Foscam: Reboot
Good day, ladies and gentlemen!
Today we will talk about the IP cameras of Foscam, which were recently told here .
As a curious juzver, having read about the "vulnerability", I merrily ran to watch what was interesting there.
')
Under the cut you will see what is interesting there, and why the post is called “Foscam: Reboot”.
I want everything at once
So, there are so many cameras. How among them to look for interesting?
For this you need to see what each of them shows!
The initial idea is to get one frame from each camera.
For a start, I went to a random channel to see what was happening.
The first thing I saw was two modes: ActiveX (IE) and Server Push.
Played with ActiveX, looked, listened, then turned on Server Push.
You can watch and listen? Is IE needed for this?
It turned out that in the Server Push mode for sound they suggest using the VLC plugin, which plays the link of the following form:
ab1234.myfoscam.org:88/videostream.asf?user=admin&pwd=
Yes, yes, you do not even need to launch the browser, you can open the link in your favorite player and get the content!
And if you can get a video in one request, why not get them all with the same request?
Pump out
By the method of scientific poking, I learned that not all xx1234 subdomains are active, but only those that begin with a, b, and c.
Quickly concocted a list, set up a cURL, and swing forward.
Technical detail
Under the link is not just a file that can be downloaded, but streaming video.
If you just set a cURL on it, the video will swing until tomorrow.
So I had to patch cURL so that it did not download more than 200 KB.
If you just set a cURL on it, the video will swing until tomorrow.
So I had to patch cURL so that it did not download more than 200 KB.
Figures:
Initially there were 780,000 options. / [ac] [az] [0-9] {4} /.
16608 responded to the request.
We gave the video as admin 3409 (20%). Not every 3rd but every 5th!
I gave the video for the name of the operator, but not for the admin - only one!
Download the archive with vidyukhi here (587 MB).
Password - the domain of your favorite site;)
Since the files are cut to 200 KB, Windows Media Player cannot handle them, but VLC shows no problems.
With system sketches, too, Windows has problems, but Linux (at least Mint) shows a bang.
Screenshot
So what's interesting?
Not a lot of interesting things.
Many sleeping children, many empty apartments, apartments with fat men.
I wanted to see at least one pussy, but I was not so lucky as the Goodkat user was lucky (I love it when the nicknames coincide with the situation!).
But not for nothing that I did all this, you need to do something cool.
Besides, having reread the original post, it turned out that:
This article is not written for the delight of fantasy lovers pryYes, and so I could not delight the fantasies.
Reboot
Looking at the comments in the original post, I came across the author's note :
Ideally, leaving the camera to do a factor reset. Firstly, it will erase all traces exactly, and secondly it will attract the owner to a more careful setting.
This is correct, it is necessary to convey to the clumsy users that they have something wrong with privacy!
Well, since I already have a list of all real cameras, why not make a factor reset to ALL?
It turned out to be as simple as downloading a video; one link is enough:
ab1234.myfoscam.org:88/restore_factory.cgi?user=admin&pwd=&next_url=reboot.htm
Again cURL in hand and forward.
Figures:
Launched the process for all 16608 cameras.
Reset safely and now are no longer available, 1919 cameras (11%).
I do not know exactly why the video was given by 20%, and only 11% were reset.
Maybe many have already changed the password, maybe not all support the reset.
In any case, I saved 1919 cameras from prying eyes, and this is also not bad!
Bonus: Country Statistics
Finally, I decided to check how many users from which countries there are.
The winner is the USA, with 10913 users (65%).
The first 10-ka
United States
10913 (65.71%)
United kingdom
660 (3.97%)
Canada
519 (3.12%)
Netherlands
495 (2.98%)
Singapore
403 (2.43%)
Australia
300 (1.81%)
Brazil
296 (1.78%)
Germany
256 (1.54%)
Italy
252 (1.52%)
Israel
160 (0.96%)
10913 (65.71%)
United kingdom
660 (3.97%)
Canada
519 (3.12%)
Netherlands
495 (2.98%)
Singapore
403 (2.43%)
Australia
300 (1.81%)
Brazil
296 (1.78%)
Germany
256 (1.54%)
Italy
252 (1.52%)
Israel
160 (0.96%)
Full details here . The password is the same.
In addition, I would venture to suggest that the domain of the author of the original post ( KarasikovSergey ) is one of the following:
ab6223, ae6533, ah0109, ah1372, ah4256, ai5064, aj0074, aj0161,
ak1084, ap8372, aq1638, aq3870, as4571, as5026, as8634, as9261,
at0128, at0557, at1178, at1196, at1763, at2211, au0366, ax9188,
ba4590, bd4836, be2777, be2787, be2799, bf9466, bh3345, bm2387,
bm2418, bn2295, bn5443, bn5510, bn5520, bn5526, bp5053, bp5222,
by0744, cd6829
Maybe your domain is here,% username%!
the end
Taking this opportunity, I want to say hello to the Foscam support company;)
Source: https://habr.com/ru/post/189674/
All Articles