Hacking Blues - trapbit

Hacking Blues
Dionysus Blazakis -- October 22, 2012

When each day brings a new collection of stories about the horrors of the cyber age, it’s easy to forget why anyone would spend their professional lives in the security industry. Microsoft urged to sue exploit vendors! Huawei is coming -- hide your kids! The project I’m going to describe reminded me of the many tasks in this industry I enjoy. It also functioned as a soft target to run up the score a bit – after spending time fighting DEP, ASLR and process sandboxing, it’s nice to pop a shell without the Rube Goldberg quality of a modern exploit every now and then (but that’s fun too).

The Start

It started with a friend mentioning he was gifted a Blu-ray player equipped with ethernet, WiFi, and a JVM (which I later learned was part of the Blu-ray standard). The player is a Magnavox MBP5120F/F7 – at the time of writing, refurbished devices are cheap to purchase and easy to find. Originally, I just wanted to examine the firmware, but the goal mutated into gaining code execution to pop up a picture or change the splash screen – like Xzibit, I wanted to pimp my Blu-ray player. With a little digging, it was easy to find a copy of the latest firmware upgrade and a document describing the update process. The firmware upgrade was burned to a disc and placed in the player for upgrade. In a moment of innocence, we took a look at the firmware upgrade binary just in case it was unencrypted:

00000000  02 6d a0 d1 69 6e 64 65  7a b8 d8 b5 62 6c 65 00  |.m..indez...ble.|
00000010  7a 3c 49 5e 00 00 00 00  7a 3c 49 5e 00 00 00 00  |z<I^....z<I^....|
00000020  13 46 2c 3a 08 00 00 00  a6 06 83 f1 78 5f 74 61  |.F,:........x_ta|
00000030  7a 3c 49 5e 00 00 00 00  7a 3c 49 5e 00 00 00 00  |z<I^....z<I^....|
00000040  7a 3c 49 5e 00 00 00 00  76 28 4b df 84 01 00 00  |z<I^....v(K.....|
00000050  2f 54 90 d5 6d 61 69 6e  7a 28 59 de 6f 00 00 00  |/T..mainz(Y.o...|
00000060  7a 3c 49 5e 00 00 00 00  7a 3c 49 5e 00 00 00 00  |z<I^....z<I^....|
00000070  d6 28 4b df 84 01 00 00  96 df 84 30 14 b9 00 00  |.(K........0....|
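A quick way to put numbers on the "is it unencrypted?" look at the dump above, as an added example that is not part of the original article: it measures byte entropy, the share of zero bytes, and repeated aligned 4-byte words over the 128 bytes shown. The function names and the SHA-256-based reference stream are assumptions of this sketch, and the indicators are heuristics that describe only this header region.

```python
import hashlib
import math
from collections import Counter

# First 0x80 bytes of the firmware image, transcribed from the dump above.
HEADER = bytes.fromhex(
    "026da0d1696e64657ab8d8b5626c6500"
    "7a3c495e000000007a3c495e00000000"
    "13462c3a08000000a60683f1785f7461"
    "7a3c495e000000007a3c495e00000000"
    "7a3c495e0000000076284bdf84010000"
    "2f5490d56d61696e7a2859de6f000000"
    "7a3c495e000000007a3c495e00000000"
    "d6284bdf8401000096df843014b90000"
)

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte over the sample."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def repeated_words(data: bytes, width: int = 4) -> dict:
    """Aligned, non-zero words of `width` bytes that occur more than once."""
    words = Counter(data[i:i + width] for i in range(0, len(data) - width + 1, width))
    return {w.hex(): c for w, c in words.items() if c > 1 and any(w)}

def reference_entropy(n: int) -> float:
    """Entropy of n pseudo-random bytes (hypothetical stand-in for ciphertext).
    A small sample cannot reach 8.0: n bytes give at most log2(n) bits."""
    stream = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest()
                      for i in range(n // 32 + 1))
    return shannon_entropy(stream[:n])

def triage(data: bytes) -> dict:
    """Indicators that a region is structured plaintext rather than ciphertext."""
    return {
        "entropy": round(shannon_entropy(data), 2),
        "reference": round(reference_entropy(len(data)), 2),
        "zero_fraction": round(data.count(0) / len(data), 2),
        "repeated_words": repeated_words(data),
    }

if __name__ == "__main__":
    for key, value in triage(HEADER).items():
        print(f"{key:15} {value}")
```

Entropy well below the same-size reference, long zero runs and a word that recurs at aligned offsets are all things the output of a sound cipher mode would not show.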