>>Okay uh so this presentation is called All Your Things Are Belonging To Us. Um, we are the Exploitee.rs, uh the link at the bottom would’ve been where you’d find our slides right now, but it’s not um so yeah, after this presentation, hopefully you’ll find your slides there um, DC25 dot exploitee dot rs. Um, so yeah, next slide. Oo, does it work? Okay let’s find out, is this going to be my day? No, nope, okay cool good. Okay, so [chuckles] I heard you like slides, so we put slides in your slides [laughter] oh man okay, so, uh, my name’s Zenofex, I’m the founder of Exploitee.rs, uh I’m a senior research scientist at Cylance and I’m founder of Pastecry.pt. Um, in the back, that you can’t see, uh he’s standing up waving his hands, he is CJ, he works at Draper, he does hardware and software exploitation of things. Um, right over here we have 0x00string, null string, um he is a hacker, recreational bug user, senior research engineer. And then right over here we have Maximus, he is a recent graduate of University of Central Florida and he is a master of a soldering iron and of all things reflow. Um, just a little disclaimer, this presentation and thoughts are ours, and ours alone and they have no relationship to our employers. Next slide, ding, okay cool, that’s going to get annoying I bet, uh [chuckles] so uh the other members, we’re like uh twelve deep group um, that’s why we have four on stage, that was the most we could get [laughs]. So we have MBM, he’s the co-founder of OpenWrt, um his twitter handle is at mbmwashere or wash ere, um we have gynophage, he goes by gyno underscore lbd, lbs, he is the DEF CON CTF organizer, we have at non stick who is a boring corp sec dude, we have saurik, he’s the creator of Cydia, we have TDweng, he’s our master software developer, and we have Cody Walker who believes that the web platform is the best platform, um expected to hear some laughs, uh okay so and then we have Ian who praises our almighty internet overlords, ding. 
So uh, a little about us, um I guess I’m the minority there, uh [laughter] we’re the A team, uh next, ding, okay cool, so we are the Exploitee.rs, we are formerly known as GTVhacker but, we were started, we started to start hacking the Google TV and then Google decided we don’t need the Google TV anymore and our name meant nothing, so we switched to Exploitee.rs, um we’ve presented at Black Hat, DEF CON, BSides, um some of the content that you’ll see today um you could get more out of if you watch our Black Hat presentation, uh the material isn’t the same at all but we talk about eMMC hacking a little bit in this presentation and we did a whole white paper for Black Hat on eMMC uh interfacing, so, um what else, we released root methods for multiple generations of Google TV devices and other embedded systems, um we did televisions, blu-ray players, refrigerators, um if you check out our wiki we’ve got a whole bunch of uh stuff that we’ve hacked and databased. Um, we also pushed for DMCA exemptions in uh jailbreaking smart devices, pushed and won, we uh got an exemption for uh jailbreaking set top boxes um that was really kind of a cool accomplishment for us. And we also maintain a network of sites documenting uh just a bunch of vulnerabilities and their immunity and group driven. So, if you’re looking for a safe place to put your research, we’re happy to host it and give you credit for it, so um you can visit our wiki or whatnot for exploitee dot rs, ding. 
Okay, so um types of vulnerability and exploits, that you’re gonna hear about today, and maybe not hear about depending on if the slides work, um, we have UART bugs, uh these are pretty simple, it’s a development interface, it’s universal asynchronous receive transmit, um it’s normally just a 4 pin grouping, maybe 3 pins, maybe even 2, sounds easy to find, um, and it’s pretty much you can consider it a serial port, and some devices will just straight drop you into a root shell on UART so, you’ll see a few of those, I promise not to overdo it, we got a whole lot of remote stuff, um. Then we have JTAG, Joint Test Access, um Action Group, um we don’t have a whole lot of these in our presentation but it is good to know about if you are new to hardware hacking, it’s another debug interface and it allows full CPU access, um it’s often hard to find, you can get something a J, JTAGulator, um you can also get JTAGenum, a sketch for Arduino, and be able to map out pinouts pretty easily. We do a pull and program on some of these which is just we pull the flash, most of the time it’s an eMMC, um that’s to either read, write the chip in dead bug mode which means to flip it onto its back and uh interface directly with the chip, or even just pull it off and get an in-circuit pinout so that we can uh, um publish something online and make it a little easier for you guys to replicate the work. Um, local file disclosure, that’s essentially when we’re just, uh we find a bug that discloses some information that uh you know you shouldn’t have, maybe a, a wifi ps uh, wifi key or a you know just some personal information and whatnot. And then RCE, remote code execution, uh payload execution without physical access. Ding. 
Okay, so plan of attack, um generally what we do is we go after the hardware attack first, we had one device that we, we uh were attacking, and it got heavily hardened on its first update, um that the device received as soon as it came out and from that point on we decided that going after UART and JTAG was something that we needed to do before we even got the device online just so that we can test the manufacturer firmware, and so if you’re trying to establish a process, I highly recommend you always look for UART first, um in all this you’re always looking for a firmware, you wanna get um, you wanna get a firmware so you can find better bugs, remote bugs, um you know, the not the physical access wire, ten wired bugs, um. We also reverse mobile and desktop apps, a lot of times you’ll find firmware update code, that will just lead you to um firmwares that you can throw in binwalk, um and be able to do a better analysis of the device, it’s way better when you have uh a firmware dump. We also sometimes man in the middle network traffic. Again, we’re just trying to get that firmware update um and then dump flash if we don’t get a firmware update, we don’t have anything, we need code to work off of, doing a blo, back bloc, back, black box approach isn’t always optimal. So, our goal is always to find more bugs and to find better bugs. Ding. Let the games begin, here’s the good stuff, I’m gonna hand this off to Qua where he can get us started. >>Ok, next slide. So this is the Tenvis T8810, it’s an IP camera, it has um pan, tilt, and zoom function. It’s wireless, and two way audio. Next slide. Uh, oh [laughter] ohhh [applause]. Okay so, uh when, when you open the wire there is a UART port, you can uh wire up to your UART adapter, and uh it will uh show a Linux login prompt. We don’t have the login uh for this device so that’s not gonna work. Uh but this one has a U-Boot 3 second timeout so you can interrupt the uh U-Boot and drop you straight to a U-Boot shell. 
From there you can uh set the bootargs, uh the boot argument uh to include a bid I mean like init=/bin/sh so it will drop uh you to a root shell when device booted. Next slide. Uh so, while looking at this device uh we found an interesting bug. So, uh if you include a carriage return or a new line in the SSID, uh the device will crash and uh even if you reboot it it will continue to crash. Uh, the only way to recover from it is uh you use a UART and uh clear out the SSID. Next slide. So, okay, so Samsung security DVR. This is a 4-channel security DVR. Uh it’s based on a HiSilicon chipset, it runs Linux and it has a 500 gigabyte SS uh HHD, HDD. Uh next slide. Um, so, when you open the file up there’s a 4 pin port, uh, that’s a UART port. Uh, you can interrupt to the U-Boot shell and then you can uh add to the boot argument. Uh init then console, then that will get you to a root shell. Well then you can use that to explore the file system. Next. So, while uh looking through the file system we found a startup script, uh it looked for a uh a uh diag uh one six seventy three uh file on the USB file right. So if you put a uh uh script to spawn a telnet shell in there that will get you root. Next. Uh so we did a picture of the diag uh, uh, underscore sixteen seventy three, we found we a, a Samsung uh PDF uh is useful at changing your MAC and video type. Uh, so you put the diag uh underscore one six seventy three in there and uh with the config file and you plug into the DVR and power it on. Uh then uh the script for the battery will run and set your MAC address and video type then this will tell you to reboot the DVR. Uh next. So, this one is a Samsung printer, it has a uh 600 uh megahertz Cortex uh with a hundred uh twenty eight megabytes of RAM, it runs via the uh via the VxWorks real-time operating system. Uh, next slide. 
So, first thing we did is uh use a renal and we dump the NAND flash so we keep a backup so in case anything goes wrong we can set the recall for it. Next. Uh, so we were messing with the uh firmware image and we found a section of it, so a section not the firmware image, that allows us to, that you can modify. So we modify a small piece of code in there to uh make the toner cauti uh at the toner level to always read 100 percent. Next. Okay so, Chromecast, uh, Gen 1, uh we already rooted this device back in uh 2013, and um also helped the second time. Uh, this one is running a Marvell 88DE3005 chipset, uh next. So the, with the Chromecast release it’s uh came with a vulnerable bootloader, this uh vulnerable bootloader allows you to uh run any unsigned image, so this one is patched in firmware version 12840 and uh after that uh, uh fail0verflow released a uh USB boot uh exploit, uh this one also got patched. Um so on the we got around this uh using a uh NAND programmer, we use a NAND programmer, we download the you downgrade the bootloader to the uh vulnerable version uh we use a uh STM32F4 Discovery board uh because it’s cheap and it also has a NAND controller viewing and this device has secure boot enabled. Next. So, to downgrade the NAND, to downgrade the bootloader you wire up the NAND flash through the STM Discovery board uh then calculate the ECC then uh you erase and write the new uh bootloader to the device. So, after this you can uh use the uh, uh our original exploit we released uh in 2013 to get root on the Chromecast. Next. Okay, the Zmodo smart doorbell, it’s a wifi connected doorbell, it’s used to stream video, uh two way audio and motion detect. We purchased this at a Fry’s two days ago [laughter]. Next. 
Uh so when you open it up and you look on the back of the board, there’s a two pin uhhhhhh port so you can wire up your UART adapter, and it drops you straight to the root shell, so there is no step three [laughter] [applause]. Next. Uh, well, okay so we looked through the auto binary in this device and we found a uh buffer overflow, so when you feed it a query string, a long query string, the device will crash and uh the PC uh you can control the PC uh cal value. Next. Uh okay Zenofex, we will continue. >>Alright everyone, we’re going to make it a little more personal, this feels a lot better, okay cool so ding let’s move forward. Okay, so the Western Digital My Cloud, this is a device that is pretty personal to me because I originally bought it to use and not to hack, but uh I can’t put anything on my network and feel comfortable without, without giving it uh, uh, about it without giving a good audit. So, the Western Digital My Cloud is a network attached storage device, there’s a bunch of different models, um there’s a pro series, um all the models you see there are vulnerable, every seri, uh every device in the My Cloud uh series is gonna be vulnerable to the uh bugs you’re gonna see um and I’ve already hacked this one once before. So, uh let’s go to the next slide. So, a little bit about the hardware, um it’s an Intel Pentium N3710 quad core 1.6 gigahertz processor, it’s got 4 gigabytes of RAM and 4 bays. Um we’re talking about this specific model, the PR4100, which is the one I purchased and uh use at home. So, the My Cloud series of devices, we released about eighty three RCEs uh, uh earlier this year and just dropped it on Western Digital, so uh we haha we dropped 14 pre auth bugs, 13 of them were Remote Code Execution, um 1 was an arbitrary file upload pre auth um and the beautiful thing about this device is that the uh web directory, it’s not squashfs, it’s not a packed system, it’s ext3, you can modify it and just keep going. 
So, PHP shells get you an instant root, so um then we had 70 post auth RCEs. The thing about the uh post auths were that they fixed all the pre auth vulnerabilities um one month after disclosure, a little more than a month for all the devices but uh they didn’t fix any of the post auth, post auth vulnerabilities um I don’t, I don’t know what the thought process was behind that but uh um, that is just what we observed. Next. So, we’re gonna talk about the first bug that we have here, um it’s the Western Digital My Cloud arbitrary file upload. Um, we had released one of a sim, similar bug to them, um, full disclosure a few months back, and this is just another one, when we had 83 bugs, it’s kind of hard to uh like dive super deep cause you just keep finding more and more bugs. It took me a month just to write up the des uh analysis because it was you know 84 different vulnerabilities and I wanted to make sure that I, I was pretty thorough. So, in this particular one you’ll see, it’s PHP code, you’ll see uh request um global variable with uh name and password and redirect uri on lines 29, 30, 31. Essentially with request it means it could be a cookie, it could be a get, it could be a post. Um, so what this particular code does, the snippet thing that you notice is that it makes a request to this mydlink/mydlink.cgi uh cgi script and tries to compare the response to see if it has uh the auth status um string. And if it does and it notices that you are not authenticated it’s gonna spit you out. But the thing is this file doesn’t exist, so it 404s, it never matches, and this authentication code does nothing. Um, so, yeah it, it’s great, it’s at the top of the arbitrary file upload, if this worked, theoretically maybe it would be some kind of authentication, I don’t know where the mydlink portion comes in. Um, next slide. So, here’s where the actual file upload comes in. 
Um, you can see that there’s a request folder, so we can specify what folder the file gets uploaded into. Then it’s a multipart file upload in PHP and so that global uh variable files gets filled in with the filename of whatever file you upload. So between specifying the filename and specifying the folder, you can write to anywhere on the file system with any arbitrary name, with any arbitrary payload, um pre auth. And so, if you see at the bottom, I have the POC, we essentially just uh, echo into temp slash PHP shell, hit curl with a multipart file upload with the PHP shell, and then you have a PHP shell you can root the device with. Um, so you want PHP shells? Because that’s how you get PHP shells. Okay, next slide. So, we have this, we found this other bug and this bug is an authentication bypass and how it works is there’s this uh wto binary and this binary, what it, what it really is meant for is it databases the user’s IP and the session timeout and, and they call this binary to reset the, the timeout and the IP and uh or set it or delete it or whatever is happening, logout/login um and then they also use an isAdmin cookie or a username cookie. Cookies are client supplied. So, there’s no real authentication in that portion, the isAdmin cookie if it equals 1 you’re an administrator, they check the IP, they check that you’re logged in but, or that there’s an admin account logged in from your IP in the timeout but, then they also check the isAdmin cookie which is completely user supplied. They also check the username cookie uh, it could just be admin, it could be an actual username um and they use exec calls to essentially call this binary to reset everything and the CGI binaries do the exact same thing with this wto binary. On the left you can see uh arguments for it. Uh, next slide. 
So what we do here is um this is the network manager cgi and this is where the vulnerability really comes into place, um so their process is, they check if command, if the command get variable is equal to cgi get ipv6. Then they check if the flag get variable is equal to 1. Uh, if those are the case they reset the WTO timeout and the IP for the admin user, whatev- whoever is making that request. This is all prior to actually kicking the user out if they’re not authenticated, so, you just make this request and you are logged in um your WTO timeout resets, your IP resets um you get a 404 error but yet it still resets the WTO information so uh, next slide. So, uh what we did is we took that authentication bypass, we took one of any or actually any of the 70 post auth RCEs that we talked about earlier and we team them together and you get uh root code execution. Um, so yeah they didn’t fix the RCEs and it made it just that much easier for us to team an authentication bypass with one of the uh post auth uh RCEs for a pre auth RCEs for a pre auth RCE, you can see at the bottom, we make the first request that resets the timeout and IP address and the second request actually executes the payload, in this case it’d be id um and just as a heads up, I don’t think we mentioned this earlier, but the idea here is at the end of this talk, uh show a loop, or not a loop but a uh, a run through of all the demos uh all together, um we got a special guest coming, we’ve got some stuff to give out, we’re gonna have a lot of fun so, I recommend you stay till the end. Next slide. OK, and then we have this Vudu Spark. Vudu Spark is a media streaming stick, it was only available from Walmart and Walmart dot com and uh it really only provides Vudu streaming service. Next slide. This particular one, when you get it you uh it’s a 20 dollar stick, it’s really cheap. 
It has a header for UART already, so you can just jam a wire in there, you can connect to the pads right underneath uh for the footprint of that header um and the top pin is ground, the second pin is tx and the next pin is rx um, 57600 8N1, start it up, instant root shell, like Qua said earlier, there is no step three. Um, next, okay and so then we have the Amazon Tap, uh this was Amazon’s attempt at making an Alexa device that uh was portable. So the idea is you take this bluetooth speaker around, you tether it to your phone and you have Alexa on the go. Um, it’s always online, always listening, it has about 9 hour battery and it actually has secure boot, unlike the Echo or the Dot. Next slide. Within this device is a Freescale i.MX6, um the secure boot implementation is implemented within U-Boot, um it’s a popular open source boot loader. Um it boots from an eMMC flash so if all else fails we really could just pull the flash, but there’s a way easier way, um it’s full of glue, I assume just to uh uh make sure it doesn’t rattle um it’s really pote, put together well for that. Um and we have a full teardown and I think iFixit also has a full teardown, so just to give you a good picture of the board. Um, next slide. So, here’s how this one works, uh there’s a UART U-Boot output with no shell. There’s a kernel, uh kernel debug output, also no shell, and then there’s a TM30/TM26 which is the tx rx for UART but again we don’t have a shell, what do we do? 
Um, well there’s this trick with U-Boot that if you ground the flash at the exact right moment, it’s the, the DAT0 pin on the flash, uh if you ground the flash at the exact right moment, a lot of times you get dropped into a U-Boot shell and from U-Boot you can do what we call kernel hijacking which is where you uh replace one of the command line arguments with uh kernel arguments with uh init equals slash bin slash sh and instead of the normal init scripts that happen when the device boots up, it runs init slash sh and you normally just drop into a root shell over UART. Um, so in this case, next slide, if you uh lower the resistor to ground at tp27, you can see how I did it in the right of the picture, and you ground it during boot after U-Boot starts printing out output, it drops to a U-Boot shell. Um, and so then it’s pretty trivial, um we can’t read the environment variables just because I-I think it’s some modified version of uh U-Boot without printenv which is uh what we normally use to view all of the environment variables. Um but we can still write to memory and execute code, so um, next slide. Alright, so now I’m going to pass it over to [inaudible] alright [inaudible]. Come on up CJ. >>Hey DEF CON I’m null string, how’s everybody doing? [applause] cool. Alright, you guys wanna see some more bugs? Alright, so yeah long time human, first time speaker, good to be here. Glad to be in front of everyone talking about these bugs. Uh we have the QNAP NAS TS-131 uh 131 and 131P, and probably a few other models too, uh most of the consumer models. Uh they’re network attached storage devices, they have a nice little unix operating system on board, uh you can download apps from an app store. Do things like uh music transcoding, and video transcoding uh like uh like little picture book thing if you want to directly access your NAS to go through like a slideshow. Uh a lot of stuff like that. 
It runs a 1.6 gigahertz ARM processor uh actually pretty nice little devices uh it’s good if you just need a, a NAS for your house. Next slide. So uh there’s a couple of interesting services on the NAS, uh one in particular and well, before, before that just specifically uh services that listen just on the network uh that don’t have any authentication to access, just things that are forwarded out to the network, available on as you can see uh all interfaces. So uh, one such service is the my transcode server which is a video transcoding service uh you can upload and specify video files to be transcoded from one format to another uh and there’s several different commands that you can issue to the service over the network without any authentication. Next slide. So, one such command that you can issue is a rm file command. And the commands are issued in such a way that uh basically you specify a command string which is a DWORD, specifies which command is to be executed, and then the parameters for that command. So for the rm file, you specify the DWORD, say which command you want to execute. And the first argument and only argument is the file path of the file that you want to delete from the uh video transcoding server. And uh so you would give it a DWORD, execute the command, the path to the file and then a null byte terminator. So, uh once you issue that command, it is issued to a uh another function, that does filtering on the file path you provide. Uh, the filtering, as you can see in the bottom right of the slide, filters out things like spaces, bangs, dollar signs, anything you would think like would be good to execute a command with. However, they failed to filter out backslashes and vertical pipes in that function. So, uh by issuing a command that contains vertical pipes at the beginning and end after an initial slash to get past another check to make sure it’s a proper path, and a proper path apparently is any string that starts with a uh a slash. 
So uh you issue a command, uh to remove a file backsla or forward slash and then a pipe and then you can execute any command after the pipe. So uh next slide. So there’s uh you can see the format of the command, uh there. Uh the DWORD at the beginning, uh 0x01 followed by 3 null bytes to execute the rm file command, a single slash and then wrapped in vertical pipes you can put any command you would like to be executed as root and a terminating null byte. So, you can see here at the bottom we have a POC to uh curl a shell script and just pipe it right into bash and uh you can put anything you want in there, a bash reverse shell, another file download, load a kernel module cause it’ll let you do that, um whatever you’d like and just basically fire it off with that service and it will execute it as root. Next slide. Alright, next up we have the Belkin N300 WiFi range extender. It’s like a wall vampire range extender. You plug it into the wall, you login to its little open wifi network and configure it. You give it your wireless network credentials and it will extend the range of your wireless network. Uh I guess it’s for places like uh if you’ve got like a big house or a house with bathrooms in weird places where you can’t get very good wifi coverage, you plug it into your wall, set it up on your network and it will extend the range of your network a little bit. So, uh starting off we just do a hardware root, just like tear the bezel off of it and look around for headers and pins, anything we can get to uh get to the debug console and see what it’s doing behind the scenes while we do stuff in the network interfaces. Uh it’ll drop to a root shell once you find the UART pins. Uh I think we have a picture on the next slide, or maybe not but it’ll be on the wiki either way if you want to go that way. But you can skip the entire hardware root process at this point. 
Uh after getting the hardware root, we went and pulled the firmware, looked around, uh looked through the web application files and uh setting hidden dot asp which is the uh the file you’re directed to when you want to go set up a wireless network that’s not broadcasting its SSID. That particular script uh as executed by the CGI uh it doesn’t do any sanitization or checking against any of the form parameters that you provide. The only sanitization or checking that is done is on the client’s side so you can just bypass it completely and uh just throw in any kind of command injection. So just like throw some semicolons and a command you want executed into any of the parameters and it will get passed to the shell when it does the wpa_supplicant commands to set up the wireless configuration. Doing that uh runs as root along with every single other service and process on the device uh eh eh it makes sense uh you’re not really expecting anyone to be getting on here, you don’t really need to set up like access control for different users if it’s a device that you never expect anyone to get a shell on in the first place, so uh any command you execute through that will execute as root. Next slide. Here you can see uh there’s a couple caveats as far as actually getting uh exciting commands executed, uh the busybox binary that’s provided on the device is uh fairly limited uh it’s not really the standard busybox so the best uh commands that you can do to get a callback or any kind of network communication off of the device would be wget or ping. So there’s no tel or no telnet, no netcat, no telnetd even. Uh so basically what you’d end up having to do if you wanted to get a shell back out over the network would be to, similar to the uh to the QNAP payload from before, you would wget a payload on the device, or you could also tftp a payload onto the device and then use the command execution to execute the payload at the path you downloaded it to. 
Doing that will also run as root, and uh here at the bottom you can see we have a POC for that exact payload uh you can see wget then echo a, uh that’s about all it takes. Any one of these fields, these uh aaa, bbb, ccc, ddd, eee, fff, all of those, anywhere just uh put your payload anywhere you want and put these form fields and it will execute as root. Next slide. Alright, the Netgear WN3000RP WiFi extender. Super similar to the Belkin, uh same thing, you plug it in, configure it, it extends the range of your wireless network, so you can get around like bathrooms or if you have like a giant house and don’t have like 5 gigahertz wifi. Uh, so yeah, you plug it in, and uh it runs a MIPS32 uh SoC and it’s got an OpenWrt Kamikaze installation on it. Everything else is just uh sort of in a assist file. Next slide. So, UART, uh super easy to locate right underneath the uh net header uh, so from the right side it’s vcc and then over on the left is ground and you just uh plug your UART adapter into there and boot it up and be patient and it drops into a root shell, you could execute telnet after it boots up and get a better shell over the network, and have full access to your wifi range extender. Next slide. And you can see, logging in over telnet uh they didn’t change the uh login banner so it’s just OpenWrt Kamikaze and the only user on the device is root once again. So, no access controls, uh just uh, just the root user. Next slide, yeah. Alright, uh the Linksys WRT1200AC. It’s a, it’s a really nice router, it’s uh fast, uh it’s got a 1.3 gigahertz dual-core ARM processor, wireless A through C and the firmware version for our bug is 1.0.5.177401, which as of the other day is the latest firmware released by Linksys. Next slide. So the bug here uh is post authentication. 
You log into the device with your administrator credentials and you go to the file sharing section, and the file sharing section is set up to allow you to do like uh DLNA so if you wanted to cast something to like a Chromecast or another media streaming device or if you wanted to access your router for whatever reason over ftps from somewhere else. Or, uh if you want to use ftp locally or uh I think it also has smb within the internal network as well. So uh, you can specify a specific path uh within the file sharing path uh in the administrator section of the web interface for the router. However, the only uh only sanitization takes place on the client side in javascript. So, normally what it would do is when you would go and try to do like a directory traversal or uh absolute path to something that’s outside of where it’s originally set up uh it would give you an error saying that it’s an invalid path and it would make you start over. However, if you just grab a valid command as a curl or a, a valid request as a curl command and then modify the variables there, uh there’s no verification or sanitization whatsoever on the server side. So you can basically provide any path you’d like. Next slide. So here you can see a curl command where I removed the credentials from my router. Uh and you would have to put your own credentials in there. Uh, but as you can see here towards the bottom on the left uh test user and password is admin, haha, uhh, yeah. And so you can uh, you can provide a directory traversal string and traverse all the way back to the root directory. Uh hop on over ftp and then just drop some scripts into init or uh rc.d and have them execute as root when the device boots up again. So, basically drop whatever script you want, whether it’s telnet or adding a user to the password file or whatever you’d like uh again executed as root when the device boots up. 
Or if you just want to pull files off of the device after you get the direct root first swap you can do that as well. Next slide. The uh LG BPM350 is a blu-ray disc player, and it also has uh wifi and apps and streaming things like that, it’s one of the smart blu-ray players. Uh it’s actually a, it’s a pretty nice device. It’s one of the few that I decided to keep after this, uh it’s a pretty nice media player, I-I recommend it, it’s pretty cheap too. So, uh it includes uh, like a little app store and a few pre-defined apps that you can uh, you can download right away and then other ones that you can download from the store, and one of the apps that it comes pre-installed with is the Pandora internet radio app. Uh, the interesting thing about the Pandora internet radio app, uh on this particular device, it’s one of the few apps that uh has sort of like an execution chain to actually start the app up. So, the first thing is a binary that gets executed, that calls a shell script on the local file system and that particular shell script will go through and uh and check for multiple file paths for the actual Pandora app to execute. It just so happens that that script will check for the file paths uh for paths that are mapped to USB devices instead of the local file system first so it tries uh like for instance like sda1 or sdb1 before it will go and try the uh mounted block for the flash file system. So, what you can do is you can basically just uh use the correct file name that it’s looking for on the USB device, put whatever payload you would like in that shell script, plug in the USB device and launch the Pandora app and it will execute your command as root. Next slide. Yeah, so uh, uh you can also set it up. 
It’s really easy to grab the command uh to actually execute Pandora normally off of the file system, so you just throw that into the end of your command execution after you get a shell set up, just a quick uh, it even has like the dev tcp and everything in prox so you can do a really simple bash reverse shell, get a shell onto the device and start Pandora so you can listen to music while you continue hacking [laughter]. So, uh yeah if you just wanna like you can grab that out of the slide, go pick one of these up at like Walmart or something for like 40 bucks and you can have a nice rooted uh DVD player uh take off all the region locking and everything and watch whatever you want on it. Next slide. The D-Link DCS-936L Wi-Fi camera. It is a smart camera with a wide-angle lens, a 720p HD display, built-in night vision and sound detection and motion detection. It’s actually a pretty nice camera, um, not nice enough to keep, but it’s really nice, if you want one in your house, if you want that. Uh, the firmware version for the bugs we found was 1 point 02 point 01. Uh, last checked a couple days ago, still good, no updates yet. Next slide. So, one of the issues we ran into when working on this device was that the firmware updates are encrypted. Uh RSA I think it was twenty forty-eight bit encryption. Uh, so we were having trouble getting into the firmware to actually uh look at what the device was doing. Uh, we ended up finding some, some bugs in the web interface we were able to use to get access to the device and pull the firmware off that way and figure out how it actually uh decrypts the firmware update. So, what it does is uh it does a uh AES encrypted basically uh RSA key decrypts that, it uses that key to decrypt a couple of different firmware blobs and then flashes or uh writes them onto the flash. You can see here it’s, it’s, it’s really just using system to openssl encryption and decryption.
Uh, so, uh pretty easy to f, uh to find when you’re looking through the firmware to figure out how it’s working. So we got that one worked out pretty quick. Uh, we haven’t verified any of the other device models yet, but, uh based on what we’ve seen, it’s more, it’s more than likely that uh most of the encrypted firmware updates for the D-Link devices are going to be using the same key, which is on the next slide. Yeah, that one. So uh yeah you run those two commands on the firmware file, you can just download it straight from D-Link’s website, run these two commands, extract the firmware and uh dig around for better bugs. That key, you can just copy that, you can skip those commands up there above, or the first one, uh and go ahead and just do the second one and use that key. Uh, you can write your own firmware encrypted with that key and it’ll upload it, uh install it that way, if you want to do a custom firmware as well. Next slide. And the bug that we used to actually pull the firmware encryption key off in the first place was this post-authentication root command injection via arbitrary command injection due to improper sanitization. So uh, at, like at this point with this device, it seems like you could go to Best Buy or Walmart or Target or any of those stores and pick up like any given device that says smart on the box and just put a command injection in the SSID field and you’ll get a F*****g root shell [laughter]. So, yeah. That com uh that curl command right there, super quick, you just uh log on to the device, uh it leaves default credentials when you first get it and just shove whatever command you want to execute into the SSID field and it’ll execute it as root, only one user. So, uh yeah, if you wanna hack some cameras or media players, anything that says smart on the box, probably a good bet that the uh SSID field is going to be completely unsanitized, and then just shoved right into a wpa_supplicant command, just execute as root and next slide.
And the Lutron LBDG2WH Caseta smart bridge, it's uh one of the smart bridges for your house uh control your like smart power outlets, your smart blinds, your smart garage, smart cat, smart dog, all that stuff. Uh, you can control up to 50 devices, including smart cats and dogs, and lights, thermostats, dimmers, all that stuff. Next slide. So, uh once again, another UART interface, unlabeled, sitting on the board, you can see that there are three test pads there. Uh on the farthest left you’ve got ground and then TX and RX, uh just drop some rosin on there, and then tin the pads and then just put some magnet wire on it, you can get right on. Uh digging around the file system, you can pull off the applications that are included on the file system, any kind of SSH keys, private keys, uh, keys for communication with the external servers and all of that. The cloud stuff, uh yeah. Just uh drops straight into a root shell, solder onto it and get on, it’s that easy. Next slide. And change places, this is CJ zero zero zero
>>Howdy all, um I’m disappointed that I left my scotch up here, not back there because now I have a whole glass. But Amear if you could advance the slides please. OH that’s good. So, first off, uh Vizio smart TV. Specifically the P602UI. It’s a 4K smart TV. It has all the bells and whistles for you know a year ago or so. Kind of cheap, no HDR, four two zero chroma reversal 422 excuse me 422. Uh for those in the audience who know, it’s a big deal, if not it doesn’t matter. Um new TVs are better. Um full array backlit SDK has different, a different SOC for the 4K bits. Uh Sigma system on chip as I mentioned, which will be important later, uh and it’s also a Yahoo smart TV which apparently was a thing for a while, nobody uses it anymore but, it will be important. Amear if you could advance please. So, first attempt when I got the TV, of course I didn’t want to just pull it apart because my lovely wife would get kind of pissed off saying why’d you break the TV?
So, bought a main board and I will whore our Blackhat talk again. If you look at our Blackhat talk we talked about extracting eMMC flash, reading data. Uh from there we’re able to read write, read and write eMMC, eMMC flash, that way we were able to, as Amear talked about earlier, extract a lovely firmware, look through it, find all the little good bits and go from there. We also added a backdoor for debugging purposes cause it wasn’t, the kernel was signed, the file system was also signed but there was an NVRAM partition that was not signed, which we, which is used for persistence so you could just drop a by- a payload there and win, but that’s not the fun stuff. Amear if you could advance. So, there’s a user manual feature. The user manual feature, after you, after you got the firmware digging through it, is actually an HTML page that's launched by a hidden Opera web browser. Not accessible, but it’s there, it’s used for like Netflix and Amazon, and a bunch of different apps that are relatively useless. Um, the user manual also has an update procedure. So, I was like hey, this looks interesting. Digging through it, it pulls a tar file down from an HTTPS server, there is certificate pinning, um and that does a GPG check so there’s a signature check, not really a great avenue, but I’m like how does it download? There’s a JavaScript command called sigma dot exec and it lend- runs a wget command. And I’m like hmmmm okay. So, using that command you can run any, any command you want on that TV as root, and it will execute depending on where it is, you could potentially even do a man in the middle which we’ll talk about if we could advance to the next slide please. So, if we make a custom app, um what we can do is some fun trickery. The Yahoo smart TV development kit is still online and a thing, you make a tiny app and the app is an HTML file and XML file, nothing fancy and some JavaScript, there’s a sample that I pulled and just made some changes.
So you take the sample, you push it to their server, and then from the TV you can download it and it pretty much when you run it, it accesses a custom library called lib sigma something or other dot so, from that lib sigma it parses things, there used to be a whitelist of Amazon, Netflix, localhost, file, stuff like that, now that’s pretty much gone. But, it, my thought is, if we make a custom app, point it at a file descriptor, can we actually run JavaScript code as root? If we can advance to the next slide please. So, if we use that lovely URL command, we’re referencing, we’re installing an app, uh with an XML file and referencing an HTML file inside of it to launch. So, it’s kinda like going to a homepage on a web browser, but with a lovely built-in app, with our lovely logo so that’s actually in the development store right now. Um, that pretty much points at an HTML file that uses the same sigma dot exec command to launch a telnet daemon on port 1337, and then, root shell, nice and easy one app click and there you go. So, if we could advance to the next slide please, we’ve got some more devices and I’ve gotta get through them kind of quick. So, obviously I’m not James Bond, I can’t even run, but say I want to spy on somebody. There’s this AOBO smart cam on eBay, I’m sorry well eBay, Amazon, your pick. Um, 20 bucks, it’s supposed to be great. If we could advance. So, when you turn it on, it’s got a little battery built in, it creates its own access point, broadcasting in the clear, so you know, no counter intelligence service of Target would ever, ever find this. Um, the AP also doesn’t need a password. So, you just directly connect to it. Not great. Nmapping it shows open FTP and telnet, at this point I’m like, this is dumb. Uh, if you could advance please. So, I’m hoping at least there’s a username and password audit. Username yes, password no. Login with the username root [laughter] you’ve got, you’ve got the camera [applause].
So, if you could advance please, instead of James Bond it’s more like Spies Like Us because they don’t know what the h**l they’re doing. So, next up is the Cujo. It’s a home security firewall designed to protect pretty much everything on your network from hackers against internet of things and viruses and all the big evil scary things. It’s 250 bucks and it’s 3 pieces of plastic covered in all globs of glue. If you could advance please. Literally had to break the plastic to get the main board out, ripping, ripping, ripping. I guess this might be tamper evident to stop quote unquote hackers or I have no fricken clue. If you could advance please. The main board, also covered in glue, across a bunch of nice little interesting pads, in the kitchen with an Ove Glove and a paint uh, uh a wallpaper um heat gun, you can actually pull that glue right off. So, it doesn’t really do anything and if you could advance please. We’ve got access to UART on those pads, same type of thing as the Amazon Echo, if you ground up the eMMC data line which is really tiny, you can’t see but the slides will be online, there’s full res pictures, you can then get, you, you can then get U-Boot bootloader shell access and read and write memory to your heart's content. We’re working on building that further, get the file system out, this was my last weekend. Uh, could you advance please? Uh, VeraEdge smart home controller. Home automation hub you know, lights, doors, thermostat, all that jazz. Please advance. Um, there’s a local file disclosure bug with the store file and get file dot sh, pretty much you call store file dot sh and then get file dot sh. Store file dot sh creates a file, a folder, my b- excuse me, creates a folder in the right spot and then get file will let you pull something using directory traversal as you can see in that second curl and we’re specifically targeting etc cmh cmh dot conf. Go to advance please.
So, from there we just got, it’s a simple bash script, nothing crazy, we pull get file, we use get file dot sh to pull etc cmh cmh dot conf. We pull down a thing with the SSID and password, which is also printed on the box. So you know, there uh, better that it’s on the box, but whatever. Um, fun fact, that password is also the same password for SSH root login. So, you can grab the password nice and easily by just running this all pre-auth. Which, this hasn’t been released before as of the rest of them, nor have the rest of them. If you could advance please. And the last chew, and I’m going to be quick about this cause we have a special guest coming up, it's a smart speaker, Wi-Fi, you know Pandora, iHeartRadio, Spotify, has an Android app. If you could advance please. Uh, we reversed the Android app, and I say reversed because you know simple tools, it’s Java. Uh, found the update procedure, cleared the update server, got the firmware back as Amear was talking about earlier, from that firmware, we identified a potential vulnerability in rootApp, uh the iwpriv was just passing commands, was being executed with percent s which is for string, this being passed right to system, great thing to check for, not escaped, not anything, and that can actually be accessed pre-authenticated through httpapi. If you could advance please. Uh, here’s the curl, you see usr bin, telnetd, usr sbin telnetd, which is a thing going. Now we have root on the device, again pre-auth, this is on the internet it gets pumped. Could you advance please? So, that had me thinking, this was another Fry’s trip, uh Cobblestone Wi-Fi audio receiver, pretty much the same thing but without a speaker and considerably cheaper. Thank you sir. Uh could we advance please. Um again, Thursday went to Fry’s Las Vegas, super great for last minute things, although we spent like 3 hours there because too much time in Fry’s.
Needed to confirm a hypothesis, the thing did have a telnet server with the username admin password ad admin, that’s not the important part if you could advance please. Same exact exploit worked, different manufacturer, so that confirmed the hypothesis. If you could advance please. Uh, same bug, different manufacturer as I said, part of a turnkey Wi-Fi solution called LinkPlay, uh that’s the link to all the, after we reverse the app reversed, all of the firmwares in there uh 96 unique models, 7 hardware revisions, many appear to be affected by this remote code execution, there are 35 products listed on the LinkPlay wiimu page alone. If you could advance. Which encompass all of these, we haven’t bought them, we’re assuming most of them are vulnerable, not really sure. But now I’m going to hand it back to Amear if you could advance the slide please because we have some freebies [applause][laughter]
>>Alright everyone so yeah we have some freebies and we’re not, so here’s the thing, we got a ton of them, um I’m going to explain to you what they are real quickly, we’re going to give them out while we are showing our roots um and so that’s the plan um yeah, we got a special guest, um what I want to do is let’s get everyone to start chanting Dual Core so we can get him to come up here, do a little rap and really make our exploit show. So, uh, I got some free stuff, I got some free Dual Core CDs, I got some free boards, first of all, the boards, before we start chanting, we have eMMC boards, what they do is, they allow you to communicate with eMMC flash, with as little as 5 pins through a standard SD card reader/writer.
We have a white paper for it you can go look up, um from Blackhat this year we’ll have you know probably roughly 2,000 of these, we have some Exploitee.rs stickers and the CDs, we’ll just be walking around handing them out um try to give Dual Core some attention, I know you want freebies, but he’s awesome and he’s agreed to come out and do some stuff for us so let’s go ahead and chanting Dual Core, let’s get this guy going up here, come on [applause] come on, Dual Core, Dual Core, come on, Dual Core, come on, come on, Dual Core, Dual Core, Dual Core, Dual Core, come on buddy, Dual Core, Dual Core, Dual Core, yeah boy [applause] The nicest guy ever, nicest guy ever, come here buddy give me a hug. Dual Core, Dual Core.
>>Make some noise for Exploitee.rs [applause]. They truly hack all the things. My name is int80, I’m the rapper in Dual Core, I’d like to play a song called All the Things. We’re gonna rap, drink all the booze and hack all the things. Row 64 connecting to NASA. Pump it up, you can make it go to 11, here we go. Yo, even out settle scores quick, our disaster recovery requires even more disc put your bytes up prove it or you forfeit got my C64 and we blew it into orbit N bytes with 8 straight perfect [indiscernible] in motion make 8 great circuits in case you heard it's a name fake service, optimize our run time to escape verdicts, got an image in a scope flow and then they can’t sign pass the code sanitize command lines landmine.
So before they’ll see me after running I start virtual plus velociraptor don’t prove we’re human unless we really have to my team builds schemes and destroy reCAPTCHA hate what they see, finish this chapter by the way we’re not any geeks we hacked into NASA we drink all the booze, drink all the booze, drink all the booze got this vodka and this Red Bull they still give me wings so we drink all the booze, drink all the booze, drink all the booze, zero through three we’re in every single ring, yo I’m just waiting till my BlackBerry dies cause I’ll replace it with a Raspberry Pi, don’t compare to this try it made everything they said dull, neutralize any threat to Red Skull to dev no they killed virus writers that we mention but instead they ascended to the VX Heavens and reincarnate as live wires still inside hindsight design device drivers, which school will we hit next? They didn’t want to form that so we gotta print app, next step there’s a chin check free styles and I spin best they didn’t decrypt yet crush internet MCs and rhyme battles get your Wi-Fi deck that’ll hack by Pineapple I don’t think you’ll like my Snapple cause I popped it with vodka and a cyanide capsule. Make some noise for Exploitee.rs [applause] Here we go, we drink all the booze, drink all the booze, drink all the booze, got this vodka and this Red Bull they still give me wings so we drink all the booze, drink all the booze, drink all the booze, you know there’s gonna be security right? First we drink all the booze then hack all the things, then backdoor the firmware on anything you bring, regardless of the hardware service or recoded, connected to the internet someone’s gonna own it.
This is for the pirates that clap and love the sound, attacking from the clouds and we're back and underground there's some asking from us how tour notes around the globe track and hunt you down hacked on a schedule add it to your calendar devices online, here comes another challenger safe infiltrated, so undercover, this is for my comrades who's there with their debuggers that trace every buffer examine any code flow haven’t been to sleep, pop another NoDoz think I need a planet sized urn cause some men just wanna watch the world burn, your turn here we go, we drink all the booze, drink all the booze, drink all the booze, got this vodka and this Red Bull they still give me wings so we drink all the booze, drink all the booze, drink all the booze, zero through three we're in every single ring I mean these servers have more firewalls than the devil's bedroom. Hack all the things. Everybody hit up Exploitee.rs exploit ee dot rs download the whitepapers get the code get 0days get shells my name's int80 I’m the rapper in Dual Core I love you guys have an awfum- awesome Def Con yeah well good luck man [applause].