Sony BDP-S5100

From Exploitee.rs
Revision as of 23:39, 11 August 2014 by CJ (talk | contribs)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigationJump to search

"Although the information we release has been verified and shown to work to the best our knowledge, we cant be held accountable for bricked devices or roots gone wrong."

Sony-bdp-s5100-multi-region-blu-ray-dvd-player.jpg

This page will be dedicated to a general overview, descriptions, and information related to the Sony BDP-S5100 Blu-Ray player .

Purchase

Buying devices is expensive and, in a lot of cases our testing leads to bricked equipment. If you would like to help support our group, site, and research please use one of the links below to purchase your next device. Purchase the Sony BDP-S5100 Blu-Ray Player at Amazon

GPL

You can find GPL code for the Sony BDP-S5100 Here

Exploitation

A bug exists in the MTK supplied SDK which affects many Blu-Ray players, including the BDP-S5100. ​ The main binary, which controls all aspects of the player has leftover debug instructions for the VUDU app. When the VUDU app is run, if a file exists named "vudu.txt" , in a directory labeled "vudu" on a FAT formatted flash drive it will attempt to execute "vudu/vudu.sh", and deletes vudu.txt. It runs this sh as root. Using the commands below, you can spawn a root telnet shell, allowing access to the device:

  • Create a folder named "vudu" on a FAT formatted flash drive.
  • Inside that folder, create a blank file named "vudu.txt"
  • Also in that folder, create a file named "vudu.sh" containing the following:
#!/bin/sh

echo "executing" > /mnt/sda1/vudu.txt
mount -t overlayfs -o overlayfs /etc/passwd
echo "root::0:0:root:/root:/bin/sh" > /etc/passwd

/mnt/rootfs_normal/usr/sbin/telnetd

  • Start the player with the flash drive plugged in, and execute the VUDU app. The code has been executed, and a telnet shell now exists for you to connect to on port 23 as root. Following this, you will be brought back to the main menu.