لدينا أنظمة آلية للعملاء ، من أجل إنشاء حساب تقييم وفواتير ، يمكن للعملاء التجديد عن طريق الدفع عبر الإنترنت على الموقع الإلكتروني. - لدينا أكثر من 9000 قناة HD و ...
so our subsequent speak is gonna be Tremendous amazing seeking ahead to this and we've got A further Reside demo we're gonna understand ways to mess with all your Smart Television set method and i am guessing probably enable it to be do things that it was not meant to originally is always that correct that is superb superb very well ideally it does everything that it was intended for these days right yeah all appropriate all ideal able to go all ideal well let us give a major major party keep track of welcome to Felix and let's get this issue began alright um is it on are we however gotta obtain the video clip set up up since I wish to explain to you Dwell how to use the process and the like so I brought a box but we must swap to your online video projector between so we remain focusing on it alright lit up listed here we go okay there isn't any sound commences very effectively This can be how my story begins who essentially appreciates what it's sorry that's Tata that is a German Tv set collection it's against the law sequence It truly is Pretty much as aged as Columbo the sole change is they remain manufacturing exhibits and it's nevertheless jogging so when some German people it's a custom that following the weekend is about on Sunday evening quarter previous eight you sit back you turn on the first Tv set channel which was ever there and that is however there so you watched the show new episode and as it's a tradition it's also a thing that my spouse and I like to do and we moved to a special region a few years back again and unfortunately we had been unable to see this clearly show anymore and It is sort of unfortunate and that is the start on the story so in which my my identify is Felix Lida and my enthusiasm would be to get points apart and to put other issues alongside one another that enable to just take points apart besides that I'd wish to be out from the snow or during the water and to explain you a little bit extra what I necessarily mean by taking matters apart I prefer to hunt bugs and malware and accumulate them I also like to analysis partner takeovers and countermeasures and i am intensely involved in the unaired job all through my working day task I work around mobile danger study at a very great business called Blue Coat but this study I am presenting is not merely my very own get the job done you realize every research has some supporters and In such a case It really is a bunch of folks from enterprise termed enzymes plus they helped me using this Hence the history from the Tale is the fact that we had this box a Western Electronic TV lifetime hub I actually have one on phase listed here and It can be It truly is an exceptionally fantastic piece of hardware basing can make your dumb Tv set wise and In case you have a wise TV you can get all the more providers plus much more choices to do things the thing is below as HDMI output In addition there are two USB ports it supports Wi-Fi then and device TV attach a keyboard and things like this but what is actually additional interesting is because the moment it appears a lot more like an Apple Tv set or a little something like this Furthermore, it contains a one particular terabyte harddrive in there and that is type of neat simply because You'll be able to add all of your flicks It is all on a single system you don't want an extra storage like an ass or a thing to ensure that's pretty practical the processor in There's quite of slower to MIPS processor but It is also not to blame for participating in the video clip in fact the codecs are all and hardware over the technique they usually Be sure that it is possible to Enjoy the videos fast sufficient again towards the Tale so this box presently has all sorts of companies on there which can be rather good like YouTube and Spotify and Visit website stuff like this and immediately after we didn't have this Tv set demonstrate you are not tada laughter for a while my wife basically claimed you are aware of you might be normally breaking things The entire time why You should not you for at the time do something handy using this and set my beloved display on this box and you are aware of Once your spouse asks you one thing like this you better be sure to make sure you her actually I hope my spouse is not really listed here due to the fact she would possibly remark nicely what Are you aware about how to make sure you me effectively that's a special Tale alright alright so let us get started now prior to we start off we may also be intending to launch the modifications that We now have carried out for the firmware so we'd like a disclaimer This is certainly for academic or investigation functions only if you do what We now have performed right here and you simply break your box it's actually not our fault and we won't have people are unable to assist In addition, you if you employ any kind of DRM keys and the like about the Box it isn't really our fault alright a great deal for the disclaimer um starting point to start with endeavor was we did in offline in analysis of the disk that's in there essentially taken it out plugging it into computer see what's on there and it started quite pretty Blessed we found a private partition on there but immediately after a couple of minutes we located on the market's essentially absolutely nothing very little of relevance on that partition just a few offline storage for Spotify and hope htb and Moreover that there's just the partition that holds all the info every one of the films that we add and swap so that was nothing unfortunately negative try finding some force currently from my spouse for throwing away time next step this box has an update mechanism it immediately reaches out to Western Digital to examine if there's a new firmware and if there is it asks if you want to put in it and it does all of that instantly you can also down load the firmware manually for those who go for their help page and see what's within the update so after we obtain all of this we saw that there is a zip file and from the zip file We have now 5 unique other files and two that appear to be extremely appealing one can be a bin file and a person is named bi – They may be 150 megabytes roughly and we wish to find out if we find a thing that we will understand in there and fortune we did there's a squash FS filesystem in there but it's at offset 32 so I however have to have a number of people drinking with me tonight so you receive a beer if you can solution what the first 32 byte may very well be when you guess suitable any Concepts what the first 32 byte prior to the further file system image our signature very good who said it initially all proper return afterwards to me out bio bio beer best yeah it turns out It is really an md5 signature of The full image and so we started exploring this a little bit more closely how the images appear like and actually That which you see is you've got two diverse images that compose The entire functioning program within the product it is a Linux process by which one is the foundation filesystem fundamentally for anything from root downwards it has an end signature such as the dimensions and within the very commencing just like the gentleman just pointed out you can find the md5 of the whole image this md5 is then also appended to the second image which is frequently mounted at /choose and this yet again has A further signature from the quite front to be certain all of them fit collectively and absolutely nothing's broken and those two jointly fundamentally make up the picture now let us check into the material which is somewhat little bit little I know that so I will clarify it to the still left facet you see the key impression the foundation picture and it's got the standard init system which initializes The full device it has a config file with some static config and it's got One more file with md5sum d5s On this presentation looks as if Western Electronic likes md5 on the appropriate facet there is certainly the OP folder and there was just one fascinating folder known as World wide web server which essentially appeared very intriguing so with this there was sufficient info to truly modify the box but we were a little hesitant about no matter if we should just modify the firmware and add a new one for The key reason why that we were not confident if they did not have much more md5 checks there and it seemed like they'd a whole lot so we ended up a tiny bit hesitant to change the firmware and maybe just crack that single device that we had the other option was let's go hunt for some vulnerabilities might take far more time but it's also extra pleasurable correct Alright so a vulnerability getting very first thing was to look at the webserver um this detail provides a webserver allow me to also swiftly switch to exactly where We now have Firefox right here We've Firefox and this is lifestyle to the box now so you see that is the obtain should you when you log in you and the password is admin Incidentally after you log in you will get a handheld remote control but You may as well alter the password and so on to make sure that seem style of promising and Thankfully the PHP that's made use of to alter all of the configuration will not be encoded encrypted or everything It can be just They're in simple to make sure that's normally a superb get started you know ranging from the online server SQL injection that was the initial endeavor and as you can see there's a very wonderful SQL statement at The underside and that is composed of parameters ideal within the get requests like entry ID language ID excellent and that's employing SQLite so This is the assertion that may truly make an SQLite database that is at the same time an SQLite and a sound PHP file does any have anybody right here have encounter Along with the PDO database driver any individual about in this article what is actually the situation Never see it PDO only will allow just one statement at a time and we desired to inject five statements below so regrettable did not do the job and also if it had labored we discovered afterwards that this part of the file programs really browse only so no prospect in any way bummer okay past the webserver observe up coming point to try was remote file inclusion and what we found out is there's an distant file inclusion or maybe a file inclusion probability determined by the language which happens to be saved from the cookie so let me change again to the internet server and you'll see you there you have to enter a password and down below you have to can decide on the language alright I have a cookie editor up listed here and when we refresh it you are able to see there is a language ID of a few in listed here so we had been wanting to know all right can we just modify this including a handful of dots introducing several slashes they push the correct button screens a tiny bit distant yeah I did In order you could see now we get an mistake message stating oh it did not discover the file open up or PHP and after that we imagined okay um why not merely add a file identified as household dot PHP to the folder that we can entry through SMB and afterwards modify the cookie to stage to that and really can determine the path just by looking at the firmware all right I press the wrong button sorry the cookie editor is absolutely little and It can be hard to see the screen truly from below ok Wow good now we got a PHP shell so those of you which have labored with PHP shells know that they are agony in the ass suitable so the first thing you should do is try to determine if there is telling it on there and actually convey to it was on there so we want to activate it and obtain on on the box and I have to confess my track record is generally not an excessive amount of the embedded gadgets but extra similar to the Computer system environment and typically whenever you own the internet server another matter you need to do is give thought to privilege escalation all correct so um identical point right here let's go and switch it to the box and in order to know like from which it depend to him escaped or to get the privileges 1st you figure out which account that you are and oh hey We have now Ruud by now this was significantly simpler than I anticipated but You can even see my stupidity over the display screen due to the fact in fact the PHP shell already tells you that you are route ok wonderful so this was only the start because we had been capable of get route but a lesson that I had to learn throughout the encounter is You should not begin with SQL injection Really don't get started with a remote file inclusion Will not get started with SQLite privilege a privilege escalation stuff such as this look for the seriously minimal hanging fruits so investigating the image label additional I discovered that actually the blokes from Western Digital experienced set up a symlink in the Internet support root Listing ideal to the disk so it wasn't even important to upload or to test to take advantage of the process and i am not pretty positive if they have got just neglected it or whether they needed to make it uncomplicated for people today since if I just say person hold or PHP and that's priya authentication no authentication at this stage I also have the shell just in a distinct directory ah which is nice so but I thought nicely if it's that uncomplicated we probably come across far more stuff so hum Should you have found the main converse this morning hacking 22 things in forty five minutes it was a wonderful talk the blokes have taken a component the Google Television set in past times and they went for UART so we tried the exact same we also experienced a glance over the board and tried to determine exactly where our pins or where our soloing points in which we could include some pins and we uncovered there are two pins that really are candidates the thing is them both in the picture here and a small amount of measuring around and things such as this we learned that the just one during the entrance which is closer to the chasis that is actually an ordinary u artwork which might be X you can find tx2 ground along with a three.
three volt pin and This is the warning if you'd like to Do that in your own home it is a 3.
3 volts along with your Personal computer is 5 volts you could burn off both your PC you can burn the box or you could burn off there for instance USB to UART converter I have burned a few there was there was my lesson discovered of not obtaining low-cost things from Taiwan so what do you can get When you connect a serial console so when you put up you can get all kinds of information about the system exactly where the picture is stored what else is the place configurations precisely what is at this time loaded which drivers are loaded and truly when you have the method up and functioning and find out the display screen of your program and you simply drive a button over the remote control or a little something it informs you accurately which button you happen to be pressed and which steps are taken to be able to get there so this is perfect debugging excellent when it had been completed umm you see a little something such as this I informed you they like md5 so you see an md5 and the thing is login what is the password that is a chance for profitable another beard tonight male it's actually not that effortless it's not as easy as hacker as admin as OAM root or a thing these guys like md5 let us take a look sorry md5 half which at yeah It can be shut but it's not quite It really is a little more subtle essentially I talked to another man a few minutes previously he said in fact a minimum of I did something correct but let us have a better glance so um the shadow file that actually exists in TMP shadow and et Cie shadow is just a hyperlink to that and we uncovered the hash in there and started to over the Ripper clearly since we would like to determine what it is actually but that doesn't failed to get us extremely significantly quickly so we began investigating a bit nearer And that i explained to you the serial line is rather helpful for debugging there was truly a person line saying password for root adjusted as you can see within the screenshot there also like other data but like which modules are commenced ahead of which modules are begun and loaded just after many things similar to this so this was really practical to track triage which module which application was truly accountable for this there is a Instrument identified as G bus read through serial range and that is located in a folder that is not inside of the original firmware picture It is really truly an encrypted addition to the file procedure using AES encryption which is later quantity to utilize an area s pin and here you find some safety by obscurity because it's located in slash home slash file and that's containing plenty of interesting facts I've also place the knowledge here how you can actually extract the AES vital but I'm not likely to enter the small print that is far more for reference so This is how it seems visually Now we have in the house folder a file code file we provide the AES important in ROM and Later on things is extracted to some folder or mounted right into a comprehensive a user regional s bin and We've got this application and there is also A further system in there which happens to be thirteen megabytes in measurement termed DMA OSD due to the fact This is certainly an encrypted folder we already considered this is probably extremely pursuits point let's have a better glimpse but let's get back to what's the password so when We've This system we were being actually capable of reverse engineer the cheapest beats arena and we learned It is executing a procedure phone some system purpose phone not a method phone where by the serial figures employed the md5 of that is definitely created and it is the password how do you have the serial amount Possess a look at the box yeah there is basically A simpler way Have a very look at the login display since the serial variety could be the md5 right before login I didn't provide the serial cable or I actually brought a co a cable but given that I blue display screen my Home windows a few times Along with the serial cable I don't want to try it out in this article we could consider it out with Linux afterwards simply because that works significantly better but I continue to desire to demo to you guys how this truly looks like alright login Here is the password will be the password prompt we wish to login as root we need to duplicate and paste see but you understand so I am gonna kind it right here so You do not see that monitor and It can