لدينا أنظمة آلية للعملاء ، من أجل إنشاء حساب تقييم وفواتير ، يمكن للعملاء التجديد عن طريق الدفع عبر الإنترنت على الموقع الإلكتروني. - لدينا أكثر من 9000 قناة HD و ...
so our following speak is gonna be super interesting wanting ahead to this and We have got An additional Stay demo we're gonna understand how to mess with the Clever Tv set procedure and I'm guessing in all probability enable it to be do things that it wasn't intended to originally is that right which is superb fantastic nicely with any luck , it does all the things that it absolutely was intended for these days ideal yeah all right all appropriate all set to go all appropriate perfectly let's give a huge large social gathering observe welcome to Felix and let's get this issue started off ok um can it be on are we nevertheless gotta receive the movie put in place up since I choose to provide you with Stay how to use the process and the like so I brought a box but we must switch to a online video projector between so we remain focusing on it alright lit up listed here we go okay there's no seem starts off quite well That is how my story starts who in fact knows what it truly is sorry that may be Tata that is a German Television sequence It can be a criminal offense series It is Nearly as outdated as Columbo the only big difference is they remain developing displays and It can be however jogging so when some German households it's a tradition that after the weekend is in excess of on Sunday night quarter previous 8 you sit back you turn on the first Television channel that was at any time there and that's continue to there therefore you viewed the present new episode and as it's a tradition it's also something that my wife and I love to do and we moved to a distinct state a few years back and unfortunately we were being unable to see this clearly show any more and It is sort of sad and that is the start of the Tale so exactly where my my title is Felix Lida and my passion would be to take factors aside and also to put other points with each other that assistance to consider matters apart In addition to which i'd want to be out during the snow or from the h2o and to elucidate you a little bit much more what I indicate by taking matters apart I wish to hunt bugs and malware and accumulate them I also like to analysis lover takeovers and countermeasures and i am heavily involved with the unaired project during my working day job I function close to cell risk investigation at a very wonderful enterprise termed Blue Coat but this study I'm presenting is not only my very own perform you are aware of each investigation has some supporters and In such a case It can be a gaggle of men and women from business known as enzymes plus they aided me using this type of so the qualifications of your Tale is the fact that we experienced this box a Western Electronic Television set existence hub I actually have one on stage below and It truly is It truly is a very fantastic piece of hardware basing will make your dumb Television wise and When you've got a sensible TV you receive a lot more products and services and even more alternatives to complete stuff the thing is below as HDMI output You will also find two USB ports it supports Wi-Fi then and unit TV attach a keyboard and stuff such as this but what's extra attention-grabbing is since the moment it looks more like an Apple Television or one thing such as this In addition it has a 1 terabyte harddisk in there and that's form of neat due to the fact then you can add all your films It is really all on one particular system You do not have to have an additional storage like an ass or a little something to ensure's really convenient the processor in There's quite of slower to MIPS processor but It is also not answerable for enjoying the movie really the codecs are all and components over the system and they Be sure that you could play the videos speedy more than enough back again to the story so this box now has a myriad of products and services on there that are really great like YouTube and Spotify and stuff such as this and following we didn't have this TV demonstrate you are not tada laughter for a while my spouse actually explained you know you might be usually breaking stuff The entire time why Will not you for at the time do some thing beneficial using this and place my beloved clearly show on this box and you are aware of Whenever your spouse asks you a little something like this you greater make sure you remember to her really I hope my wife is not below simply because she would possibly comment properly what Did you know about how to make sure you me well that is a unique Tale all right alright so let's start off now before we start we are also intending to launch the modifications that Now we have performed for the firmware so we'd like a disclaimer That is for educational or investigate reasons only if you are doing what we have performed below and you split your box it's not our fault and we will not have people today are unable to assistance Additionally you if you use any sort of DRM keys etc on the Box it isn't really our fault ok a great deal of to the disclaimer um initial step first try was we did in offline in Examination from the disk that's in there mainly taken it out plugging it into Laptop or computer see what is actually on there and it started out really quite Blessed we found a private partition on there but right after a couple of minutes we uncovered in existence's in fact nothing at all very little of relevance on that partition just some offline storage for Spotify and hope htb and Apart from that there's just the partition that retains all the data many of the movies that we add and swap so that was absolutely nothing unfortunately undesirable endeavor receiving some strain previously from my spouse for squandering time second step this box has an update mechanism it immediately reaches out to Western Digital to check if there is a new firmware and if there is it asks if you want to install it and it does all of that automatically you can also download the firmware manually if you go for their aid page and see what is while in the update so the moment we download all this we observed that there's a zip file and within the zip file Now we have five various other documents and two that appear like extremely interesting a person is really a bin file and just one is referred to as bi – they are one hundred fifty megabytes approximately and we wish to check if we discover something which we could realize in there and fortune we did there's a squash FS filesystem in there but it really's at offset 32 so I still need a number of people ingesting with me tonight so you can get a beer if you can respond to what the first 32 byte may very well be when you guess correct any ideas what the initial 32 byte prior to the extra file program impression our signature Superb who explained it first all suitable return later to me out bio bio beer fantastic yeah it seems It really is an md5 signature of The full image and so we started out researching this a little more closely how the images appear to be and truly Everything you see is you have two diverse photos that compose The complete operating method on the machine it is a Linux program wherein 1 is the basis filesystem essentially for anything from root downwards it's got an end signature including the size and at the incredibly starting like the gentleman just described there is certainly the md5 of The complete impression this md5 is then also appended to the next impression which is usually mounted at /opt and this all over again has A further signature within the pretty front to be certain they all in shape jointly and absolutely nothing's broken and people two collectively fundamentally make up the impression now let's explore the content that's a bit little bit tiny I realize that so I will make clear it over the left side the thing is the leading image the foundation picture and it's the standard init approach which initializes the whole machine it's got a config file with some static config and it's got One more file with md5sum d5s Within this presentation looks like Go to this site Western Electronic likes md5 on the best facet there's the OP folder and there was a single exciting folder called World-wide-web server which actually appeared very exciting so with this particular there was plenty of details to truly modify the box but we have been a tiny bit hesitant about whether we should just modify the firmware and upload a fresh one for the reason that we were not guaranteed should they did not have much more md5 checks there and it seemed like they had a whole lot so we were a tiny bit hesitant to switch the firmware and maybe just crack that single product that we had the opposite selection was let us go hunt for a few vulnerabilities could acquire much more time but it's also far more enjoyable ideal ok so a vulnerability obtaining first thing was to consider the webserver um this thing includes a webserver allow me to also quickly change to the place We now have Firefox right here We've got Firefox which is lifestyle within the box now so you see that is the accessibility in case you once you log in you and the password is admin Incidentally whenever you log in you have a handheld remote control but It's also possible to change the password and so forth to ensure seem style of promising and fortunately the PHP that is definitely used to vary many of the configuration is just not encoded encrypted or just about anything It truly is just they are in plain to ensure that's constantly a great start you know ranging from the internet server SQL injection that was the 1st try and as you are able to see there is a quite awesome SQL assertion at The underside and that is composed of parameters suitable from your get requests like entry ID language ID great and that is applying SQLite so Here is the statement that could basically develop an SQLite databases which is concurrently an SQLite and a sound PHP file does any have any person right here have practical experience Using the PDO database driver any individual about here what is actually the problem You should not see it PDO only allows just one statement at a time and we wanted to inject five statements in this article so regrettable did not get the job done and in some cases if it had worked we learned afterwards this A part of the file devices actually read through only so no prospect in any way bummer alright past the webserver track subsequent factor to test was remote file inclusion and what we discovered is you can find an distant file inclusion or maybe a file inclusion risk based upon the language and that is stored while in the cookie so allow me to switch again to the web server and you may see you there You should enter a password and down in this article you have to can choose the language ok I have a cookie editor up below and when we refresh it you are able to see there is a language ID of 3 in in this article so we have been questioning all right can we just modify this introducing some dots introducing a few slashes they press the proper button screens a tiny bit far away yeah I did so as it is possible to see now we get an mistake information expressing oh it failed to locate the file open up or PHP after which you can we considered alright um why not simply upload a file called dwelling dot PHP on the folder that we are able to entry by using SMB then modify the cookie to place to that and truly can calculate the path just by considering the firmware okay I push the incorrect button sorry the cookie editor is actually modest and It can be hard to see the monitor essentially from below ok Wow wonderful now we bought a PHP shell so All those of you who've labored with PHP shells know that they are discomfort in the ass suitable so the very first thing you should do is check out to figure out if you will find telling it on there and really inform it had been on there so we want to activate it and have on for the box and I have to admit my qualifications will likely be not far too much the embedded products but a lot more such as Computer entire world and typically once you own the online server another detail you do is take into consideration privilege escalation all suitable so um same matter right here let us go and turn it into your box and in order to know like from which it depend to him escaped or to find the privileges first you determine which account you happen to be and oh hey We now have Ruud by now this was considerably simpler than I expected but you can also see my stupidity over the display simply because actually the PHP shell presently informs you that you're route okay great so this was only the start since we were being in the position to get route but a lesson that I had to discover in the practical experience is don't get started with SQL injection Do not start with a distant file inclusion Really don't begin with SQLite privilege a privilege escalation things such as this try to look for the really lower hanging fruits so investigating the graphic label even more I discovered that truly the guys from Western Digital had set up a symlink in the World wide web support root directory proper for the disk so it was not even necessary to upload or to test to take advantage of the procedure and i am not really sure if they have just neglected it or whether or not they desired to really make it basic for men and women since if I just say consumer hold or PHP and that is priya authentication no authentication at this stage I also have the shell just in another directory ah which is awesome so but I thought perfectly if It really is that effortless we almost certainly obtain all the more stuff so hum For those who have observed the initial converse this morning hacking 22 things in forty five minutes it had been an amazing converse the fellows have taken a component the Google Tv set up to now and so they went for UART so we tried out the same we also experienced a look about the board and experimented with to determine where our pins or exactly where our soloing details wherever we may well add some pins and we uncovered that there are two pins that truly are candidates the thing is them each in the image right here and a little bit of measuring about and things like this we learned that the a single within the front that's nearer towards the chasis that's in fact an ordinary u artwork which might be X you will find tx2 floor in addition to a three.
3 volt pin and here's the warning if you want to Do this at your home it is a 3.
3 volts and your Computer system is 5 volts you may burn off either your Personal computer you'll be able to burn off the box or you are able to burn up there for example USB to UART converter I've burned a few there was there was my lesson acquired of not purchasing low-cost stuff from Taiwan What exactly do you get When you attach a serial console so whenever you put up you get all types of specifics of the procedure the place the impression is saved what else is wherever configurations what is currently loaded which drivers are loaded and truly when you have the technique up and managing and see the display of the process and also you thrust a button to the remote control or anything it tells you accurately which button you're pressed and which steps are taken in order to get there so this is perfect debugging ideal when it absolutely was completed umm the thing is a thing like this I informed you they like md5 so you see an md5 and the thing is login what is the password that is an opportunity for winning An additional beard tonight gentleman it's actually not that quick it isn't really as simple as hacker as admin as OAM root or something these fellas like md5 let us have a look sorry md5 50 % which at yeah It truly is close but it isn't fairly It truly is a little bit more complex basically I talked to a different dude a couple of minutes previously he claimed truly no less than I did something right but let us have a more in-depth glimpse so um the shadow file that truly exists in TMP shadow and et Cie shadow is simply a backlink to that and we uncovered the hash in there and began to to the Ripper of course because we wish to understand what it truly is but that doesn't did not get us quite much swiftly so we begun investigating a little nearer And that i informed you the serial line is rather helpful for debugging there was really a single line saying password for root improved as it is possible to see from the screenshot there also like other info but like which modules are started in advance of which modules are started out and loaded right after plenty of things such as this so this was actually useful to trace triage which module which method was essentially chargeable for this there is a tool referred to as G bus browse serial number and that's located in a folder that's not inside the original firmware picture It truly is basically an encrypted addition into the file program employing AES encryption which happens to be afterwards sum to employ an area s pin and in this article you discover some security by obscurity because it's located in slash property slash file and that is that contains many attention-grabbing information I have also set the knowledge here the way you can actually extract the AES critical but I'm not likely to enter the details that is extra for reference so This is how it appears to be like visually We've in the house folder a file code file we hold the AES key in ROM and afterwards things is extracted to a folder or mounted right into a complete a consumer community s bin and We have now this system and there is also An additional system in there which is 13 megabytes in size called DMA OSD given that This really is an encrypted folder we previously considered this is probably very interests thing let us have a closer look but let's get back to exactly what is the password so after We now have the program we were being essentially ready to reverse engineer The most cost effective beats arena and we learned It can be carrying out a program connect with some system function get in touch with not a process phone wherever the serial quantities utilized the md5 of that is really produced and it's the password How does one have the serial quantity Have a very look at the box yeah you can find actually A simpler way Have a very think about the login display screen as the serial variety is the md5 correct in front of login I didn't carry the serial cable or I essentially brought a co a cable but since I blue screen my windows a handful of times Together with the serial cable I don't want to test it out right here we will test it out with Linux later on due to the fact that works far better but I continue to desire to demo for you men how this essentially seems like okay login This is