لدينا أنظمة آلية للعملاء ، من أجل إنشاء حساب تقييم وفواتير ، يمكن للعملاء التجديد عن طريق الدفع عبر الإنترنت على الموقع الإلكتروني. - لدينا أكثر من 9000 قناة HD و ...
so our following discuss is gonna be Tremendous interesting seeking ahead to this and We have got another Are living demo we are gonna study tips on how to mess with your Sensible TV system and i am guessing most likely ensure it is do things that it was not meant to at first is always that appropriate that's outstanding superb perfectly ideally it does every little thing that it absolutely was supposed for today ideal yeah all ideal all suitable ready to go all proper perfectly let's provide a large big party monitor welcome to Felix and let's get this factor commenced ok um can it be on are we even now gotta get the online video put in place up for the reason that I need to explain to you live how to exploit the system etc so I brought a box but we have to change to the online video projector between so we remain working on it alright lit up listed here we go all right there isn't any seem starts off really very well That is how my story commences who really is aware what it's sorry that is definitely Tata which is a German Tv set series It truly is against the law sequence It truly is almost as old as Columbo the one variance is that they remain making shows and It truly is nevertheless working so when some German households it's a tradition that once the weekend is above on Sunday night quarter previous eight you sit back you turn on the main Tv set channel which was at any time there and that is however there and you simply watched the exhibit new episode and because it's a custom It is also a thing that my spouse And that i love to do and we moved to a different nation a several years back and regrettably we ended up not able to see this exhibit anymore and It can be sort of unfortunate and that's the beginning of the Tale so where by my my identify is Felix Lida and my passion is always to choose points aside and to set other matters jointly that help to acquire points aside Aside from that I'd wish to be out during the snow or within the h2o and to explain you a little much more what I suggest by taking points apart I like to hunt bugs and malware and obtain them I also choose to exploration spouse takeovers and countermeasures and I'm intensely linked to the unaired undertaking throughout my day occupation I operate all around cellular menace investigate at a really nice organization called Blue Coat but this research I am presenting is don't just my own get the job done you are aware of every single investigation has some supporters and In such cases it's a gaggle of people from firm termed enzymes plus they served me with this Hence the qualifications of your Tale is that we experienced this box a Western Digital Tv set lifetime hub I actually have just one on phase right here and It is it's an extremely great piece of hardware basing tends to make your dumb Television sensible and When you have a smart Television you obtain much more providers and much more alternatives to try and do things the thing is in this article as HDMI output There's also two USB ports it supports Wi-Fi then and unit Television attach a keyboard and things like this but what is far more interesting is as the instant it appears to be a lot more like an Apple Television set or anything such as this Furthermore, it contains a just one terabyte harddisk in there and that is kind of neat since You'll be able to upload all of your motion pictures It is really all on a single product you don't have to have an extra storage like an ass or one thing making sure that's incredibly effortless the processor in There exists quite of slower to MIPS processor but It is also not to blame for participating in the movie truly the codecs are all and hardware within the method and so they Be certain that it is possible to Perform the films quick more than enough back again for the story so this box previously has all kinds of companies on there which might be very nice like YouTube and Spotify and stuff such as this and after we did not have this TV show you are not tada laughter for a while my wife essentially claimed you know you happen to be constantly breaking things The full time why You should not you for as soon as do a little something useful using this type of and place my favourite exhibit on this box and you realize when your wife asks you anything such as this you greater be sure to make sure you her actually I hope my spouse isn't below simply because she would in all probability comment effectively what Are you aware of regarding how to please me well that is another Tale all right alright so let's get started now before we commence we also are planning to release the modifications that We have now done for the firmware so we'd like a disclaimer this is for instructional or study reasons provided that you do what We now have finished in this article and also you break your box it is not our fault and we won't have people are not able to assist You furthermore may if you employ any kind of DRM keys and so forth within the Box it isn't our fault ok much to the disclaimer um initial step initial try was we did in offline in Assessment in the disk that is in there in essence taken it out plugging it into Laptop or computer see what's on there and it started incredibly quite Fortunate we located a private partition on there but just after a couple of minutes we observed around's basically nothing at all very little of relevance on that partition just some offline storage for Spotify and hope htb and besides that there is only the partition that holds all the info all the videos that we add and swap so that was almost nothing regretably bad endeavor getting some pressure presently from my spouse for losing time 2nd move this box has an update mechanism it mechanically reaches out to Western Electronic to check if there is a new firmware and if there is it asks in order to set up it and it does all of that routinely you can even obtain the firmware manually for those who go for their support webpage and find out what's within the update so once we down load all of this we noticed that there's a zip file and during the zip file We now have 5 various other data files and two that appear to be extremely attention-grabbing a single is usually a bin file and a person is known as bi – They're one hundred fifty megabytes Continue reading roughly and we wish to find out if we discover something which we can recognize in there and fortune we did there's a squash FS filesystem in there but it really's at offset 32 so I nevertheless will need a lot of people consuming with me tonight so you will get a beer if you can reply what the main 32 byte is likely to be when you guess right any Strategies what the 1st 32 byte before the extra file process impression our signature Excellent who stated it first all right return afterwards to me out bio bio beer perfect yeah it turns out It is really an md5 signature of The complete impression and so we began exploring this a bit more carefully how the photographs appear like and actually Whatever you see is you have two distinct illustrations or photos that compose The entire operating system over the unit it's a Linux procedure during which a single is the root filesystem mainly for everything from root downwards it's got an conclusion signature including the sizing and with the pretty starting just like the gentleman just described there is certainly the md5 of The full impression this md5 is then also appended to the next picture which is often mounted at /decide which yet again has One more signature while in the very entrance to be certain they all fit alongside one another and nothing at all's damaged and those two collectively essentially make up the picture now let's explore the articles which is a little bit little bit smaller I realize that so I will clarify it around the remaining aspect you see the principle graphic the basis graphic and it's the same old init approach which initializes The entire device it has a config file with some static config and it's got A different file with md5sum d5s With this presentation looks like Western Electronic likes md5 on the ideal facet there is the OP folder and there was 1 intriguing folder called Website server which essentially looked quite attention-grabbing so with this there was enough facts to actually modify the box but we were being a little bit hesitant about no matter if we should just modify the firmware and upload a brand new a single for The main reason that we weren't absolutely sure should they didn't have much more md5 checks there and it appeared like that they had a lot so we were a tiny bit hesitant to switch the firmware and maybe just break that solitary device that we experienced the opposite option was let us go hunt for many vulnerabilities may acquire a lot more time but it's also much more enjoyment correct ok so a vulnerability getting very first thing was to look at the webserver um this point incorporates a webserver allow me to also promptly change to in which We have now Firefox below we have Firefox and this is everyday living over the box now so you see that's the accessibility for those who whenever you log in you plus the password is admin Incidentally if you log in you will get a handheld remote control but You can even alter the password and the like to ensure that glance kind of promising and Thankfully the PHP which is utilised to change every one of the configuration will not be encoded encrypted or something It is really just They can be in simple in order that's often a very good commence you already know starting from the net server SQL injection which was the very first endeavor and as you may see there's a very wonderful SQL statement at The underside and that is made up of parameters ideal with the get requests like entry ID language ID fantastic and that's working with SQLite so Here is the statement that could essentially make an SQLite database that is at the same time an SQLite and a legitimate PHP file does any have anyone right here have encounter With all the PDO databases driver anyone around here what is the condition don't see it PDO only allows 1 statement at a time and we needed to inject 5 statements below so regrettable did not do the job and perhaps if it experienced worked we learned later that this Element of the file devices in fact read through only so no probability in any way bummer alright outside of the webserver keep track of subsequent detail to try was distant file inclusion and what we found out is you can find an remote file inclusion or a file inclusion chance determined by the language which can be saved inside the cookie so allow me to swap back again to the world wide web server and you will see you there You will need to enter a password and down listed here You need to can select the language ok I've a cookie editor up below and when we refresh it you'll be able to see there's a language ID of three in right here so we have been thinking ok can we just modify this including some dots adding some slashes they push the proper button screens a bit far-off yeah I did In order you could see now we get an error information stating oh it did not locate the file open up or PHP and then we thought ok um why not simply upload a file named house dot PHP towards the folder that we will access via SMB then modify the cookie to point to that and really can work out the path just by considering the firmware okay I press the wrong button sorry the cookie editor is de facto compact and It truly is tough to begin to see the monitor truly from here alright Wow wonderful now we received a PHP shell so Individuals of you who may have worked with PHP shells know that they are pain during the ass correct so the very first thing you ought to do is try out to determine if there's telling it on there and really tell it had been on there so we wish to activate it and get on into the box and I have to confess my background is normally not an excessive amount the embedded devices but more much like the PC world and typically whenever you own the world wide web server another matter you are doing is give thought to privilege escalation all ideal so um identical detail here let's go and switch it into the box and so as to know like from which it depend to him escaped or to have the privileges initially you figure out which account you are and oh hey We've Ruud already this was considerably less difficult than I expected but you can also see my stupidity over the monitor because actually the PHP shell previously informs you that you're route okay pleasant so this was just the start because we had been ready to get route but a lesson that I experienced to discover over the experience is You should not begin with SQL injection Will not begin with a distant file inclusion Do not begin with SQLite privilege a privilege escalation things such as this look for the really low hanging fruits so investigating the graphic label additional I discovered that truly the fellows from Western Digital experienced put up a symlink in the Net service root directory proper for the disk so it wasn't even essential to add or to try to take advantage of the technique and I'm not quite confident if they have got just overlooked it or whether or not they preferred to really make it basic for people today because if I just say user keep or PHP and that is priya authentication no authentication at this time I also have the shell just in a distinct directory ah that is great so but I assumed effectively if It is really that effortless we almost certainly find far more things so hum In case you have seen the main chat this early morning hacking 22 factors in forty five minutes it absolutely was an excellent talk the guys have taken a part the Google TV up to now plus they went for UART so we experimented with exactly the same we also had a glance to the board and tried using to determine wherever our pins or the place our soloing factors where we may well increase some pins and we discovered there are two pins that really are candidates you see them both equally in the picture here and a little bit of measuring all-around and things such as this we discovered which the just one in the entrance that's nearer towards the chasis which is essentially a regular u art which are X you will find tx2 ground and also a three.
3 volt pin and Here is the warning if you wish to Do this at your house it is a 3.
three volts and also your Computer system is 5 volts you could melt away either your Personal computer it is possible to burn off the box or you can melt away there for example USB to UART converter I have burned three there was there was my lesson realized of not shopping for affordable things from Taiwan so what do you can get Once you attach a serial console so any time you place up you have all types of information about the program in which the graphic is saved what else is where configurations what exactly is presently loaded which motorists are loaded and actually when you have the program up and running and find out the monitor with the process so you drive a button to the handheld remote control or something it informs you precisely which button you might be pressed and which steps are taken so as to get there so this is ideal debugging perfect when it had been finished umm the thing is some thing like this I told you they like md5 so you see an md5 and you see login what is the password that's an opportunity for profitable One more beard tonight gentleman it's not that uncomplicated it isn't as simple as hacker as admin as OAM root or one thing these fellas like md5 let us have a look sorry md5 half which at yeah It is shut but it's actually not quite It really is a little more sophisticated basically I talked to another dude a few minutes earlier he stated really at least I did another thing appropriate but let us have a more in-depth look so um the shadow file that actually exists in TMP shadow and et Cie shadow is simply a link to that and we discovered the hash in there and commenced to to the Ripper certainly due to the fact we wish to learn what it truly is but that doesn't did not get us incredibly significantly speedily so we started off investigating a little bit nearer and I instructed you the serial line is quite beneficial for debugging there was basically one particular line stating password for root improved as it is possible to see from the screenshot there also like other info but like which modules are started off before which modules are started out and loaded following many things similar to this so this was actually beneficial to trace triage which module which method was in fact responsible for this there is a tool identified as G bus examine serial amount and that is situated in a folder that is not within the original firmware picture It really is essentially an encrypted addition to the file method employing AES encryption which can be afterwards amount of money to utilize an area s pin and listed here you find some stability by obscurity because it's situated in slash dwelling slash file and that is containing a great deal of attention-grabbing details I've also place the knowledge below the way you can actually extract the AES essential but I am not heading to go into the details which is extra for reference so This is how it seems to be visually We've got in the house folder a file code file we have the AES critical in ROM and Later on stuff is extracted to some folder or mounted into a entire a person community s bin and We now have this method and there is also A different program in there that is thirteen megabytes in dimension referred to as DMA OSD considering that This can be an encrypted folder we now assumed this is probably pretty pursuits issue let's have a more in-depth glimpse but let's get again to what is the password so when We've got This system we were in fact ready to reverse engineer the cheapest beats arena and we found out it's accomplishing a technique call some method functionality get in touch with not a method phone where the serial figures applied the md5 of that is actually produced and it is the password how do you receive the serial selection Possess a think about the box yeah there's actually A neater way Use a think about the login display screen because the serial amount may be the md5 correct in front of login I did not deliver the serial cable or I in fact brought a co a cable but since I blue display my windows some situations Using the serial cable I don't want to try it out in this article we could check out it out with Linux later since that works significantly better but I even now desire to demo for you men how this basically looks like all right login here's the password