Full Disclosure mailing list archives
Re: Fwd: Remote command injection vulnerability in Rosewill RSVA11001 (Hi3515 based)
From: Henri Salo <henri () nerv fi>
Date: Mon, 25 Mar 2013 14:56:50 +0200
On Sun, Mar 24, 2013 at 05:43:43PM -0400, Eric Urban wrote:
> I have been hacking on a Rosewill RSVA11001 for a while now, something to suck up my free time. I had pulled apart the firmware previously but did not succeed in finding a way to get a shell on the device. The box is Hi3515 based, I found an exploit for another similar box (Ray Sharp) but it did not work.
>
> The Rosewill firmware seems to use an executable that listens on two ports rather than one when communicating with the Windows-based control software. Port 8000 is now the command port rather than 9000, 9000 is used for video only.
>
> After playing with the included Windows application I eventually did a strings on the 'hi_dvr' executable that is the user space program that controls the interface to the thing. I found this gem:
>
> /mnt/ntpdate -q %s > /tmp/tmpfs/ntptmp
>
> So I used the Windows software to set the NTP host to a;/usr/bin/nc -l -p 5555 -e /bin/sh&
Did you report this to the vendor?

--
Henri Salo
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
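The command string quoted above takes the configured NTP host through `%s`. As an added example (not code from this thread or from the vendor's firmware), this C sketch shows one way to make the same `ntpdate` call without a shell: validate the host, then exec the binary directly. The function names, the strict hostname rule and the assumed `snprintf`/`system` pattern in the comment are assumptions.

```c
#include <ctype.h>
#include <fcntl.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Assumed vulnerable pattern behind the string found in hi_dvr (not vendor code):
 *   snprintf(cmd, sizeof cmd, "/mnt/ntpdate -q %s > /tmp/tmpfs/ntptmp", host);
 *   system(cmd);
 * The host reaches /bin/sh, so ';', '&', '|', '$' and friends are interpreted. */

/* Hypothetical helper: accept only dot-separated labels of [A-Za-z0-9-]. */
int ntp_host_is_valid(const char *host)
{
    size_t len = host ? strlen(host) : 0, label = 0;
    if (len == 0 || len > 253) return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)host[i];
        if (c == '.') {
            if (label == 0 || host[i - 1] == '-') return 0; /* empty label, or one ending in '-' */
            label = 0;
        } else if (isalnum(c) || (c == '-' && label > 0)) { /* no leading '-': blocks option injection */
            if (++label > 63) return 0;
        } else {
            return 0; /* ';', '&', '/', spaces, quotes, ... */
        }
    }
    return label > 0 && host[len - 1] != '-';
}

/* Hypothetical replacement: host is a single argv element, redirect done with dup2. */
int run_ntpdate_query(const char *host, const char *out_path)
{
    if (!ntp_host_is_valid(host)) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        int fd = open(out_path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
        if (fd < 0 || dup2(fd, STDOUT_FILENO) < 0) _exit(126);
        char *const argv[] = { "/mnt/ntpdate", "-q", (char *)host, NULL };
        execv(argv[0], argv);
        _exit(127); /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

Even if validation were skipped, `execv` passes the host to `ntpdate` as a single argument, so shell metacharacters in it are never interpreted.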