Methods for starting a raw sh shell (telnet-like) on the latest firmware
#Get a USB stick and copy nc (netcat) to it, e.g. from BackTrack
#Plug the USB stick into your Boxee Box
Any USB disk is mounted automatically at /tmp/mnt/ID, and also gets a symlink from /media/LABEL to the mount point.
For example: /media/My_pendrive -> /tmp/mnt/F56-A64-74R
You can use this symlink instead of the mountpoint, and skip the next 3 steps.
#You need to find out where it's mounted, so go to http://yourboxeebox:8080
#Click "Get latest logs", open the log file and view the "storage"
#Here you can see the USB drive being mounted to e.g. /tmp/mnt/123-123
#Go to your Boxee Box settings/network and choose servers.
#Choose "Share Workgroup"
#Type in ;cp /tmp/mnt/123-123/nc /tmp;
#Go back out to the main settings menu again
#Go back in to the "Share Workgroup"
#Type /tmp/nc -lvp 31337 -e /bin/sh
#Go back, and the Boxee will freeze. That means it has executed nc and is waiting for netcat to exit.
#From your BackTrack, Windows or other machine, run
#nc yourboxeehost 31337
#You will see a blank prompt; try ls -al
Would like to thank the original author of the command execution bug, GTVHacker. Thanks for a fun Defcon!
Methods for Starting Telnet
!!! Neither method seems to work in Firmware 22.214.171.12419 or higher !!!
#Add repository http://erikkristensen.com/boxee/
#Launch "UnBoxed" app.
#Click Start Telnet
#Add the UnBoxed Mirror to get a working version of the app without the notice. (The one above just says that it no longer works)
#Add repository http://infinityoverzero.com/bbox/rep/
#Launch "UnBoxed" app.
Launcher App (Method 2)
#Add repository dir.fuzzthed.com
#Start "Launcher" app.
#Create an application.
#* Name the application <tt>Start Telnet</tt>.
#* Link should be "/etc/init.d/telnetd start" - include the quotes.
#Create another application.
#* Name the application <tt>Stop Telnet</tt>.
#* Link should be "/etc/init.d/telnetd stop" - include the quotes.
Launching "Start Telnet" should allow you to telnet to the box - you should be automatically logged in as root with no password prompt.
Launching the applications appears to do nothing, but will start or stop the telnet daemon behind the scenes.
Some display and formatting issues have been noticed with PuTTY, but "telnet" under Linux works fine. Use the "raw" mode in PuTTY and specify port 23 instead of using the "Telnet" default. This still has some display issues, but works well enough.
Normally we'd create a symlink in /dev/rc3.d/ to /etc/init.d/telnetd to start it on boot, but the root filesystem is read-only (on a rootfs filesystem). It can't be remounted read-write.
This does start (or stop) a root shell with no password. The root partition is read-only, but this could pose a security risk, depending on your network. You may want to stop the Telnet daemon (or reboot) when you're done experimenting.
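To confirm that the root-shell listeners described on this page are gone after you stop telnetd or reboot, the following added example (not part of the original page; the script and its function names are assumptions made for illustration) probes TCP ports 23 and 31337 from another machine. It treats a refused connection as closed and an unanswered probe as unknown, so a box that is merely unreachable is not reported as safe.

```python
#!/usr/bin/env python3
"""Check whether the passwordless root-shell listeners from this page are reachable."""
import socket
import sys

# Ports taken from the page: telnetd (23) and the netcat listener (31337).
ROOT_SHELL_PORTS = {23: "telnetd", 31337: "nc -e /bin/sh listener"}


def probe(host, port, timeout=2.0):
    """Return 'open', 'closed' or 'unknown' for one TCP port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"      # something accepted the connection
    except ConnectionRefusedError:
        return "closed"        # host answered with a reset: nothing is listening
    except OSError:
        return "unknown"       # timeout, unreachable or bad name: proves nothing


def audit(host, ports=ROOT_SHELL_PORTS, timeout=2.0):
    """Probe every port and return {port: state}."""
    return {port: probe(host, port, timeout) for port in ports}


def main(argv):
    if len(argv) != 2:
        print("usage: check_listeners.py <boxee-host>", file=sys.stderr)
        return 2
    results = audit(argv[1])
    for port, state in sorted(results.items()):
        print(f"{argv[1]}:{port} ({ROOT_SHELL_PORTS[port]}): {state}")
    if "open" in results.values():
        return 1               # a root shell is still exposed
    if "unknown" in results.values():
        return 3               # could not verify; check connectivity and retry
    return 0                   # every probe was actively refused


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as <tt>python3 check_listeners.py yourboxeehost</tt>; exit status 0 means both ports actively refused the connection.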