I have forgotten the password to my dlink DCS-930L IP camera. After searching online, I came across an authentication bypass vulnerability as detailed here.
I was able to obtain the encoded configuration while (which contains the admin password).
However, I am having issues getting the python script (which decodes the configuration file) to work. This is what I have so far :
#!/usr/bin/python
# 'data' holds the content of the obfuscated configuration file
data1 = open('/root/Desktop/data', 'r')
data = data1.readlines()
def deobfuscate(data):
r = []
for c in data:
c = ord(c)
c = (c + ord('y')) & 0xff
c = (c ^ ord('Z')) & 0xff
c = (c - ord('e')) & 0xff
r.append(c)
tmp = None
i = len(r) - 1
while i >= 0:
if i == len(r) - 1:
x = r[i]
tmp = ((x & 7) << 5) & 0xff
if i == 0:
assert tmp is not None
x = r[0]
x = (x >> 3) & 0xff
x = (x + tmp) & 0xff
r[0] = x
else:
c1 = r[i-1]
c2 = r[i]
c1 = c1 & 0x7
c2 = (c2 >> 3) & 0xff
c1 = (c1 << 5) & 0xff
c2 = (c2 + c1) & 0xff
r[i] = c2
i = i - 1
r = "".join([chr(x) for x in r])
s = ""
assert (len(r) % 2) == 0
for i in range(len(r)/2):
s += r[i+(len(r)/2)] + r[i]
return s
print s
deobfuscate(data)
Every time I run the script, there is no output. At this point, I am not sure if the script is running properly, and I just have a printing issue, or if the script had larger issues.
Any assistance is greatly appreciated.
Another problem: it looks like you are reading the file as a list of strings (data1.readlines()
), but the deobfuscate function expects a single string.
You code should be
INPUT = '/root/Desktop/data'
def deobfuscate(data):
r = []
for c in data:
c = ord(c)
c = (c + ord('y')) & 0xff
c = (c ^ ord('Z')) & 0xff
c = (c - ord('e')) & 0xff
r.append(c)
tmp = None
i = len(r) - 1
while i >= 0:
if i == len(r) - 1:
x = r[i]
tmp = ((x & 7) << 5) & 0xff
if i == 0:
assert tmp is not None
x = r[0]
x = (x >> 3) & 0xff
x = (x + tmp) & 0xff
r[0] = x
else:
c1 = r[i-1]
c2 = r[i]
c1 = c1 & 0x7
c2 = (c2 >> 3) & 0xff
c1 = (c1 << 5) & 0xff
c2 = (c2 + c1) & 0xff
r[i] = c2
i = i - 1
r = "".join([chr(x) for x in r])
s = ""
assert (len(r) % 2) == 0
for i in range(len(r)/2):
s += r[i+(len(r)/2)] + r[i]
return s
def main():
with open(INPUT) as inf:
data = inf.read()
print(deobfuscate(data))
if __name__=="__main__":
main()
... actually, some of the code in deobfuscate
should be cleaned up, but without data to test against, I don't want to poke at it too much.