On Sun, Mar 24, 2013 at 05:43:43PM -0400, Eric Urban wrote: > I have been hacking on a Rosewill RSVA11001 for a while now, something to > suck up my free time. I had pulled apart the firmware previously but did > not succeed in finding a way to get a shell on the device. The box is > Hi3515 based, I found an exploit for another similar box (Ray Sharp) but it > did not work. The Rosewill firmware seems to use an executable that listens > on two ports rather one when communicating with the Windows-based control > software. Port 8000 is now the command port rather 9000, 9000 is used for > video only. After playing with the included Windows application I > eventually did a strings on the 'hi_dvr' exectuable that is the user space > program that controls the interface to thing. I found this gem: > > /mnt/ntpdate -q %s > /tmp/tmpfs/ntptmp > > So I used the windows software to set the NTP host to > > a;/usr/bin/nc -l -p 5555 -e /bin/sh& Did you report this to the vendor? -- Henri Salo
Attachment:
signature.asc
Description: Digital signature
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/