Post APRkdaFwPkhxIonbJw by vidister@chaos.social
 (DIR) Post #APRYulhptkNKHqH4zI by vidister@chaos.social
       2022-11-09T23:51:05Z
       
       4 likes, 1 repeats
       
       Today in a meeting I joked that I wanted to display bad apple on the IP phone that my employer gave to me. That's a nice evening project, so I'll take you on the journey of trying to get this working. [Thread]
       
 (DIR) Post #APRYunURGWqZos1PNo by vidister@chaos.social
       2022-11-09T23:54:44Z
       
       0 likes, 0 repeats
       
       First things first: How do I get root access on this thing? I don't want to break it, so opening it to look for a serial console is not an option. However, a short search on the Internet leads us to exploitdb, where someone found a way to misuse the ping/traceroute feature to run arbitrary commands as root. (with a valid session token, of course.) https://www.exploit-db.com/exploits/50509
       
 (DIR) Post #APRYuozfftQMU1drhg by vidister@chaos.social
       2022-11-10T00:01:29Z
       
       0 likes, 0 repeats
       
       Let's find out if this works on our particular model and firmware.. We fire up the browser dev tools, "copy as curl" and paste into Insomnia to get the three(??) session tokens. We play around with the request. aaand.. BINGO!
       
 (DIR) Post #APRYuqUY6ZiZ8562TI by vidister@chaos.social
       2022-11-10T00:08:40Z
       
       0 likes, 0 repeats
       
       Let's have a look at what we have.. This seems to be some linux 2.6 (the best one!) with bare busybox utils. No package manager, no curl, not even netcat :( But at least there's a telnet server.
       
 (DIR) Post #APRkdY5wRxWMbE6aSO by vidister@chaos.social
       2022-11-10T00:16:53Z
       
       0 likes, 0 repeats
       
       Let's try to start a telnet server! That worked right away. Luckily there are two users with passwords: `root` and `toor`. I tried some permutations of my admin pin and default passwords but these didn't work. I tried to replace the passwords in /etc/shadow with my own unix flavored salted md5 hashes, but for some reason this still didn't work. What a bummer.
       
 (DIR) Post #APRkdYZMgZ3a4Ts5Jo by vidister@chaos.social
       2022-11-10T00:25:37Z
       
       0 likes, 0 repeats
       
       So no interactive shell for us. :( But we need to find a way to stream video data to this device. No telnet client, no netcat. /dev/tcp doesn't work, this isn't bash. There's no python, no perl, no lua... Sure, we could cross-compile something and put it on the device in base64 encoded. But that sucks. We'd need to get the platform and libc version right... and copying will be a pain with the request size limit of our entry point.
       
 (DIR) Post #APRkdZBIPXOjy7cNRQ by vidister@chaos.social
       2022-11-10T00:34:03Z
       
       0 likes, 0 repeats
       
       I crawl through the filesystem to find anything that might work. Maybe there's something in the software that powers the phone that we can use? Oh, there are some really interesting binaries.. openvpn? bluetoothd? lighttpd? another busybox?!? Nice. They compiled wget in!
       
 (DIR) Post #APRkdZhYTbCbaAi8iu by vidister@chaos.social
       2022-11-10T00:43:40Z
       
       1 likes, 0 repeats
       
       Now we can fetch files. So, how do we draw to the display of the phone? There's no X11/Wayland or something like that, it looks like the software directly writes to the frame buffer. Let's try this...
       cat /dev/urandom > /dev/fb0
       Beautiful. 😎
       
 (DIR) Post #APRkdaFwPkhxIonbJw by vidister@chaos.social
       2022-11-10T01:00:39Z
       
       0 likes, 0 repeats
       
       I'm sure we can trick our good ol' friend ffmpeg into generating the raw frames in the right format. The display has 480x272 pixels, the first color format that comes to my mind is rgb24. For a moment I descend into chaos when trying to use ffmpeg, but eventually I succeed. With confidence I start Python's built-in http server using `python -m http.server` to serve the files. The idea is simple: `wget -O - <url> > /dev/fb0`. This looks... wrong.
       
 (DIR) Post #APRkdaj0ffxakyOod6 by vidister@chaos.social
       2022-11-10T01:16:08Z
       
       0 likes, 0 repeats
       
       To figure out what's going on we need to generate some test images. This image should be completely blue. But we only get some weird white vertical stripes. Turns out, there are sooo many weird pixel formats! https://usage.toolstud.io/docs/ffmpeg/usage/pix_fmts/
       
 (DIR) Post #APRkdbGKfmcCQJzQZM by vidister@chaos.social
       2022-11-10T01:32:03Z
       
       0 likes, 0 repeats
       
       Never gonna give up finding the right format. We actually have 16 bits per pixel. 5 for red, 6 for green and 5 for blue. Little endian. It's rgb565le. sure.. 🙄
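
The 5/6/5 little-endian layout named in the post above, as an added example that is not part of the original thread. It packs pixels for the 480x272 display and decodes a solid-blue rgb24 buffer the way a 16-bit framebuffer would read it; that the failing test image was rgb24 is an assumption, and the function names are illustrative.

```python
import struct

WIDTH, HEIGHT = 480, 272  # display size given in the thread


def pack_rgb565le(r, g, b):
    """Pack one 8-bit-per-channel pixel as RRRRRGGG GGGBBBBB, low byte first."""
    value = ((r >> 3) << 11) | ((g >> 2) << 5) | (b >> 3)
    return struct.pack("<H", value)


def rgb24_to_rgb565le(raw):
    """Convert packed rgb24 (3 bytes/pixel) to rgb565le (2 bytes/pixel)."""
    if len(raw) % 3:
        raise ValueError("rgb24 buffer length must be a multiple of 3")
    out = bytearray()
    for i in range(0, len(raw), 3):
        out += pack_rgb565le(raw[i], raw[i + 1], raw[i + 2])
    return bytes(out)


def solid_frame(r, g, b):
    """One full-screen test frame in the framebuffer's native format."""
    return pack_rgb565le(r, g, b) * (WIDTH * HEIGHT)


def misread_as_rgb565le(raw):
    """Decode bytes as 16-bit LE words, returning (r5, g6, b5) per pixel."""
    usable = raw[: len(raw) // 2 * 2]  # ignore a trailing odd byte
    return [(v >> 11, (v >> 5) & 0x3F, v & 0x1F)
            for (v,) in struct.iter_unpack("<H", usable)]


if __name__ == "__main__":
    # Constructed input: two blue rgb24 pixels (00 00 FF 00 00 FF).
    # Read as 16-bit words they become three different colours, a
    # pattern that repeats every 3 pixels; 480 is divisible by 3, so
    # the pattern lines up into vertical stripes.
    print(misread_as_rgb565le(bytes([0, 0, 255]) * 2))
    print(len(solid_frame(0, 0, 255)), "bytes per frame")
```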
       
 (DIR) Post #APRkdbkSrkiZvm5UXI by vidister@chaos.social
       2022-11-10T01:39:46Z
       
       0 likes, 0 repeats
       
       This is just a single frame. How do we make a video of it? First idea: Let's just write something that keeps telling our phone to fetch a new frame over and over again. How bad can it be? So I get my curl command, wrap it in a for loop and... it's bad. Maybe ~2 frames per second? We need something better.
       
 (DIR) Post #APRkdcJujx4fhifnn6 by vidister@chaos.social
       2022-11-10T01:48:55Z
       
       1 likes, 0 repeats
       
       the obvious improvement is to run the loop on the phone itself. Easier said than done, with our bare busybox shell.. Actually it took me quite a while to find a way that works.
       for i in {{1..1200}}
       Nope. Not supported.
       for i in $(seq 1 1200)
       No seq binary.
       while (( $i < $frames ))
       Not supported
       while [[ $i -lt $frames ]]
       This works! Now we need to increment our variable.
       i++
       of course not
       i=$(( $i + 1 ))
       no arithmetic supported.
       i=$(expr $i + 1)
       this works!
       
 (DIR) Post #APRkdcmH2Vl97fwRzk by vidister@chaos.social
       2022-11-10T02:10:21Z
       
       2 likes, 1 repeats
       
       And this is it, the moment we all have been waiting for... Bad Apple on my desk phone!
       
 (DIR) Post #APRkdeFjYSv1hKjUYK by vidister@chaos.social
       2022-11-10T02:14:43Z
       
       0 likes, 0 repeats
       
       It's really shitty. It manages to get around 6 FPS, depending on how busy the phone is with doing phone things. And sometimes the UI flashes up when it tries to update the screen. But it works!
       
 (DIR) Post #APRkdfkxxpUoMULwsC by vidister@chaos.social
       2022-11-10T02:17:54Z
       
       0 likes, 0 repeats
       
       I bet there are dozens of possible improvements. We haven't got audio working yet, that should be doable. One idea I had was to fix the skew in the playback time by writing a small webserver that delivers the right frame for the current playback time. This would allow the device to skip frames. Maybe there is a trivial way to implement the whole thing without performing a costly HTTP request for every frame?
       
 (DIR) Post #APRkdhDMXjnwsqe8m0 by vidister@chaos.social
       2022-11-10T02:19:17Z
       
       0 likes, 0 repeats
       
       But this is left as an exercise to you. I just had to procrastinate important stuff and wanted to prove a point.
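
One way to build the playback-time web server suggested a few posts up, as an added example that is not the thread author's code. It serves whichever frame matches the elapsed wall-clock time, so a slow client skips frames instead of drifting; the file name, port, 30 FPS source rate and starting the clock at the first request are all assumptions.

```python
import os
import time
from http.server import BaseHTTPRequestHandler, HTTPServer

FRAME_BYTES = 480 * 272 * 2  # one rgb565le frame for the 480x272 display
FPS = 30                     # assumed frame rate of the source video


def frame_index(elapsed, fps, total):
    """Frame due `elapsed` seconds into playback, clamped to the clip."""
    if total <= 0:
        raise ValueError("no frames")
    return min(max(int(elapsed * fps), 0), total - 1)


def read_frame(path, index):
    """Read one frame from a file of concatenated raw frames."""
    with open(path, "rb") as f:
        f.seek(index * FRAME_BYTES)
        return f.read(FRAME_BYTES)


class FrameHandler(BaseHTTPRequestHandler):
    video_path = "badapple.rgb565"  # hypothetical file of raw frames
    total_frames = 0
    started = None                  # playback clock, set on first request

    def do_GET(self):
        cls = type(self)
        now = time.monotonic()
        if cls.started is None:
            cls.started = now
        index = frame_index(now - cls.started, FPS, cls.total_frames)
        data = read_frame(cls.video_path, index)
        self.send_response(200)
        self.send_header("Content-Type", "application/octet-stream")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)


if __name__ == "__main__":
    size = os.path.getsize(FrameHandler.video_path)
    FrameHandler.total_frames = size // FRAME_BYTES
    HTTPServer(("0.0.0.0", 8000), FrameHandler).serve_forever()
```

The client loop stays unchanged apart from always requesting the same URL; the server decides which frame that request gets.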
       
 (DIR) Post #APSUI97Mpnw2SvyQ3k by puniko@mk.absturztau.be
       2022-11-10T10:56:35.550Z
       
       0 likes, 0 repeats
       
       @vidister@chaos.social is that gabi from project feline? ​:blobcataww:​