Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Uniview PreAuth RCE - 755

SSD, posted 4 years ago
  • Uniview is a popular security camera. There is a proprietary protocol listening on UDP port 7788.
  • The vulnerability is a buffer overflow in string parsing, caused by calling sscanf without checking that the destination buffer is large enough for the input. This lets an attacker smash the stack and run a ROP chain that pops a shell.
  • The shell is restricted, though, which is to the development team's credit. Even so, because the shell can still write to the /tmp directory, the script killwatchdog.sh can be overwritten; when the device reboots, that script is executed and the user's privileges are escalated.
  • Two simple bugs chained together lead to a compromise of the whole system. Defense-in-depth is crucial!
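To make the sscanf point concrete, here is an added example (my own code, not from the SSD advisory or the Uniview firmware) that contrasts the unbounded "%s" pattern with a bounded parser that rejects over-long values instead of overflowing. The "NAME=value" message format is a constructed stand-in; the page does not describe the real UDP/7788 format.

```c
/* Added example: bounded vs. unbounded sscanf string parsing.
 * The "NAME=<value>" message format is constructed for illustration. */
#include <stdio.h>
#include <string.h>

#define STR2(x) #x
#define STR(x) STR2(x)
#define NAME_LEN 15              /* longest value we accept, excluding NUL */

/* Vulnerable pattern (shown as a comment only): "%s" carries no field width,
 * so sscanf copies as many non-space bytes as the sender supplies and a value
 * longer than the buffer writes past the end of the stack frame.
 *
 *   char name[NAME_LEN + 1];
 *   sscanf(msg, "NAME=%s", name);      // no bound on the copy
 */

/* Hardened parser. The field width "%15s" caps the copy at NAME_LEN bytes,
 * and the trailing "%c" reveals whether unread bytes follow the value, so an
 * over-long name is rejected rather than silently truncated.
 * Returns 1 on success (value copied into out), 0 on any parse failure. */
int parse_name(const char *msg, char *out, size_t out_len)
{
    char buf[NAME_LEN + 1];
    char extra = 0;

    if (out_len < NAME_LEN + 1)
        return 0;                                   /* caller buffer too small */

    int n = sscanf(msg, "NAME=%" STR(NAME_LEN) "s%c", buf, &extra);
    if (n < 1)
        return 0;                                   /* no NAME= field present */
    if (n == 2 && extra != ' ' && extra != '\n')
        return 0;                                   /* value exceeded NAME_LEN */

    strcpy(out, buf);                               /* safe: out_len checked above */
    return 1;
}

int main(void)
{
    char name[NAME_LEN + 1];
    const char *ok  = "NAME=camera01";              /* constructed sample input */
    const char *bad = "NAME=this_value_is_far_too_long";
    printf("%s -> %d\n", ok,  parse_name(ok,  name, sizeof name));
    printf("%s -> %d\n", bad, parse_name(bad, name, sizeof name));
    return 0;
}
```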