Chrome extension that uses vulnerabilities CVE-2021-33044 and CVE-2021-33045 to log in to Dahua cameras without authentication.

Overview

DahuaLoginBypass

Chrome extension that uses vulnerability CVE-2021-33044 to log in to Dahua IP cameras and VTH/VTO (video intercom) devices without authentication.

For other device types (NVR/DVR/XVR, etc.), there is CVE-2021-33045, which cannot be exploited with an ordinary web browser.

These vulnerabilities are likely to be fixed in firmware released after Sept 2021.

Credit for discovering the vulnerabilities: bashis

Installation

Download the .zip file from the releases section.

  1. Extract the folder from this zip somewhere.
  2. Go to Chrome's extensions page ( chrome://extensions ).
  3. Enable the Developer mode option at the top right.
  4. Click Load unpacked and choose the DahuaLoginBypass folder you extracted.

Usage Instructions

Go to the login page of a Dahua IP camera and click the extension's icon to the right of your address bar. This should add a panel with a new button for you to use.
