Netgear NTV200-100NAS​

From Exploitee.rs
Jump to navigationJump to search

"Although the information we release has been verified and shown to work to the best our knowledge, we cant be held accountable for bricked devices or roots gone wrong."

NetgearNeoTV.jpg

This page will be dedicated to a general overview, descriptions, and information related to the Netgear NTV200-100NAS​ media player.

Purchase

Buying devices is expensive and, in a lot of cases our testing leads to bricked equipment. If you would like to help support our group, site, and research please use one of the links below to purchase your next device. Purchase the Netgear NTV200-100NAS​ at Amazon

UART Pinout

Exploitation

After analyzing and extracting the firmware by way of dumping the NAND flash, we discovered a flaw that allowed for code executing as root. This is a bit more complex than others, but it is still very straightforward to do.

Any of the "apps" on the device (flash applets) are downloaded from this url: http://updates1.netgear.com (yes, it's HTTP)

Using dnsspoof, we can spoof that url to point to a webserver that we control.

On that webserver, create the directory structure outlined below:

 /ntv200/us/game/

Since we will be using the Texas Hold'em app to gain root, download and place in that folder this file: http://updates1.netgear.com/ntv200/us/game/texas.tar

This is a two step process:

  • Step 1
    • Place a symlink labeled "hackme" pointing to /
  • Step 2
    • Drop the actual payload through the symlink

So, we first modify texas.tar - Add a symlink of hackme to / Copy that as texas.tar in the directory above, save it, and click the Texas Hold'em app. It will black screen, hit home a few times. Delete the texas.tar, and replace it with the new texas.tar that is created below:

Modify the tar, replace the symlink with a a folder structure:

/hackme/mnt/pstor/ 

Add a file in that directory called rcc.user calling telnet

FIX---------
telnetd

This file is run via bash as root and will persist at every boot. Login using the username root, no password!