https://www.Exploitee.rs/index.php?title=Netgear_NTV200-100NAS%E2%80%8B&feed=atom&action=history
Netgear NTV200-100NAS - Revision history
2024-03-29T08:29:00Z
Revision history for this page on the wiki
MediaWiki 1.37.2
https://www.Exploitee.rs/index.php?title=Netgear_NTV200-100NAS%E2%80%8B&diff=2573&oldid=prev
Resno: Text replacement - "gtvcom-20" to "exploiteers-20"
2016-02-07T01:22:40Z
<p>Text replacement - "gtvcom-20" to "exploiteers-20"</p>
<table style="background-color: #fff; color: #202122;" data-mw="interface">
<col class="diff-marker" />
<col class="diff-content" />
<col class="diff-marker" />
<col class="diff-content" />
<tr class="diff-title" lang="en">
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">← Older revision</td>
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">Revision as of 01:22, 7 February 2016</td>
</tr><tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l7">Line 7:</td>
<td colspan="2" class="diff-lineno">Line 7:</td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>== Purchase ==</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>== Purchase ==</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>Buying devices is expensive and, in a lot of cases our testing leads to bricked equipment. If you would like to help support our group, site, and research please use one of the links below to purchase your next device.</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>Buying devices is expensive and, in a lot of cases our testing leads to bricked equipment. If you would like to help support our group, site, and research please use one of the links below to purchase your next device.</div></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>[http://www.amazon.com/gp/product/B007YW4EQ8/ref=as_li_tl?ie=UTF8&camp=1789&creative=390957&creativeASIN=B007YW4EQ8&linkCode=as2&tag=<del style="font-weight: bold; text-decoration: none;">gtvcom</del>-20&linkId=AIOKVF6HQHOWDCZI Purchase the Netgear NTV200-100NAS at Amazon]</div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>[http://www.amazon.com/gp/product/B007YW4EQ8/ref=as_li_tl?ie=UTF8&camp=1789&creative=390957&creativeASIN=B007YW4EQ8&linkCode=as2&tag=<ins style="font-weight: bold; text-decoration: none;">exploiteers</ins>-20&linkId=AIOKVF6HQHOWDCZI Purchase the Netgear NTV200-100NAS at Amazon]</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>== UART Pinout ==</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>== UART Pinout ==</div></td></tr>
<!-- diff cache key gtvhack_wiki:diff::1.12:old-2202:rev-2573 -->
</table>
Resno
https://www.Exploitee.rs/index.php?title=Netgear_NTV200-100NAS%E2%80%8B&diff=2202&oldid=prev
Zenofex: 1 revision: Moving from DC22 to main site.
2014-08-17T08:22:53Z
<p>1 revision: Moving from DC22 to main site.</p>
<table style="background-color: #fff; color: #202122;" data-mw="interface">
<col class="diff-marker" />
<col class="diff-content" />
<col class="diff-marker" />
<col class="diff-content" />
<tr class="diff-title" lang="en">
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">← Older revision</td>
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">Revision as of 08:22, 17 August 2014</td>
</tr>
<!-- diff cache key gtvhack_wiki:diff::1.12:old-2201:rev-2202 -->
</table>
Zenofex
https://www.Exploitee.rs/index.php?title=Netgear_NTV200-100NAS%E2%80%8B&diff=2201&oldid=prev
CJ: /* Exploitation */
2014-08-07T02:11:00Z
<p><span dir="auto"><span class="autocomment">Exploitation</span></span></p>
<p><b>New page</b></p><div>__FORCETOC__<br />
{{Disclaimer}}<br />
[[File:NetgearNeoTV.jpg|200px|left|thumb]]<br />
[[Category:Media Players]]<br />
This page will be dedicated to a general overview, descriptions, and information related to the Netgear NTV200-100NAS media player.<br />
<br />
== Purchase ==<br />
Buying devices is expensive and, in a lot of cases, our testing leads to bricked equipment. If you would like to help support our group, site, and research, please use one of the links below to purchase your next device.<br />
[http://www.amazon.com/gp/product/B007YW4EQ8/ref=as_li_tl?ie=UTF8&camp=1789&creative=390957&creativeASIN=B007YW4EQ8&linkCode=as2&tag=gtvcom-20&linkId=AIOKVF6HQHOWDCZI Purchase the Netgear NTV200-100NAS at Amazon]<br />
<br />
== UART Pinout ==<br />
<gallery><br />
File:Ntv200-uart.jpg<br />
</gallery><br />
<br />
== Exploitation ==<br />
<br />
After extracting the firmware by dumping the NAND flash and analyzing it, we discovered a flaw that allowed code execution as root. This one is a bit more complex than others, but it is still very straightforward to do.<br />
<br />
All of the "apps" on the device (Flash applets) are downloaded from this URL: http://updates1.netgear.com (yes, it's plain HTTP)<br />
<br />
Using dnsspoof, we can spoof the DNS answer for that hostname so that it points to a web server that we control.<br />
<br />
On that webserver, create the directory structure outlined below:<br />
<br />
<pre><br />
/ntv200/us/game/<br />
</pre><br />
<br />
Since we will be using the Texas Hold'em app to gain root, download this file and place it in that folder: http://updates1.netgear.com/ntv200/us/game/texas.tar<br />
<br />
This is a two-step process:<br />
*Step 1<br />
**Place a symlink labeled "hackme" pointing to /<br />
*Step 2<br />
**Drop the actual payload through the symlink<br />
<br />
First, modify texas.tar: add a symlink named hackme pointing to /.<br />
Save the modified archive as texas.tar in the directory above, then click the Texas Hold'em app. The screen will go black; hit Home a few times. Then delete that texas.tar and replace it with the new texas.tar that is created below:<br />
<br />
Modify the tar, replacing the symlink with a folder structure:<br />
<pre><br />
/hackme/mnt/pstor/ <br />
</pre><br />
In that directory, add a file called rcc.user that calls telnetd:<br />
<br />
<pre><br />
FIX---------<br />
telnetd<br />
</pre><br />
This file is run via bash as root and will persist at every boot. Log in using the username root, no password!</div>CJ
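The second archive above contains no absolute path and no "..", so a name-only check passes it; the write escapes only because the hackme link from the first archive is already on disk. As an added example (not code from the original page or from the device firmware), this Python check audits an archive before unpacking by resolving every entry against the real destination directory. The names `audit_members`, `build_tar` and `demo` are hypothetical, the archives are constructed in memory, and the planted link points at a scratch directory rather than /.

```python
import io
import os
import tarfile
import tempfile


def audit_members(tar, dest):
    """Return (name, reason) for each entry that could write outside dest."""
    root = os.path.realpath(dest)
    problems = []
    for m in tar.getmembers():
        # Where the entry lands once symlinks already on disk are followed.
        landing = os.path.realpath(os.path.join(root, m.name))
        if os.path.commonpath([root, landing]) != root:
            problems.append((m.name, "path resolves outside destination"))
        elif m.issym() or m.islnk():
            # Symlinks resolve from the link's directory, hard links from root.
            base = os.path.dirname(landing) if m.issym() else root
            target = os.path.realpath(os.path.join(base, m.linkname))
            if os.path.commonpath([root, target]) != root:
                problems.append((m.name, "link target outside destination"))
    return problems


def build_tar(entries):
    """Constructed sample archive from (name, symlink target or None, data)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, link, data in entries:
            info = tarfile.TarInfo(name)
            if link is not None:
                info.type, info.linkname = tarfile.SYMTYPE, link
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return tarfile.open(fileobj=buf, mode="r")


def demo():
    """Audit both stages in scratch directories; nothing is extracted."""
    payload = [("hackme/mnt/pstor/rcc.user", None, b"placeholder\n")]
    with tempfile.TemporaryDirectory() as dest, \
            tempfile.TemporaryDirectory() as outside:
        stage1 = audit_members(build_tar([("hackme", "/", b"")]), dest)
        # Simulate stage 1 already unpacked; link goes to a scratch dir, not /.
        os.symlink(outside, os.path.join(dest, "hackme"))
        stage2 = audit_members(build_tar(payload), dest)
        benign = audit_members(build_tar([("game/readme.txt", None, b"ok\n")]), dest)
    return stage1, stage2, benign
```

Calling `demo()` returns the findings for the link-planting archive, the write-through archive and a benign archive. The audit only narrows the extraction step; the download itself still needs an authenticated channel or a signature check.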