Kitz ADSL Broadband Information

Author Topic: BT Home Hub 3.0 - Type B  (Read 206314 times)

dmcdonnell

  • Member
  • **
  • Posts: 93
Re: BT Home Hub 3.0 - Type B
« Reply #165 on: January 07, 2013, 01:39:20 PM »

Quote
....For now, it is our intention to release a proof-of-concept exploit in 30 days.  I'll try to post an update if that timeline changes....

The 30 day notice period has now expired......................
Logged

zcutlip

  • Member
  • **
  • Posts: 33
Re: BT Home Hub 3.0 - Type B
« Reply #166 on: January 07, 2013, 09:04:19 PM »

Quote
The 30 day notice period has now expired......................

I haven't forgotten. Stay tuned.
Logged

zcutlip

  • Member
  • **
  • Posts: 33
Re: BT Home Hub 3.0 - Type B
« Reply #167 on: January 08, 2013, 03:26:57 AM »

Okay here's the proof of concept exploit.  Please note, *this isn't for everyone*.  This will give you a root shell, which is essential for further research into unlocking, but it's not an unlock.  I believe that a persistent unlock will follow relatively easily from this.

Please read the README for essential details.

A word of warning.  You'll be tempted, like me, to muck around and make changes to the root filesystem on your live device. DON'T DO IT.  You'll brick your device.  I believe the bootloader performs an integrity check across the JFFS2 filesystems before booting.  If this check fails the boot process stops.

You can check out the exploit code from:
https://github.com/zcutlip/exploit-poc.git

But it's probably easier to download this tarball:
http://s3.amazonaws.com/zcutlip_storage/homehub3b.tar.gz

Zach

Logged
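Zach's warning above rests on the belief that the bootloader checks the integrity of the JFFS2 filesystems before booting and halts if the check fails. The following is an added example, not code from the thread or from Zach's proof-of-concept, that models that failure mode: a build-time manifest of partition digests, a pre-boot verification pass, and a demonstration that a single modified byte in the root filesystem is enough to stop the boot. The partition contents, the partition names and the use of SHA-256 are all assumptions made for the example; the thread says nothing about the real bootloader's algorithm.

```python
import hashlib
import hmac

# Constructed sample partition images standing in for the device's JFFS2
# filesystems. These bytes are made up for this example; they are not real
# Home Hub data and the partition names are assumed, not taken from the device.
SAMPLE_PARTITIONS = {
    "rootfs": b"JFFS2-rootfs-image:" + bytes(range(256)),
    "rootfs_backup": b"JFFS2-rootfs-image:" + bytes(range(256)),
    "config": b"JFFS2-config-image:" + b"\x00" * 64,
}


def digest(image: bytes) -> str:
    """SHA-256 of a whole partition image (assumed algorithm for the example)."""
    return hashlib.sha256(image).hexdigest()


def build_manifest(partitions: dict) -> dict:
    """Record the expected digest of every partition, as the vendor would at
    firmware build time. The manifest is what the bootloader trusts."""
    return {name: digest(image) for name, image in partitions.items()}


def verify_before_boot(partitions: dict, manifest: dict):
    """Model of the pre-boot integrity check described in the post.

    Every partition named in the manifest must be present and must hash to the
    recorded value. Returns (ok, failed_partitions); ok is False if anything
    differs, which is the point at which the real device would stop booting.
    """
    failed = []
    for name, expected in manifest.items():
        image = partitions.get(name)
        # compare_digest avoids timing differences between near-miss digests
        if image is None or not hmac.compare_digest(digest(image), expected):
            failed.append(name)
    return (len(failed) == 0, failed)


def tamper(image: bytes, offset: int, value: int) -> bytes:
    """Return a copy of an image with one byte changed, standing in for the
    'mucking around with the live root filesystem' the post warns against."""
    modified = bytearray(image)
    modified[offset] = value
    return bytes(modified)


def demonstrate():
    """Run the check on pristine images, then on a root filesystem with one
    byte altered. Returns both verdicts so they can be checked by a caller."""
    manifest = build_manifest(SAMPLE_PARTITIONS)
    pristine = verify_before_boot(SAMPLE_PARTITIONS, manifest)

    edited = dict(SAMPLE_PARTITIONS)
    edited["rootfs"] = tamper(SAMPLE_PARTITIONS["rootfs"], 30, 0x41)
    after_edit = verify_before_boot(edited, manifest)
    return pristine, after_edit


if __name__ == "__main__":
    pristine, after_edit = demonstrate()
    print("pristine images boot:", pristine[0], "failed:", pristine[1])
    print("after one-byte edit:", after_edit[0], "failed:", after_edit[1])
```

The backup root filesystem is verified against its own manifest entry, so this model also shows why simply redirecting the kernel to the backup partition does not by itself get around a check that covers every filesystem the bootloader knows about.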

burakkucat

  • Respected
  • Senior Kitizen
  • *
  • Posts: 38300
  • Over the Rainbow Bridge
    • The ELRepo Project
Re: BT Home Hub 3.0 - Type B
« Reply #168 on: January 08, 2013, 05:26:17 PM »

Thank you, Zach. I shall examine your proof as soon as time permits.  :)
Logged
:cat:  100% Linux and, previously, Unix. Co-founder of the ELRepo Project.

Please consider making a donation to support the running of this site.

snadge

  • Kitizen
  • ****
  • Posts: 1450
Re: BT Home Hub 3.0 - Type B
« Reply #169 on: January 08, 2013, 07:44:12 PM »

thanks.. hope you can do something with it B'Kat  8)
Logged
Aquiss - 900/110/16ms - TP-Link AR73

zcutlip

  • Member
  • **
  • Posts: 33
Re: BT Home Hub 3.0 - Type B
« Reply #170 on: January 08, 2013, 11:00:08 PM »

Quote
Thank you, Zach. I shall examine your proof as soon as time permits.  :)

Let me know if I can help or if anything doesn't make sense.  Be sure to check the included vulnerability report for affected firmware versions.

Zach
Logged

burakkucat

  • Respected
  • Senior Kitizen
  • *
  • Posts: 38300
  • Over the Rainbow Bridge
    • The ELRepo Project
Re: BT Home Hub 3.0 - Type B
« Reply #171 on: January 09, 2013, 12:20:01 AM »

A rather sleepy b*cat believes he has noticed a typo in the Vulnerability Report --

Quote
Credit for this discovery goes to Zachary Cutlip, zcutlip@tacnetsol.com and Tactical Network Solutions, LLC
Assistance provided by:
Craig Heffner, cheffner@tacnetsol.com
Form participants on http://www.kitz.co.uk/

sed 's/Form participants/Forum participants/' perhaps?  :-X
Logged
:cat:  100% Linux and, previously, Unix. Co-founder of the ELRepo Project.

Please consider making a donation to support the running of this site.

burakkucat

  • Respected
  • Senior Kitizen
  • *
  • Posts: 38300
  • Over the Rainbow Bridge
    • The ELRepo Project
Re: BT Home Hub 3.0 - Type B
« Reply #172 on: January 09, 2013, 03:12:45 AM »

The file environment.py was edited --

Quote
[bcat@Duo2 TNS_homehub3b_exploit]$ cat environment.py
# Copyright (c) 2013 Zachary Cutlip
#                    Tactical Network Solutions, LLC

#void 0 octects, and values that map to whitepace chacters.
#CALLBACK_IP="192.168.99.64"
CALLBACK_IP="192.168.1.2"
[bcat@Duo2 TNS_homehub3b_exploit]$

A script session was started and the exploit was invoked.

Quote
[bcat@Duo2 TNS_homehub3b_exploit]$ cat try-01.txt
Script started on Wed 09 Jan 2013 01:05:59 GMT
[bcat@Duo2 TNS_homehub3b_exploit]$ ll
total 3412
-rw-r-----. 1 bcat bcat     178 Jan  8 02:56 environment.py
-rw-r-----. 1 bcat bcat 3434454 Jan  8 22:41 HH3.0B_Remote_Exploit.mp4
-rwxr-x---. 1 bcat bcat   13009 Jan  8 02:12
-rw-r-----. 1 bcat bcat   18092 Jan  8 02:13 LICENSE
-rw-r-----. 1 bcat bcat    1291 Jan  8 02:12 msearch_crash.py
-rw-r-----. 1 bcat bcat    1177 Jan  8 02:51 README
drwxr-x---. 5 bcat bcat    4096 Jan  9 01:04 simplesploit
-rw-r-----. 1 bcat bcat    2611 Jan  8 22:27 TNS_Vulnerability_Report_BT_HomeHub_3.0b.txt
-rw-r-----. 1 bcat bcat       0 Jan  9 01:05 try-01.txt
[bcat@Duo2 TNS_homehub3b_exploit]$ hh3b_exploit.py
Traceback (most recent call last):
  File "./hh3b_exploit.py", line 76, in <module>
    from simplesploit.servers.callbacK_server import Callback
ImportError: No module named callbacK_server
[bcat@Duo2 TNS_homehub3b_exploit]$ exit

Script done on Wed 09 Jan 2013 01:08:39 GMT
[bcat@Duo2 TNS_homehub3b_exploit]$

The cat-cursing started. And abated after a few minutes when I noticed an errant upper case 'K'.

Someone has left a typo in the python code (hh3b_exploit.py)!  :-X  I wonder who it could be!  :P

Now that he has the exploit working, b*cat -->  :sleep:   whilst Zach -->  :doh:
« Last Edit: January 09, 2013, 03:15:10 AM by burakkucat »
Logged
:cat:  100% Linux and, previously, Unix. Co-founder of the ELRepo Project.

Please consider making a donation to support the running of this site.

zcutlip

  • Member
  • **
  • Posts: 33
Re: BT Home Hub 3.0 - Type B
« Reply #173 on: January 09, 2013, 01:47:33 PM »

Quote
sed 's/Form participants/Forum participants/' perhaps?  :-X

Yup. Caught that one earlier, but hadn't committed the change yet.  Updated now.
Logged

zcutlip

  • Member
  • **
  • Posts: 33
Re: BT Home Hub 3.0 - Type B
« Reply #174 on: January 09, 2013, 01:51:30 PM »

Quote
The cat-cursing started. And abated after a few minutes when I noticed an errant upper case 'K'.

Someone has left a typo in the python code (hh3b_exploit.py)!  :-X  I wonder who it could be!  :P

Now that he has the exploit working, b*cat -->  :sleep:   whilst Zach -->  :doh:

Drat! Thought I had committed that fix.  :-/ Not up to my usual standards.

Should be fixed now. 
Logged

SecTSys

  • Member
  • **
  • Posts: 84
  • I only work with HTCPCP
    • Putney Computers Facebook page
Re: BT Home Hub 3.0 - Type B
« Reply #175 on: January 09, 2013, 03:00:37 PM »

WooT - I guess it is time to play! :D

Thank you, Zach - that is great news, and good to see!
Logged
Visit the Live Gaming Website STSLG Website
Visit my YouTube gaming channel at STS Live Gaming

btsimonh

  • Member
  • **
  • Posts: 20
Re: BT Home Hub 3.0 - Type B
« Reply #176 on: January 20, 2013, 09:24:56 AM »

Thanks, Zach - now we see if my 'dead' v3b is still running upnp :)

And yes it is!  So, how to implement a permanent mod....

Well, one option is to create a modified usb-storage.ko, as this would be loaded from /var/modules on boot.  Maybe have it restart the kernel with a new command line changing the rootfs to the backup rootfs, then the thing won't die from the bootloader checking of the rootfs (maybe! :).  Another route would be to try to create a subversive bt plugin, but it's not obvious if these would be loaded from /var/middleware or not.
« Last Edit: January 20, 2013, 02:16:07 PM by btsimonh »
Logged

zcutlip

  • Member
  • **
  • Posts: 33
Re: BT Home Hub 3.0 - Type B
« Reply #177 on: January 20, 2013, 06:36:25 PM »

Quote
Thanks, Zach - now we see if my 'dead' v3b is still running upnp :)

And yes it is!  So, how to implement a permanent mod....

Glad it's working for you.

Something that would be useful if someone is able to do it is to snag a firmware update file.  So far I've been unsuccessful at making my devices update.

When you brick the hh3b, it boots into a recovery mode, allowing you to upload a firmware file.  Having the firmware would allow us to take more risks in examining the device since there would be a way to recover if things go wrong.

Logged

SecTSys

  • Member
  • **
  • Posts: 84
  • I only work with HTCPCP
    • Putney Computers Facebook page
Re: BT Home Hub 3.0 - Type B
« Reply #178 on: January 24, 2013, 07:00:05 AM »

Speaking of bricking HH3 - did you get the new one I sent out yet, Zach?

Saying that, though, my mother sent out a parcel for me before the new year and that still hasn't arrived at mine yet...

How's this for an idea: once we crack this little beauty, we go and crack the postal service and solve their problems...
« Last Edit: January 24, 2013, 07:03:48 AM by SecTSys »
Logged
Visit the Live Gaming Website STSLG Website
Visit my YouTube gaming channel at STS Live Gaming

zcutlip

  • Member
  • **
  • Posts: 33
Re: BT Home Hub 3.0 - Type B
« Reply #179 on: January 29, 2013, 01:49:43 PM »

Quote
Speaking of bricking HH3 - did you get the new one I sent out yet, Zach?

Saying that, though, my mother sent out a parcel for me before the new year and that still hasn't arrived at mine yet...

How's this for an idea: once we crack this little beauty, we go and crack the postal service and solve their problems...

Just came in today. Thanks. :-)
Logged