Access to internal features such as Boa HTTP server or MQTT settings

[teixeluis]

Hello, with this exploit is it possible to activate these features? Will permanent root access (via ssh key or other method by possible) after initial access via this exploit? Thanks

[endertable]

@teixeluis Were you even able to compile this. I keep getting errors:

$ make
gcc -g -o exploit-debug -DDEBUG=1 -Wall -I./include $(pkg-config --cflags libssl libcrypto) src/*.c $(pkg-config --libs libssl libcrypto)
src/main.c: In function ‘BIO_sCHL_ctrl’:
src/main.c:328:10: error: ‘BIO_CTRL_GET_KTLS_SEND’ undeclared (first use in this function)
     case BIO_CTRL_GET_KTLS_SEND:
          ^
src/main.c:328:10: note: each undeclared identifier is reported only once for each function it appears in
src/main.c:329:10: error: ‘BIO_CTRL_GET_KTLS_RECV’ undeclared (first use in this function)
     case BIO_CTRL_GET_KTLS_RECV:
          ^
src/main.c: In function ‘httpd_handle_request’:
src/main.c:640:18: warning: format ‘%lu’ expects argument of type ‘long unsigned int’, but argument 4 has type ‘unsigned int’ [-Wformat=]
                  "HTTP/1.1 200 OK\r\n"
                  ^
src/main.c:640:18: warning: format ‘%lu’ expects argument of type ‘long unsigned int’, but argument 4 has type ‘unsigned int’ [-Wformat=]
Makefile:5: recipe for target 'all' failed
make: *** [all] Error 1

Thanks for any help

[teixeluis]

@endertable I haven't yet tried building the project, but I will share feedback once I do it.

[developerakshita]

I am not able to receive data from camera, getting "not a data rx".. skipping..

[endertable]

I am not able to receive data from camera, getting "not a data rx".. skipping..

Hi, very nice you received the stream I’d. what did you build this on. I get errors with my make command

thanks

[blasty]

@endertable have you installed libssl & libcrypto? (and the development headers, typically libssl-dev and libcrypto-dev on debian/ubuntu)

@developerakshita are you sure you are running the vulnerable version on your WYZE cam? can you perhaps add the following line of code at line 196 in iotc_client.c and paste the output?

hexdump(frame, frame_size);

[endertable]

Hi @blasty, in running the make command I get the following errors on almost all my different Linux devices:

gcc -g -o exploit-debug -DDEBUG=1 -Wall -I./include $(pkg-config --cflags libssl libcrypto) src/*.c $(pkg-config --libs libssl libcrypto)
src/main.c: In function ‘BIO_sCHL_ctrl’:
src/main.c:328:10: error: ‘BIO_CTRL_GET_KTLS_SEND’ undeclared (first use in this function); did you mean ‘BIO_CTRL_GET_CLOSE’?
     case BIO_CTRL_GET_KTLS_SEND:
          ^~~~~~~~~~~~~~~~~~~~~~
          BIO_CTRL_GET_CLOSE
src/main.c:328:10: note: each undeclared identifier is reported only once for each function it appears in
src/main.c:329:10: error: ‘BIO_CTRL_GET_KTLS_RECV’ undeclared (first use in this function); did you mean ‘BIO_CTRL_GET_KTLS_SEND’?
     case BIO_CTRL_GET_KTLS_RECV:
          ^~~~~~~~~~~~~~~~~~~~~~
          BIO_CTRL_GET_KTLS_SEND
Makefile:5: recipe for target 'all' failed
make: *** [all] Error 1

Tried on Ubuntu, on rPi, Fedora. Does this look familiar or seem like I am missing something?

[gtxaspec]

what version of gcc are you using?

$ make
gcc -g -o exploit-debug -DDEBUG=1 -Wall -I./include $(pkg-config --cflags libssl libcrypto) src/*.c $(pkg-config --libs libssl libcrypto)
gcc -o exploit -Wall -I./include $(pkg-config --cflags libssl libcrypto) src/*.c $(pkg-config --libs libssl libcrypto)

works ok here. ubuntu 23.04

[endertable]

$ gcc --version
gcc (Ubuntu 7.5.0-3ubuntu1~18.04) 7.5.0
Copyright (C) 2017 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.  There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

uname -a
Linux video1 5.4.0-84-generic #94~18.04.1-Ubuntu SMP Thu Aug 26 23:17:46 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux

[gtxaspec]

time to update:
gcc version 12.3.0 (Ubuntu 12.3.0-1ubuntu1~23.04)

[endertable]

lol, I am definitely behind. I am guessing you have already attempted to do what I was going to try, exploit into the newer locked cams. Have you had any success? Did it work even on the older cams, e.g. V3?

[gtxaspec]

haven't tried it on the newer cams, will need updates for the code. didn't try the older cam's, i'm assuming it still works.