Finally, we found a rather interesting bug in one of the scripts of the camera. What this script is actually responsible for, we aren't really sure, but its existence got our attention because there are other AXIS vulnerabilities in this file in other cameras. During our fuzzy efforts, we found that the camera would reboot after making the following request more than 129 times. Once we made that final request, the camera would reboot.
http://192.168.1.101/axis-cgi/buffer/command.cgi?do=start&buffername=<unique buffer name>
Figure 2 Crowbar DoS'ing the camera.