Blackstar
This project is an attempt to boot a custom kernel on the Dish Network ViP222k series satellite receivers. So far, we have achieved a buffer overflow which could potentially result in remote code execution.
Project Goals
We'd like to boot a custom kernel (either Linux or NetBSD) via kexec upon gaining code execution on the target, purely over the network without plugging anything into the receiver itself. (Outside of potentially a USB stick?)
UPnP
On startup, the ViP units expose a UPnP server with a surprising (alarming?) amount of functions. Some examples:
- Increment/decrement channel
- Force redownload program guide
- Lock/unlock front panel controls and remote
- Remote reboot
- Test satellite switch (annoying, takes a very long time!)
(Among various other things.)
Currently, a Python script has been written (and will eventually be released) that can detect ViP units on a wireless network (via UPnP) and execute exposed actions.
Exploit
Though the firmware on the test unit was last updated in 2019, the version of libupnp
present on the system is version 1.6.6, which is susceptible to CVE-2012-5958, a buffer overflow capable of remote code execution. Using Metasploit's module for this CVE, we were able to trigger the overflow, although without a proper payload, the UPnP server simply crashed (after two attempts).
The potential for this exploit is that we can remotely boot a modified NetBSD or Linux kernel on affected boxes over the network, discovering and exploiting boxes via UPnP.