DEF CON 22 – Felix Leder – NinjaTV – Increasing Your Smart TV’s IQ Without Bricking It

Wednesday, April 8, 2020, 16:34


So our upcoming talk is gonna be super great, looking forward to this, and we've got yet another live demo. We're gonna learn about ways to mess with your smart TV system and, I'm guessing, probably make it do things it wasn't intended to originally, is that right? That's correct. Well, hopefully it does everything that it was intended for now, right? Yeah, all right, all right, ready to go? All right, well let's give a huge, huge party track welcome to Felix and let's get this thing started.

All right, um, is it on? We've still got to get the video set up because I want to show you live how to use the system and so on. So I brought a box, but we have to switch to a video projector in between, so we're still working on it. Okay, lit up, here we go. All right, there's no audio. Starts very well. This is how my story starts. Who actually knows what this is? Sorry, that's Tatort, that's a German TV series, it's a crime series, it's almost as old as Columbo, the only difference is that they are still making shows and it's still running. So in some German households it's a tradition that after the weekend is over, on Sunday evening, quarter past eight, you sit down, you switch on the first TV channel that was ever there and that is still there, and you watch the new episode. And because it's a tradition it's also something that my wife and I love to do, and we moved to a different country a few years back and unfortunately we were unable to see this show any more, and that's kind of sad, and that's the beginning of the story.

So, my name is Felix Leder and my passion is to take things apart and to put other things together that help to take things apart. Besides that I'd like to be out in the snow or in the water. To explain a bit more what I mean by taking things apart: I like to hunt bugs and malware and find them, I also like to investigate botnet takeovers and countermeasures, and I'm heavily involved in the Honeynet Project. During my day job I work on mobile threat research at a very cool company called Blue Coat. But this research I am presenting is not only my own work; you know, every piece of research has some supporters, and in this case it's a group of people from a company called [unclear] and they helped me with this.

So the background of the story is that we had this box, a Western Digital TV Live Hub. I even have one on stage here, and it's a really nice piece of hardware: basically it makes your dumb TV smart, and if you have a smart TV you get more options and more possibilities to do stuff. You see here an HDMI output, there are also two USB ports, it supports Wi-Fi, then Ethernet, you can attach a keyboard and stuff like this. But what's more interesting is, while it looks more like an Apple TV or something like this, it also includes a one terabyte hard drive in there, and that's kind of neat because then you can add all your movies, it's all on one device, you don't need extra storage like a NAS or something, so that's very convenient. The processor in there is a rather slow MIPS processor, but it's also not responsible for playing the video; actually the codecs are all in hardware on the device and they make sure that you can play the videos fast enough. Back to the story: this box already has all kinds of services on there which are quite nice, like YouTube and Spotify and things like this, and after we didn't have this TV show, Tatort [laughter], for quite a while, my wife actually said, you know, you're always breaking things the whole time, why don't you for once do something useful with this and put my favorite show on this box. And you know, when your wife asks you something like this you'd better make sure you please her. Actually I hope my wife is not here, because she would probably comment, well, what do you know about how to please me. Well, that's a different story. Okay.

All right, so let's get started. Now before we start: we are also going to release the modifications that we have done to the firmware, so we need a disclaimer. This is for educational or research purposes only. If you do what we have done here and you break your box, it's not our fault and we can't help people, we can't support you. Also if you use any sort of DRM keys and so on for the box, it's not our fault. All right, so much for the disclaimer.

Step one, first attempt: we did an offline analysis of the disk that's in there. Basically took it out, plugged it into a PC, see what's on there, and it started very lucky: we found a private partition on there, but after a few minutes we found out there's actually nothing, nothing of relevance on that partition, just some offline storage for Spotify and [unclear], and besides that there's just the partition that holds all the data, all the movies that we add and swap. So that was nothing, unfortunately. Bad attempt, getting some pressure already from my wife for wasting time.

Next step: this box has an update mechanism. It automatically reaches out to Western Digital to check if there is a new firmware, and if there is it asks if you want to install it and it does all of that automatically. You can also download the firmware manually if you go to their support page and see what's in the update. So once we downloaded all this we saw that there's a zip file, and in the zip file we have five different files, and two that look quite interesting: one is a bin file and one is named bi-. They are 150 megabytes roughly, and we wanted to check if we could find something that we can understand in there, and fortunately we did: there is a squashfs filesystem in there, but it's at offset 32. So I still need some people drinking with me tonight, so you get a beer if you can answer what the first 32 bytes might be. If you guess right, any ideas what the first 32 bytes before the file system image are? Signature, good, who said it first? All right, come to me later, beer. Yeah, it turns out it's an md5 signature of the whole image. And so we started looking into this a bit more carefully, how the images look, and actually what you see is that you have two different images that compose the whole operating system on the device. It's a Linux system in which one is the root filesystem, basically for everything from root downwards. It has an end signature including the size, and at the very beginning, like the man just mentioned, there's the md5 of the whole image. This md5 is then also appended to the second image, which is usually mounted at /opt, which again has another signature at the very front to verify they all fit together and nothing's broken, and those two together basically make up the image.

Now let's look into the content. That's a tad bit small, I know that, so I will explain it. On the left side you see the main image, the root image, and it has the usual init system which initializes the whole machine, it's got a config file with some static config and it's got another file with md5sums. md5s in this presentation, seems like Western Digital likes md5. On the right side there's the opt folder and there was one interesting folder called webserver which actually looked quite interesting. So with this there was enough information to actually modify the box, but we were a bit hesitant about whether we should just modify the firmware and upload a new one, for the reason that we weren't sure if they didn't have more md5 checks in there, and it looked like they had a lot. So we were a bit hesitant to modify the firmware and maybe just break that single device that we had. The other option was: let's go hunt for some vulnerabilities. Might take more time, but it's also more fun, right? All right.

So, vulnerability hunting. First thing was to look at the webserver. Um, this thing has a webserver, let me also quickly switch to where we have Firefox here. We have Firefox which is live on the box now, so you see this is the access: if you log in, and the password is admin by the way, if you log in you get a remote control, but you can also change the password and so on, so that looks kind of promising. And luckily the PHP that is used to change all the configuration is not encoded, encrypted or anything, it's just in plain, so that's always a good start. You know, starting from the web server: SQL injection, which was the first attempt, and as you can see there's a very nice SQL statement at the bottom that is composed of parameters right from the GET request, like entry ID, language ID, great, and that's using SQLite. So here's the statement that would actually create an SQLite database that is at the same time an SQLite and a valid PHP file. Does anyone here have experience with the PDO database driver? Anyone out here? What's the problem? Don't see it? PDO only allows one statement at a time and we needed to inject five statements here. So, unfortunately, didn't work, and even if it had worked we found out later that this part of the file system is actually read-only, so no chance at all. Bummer.

Okay, beyond the webserver. Next thing to try was remote file inclusion, and what we found out is there is a remote file inclusion, or a file inclusion opportunity, depending on the language which is stored in the cookie. So let me switch back to the web server and you can see there you have to enter a password and down here you can select the language. Okay, I've got a cookie editor up here, and when we refresh it you can see there's a language ID of three in here. So we were wondering, okay, can we just modify this, adding a few dots, adding a few slashes, then press the right button. Screen's a bit far away, yeah, I did. So as you can see now we get an error message saying oh, it didn't find the file, something dot PHP. And then we thought, okay, um, why not just upload a file called home dot PHP to the folder that we can access via SMB and then modify the cookie to point to that, and actually you can calculate the path just by looking at the firmware. Okay, I pressed the wrong button, sorry, the cookie editor is really small and it's hard to see the screen actually from here. Okay, wow, great, now we got a PHP shell. So those of you that have worked with PHP shells know that they are a pain in the ass, right? So the first thing you do is try to find out if there's a telnet on there, and actually telnet was on there, so we want to activate it and get onto the box. And I have to admit my background is usually not so much the embedded devices but more like the PC world, and usually when you own the web server the next thing you do is think about privilege escalation. All right, so, um, same thing here, let's go and telnet into the box, and in order to know from which account to escalate, or to get the privileges, first you figure out which account you are, and oh hey, we have root already. This was significantly easier than I expected, but you can also see my stupidity on the screen, because actually the PHP shell already tells you that you are root. All right, nice.

So this was just the beginning, because we were able to get root, but a lesson that I had to learn through the experience is: don't start with SQL injection, don't start with a remote file inclusion, don't start with SQLite, privilege escalation, things like this; look for the really low-hanging fruits. So looking into the image a bit more I found that actually the guys from Western Digital had put up a symlink from the web server root directory right into the disk, so it wasn't even necessary to upload or to try to exploit the system, and I'm not quite sure if they have just forgotten it or whether they wanted to make it easy for people, because if I just say user store dot PHP, and that is pre-authentication, no authentication at this point, I also get the shell, just in a different directory. Ah, that's nice. So, but I thought, well, if it's that easy we probably find even more stuff. So, um, if you have seen the first talk this morning, Hacking 22 Things in 45 Minutes, it was a great talk, the guys have taken apart the Google TV in the past and they went for UART, so we tried the same. We also had a look at the board and tried to figure out where the pins are, or where the soldering points are where we may insert some pins, and we found there are two pins that actually are candidates. You see them both in the picture here, and with a bit of measuring around and stuff like this we found out that the one in the front, which is closer to the chassis, that is actually a standard UART, which has RX, TX, ground and a 3.3 volt pin. And here's a warning if you want to try this at home: it's 3.3 volts and your PC is 5 volts; you can burn either your PC, you can burn the box, or you can burn the, for example, USB to UART converter. I've burned three; that was my lesson learned of not buying cheap stuff from Taiwan.

So what do you get when you attach a serial console? So when you power up you get all kinds of information about the system: where the image is stored, what else is where, configurations, what is currently loaded, which drivers are loaded, and actually when you have the system up and running and see the screen of the system and you push a button on the remote control or something, it tells you just which button you have pressed and which actions are taken in order to get there. So this is perfect debugging, great. When it's done, umm, you see something like this. I told you they like md5, so you see an md5 and you see login. What's the password? That's an opportunity for winning another beer tonight, man. It's not that easy, it's not as easy as hacker, as admin, as root or something. These guys like md5, let's have a look. Sorry, md5 of what? Yeah, it's close, but it's not quite, it's a bit more sophisticated actually. I talked to someone a few minutes before, he said actually, at least I did something right. But let's have a closer look. So, um, the shadow file actually exists in /tmp/shadow, and /etc/shadow is just a link to that, and we found the hash in there and started John the Ripper of course, because we want to see what it is, but that didn't get us very far quickly. So we started looking a bit closer, and I told you the serial line is very useful for debugging: there was actually one line saying "password for root changed", as you can see in the screenshot, there's also other information, like which modules are started before, which modules are started and loaded after, lots of stuff like this. So this was really useful to track, to triage which module, which program was actually responsible for this. There's a tool called gbus read serial number, and that's located in a folder that's not in the original firmware image; it's actually an encrypted addition to the file system using AES encryption which is later mounted to /usr/local/sbin, and here you find some security by obscurity, because it's located in /home/file, and that's made up of lots of interesting information. I've also put the information here how you can actually extract the AES key, but I'm not going to go into the details, that's more for reference. So here's how it looks visually: we have in the home folder a file, code file, we have the AES key in ROM, and afterwards stuff is extracted into a folder or mounted into a full /usr/local/sbin, and we have this program, and there's also another program in there which is 13 megabytes in size called DMA OSD. Since this is an encrypted folder we already thought this is probably a really interesting thing, let's have a closer look. But let's get back to what's the password. So once we have this program we were actually able to reverse engineer the gbus read serial number binary, and we found out it's doing a system call, some system function call, not a system call, where the serial number is used, the md5 of that is generated and it is the password. How do you get the serial number? Have a look at the box. Yeah, there's actually a simpler way: have a look at the login screen, because the serial number is the md5 right in front of login. I didn't bring the serial cable, or I actually brought a cable, but because I blue-screened my Windows a few times with the serial cable I don't want to try it out here; we can try it out with Linux later because that works better, but I still want to demo for you guys how this actually looks. Okay, login, this is the password, it's the password prompt, we want
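Editor's note: the talk describes the WD TV Live Hub firmware as a squashfs image sitting at offset 32, with the first 32 bytes being an md5 "signature" of the image, and explains that the fear of further md5 checks was what kept the speaker from repacking the firmware. The following is an added example by the editor, not code from the talk or from Western Digital's tooling: a small checker that splits such a blob into header and payload, verifies the squashfs magic at offset 32, and recomputes the md5. It assumes (the talk does not say exactly) that the digest covers every byte after the 32-byte header, and the sample image it operates on is constructed inline, not a real firmware.

```python
import hashlib

# Firmware layout as described in the talk: 32 bytes of ASCII-hex md5 followed
# by a squashfs image at offset 32. Assumption (editor's, not stated in the talk):
# the md5 is computed over every byte after the 32-byte header.
HEADER_LEN = 32
SQUASHFS_MAGICS = (b"hsqs", b"sqsh")  # little- and big-endian superblock magic


def parse_image(blob: bytes) -> dict:
    """Split a blob into md5 header and payload and check both.

    Returns the stored and recomputed digests, whether they match, and whether
    the payload starts with a squashfs superblock magic (what a tool like
    binwalk would report at offset 32).
    """
    if len(blob) < HEADER_LEN + 4:
        raise ValueError("too short for a 32-byte md5 header plus squashfs magic")
    header, payload = blob[:HEADER_LEN], blob[HEADER_LEN:]
    try:
        stored = header.decode("ascii").lower()
        int(stored, 16)  # must be 32 hex digits
    except (UnicodeDecodeError, ValueError):
        raise ValueError("first 32 bytes are not a hex md5 digest") from None
    computed = hashlib.md5(payload).hexdigest()
    is_squashfs = payload[:4] in SQUASHFS_MAGICS
    return {
        "stored_md5": stored,
        "computed_md5": computed,
        "md5_ok": stored == computed,
        "squashfs": is_squashfs,
        "squashfs_offset": HEADER_LEN if is_squashfs else None,
    }


def build_image(payload: bytes) -> bytes:
    """Prepend the md5 header a repacked payload would need under the same assumption."""
    return hashlib.md5(payload).hexdigest().encode("ascii") + payload


def fake_squashfs(content: bytes) -> bytes:
    """Constructed stand-in for a squashfs image: only the 4-byte magic plus filler.

    A real superblock has many more fields; this is just enough to exercise
    the header logic without shipping a real filesystem image.
    """
    return SQUASHFS_MAGICS[0] + content


# Constructed sample data, not a real WD TV Live Hub firmware.
SAMPLE_IMAGE = build_image(fake_squashfs(b"constructed root filesystem bytes"))
# Flip one payload byte (offset 40 is inside the payload, past the magic) so the md5 fails.
TAMPERED_IMAGE = SAMPLE_IMAGE[:40] + bytes([SAMPLE_IMAGE[40] ^ 0xFF]) + SAMPLE_IMAGE[41:]

if __name__ == "__main__":
    for name, img in (("intact", SAMPLE_IMAGE), ("tampered", TAMPERED_IMAGE)):
        r = parse_image(img)
        print(f"{name}: squashfs at offset {r['squashfs_offset']}, md5_ok={r['md5_ok']}")
```

Running it on a real image would confirm or refute the coverage assumption in a minute: if the recomputed digest does not match the stored one on an unmodified download, the vendor hashes a different byte range (or something else entirely), and that is exactly the kind of check worth settling before flashing a modified firmware.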


 
