
Server related

Note: This research was done on an HDR-AS15, but due to the similarities in features and other parts of the firmware I believe it will be relevant for the NEX-5R and NEX-6.

The camera provides Web servers in 2 modes.

  • Viewfinder Mode
  • Send Mode

Viewfinder Mode

The web server in Viewfinder mode runs on port 10000:

http://10.0.0.1:10000/

It is mainly controlled by POST and GET requests carrying JSON, but it also provides a JavaScript file called orb-client.min.js. Because it provides this file, it is possible to use '../' in the request path for web server directory traversal and arbitrary file access:

http://10.0.0.1:10000/sony/../../../../ is the root of the filesystem

Note: Because the file is always served as text/plain, it is not possible to read binary files that contain 0x00 bytes. If you try to read an ELF binary you will receive only 7 bytes, which are the header of the ELF file before a NULL byte.

It is possible to test whether files, folders or symlinks exist: a path that exists returns an empty response, while a path that does not exist returns a JSON 404 error.
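
The traversal above works because the server does not confine the resolved path to its document root. The following C sketch of such a check is an added example, not code from the camera firmware or from the original page; the function name `safe_join` and the document root `/www` are assumptions, and the request paths are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Join a request path onto a document root, refusing any path whose ".."
 * segments climb above the root. Purely lexical: assumes the path is already
 * percent-decoded and does not resolve symlinks inside the root.
 * Returns 0 on success, -1 on rejection or if out is too small. */
int safe_join(const char *root, const char *req, char *out, size_t outsz)
{
    size_t rootlen = strlen(root), len = rootlen;
    int depth = 0;                       /* segments currently below root */

    if (rootlen + 1 > outsz) return -1;
    memcpy(out, root, rootlen + 1);
    while (*req) {
        size_t seglen = strcspn(req, "/");
        if (seglen == 0) { req++; continue; }   /* separator or extra slash */
        if (seglen == 2 && req[0] == '.' && req[1] == '.') {
            if (depth == 0) return -1;   /* would escape the root: refuse */
            while (out[len - 1] != '/')  /* drop the last segment ... */
                len--;
            out[--len] = '\0';           /* ... and its leading slash */
            depth--;
        } else if (!(seglen == 1 && req[0] == '.')) {
            if (len + seglen + 2 > outsz) return -1;
            out[len++] = '/';
            memcpy(out + len, req, seglen);
            len += seglen;
            out[len] = '\0';
            depth++;
        }
        req += seglen;
    }
    return 0;
}

int main(void)
{
    /* Constructed requests; "/www" is a hypothetical document root. */
    const char *reqs[] = { "/sony/orb-client.min.js",
                           "/sony/../../../../etc/dhcpd.conf" };
    char buf[128];
    for (int i = 0; i < 2; i++)
        printf("%-34s -> %s\n", reqs[i],
               safe_join("/www", reqs[i], buf, sizeof buf) == 0 ? buf : "rejected");
    return 0;
}
```

A lexical check like this has to run after URL decoding, and a server that can follow symlinks out of the root additionally needs to compare the canonicalised path (for example from `realpath`) against the root.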

Filesystem

From using this I have found the following filesystem features:

  /
   bin/
       busybox
   etc/
       dhcpd.conf
   lib/
   log/
   root/
   sbin/
   tmp/
   usr/
       bin
       sbin
   var/
   version.txt

dhcpd.conf is the default configuration file provided with ISC dhcpd.

Send Mode

There are 2 web servers in the “Send” mode, which are on ports 64321 and 60152.

So far I have been unable to put these web servers to any use. However:

  • 60152 is used to provide the UPnP/DLNA XML files.
  • 64321 is used to send the thumbnails and video files that are copied from the camera using the PlayMemories application.

I have uploaded a pcap dump, readable in Wireshark, if anyone is interested in pursuing this further.

sony-hack/server.txt · Last modified: 2015/08/10 19:12 by vitaliy_kiselev