Authentication Bypass in Dahua Products
CVE-2021-33044 is an identity authentication bypass vulnerability affecting some Dahua products during the login process. The flaw allows an attacker to bypass device identity authentication by constructing malicious data packets. The issue lies in the authentication logic the device applies during login, so access can be obtained without completing the intended identity verification step.
Exploits
6 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos (2 hidden).
This repository is a real exploit project implemented as a Chrome extension for abusing Dahua authentication bypass flaws. It is not part of a larger exploit framework. The active top-level extension is version 4, consisting primarily of manifest.json and background.js; older iterations are preserved in subdirectories (DahuaLoginBypass 1.0, v2, v3, v4), showing the exploit’s evolution. Supporting material includes README.md, a copied advisory in misc/dahua-bypass.txt, and experimental code in misc/extra.js. Core capability: when the user clicks the extension icon on a Dahua login page, background.js injects the loginBypass() function into the active tab. That function identifies likely Dahua login forms using known selectors, inserts a custom control panel into the page, and on button press monkey-patches jQuery.extend and/or Ext.apply so that the login object generated by the page is modified before submission. In the current v4/top-level code, the exploit changes clientType from "Web3.0" to "NetKeyboard", implementing CVE-2021-33044. It then autofills fake credentials (admin / "Not Used") and triggers the page’s normal login button. This is a browser-assisted exploit against the target web UI rather than a standalone scanner. Older versions broaden functionality. Version 1.0 and v2 include two methods: Method 1 for CVE-2021-33044 and Method 2 for CVE-2021-33045. Method 2 forges loopback/local login attributes (ipAddr 127.0.0.1, loginType Loopback, clientType Local, passwordType Plain, password admin). Version 3 improves compatibility by supporting both jQuery.extend and Ext.apply. Version 4 narrows scope to the browser-viable NetKeyboard bypass and explicitly notes that CVE-2021-33045 cannot be exploited with an ordinary web browser for other device classes. The repository does not contain hardcoded external C2 or exfiltration infrastructure. 
Fingerprintable targets are mostly local Dahua device endpoints and parameters: RPC2_Login, RPC2, and cgi-bin/userManager.cgi?action=addUser appear in misc/extra.js, which is experimental code for logging in via Dahua RPC and attempting user creation after bypass. That file demonstrates additional post-auth capability ideas: calling global.login, userManager.getGroupInfoAll, userManager.addUser, and userManager.deleteUser. However, this code is not wired into the main extension and appears to be prototype or abandoned functionality. Overall purpose: provide an operator-friendly browser extension to exploit vulnerable Dahua device login flows directly from the victim device’s web interface, primarily to obtain unauthorized authenticated access to cameras/intercom devices affected by CVE-2021-33044, with historical code and notes for CVE-2021-33045.
This repository is a small standalone Python exploit toolkit for Dahua devices, centered on the CVE-2021-33044 authentication bypass. It contains three executable scripts and a README. The main exploit logic is in dahua_auth_bypass.py, which implements the Dahua RPC2 challenge-response flow against /RPC2_Login, derives the MD5-based login hash using an empty password field, and attempts to obtain a valid authenticated session as admin. If successful, it can optionally perform post-auth RPC2 enumeration through /RPC2, including device type, software version, system information, and full user list retrieval. The same script also includes a fallback default-credential check using common Dahua usernames/passwords. The second script, dahua_exploit.py, is a multi-CVE wrapper. From the visible code, it reuses the same RPC2 auth-bypass and default-credential logic, and the README plus code comments indicate an additional buffer-overflow/DoS test path for CVE-2025-31700/CVE-2025-31701. Because the file content is truncated, the exact overflow endpoint and packet structure are not fully visible, but the script clearly positions itself as a combined vulnerability tester rather than a pure single-exploit PoC. The third script, dahua_scanner.py, is a network discovery and fingerprinting utility. It scans user-supplied hosts/subnets and ports, performs TCP connect checks, probes HTTP/HTTPS root pages for Dahua-specific strings, tests /RPC2_Login behavior, and attempts CGI-based fingerprinting via /cgi-bin/magicBox.cgi?action=getDeviceType and getSoftwareVersion. It also contains helper logic for the same RPC2 hash generation and login testing, indicating it can identify vulnerable or weakly configured devices at scale. Overall, the repository's purpose is offensive security research and validation of Dahua device exposure: discover devices, identify Dahua services, test for CVE-2021-33044/33045 auth bypass, try default credentials, and enumerate device/user information after access. It is not just a detector; it contains working exploit logic that can produce an authenticated session on vulnerable targets.
Repository contains Python PoC tooling targeting Dahua device vulnerabilities, primarily over the Dahua RPC2 HTTP interface and the DVRIP/binary service.
Structure (8 files):
- README.md / SECURITY.md: usage, legal disclaimers, and CVE overview.
- dahua_auth_bypass.py: dedicated exploit for CVE-2021-33044 and CVE-2021-33045. Implements the two-step RPC2 challenge-response flow against /RPC2_Login, but crafts the response hash using an empty password (MD5("admin:realm:")) to obtain an authenticated admin session. Includes fallback default-credential testing and post-exploitation enumeration via /RPC2 methods (magicBox.getDeviceType/getSoftwareVersion/getSystemInfo and userManager.getUserInfoAll).
- dahua_rce.py: DoS/vulnerability probe for CVE-2025-31700 and CVE-2025-31701. Sends oversized JSON fields to /RPC2_Login (HTTP overflow probe) and an oversized DVRIP frame to TCP/37777 (binary overflow probe). Determines likely vulnerability via crash indicators (timeouts, connection resets, 5xx) and by checking HTTP reachability before/after.
- dahua_scanner.py: subnet/host scanner and Dahua fingerprinting utility. Checks open ports, fetches / over HTTP/HTTPS for Dahua signatures, probes /RPC2_Login for realm/random behavior, and includes logic for auth-bypass/default-cred style checks (the full fingerprinting function is truncated in the provided content, but the intent is clear).
- dahua_exploit.py: multi-CVE runner combining the auth-bypass test, default-credential checks, and buffer-overflow probe logic; file content is partially truncated, but visible portions show the same /RPC2_Login challenge/login flow and a run_all() summary output.
Main exploit capabilities:
- Network-based authentication bypass to obtain an admin session token on vulnerable firmware (CVE-2021-33044/33045).
- Post-authentication RPC2 enumeration (device type/version/system info and user list) using the obtained session.
- Network-based overflow-style malformed input probes over HTTP and TCP/37777 intended to cause crash/DoS and infer potential RCE conditions (CVE-2025-31700/31701), though the provided code is primarily a DoS/vulnerability confirmation rather than a full RCE chain.
- Network discovery/fingerprinting and batch testing across subnets and common Dahua ports.
Notable targets/endpoints:
- HTTP: /RPC2_Login (challenge + login + overflow probe), /RPC2 (authenticated method calls), / (reachability/fingerprinting).
- TCP: 37777 (Dahua DVRIP/binary protocol overflow probe).
Overall purpose: a small, standalone (non-framework) toolkit for authorized security testing of Dahua cameras/NVR/XVR devices, covering discovery, auth-bypass exploitation with optional data enumeration, and overflow-based DoS/vulnerability probing.
This repository provides a Chrome extension exploit for authentication bypass vulnerabilities in Dahua IP cameras and related devices, specifically targeting CVE-2021-33044 and CVE-2021-33045. The exploit is implemented as a browser extension, with multiple versions (v1.0 to v4) of the extension present, each with its own background.js and manifest.json. The main exploit logic is in the background.js files, which inject JavaScript into the login page of the target device. The exploit works by overriding JavaScript methods (such as jQuery.extend or Ext.apply) to modify the parameters of the login request, setting values like clientType to 'NetKeyboard' or 'Local', and ipAddr to '127.0.0.1', thereby bypassing authentication checks on vulnerable firmware. The extension provides a user interface to trigger the exploit methods. Additional scripts (misc/extra.js) demonstrate further interaction with the device's API, such as adding users via HTTP endpoints. The repository includes documentation, a detailed README, and a text file (misc/dahua-bypass.txt) with technical details and PoC information. The exploit is a proof-of-concept and requires the attacker to access the device's login page via a browser with the extension installed.
This repository contains a proof-of-concept exploit for CVE-2021-33044, an authentication bypass vulnerability affecting Dahua IPC, VTH, and VTO devices. The main exploit script, 'dahua_bypass.py', is a Python script that sends a crafted JSON payload to the '/RPC2_Login' endpoint of a target device, attempting to bypass authentication as the 'admin' user. If successful, the script prints the response and saves the session token and response data to 'vulnerable.txt'. The repository also includes a README.md with usage instructions. The exploit is network-based and targets Dahua devices accessible over HTTP or HTTPS. No hardcoded IPs or domains are present; the target is supplied as a command-line argument.
This repository contains a proof-of-concept exploit for CVE-2021-33044, an authentication bypass vulnerability affecting Dahua IPC, VTH, and VTO devices. The main file, 'dahua_bypass.py', is a Python script that sends a crafted POST request to the '/RPC2_Login' endpoint of a target device, attempting to bypass authentication by using a default 'admin' username and a placeholder password. If the exploit is successful, the script prints confirmation and saves the session token and response to 'vulnerable.txt'. The repository also includes a README.md with usage instructions and a brief description. The exploit targets network-accessible Dahua devices and requires the attacker to know the device's IP address and port. No hardcoded IPs or credentials are present; the target is supplied as a command-line argument.
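The login-object values the summaries above report the tooling setting (clientType switched to NetKeyboard or Local, loginType Loopback and ipAddr 127.0.0.1 claimed from a remote client, passwordType Plain with password admin) and the oversized-field overflow probes are concrete things a defender can alert on at a reverse proxy in front of a Dahua web UI. The following is an added example, not code from any of the repositories described here: it scans constructed log lines of POST /RPC2_Login requests and flags those indicators. The log line layout, the global.login/params body shape, the 256-byte field threshold and the sample addresses are assumptions.

```python
"""Flag anomalous Dahua /RPC2_Login requests in constructed proxy logs.

Added example, not taken from any repository on this page. Assumed log line
format: "<client_ip> <method> <path> <json_body>", with the body shaped as
{"method": "global.login", "params": {...}, "id": N}.
"""
import json
import re
from dataclasses import dataclass

LOG_RE = re.compile(r"^(?P<src>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<body>\{.*\})$")

# Values the exploit summaries report being injected into the login object.
SUSPICIOUS_CLIENT_TYPES = {"NetKeyboard", "Local"}
LOOPBACK_SOURCES = {"127.0.0.1", "::1"}
MAX_FIELD_LEN = 256  # assumption: legitimate login fields are far shorter


@dataclass
class Finding:
    src: str
    reasons: list


def inspect_login(src: str, params: dict) -> list:
    """Return the list of indicators present in one login request's params."""
    reasons = []
    client_type = params.get("clientType")
    if client_type in SUSPICIOUS_CLIENT_TYPES:
        reasons.append(f"clientType={client_type} from a web client")
    # Loopback/local attributes are only plausible from the device itself.
    if params.get("loginType") == "Loopback" and src not in LOOPBACK_SOURCES:
        reasons.append(f"loginType=Loopback from non-loopback source {src}")
    if params.get("ipAddr") == "127.0.0.1" and src not in LOOPBACK_SOURCES:
        reasons.append(f"ipAddr=127.0.0.1 claimed by {src}")
    if params.get("passwordType") == "Plain" and params.get("password") == "admin":
        reasons.append("plaintext admin password with passwordType=Plain")
    # Oversized string fields match the overflow-probe pattern.
    for key, value in params.items():
        if isinstance(value, str) and len(value) > MAX_FIELD_LEN:
            reasons.append(f"oversized field {key} ({len(value)} bytes)")
    return reasons


def scan_log(lines) -> list:
    """Parse log lines, keep POST /RPC2_Login, and collect findings."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m.group("method") != "POST" or m.group("path") != "/RPC2_Login":
            continue
        try:
            body = json.loads(m.group("body"))
        except json.JSONDecodeError:
            continue  # malformed body; a real deployment would count these too
        params = body.get("params") or {}
        if not isinstance(params, dict):
            continue
        reasons = inspect_login(m.group("src"), params)
        if reasons:
            findings.append(Finding(m.group("src"), reasons))
    return findings


# Constructed sample log: one benign login, three suspicious ones, one non-login call.
SAMPLE_LOG = [
    '10.0.0.5 POST /RPC2_Login {"method":"global.login","params":{"userName":"admin",'
    '"password":"0a1b2c","clientType":"Web3.0","loginType":"Direct"},"id":1}',
    '10.0.0.9 POST /RPC2_Login {"method":"global.login","params":{"userName":"admin",'
    '"password":"Not Used","clientType":"NetKeyboard","loginType":"Direct"},"id":2}',
    '10.0.0.9 POST /RPC2_Login {"method":"global.login","params":{"userName":"admin",'
    '"password":"admin","passwordType":"Plain","clientType":"Local",'
    '"loginType":"Loopback","ipAddr":"127.0.0.1"},"id":3}',
    '10.0.0.13 POST /RPC2_Login {"method":"global.login","params":{"userName":"'
    + "A" * 1000 + '","password":"x","clientType":"Web3.0"},"id":4}',
    '10.0.0.5 POST /RPC2 {"method":"magicBox.getDeviceType","params":null,"id":5}',
]


def main():
    for f in scan_log(SAMPLE_LOG):
        print(f"{f.src}: " + "; ".join(f.reasons))


if __name__ == "__main__":
    main()
```

The loopback checks deliberately compare the claimed attributes against the observed client address rather than matching the values alone, so a genuinely local login by the device's own processes does not fire; tune MAX_FIELD_LEN to the longest legitimate field seen in your own traffic before deploying.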
Recent activity
13 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A specific vulnerability affecting Dahua cameras that was reportedly exploited during scanning and compromise activity against exposed IoT devices.
An authentication/command-related vulnerability affecting Dahua cameras that pro-Iranian actors were reportedly targeting.
An authentication bypass vulnerability affecting Dahua products that was targeted in Iran-linked scanning and exploitation activity against surveillance cameras.
An authentication bypass vulnerability affecting multiple Dahua products that can permit unauthorized access by bypassing authentication controls.