Blackstar - Revision history

JennyWakeman: gug

2024-09-11T14:38:21Z

gug

← Older revision		Revision as of 14:38, 11 September 2024
Line 1:		Line 1:
	This is a ~~project to (hopefully) achieve remote code execution~~ on the Dish Network ~~ViP line of set-top boxes~~. ~~The unit used for testing is~~ a ~~Dish Network ViP222k~~.		This project is an attempt to boot a custom kernel on the Dish Network ViP222k series satellite receivers. So far, we have achieved a buffer overflow which could potentially result in remote code execution.

	~~I wouldn't place bets on this project's success. I do not have a background in cybersecurity or pentesting. It'd be funny though.~~		== Project Goals ==
			We'd like to boot a custom kernel (either Linux or NetBSD) via kexec upon gaining code execution on the target, purely over the network without plugging anything into the receiver itself. (Outside of potentially a USB stick?)
	== Goals ==

	* Framebuffer access (~~for funniest image I'll ever take~~)
	* Boot NetBSD (someday, ~~somehow)~~
	* Run Doom (~~maybe~~)

	== UPnP ==		== UPnP ==

JennyWakeman: JennyWakeman moved page EchoStomp PLUS to Blackstar: cooler name

2024-09-11T14:33:05Z

JennyWakeman moved page EchoStomp PLUS to Blackstar: cooler name

← Older revision		Revision as of 14:33, 11 September 2024
(No difference)

JennyWakeman: add section on cve

2024-09-11T14:32:24Z

add section on cve

← Older revision		Revision as of 14:32, 11 September 2024
Line 20:		Line 20:
	(Among various other things.)		(Among various other things.)

	Currently, a Python script has been written (and will eventually be released) that can detect ViP units on a wireless network (via UPnP) and execute exposed actions. ~~This has~~ the ~~added advantage of being able to quickly detect model information and grab~~ the unit~~'s IP (for port scanning~~, ~~which will be done Soon~~<~~sup~~>ᚾᛖ</~~sup~~>.)		Currently, a Python script has been written (and will eventually be released) that can detect ViP units on a wireless network (via UPnP) and execute exposed actions.

			=== Exploit ===
			Though the firmware on the test unit was last updated in 2019, the version of <code>libupnp</code> present on the system is version 1.6.6, which is susceptible to [https://nvd.nist.gov/vuln/detail/CVE-2012-5958 CVE-2012-5958], a buffer overflow capable of remote code execution. Using Metasploit's module for this CVE, we were able to trigger the overflow, although without a proper payload, the UPnP server simply crashed (after two attempts).

			The potential for this exploit is that we can remotely boot a modified NetBSD or Linux kernel on affected boxes over the network, discovering and exploiting boxes via UPnP.
	[[Category:Projects]]		[[Category:Projects]]

JennyWakeman: What? Help me!

2024-09-10T14:31:22Z

What? Help me!

← Older revision		Revision as of 14:31, 10 September 2024
Line 21:		Line 21:

	Currently, a Python script has been written (and will eventually be released) that can detect ViP units on a wireless network (via UPnP) and execute exposed actions. This has the added advantage of being able to quickly detect model information and grab the unit's IP (for port scanning, which will be done Soon<sup>ᚾᛖ</sup>.)		Currently, a Python script has been written (and will eventually be released) that can detect ViP units on a wireless network (via UPnP) and execute exposed actions. This has the added advantage of being able to quickly detect model information and grab the unit's IP (for port scanning, which will be done Soon<sup>ᚾᛖ</sup>.)
			[[Category:Projects]]

JennyWakeman: jcnjkndjknaskjnckjndsakjfbdfbjhbdhfwboechwfoexuiofaonucfoiunuipqnoirunsoiufcnoiafuoinuciodsnauopibeiqubwrcrberyrwehwrnehuidxfjneoqjrjbijausodjfcobuiewcjneuweqirbqiudhboxnqyuiybduyauiybauiefonjeqpxiqefournqceuroiquriupxueoqxunuqexuehmmnqdpznjafhdfhbehcqoonuiwhmefixuefuzhbeuiqseyuefnhxnhfiuhninhewqioybffgryweiueyzbfyxgexweybfgqixbyefgigeqnxgfeyfqgenxygwehqjggdhgafshfgiexqbeytvieytewvytftewvfiqwvtvyetwgfnyyifbysfubiabduyfboefyeborybiubwufbyeoufybyasybidosafybfucknyndxiuyebifvuebxnqnyszehbyezuyiybiu

2024-09-10T14:14:25Z

jcnjkndjknaskjnckjndsakjfbdfbjhbdhfwboechwfoexuiofaonucfoiunuipqnoirunsoiufcnoiafuoinuciodsnauopibeiqubwrcrberyrwehwrnehuidxfjneoqjrjbijausodjfcobuiewcjneuweqirbqiudhboxnqyuiybduyauiybauiefonjeqpxiqefournqceuroiquriupxueoqxunuqexuehmmnqdpznjafhdfhbehcqoonuiwhmefixuefuzhbeuiqseyuefnhxnhfiuhninhewqioybffgryweiueyzbfyxgexweybfgqixbyefgigeqnxgfeyfqgenxygwehqjggdhgafshfgiexqbeytvieytewvytftewvfiqwvtvyetwgfnyyifbysfubiabduyfboefyeborybiubwufbyeoufybyasybidosafybfucknyndxiuyebifvuebxnqnyszehbyezuyiybiu

New page

This is a project to (hopefully) achieve remote code execution on the Dish Network ViP line of set-top boxes. The unit used for testing is a Dish Network ViP222k.

I wouldn't place bets on this project's success. I do not have a background in cybersecurity or pentesting. It'd be funny though.

== Goals ==

* Framebuffer access (for funniest image I'll ever take)
* Boot NetBSD (someday, somehow)
* Run Doom (maybe)

== UPnP ==
On startup, the ViP units expose a UPnP server with a surprising (alarming?) amount of functions. Some examples:

* Increment/decrement channel
* Force redownload program guide
* Lock/unlock front panel controls and remote
* Remote reboot
* Test satellite switch (annoying, takes a very long time!)

(Among various other things.)

Currently, a Python script has been written (and will eventually be released) that can detect ViP units on a wireless network (via UPnP) and execute exposed actions. This has the added advantage of being able to quickly detect model information and grab the unit's IP (for port scanning, which will be done Soon<sup>ᚾᛖ</sup>.)