xiconfjs/h4ck
1
0
Fork 0
Code Issues 3 Pull Requests Actions Packages Projects Releases Wiki Activity

mostly minor cleanup changes

Browse Source
This commit is contained in:
Conor Horan-Kates 2017-01-28 16:20:36 -08:00
parent 0d5398dfd1
commit aaeb2d5c55
5 changed files with 130 additions and 18 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
.gitignore vendored
View File

@ -19,6 +19,7 @@ debian-binary
# lg binaries # lg binaries
_ipk-* _ipk-*
_downloaded _downloaded
*extracted*
# temp files # temp files

9
cujo/README.md
View File

@ -9,14 +9,13 @@
## TV ## TV
name | value name | value
----|----- ----------------|-----
model|TODO model | `TODO`
product | `TODO` product | `TODO`
firmware | `TODO` firmware | `TODO`
features | TODO features | TODO
vulnerabilities | all phone-home calls are done over `HTTP` vulnerabilities | all phone-home calls are done over `HTTP`
## digging ## digging
### nmap ### nmap
@ -37,8 +36,8 @@ so.. no open ports. let's try something different
watching the network activity of the device (`192.168.1.108`), noticed it tried to resolve: watching the network activity of the device (`192.168.1.108`), noticed it tried to resolve:
* agent.cujo.io * `agent.cujo.io`
* jenkins.getcujo.com * `jenkins.getcujo.com`
but since the network isn't allowing external traffic, the DNS resolution fails. but since the network isn't allowing external traffic, the DNS resolution fails.

112
lg_webOS/README.md
View File

@ -362,12 +362,120 @@ key | value
since the `update_minor_ver` specified is greater than the existing value (`30.40`), the TV prompts the user that an upgrade is available. since the `update_minor_ver` specified is greater than the existing value (`30.40`), the TV prompts the user that an upgrade is available.
the traffic after the user chooses to upgrade: the traffic after the user chooses to upgrade starts with a `GET` of the `image_url`:
``` ```
GET /fizzbuzz HTTP/1.1
Accept: */*
Host: snu.lge.com
Range: bytes=0-1715
Connection: Closed
``` ```
<TODO finish this writeup and hack> followed by 5 retries, since they all received 404 as we're not sure what the format of the update actually is (yet), but assume it will be an `.ipk` as well.
then some base64 encoded data with a log :
```
POST /SWDownloadStartLog.laf HTTP/1.1
Accept: */*
User-Agent: User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: snu.lge.com:80
Connection: Keep-Alive
Content-type: application/x-www-form-urlencoded
Content-Length: 268
PFJFUVVFU1Q+CjxSRVFfSUQ+MDAwMDAwMDAwMDg2MTMyNDQ2NjA8L1JFUV9JRD4KPFBST0RVQ1RfTk0+d2ViT1NUViAzLjA8L1BST0RVQ1RfTk0+CjxNT0RFTF9OTT5IRV9EVFZfVzE2UF9BRkFEQVRBQTwvTU9ERUxfTk0+CjxTV19UWVBFPkZJUk1XQVJFPC9TV19UWVBFPgo8SU1BR0VfTkFNRT5maXp6YnV6ejwvSU1BR0VfTkFNRT4KPC9SRVFVRVNUPgo=
```
decoded:
```xml
<REQUEST>
<REQ_ID>00000000008613244660</REQ_ID>
<PRODUCT_NM>webOSTV 3.0</PRODUCT_NM>
<MODEL_NM>HE_DTV_W16P_AFADATAA</MODEL_NM>
<SW_TYPE>FIRMWARE</SW_TYPE>
<IMAGE_NAME>fizzbuzz</IMAGE_NAME>
</REQUEST>
```
and then some similar data to a different endpoint:
```
POST /DownloadResult.laf HTTP/1.1
Accept: */*
User-Agent: User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: snu.lge.com:80
Connection: Keep-Alive
Content-type: application/x-www-form-urlencoded
Content-Length: 308
PFJFUVVFU1Q+CjxSRVFfSUQ+MDAwMDAwMDAwMDg2MTMyNDQ2NjA8L1JFUV9JRD4KPFBST0RVQ1RfTk0+d2ViT1NUViAzLjA8L1BST0RVQ1RfTk0+CjxNT0RFTF9OTT5IRV9EVFZfVzE2UF9BRkFEQVRBQTwvTU9ERUxfTk0+CjxTV19UWVBFPkZJUk1XQVJFPC9TV19UWVBFPgo8VVBEQVRFX1JFU1VMVD43MjI8L1VQREFURV9SRVNVTFQ+CjxSRVRSWV9DT1VOVD4wPC9SRVRSWV9DT1VOVD4KPC9SRVFVRVNUPgo=
```
decoded:
```xml
<REQUEST>
<REQ_ID>00000000008613244660</REQ_ID>
<PRODUCT_NM>webOSTV 3.0</PRODUCT_NM>
<MODEL_NM>HE_DTV_W16P_AFADATAA</MODEL_NM>
<SW_TYPE>FIRMWARE</SW_TYPE>
<UPDATE_RESULT>722</UPDATE_RESULT>
<RETRY_COUNT>0</RETRY_COUNT>
</REQUEST>
```
so, now we know what the process is, just need to determine what the format/contents of the OS update is.
after shutting down `impersonate-lge.com.rb`, the real `snu.lge.com` responds to `/CheckSWAutoUpdate.laf` with:
```
GET /GlobalSWDownloadCdn.laf?IMG=/<redacted>-prodkey_nsu_V3_SECURED.epk HTTP/1.1
Accept: */*
Host: su.lge.com:80
Range: bytes=0-1715
Connection: Closed
```
taking a look at the (850mb) file:
```
$ binwalk -v --dd='.*' <redacted>-prodkey_nsu_V3_SECURED.epk
Scan Time: 2016-12-28 22:41:37
Target File: <redacted>-prodkey_nsu_V3_SECURED.epk
MD5 Checksum: eadf4625c8033f286f7459766558d43b
Signatures: 344
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
1437257 0x15EE49 HPACK archive data
88501492 0x5466CF4 StuffIt Deluxe Segment (data): f
116751487 0x6F57C7F VMware4 disk image
151796947 0x90C3CD3 LANCOM OEM file
184522619 0xAFF977B MySQL ISAM compressed data file Version 4
188949815 0xB432537 QEMU QCOW Image
202964337 0xC18FD71 MySQL ISAM compressed data file Version 8
360991579 0x15844B5B MySQL ISAM compressed data file Version 9
403720767 0x18104A3F MySQL ISAM compressed data file Version 5
438498638 0x1A22F54E Cisco IOS experimental microcode, for ""
558916980 0x21506574 QEMU QCOW Image
652690023 0x26E74267 COBALT boot rom data (Flat boot rom or file system)
673373671 0x2822DDE7 StuffIt Deluxe Segment (data): f
752461107 0x2CD9A533 MySQL ISAM index file Version 11
798709823 0x2F9B583F LANCOM OEM file
828143551 0x315C77BF MySQL ISAM index file Version 11
828353910 0x315FAD76 MySQL ISAM compressed data file Version 4
```
however, given the 'encrypted' portion of the filename and the fact that none of the files are actually usable as the type indicated here
- the encryption is throwing off `binwalk` file type detection
attempting to find an unencrypted version of the file by fuzzing the original URL has, so far, proved unsuccessful.
# TODO how would we determine the type of encryption in order to start attacking it?
## channel guide ## channel guide

10
lg_webOS/impersonate-lge.com.rb
View File

@ -28,9 +28,15 @@ get '/fts/:file' do |file|
hash = params['hash'] # 6Vsai7Ky71UPgetV hash = params['hash'] # 6Vsai7Ky71UPgetV
mtime = params['mtime'] # 1479098823000 mtime = params['mtime'] # 1479098823000
fake_ipk_name = '16881482.ipk' fake_ipk_name = sprintf('%s.ipk', key)
real_ipk_file = File.join(settings.public_folder, '/gfts/base-files.ipk') real_ipk_file = File.join(settings.public_folder, '/gfts/base-files.ipk')
if mtime
mtime_int = Time.at(mtime.to_i / 1000).to_i
mtime_args = Time.at(mtime_int).strftime('%Y%m%d%H%M')
`touch -t #{mtime_args} #{real_ipk_file}`
end
headers( headers(
'Content-Disposition' => sprintf('attachment; filename="%s"', fake_ipk_name), 'Content-Disposition' => sprintf('attachment; filename="%s"', fake_ipk_name),
'Content-Transfer-Encoding' => 'binary', 'Content-Transfer-Encoding' => 'binary',
@ -38,7 +44,7 @@ get '/fts/:file' do |file|
'Server' => 'Apache', 'Server' => 'Apache',
) )
send_file real_ipk_file send_file(real_ipk_file)
elsif target_host.match(/ngfts/) elsif target_host.match(/ngfts/)
## channel searching -- images / thumbnails ## channel searching -- images / thumbnails

6
mifi/reverse-adpassword.rb
View File

@ -35,7 +35,5 @@ end
# TODO first we mimic the encoding, then we can decode # TODO first we mimic the encoding, then we can decode
encoded = rstr2hex(rstr_sha1(str2rstr_utf8(password))) encoded = rstr2hex(rstr_sha1(str2rstr_utf8(password)))
puts sprintf('%s %s', decoded, "\n") puts sprintf('%s', encoded)
puts sprintf('%s', decoded)