the current byte: the hardcoded lookup table is at 0A841934 and the byte's value is the offset into it
.|MOV BYTE PTR DS:[ECX+EDX],AL; ECX = Offset, EDX = start of our half-decoded buffer, write our current byte there
.|INC DWORD PTR SS:[LOCAL.4]; increment our offset/count
.|INC DWORD PTR SS:[LOCAL.3]; increment our base64 buffer to next value
.|MOV EDX,DWORD PTR SS:[LOCAL.4]; set EDX to our counter
.|CMP EDX,DWORD PTR SS:[ARG.2]; compare EDX (counter) to our total size
.\JL SHORT 0A729D13; jump back if we have not finished half decoding our input value
.MOV ECX,DWORD PTR SS:[ARG.3]; Looks like this will point at our decoded buffer
.MOV DWORD PTR SS:[LOCAL.5],ECX; set Arg5 to our decoded destination
.MOV EAX,DWORD PTR SS:[LOCAL.2]; set EAX to our half-decoded buffer
.MOV DWORD PTR SS:[LOCAL.3],EAX; set arg3 to point at our half-decoded buffer
.MOV EDX,DWORD PTR SS:[ARG.4]; ???? 1500 decimal
.XOR ECX,ECX; clear ECX
.MOV DWORD PTR DS:[EDX],ECX; clear out arg4 value
.XOR EAX,EAX; clear out EAX
.MOV DWORD PTR SS:[LOCAL.6],EAX; clear out local.6
.JMP SHORT 0A729DAE; JUMP
./MOV EDX,DWORD PTR SS:[LOCAL.3]; move our current half-decoded dword position into EDX
.|MOV CL,BYTE PTR DS:[EDX]; move our current byte into ECX (CL) (dword[0])
.|SHL ECX,2; shift left 2 dword[0]
.|MOV EAX,DWORD PTR SS:[LOCAL.3]; move our current dword position into EAX
.|MOVSX EDX,BYTE PTR DS:[EAX+1]; move our current dword position + 1 (dword[1]) into EDX
.|SAR EDX,4; shift right 4 dword[1]
.|ADD CL,DL; add (shift left 2 dword[0]) + (shift right 4 dword[1])
.|MOV EAX,DWORD PTR SS:[LOCAL.5]; set EAX to our current decoded buffer position
.|MOV BYTE PTR DS:[EAX],CL; write our decoded (dword[0]) value to our decoded buffer
.|INC DWORD PTR SS:[LOCAL.5]; increment our position in the decoded buffer
.|MOV EDX,DWORD PTR SS:[LOCAL.3]; set EDX to our current dword position
.|MOV CL,BYTE PTR DS:[EDX+1]; set ECX to dword[1]
.|SHL ECX,4; left shift 4 dword[1]
.|MOV EAX,DWORD PTR SS:[LOCAL.3]; set EAX to our current dword position
.|MOVSX EDX,BYTE PTR DS:[EAX+2]; set EDX to dword[2]
.|SAR EDX,2; shift right 2 dword[2]
.|ADD CL,DL; add (left shift 4 dword[1]) + (right shift 2 dword[2])
.|MOV EAX,DWORD PTR SS:[LOCAL.5]; set EAX to our next spot in the decoded buffer
.|MOV BYTE PTR DS:[EAX],CL; write our decoded value into our decoded buffer
.|INC DWORD PTR SS:[LOCAL.5]; move to the next spot in our decoded buffer
.|MOV EDX,DWORD PTR SS:[LOCAL.3]; set EDX to our current half-decoded dword
.|MOV CL,BYTE PTR DS:[EDX+2]; set ECX dword[2]
.|SHL ECX,6; shift left 6 dword[2]
.|MOV EAX,DWORD PTR SS:[LOCAL.3]; set EAX to our current half-decoded dword
.|ADD CL,BYTE PTR DS:[EAX+3]; add dword[2] + dword[3]
.|MOV EDX,DWORD PTR SS:[LOCAL.5]; set EDX to point at our next spot in our decoded buffer
.|MOV BYTE PTR DS:[EDX],CL; write our decoded byte to our decoded buffer
.|INC DWORD PTR SS:[LOCAL.5]; move to the next spot in our decoded buffer
.|ADD DWORD PTR SS:[LOCAL.3],4; increment our encoded buffer to point at our next dword
.|MOV ECX,DWORD PTR SS:[ARG.4]; set ECX to our current offset?
.|ADD DWORD PTR DS:[ECX],3; add 3 to our current offset?
.|ADD DWORD PTR SS:[LOCAL.6],4; add 4 to our byte counter??
.|MOV EAX,DWORD PTR SS:[ARG.2]; move total size into EAX
.|ADD EAX,-4; subtract 4 from total size
.|CMP EAX,DWORD PTR SS:[LOCAL.6]; compare our total bytes to read bytes
.\JG SHORT 0A729D50; jump back if we are not done
.MOV EDX,DWORD PTR SS:[LOCAL.3]; set EDX to our last DWORD of encoded buffer
.MOVSX ECX,BYTE PTR DS:[EDX+3]; set ECX to dword[3] last byte of our half-decoded dword (dword + 3)
.INC ECX; increment the value of dword[3]
.JE SHORT 0A729E1E
.MOV EAX,DWORD PTR SS:[LOCAL.3]; set EAX to our current half-decoded dword
.MOV DL,BYTE PTR DS:[EAX]; set EDX (DL) to dword[0]
.SHL EDX,2; shift left 2 dword[0]
.MOV ECX,DWORD PTR SS:[LOCAL.3]; set ECX to our current encoded dword position
.MOVSX EAX,BYTE PTR DS:[ECX+1]; set EAX to dword[1]
.SAR EAX,4; shift right 4 dword[1]
.ADD DL,AL; add (shifted left 2 dword[0]) + (shifted right 4 dword[1])
.MOV ECX,DWORD PTR SS:[LOCAL.5]; set ECX to point at our next spot in our decoded buffer
.MOV BYTE PTR DS:[ECX],DL; write our decoded value (EDX/DL) to our decoded buffer
.INC DWORD PTR SS:[LOCAL.5]; move to the next spot in our decoded buffer
.MOV EDX,DWORD PTR SS:[LOCAL.3]; set EDX to point at our dword
.MOV AL,BYTE PTR DS:[EDX+1]; set EAX/AL to dword[1]
.SHL EAX,4; shift left 4 dword[1]
.MOV EDX,DWORD PTR SS:[LOCAL.3]; set EDX to our current dword
.MOVSX ECX,BYTE PTR DS:[EDX+2]; set ECX to dword[2]
.SAR ECX,2; shift right 2 dword[2]
.ADD AL,CL; add (shifted left 4 dword[1]) + (shifted right 2 dword[2])
.MOV EDX,DWORD PTR SS:[LOCAL.5]; set EDX to point at our current spot in our decoded buffer
.MOV BYTE PTR DS:[EDX],AL; write our decoded value to the decoded buffer
.INC DWORD PTR SS:[LOCAL.5]; move to the next spot in our decoded buffer
.MOV EAX,DWORD PTR SS:[LOCAL.3]; set EAX to point at our current dword
.MOV CL,BYTE PTR DS:[EAX+2]; set ECX/CL to dword[2]
.SHL ECX,6; shift left 6 dword[2]
.MOV EAX,DWORD PTR SS:[LOCAL.3]; point EAX at our current dword
.ADD CL,BYTE PTR DS:[EAX+3]; add dword[3] + (shifted left 6 dword[2])
.MOV EDX,DWORD PTR SS:[LOCAL.5]; point EDX at our current decoded buffer
.MOV BYTE PTR DS:[EDX],CL; write our decoded value to the decoded buffer
.INC DWORD PTR SS:[LOCAL.5]; increment our decoded buffer
.MOV ECX,DWORD PTR SS:[ARG.4]; set ECX to our current offset?
.ADD DWORD PTR DS:[ECX],3; add 3 to our current offset (same as in the loop)?
.JMP 0A729EA6; jump

Translated into English: the application first uses a lookup table to translate every byte of the input string, using the value of the current byte as an offset into the table. After "stage1" is done, it traverses the translated input buffer a dword at a time and does some bit shifting and addition to fully decode the value. The following roughly shows the "stage2" routine:
(Dword[0] << 2) + (Dword[1] >> 4) = unencoded byte 1 
(Dword[1] << 4) + (Dword[2] >> 2) = unencoded byte 2 
(Dword[2] << 6) + Dword[3] = unencoded byte 3
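The two-stage routine from the notes above written out in Python, as an added example (this is not the author's script). It assumes the lookup table at 0A841934 is the standard base64 reverse alphabet with '=' mapping to 0xFF, and handles the padded last dword (the branch to 0A729E1E, which the listing does not show) the way standard base64 padding does; the 8-bit ADDs are reproduced by masking each result to a byte.

```python
import string

# Assumption (not stated on the page): the table at 0A841934 is the standard
# base64 reverse alphabet; '=' and every byte outside it map to 0xFF.
ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"
TABLE = bytearray([0xFF] * 256)
for _i, _ch in enumerate(ALPHABET):
    TABLE[ord(_ch)] = _i

def stage1(encoded: bytes) -> bytearray:
    """Stage 1: translate every input byte through the lookup table."""
    return bytearray(TABLE[b] for b in encoded)

def stage2(half: bytearray) -> bytes:
    """Stage 2: walk the half-decoded buffer a dword at a time and recombine the
    6-bit values with the shifts from the listing; ADD CL,DL is 8-bit, so each
    result is masked to a byte."""
    if len(half) % 4:
        raise ValueError("encoded length must be a multiple of 4")
    out = bytearray()
    pos = 0
    # Main loop: runs while counter < total_size - 4 (ADD EAX,-4 / CMP / JG).
    while pos < len(half) - 4:
        d = half[pos:pos + 4]
        if 0xFF in d:
            raise ValueError("byte outside the alphabet in dword %d" % (pos // 4))
        out.append(((d[0] << 2) + (d[1] >> 4)) & 0xFF)
        out.append(((d[1] << 4) + (d[2] >> 2)) & 0xFF)
        out.append(((d[2] << 6) + d[3]) & 0xFF)
        pos += 4
    # Tail: the listing tests dword[3] + 1 == 0 (table value 0xFF, i.e. '=') and
    # branches to 0A729E1E, which is not shown. Assumed: that path emits only the
    # complete bytes, as standard base64 padding does.
    if pos < len(half):
        d = half[pos:pos + 4]
        if d[0] == 0xFF or d[1] == 0xFF:
            raise ValueError("malformed final dword")
        out.append(((d[0] << 2) + (d[1] >> 4)) & 0xFF)
        if d[2] != 0xFF:
            out.append(((d[1] << 4) + (d[2] >> 2)) & 0xFF)
        if d[2] != 0xFF and d[3] != 0xFF:
            out.append(((d[2] << 6) + d[3]) & 0xFF)
    return bytes(out)

def decode(encoded: bytes) -> bytes:
    """Whole routine: stage 1 then stage 2, as the application does."""
    return stage2(stage1(encoded))
```

With the table assumed above, the recovered routine agrees byte for byte with ordinary base64, which matches the author's observation that the password comes back base64 encoded.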

I then confirmed that this routine worked on an "encoded" value that went over the wire from the application to the camera. After confirming the encoding scheme worked, I recreated the network transaction the application does with the camera to create a stand-alone script that will retrieve the password from a camera on the same LAN as the "attacker". The script can be found here; thanks to Jason Doyle for the original finding (@jasond0yle).
