First, they needed to figure out how the UUIDs for the cameras were generated. Simply by looking at the values, they discovered that the account UUID is incremental. This allows for easy user enumeration later.
To make matters worse, this request to view a user's data included their email and password. At this point, their account is completely taken over.
Once the account is taken over, the stream can be shared and other malicious things can be done.
From there, one of the functions in the binary has an out-of-bounds write that can be reached remotely. The article claims that RCE is possible because of this, but does not make any mention of ever trying.
Finally, the remote update command passes input directly to tar. This leads to an easy command injection on the device. However, to make things more complicated, the payload has to be an actual URL.
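
A hardened shape for the update handler described above, as an added example (not code from the article or the device firmware). It assumes the original built a shell command from the request; the update host, file paths and function names are hypothetical.

```c
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical values: the page does not name the update host or paths. */
#define UPDATE_PREFIX "https://updates.example.invalid/"
#define ARCHIVE_PATH  "/tmp/fw_update.tar"
#define EXTRACT_DIR   "/tmp/fw_update"

/* Return 1 only for URLs on the pinned host whose path uses a strict
 * character allowlist; anything a shell or tar could reinterpret fails. */
int update_url_is_safe(const char *url)
{
    static const char allowed[] =
        "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789._-/";
    size_t plen = strlen(UPDATE_PREFIX);
    const char *path;

    if (url == NULL || strlen(url) > 255) return 0;
    if (strncmp(url, UPDATE_PREFIX, plen) != 0) return 0;  /* scheme + host pinned */
    path = url + plen;
    if (*path == '\0' || *path == '-') return 0;           /* empty or option-like */
    if (strspn(path, allowed) != strlen(path)) return 0;   /* shell metacharacters */
    if (strstr(path, "..") != NULL) return 0;              /* path traversal */
    return 1;
}

/* Extract the already-downloaded archive with a fixed argument vector.
 * No shell is involved and no request data reaches the command line. */
int extract_update(void)
{
    char *const argv[] = { "tar", "-xf", ARCHIVE_PATH, "-C", EXTRACT_DIR, NULL };
    int status;
    pid_t pid = fork();

    if (pid < 0) return -1;
    if (pid == 0) {
        execv("/bin/tar", argv);
        _exit(127);                                        /* exec failed */
    }
    if (waitpid(pid, &status, 0) < 0) return -1;
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 0 : -1;
}
```

The validator gates the download step; tar only ever sees the fixed local path, so a URL that passes validation still never becomes part of a command.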