May 11, 2021

Star-Light Smart-TV Exploitation


    anonymous

    DISCLAIMER: Everything I am testing on is my own and is on my own private network.

    A couple months ago I bought a Star-Light 32SLTA2300FS Smart TV, which, if you do not know, is made by a Romanian company. Due to the fact that it is a relatively “no-name” brand, I have not been able to find the actual website for some more information. I do, however, have a user manual I have not looked through yet.

    Here is what I HAVE tried on my journey trying to exploit it:

    - Did an nmap scan (`nmap -sC -sV -A -p- $LOCAL_IP`), which returned the following:

    ```
    Starting Nmap 7.91 ( https://nmap.org ) at $TIME
    Nmap scan report for $LOCAL_IP
    Host is up (0.0085s latency).
    Not shown: 65526 closed ports
    PORT      STATE SERVICE    VERSION
    2870/tcp  open  daishi?
    7382/tcp  open  unknown
    7681/tcp  open  unknown
    9080/tcp  open  http       Mongoose httpd
    |_http-title: Site doesn't have a title (application/json).
    36867/tcp open  unknown
    56615/tcp open  unknown
    56789/tcp open  tcpwrapped
    56790/tcp open  tcpwrapped
    60962/tcp open  unknown
    ```

    `3 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at` `https://nmap.org/cgi-bin/submit.cgi?new-service` `: ==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)============== SF-Port7382-TCP:V=7.91%I=7%D=4/14%Time=60774C7D%P=aarch64-unknown-linux-an SF:droid%r(NULL,1B8,”&x03) SF:%x03 SF:) SF:0”x03) SF:’x03) SF:( SF:0x03) SF:!x03) SF:x80x07x008x04&x16x0cx04x004x07x20 SF:x03) SF:0x12x03) SF:x03 SF:) SF:”)%r(GenericLines,1B8,”&x03) SF:0 SF:%x03) SF:”x03) SF:0’x03 SF:0) SF:(x03) SF:0!x03) SF:0x80x07x008x04&x16x0cx04x004 SF:x07x20x03) SF:x12x03) SF:0 SF:x03) SF:0”)%r(GetRequest,1B8,”&x03 SF:) SF:0%x03) SF:0”x03) SF:’ SF:x03) SF:0(x03) SF:!x03) SF:x80x07x008x04&x16x0c SF:x04x004x07x20x03) SF:0x12x03) SF: SF:0x03) SF:”); ==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)============== SF-Port36867-TCP:V=7.91%I=7%D=4/14%Time=60774C7D%P=aarch64-unknown-linux-a SF:ndroid%r(NULL,1B8,”&x03) SF:0%x0 SF:3) SF:”x03) SF:0’x03) SF:0( SF:x03) SF:0!x03) SF:0x80x07x008x04&x16x0cx04x004x07x20 SF:0x03) SF:x12x03) SF:0x03 SF:)`

    - Used dirb to look for directories at `http://$LOCAL_IP:9080/`, but that only found `/ping`. If I visit it, it seems like an ASCII file that just says “pong”.

    - Connected to the `unknown` ports via Netcat, which just returned a random set of characters containing exclamation points, etc.

    Today I will try another dirb scan with a larger wordlist, and when I have the time I will look through the user manual.

    If anyone is familiar with the aforementioned port numbers (I also do not understand all those bytes in the nmap scan) and how they could be exploited to gain a shell, it would be much appreciated if you could point me in the right direction.
