Difference between revisions of "Netgear Push2TV (PTV3000)"

From Exploitee.rs
 
m (Text replacement - "gtvcom-20" to "exploiteers-20")
 
(2 intermediate revisions by one other user not shown)
Line 7: Line 7:
== Purchase ==
== Purchase ==
Buying devices is expensive and, in a lot of cases our testing leads to bricked equipment. If you would like to help support our group, site, and research please use one of the links below to purchase your next device.
Buying devices is expensive and, in a lot of cases our testing leads to bricked equipment. If you would like to help support our group, site, and research please use one of the links below to purchase your next device.
[http://www.amazon.com/gp/product/B00904JILO/ref=as_li_tl?ie=UTF8&camp=1789&creative=390957&creativeASIN=B00904JILO&linkCode=as2&tag=gtvcom-20&linkId=TZYDPVXAW3YVMF7N Purchase the Netgear Push2TV at Amazon]
[http://www.amazon.com/gp/product/B00904JILO/ref=as_li_tl?ie=UTF8&camp=1789&creative=390957&creativeASIN=B00904JILO&linkCode=as2&tag=exploiteers-20&linkId=TZYDPVXAW3YVMF7N Purchase the Netgear Push2TV at Amazon]


== Pinout ==
== Pinout ==
Line 22: Line 22:
* There is also a command injection in the web interface. By inserting a command in the box nickname field (say ;reboot;) the command will be executed as root.
* There is also a command injection in the web interface. By inserting a command in the box nickname field (say ;reboot;) the command will be executed as root.
* Finally, the SPI flash chip holds the U-Boot environment, it can be reflashed to load a modified environment
* Finally, the SPI flash chip holds the U-Boot environment, it can be reflashed to load a modified environment
==Root Demo==
{{#ev:youtube|CaL8O26oXas}}

Latest revision as of 01:22, 7 February 2016

"Although the information we release has been verified and shown to work to the best of our knowledge, we can't be held accountable for bricked devices or roots gone wrong."


This page will be dedicated to a general overview, descriptions, and information related to the Netgear Push2TV.

Purchase

Buying devices is expensive and, in a lot of cases, our testing leads to bricked equipment. If you would like to help support our group, site, and research, please use one of the links below to purchase your next device. Purchase the Netgear Push2TV at Amazon

Pinout

Exploitation

There are multiple vulnerabilities in the Netgear Push2TV (PTV3000):

  • Connecting to the UART per the input above, press the spacebar while booting to interrupt the bootloader, U-Boot. From here you can execute your own bootloader commands. "setenv bootargs init=/bin/sh" will drop you to a root shell.
  • If you miss that, via UART again, a root console is active for 2-3 seconds after booting. As long as you enter your commands while it boots, they will be executed.
  • There is also a command injection in the web interface. By inserting a command in the box nickname field (say ;reboot;) the command will be executed as root.
  • Finally, the SPI flash chip holds the U-Boot environment; it can be reflashed to load a modified environment.
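
The nickname command injection listed above is the result of request input reaching a shell command line. The following is an added example, not taken from the original page and not the device's firmware code, showing that pattern beside a hardened form. The helper name `set_nickname`, its path and the 32-character limit are assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#define NICK_MAX 32   /* assumed limit */

/* Vulnerable pattern: nickname pasted into a shell line meant for system().
 * "set_nickname" is a hypothetical helper; the string is built, never run. */
int build_cmd_unsafe(const char *nick, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "set_nickname %s", nick);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Allowlist: 1..NICK_MAX characters from [A-Za-z0-9 _-], no leading '-'
 * (so the helper can never parse the value as an option). */
int nickname_is_valid(const char *nick)
{
    size_t len = strlen(nick);
    if (len == 0 || len > NICK_MAX || nick[0] == '-')
        return 0;
    for (const char *p = nick; *p; p++)
        if (!isalnum((unsigned char)*p) && !strchr(" _-", *p))
            return 0;
    return 1;
}

/* Hardened pattern: validate, then pass the value as a single argv element
 * (for an execv()-style call), so no shell ever parses it. 0 on success. */
int build_argv_safe(const char *nick, const char *argv[3])
{
    if (!nickname_is_valid(nick))
        return -1;
    argv[0] = "/usr/sbin/set_nickname";   /* hypothetical path */
    argv[1] = nick;
    argv[2] = NULL;
    return 0;
}

int main(void)
{
    const char *samples[] = { "Living Room TV", ";reboot;" }; /* constructed */
    char cmd[128];
    const char *argv[3];
    for (int i = 0; i < 2; i++) {
        build_cmd_unsafe(samples[i], cmd, sizeof cmd);
        printf("shell: \"%s\" argv: %d\n", cmd, build_argv_safe(samples[i], argv));
    }
    return 0;
}
```

Because the web interface runs the command as root, the validation has to happen server-side in the handler; a check in the page's JavaScript alone would not change what the device executes.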

Root Demo