Jump to content

dzmanto

Members
 View Profile  See their activity

  • Posts

    4

  • Joined

  • Last visited

 Content Type 

Everything posted by dzmanto

  1. dzmanto
    Currently I don't have time. Cheers, Daniela
  2. dzmanto
    Dear Prophet: Here is how we're going to find out. The device according to static/mejs/mediaelement-and-player.min.js has flash player 9 0 124 installed. A flash file is thus needed with an exploit for flash version 9 0 124. Ideally, the flash file opens a root shell on some port while the USB device streams its content. Cheers, Daniela
  3. dzmanto
    Hi again: Below is the content of static/js/settings.js: /* This file includes portions of CryptoJS: Copyright 2009–2012 by Jeff Mott. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: Redistributions of source code must retain the above copyright notice, this list of conditions, and the following disclaimer. Redistributions in binary form must reproduce the above copyright notice, this list of conditions, and the following disclaimer in the documentation or other materials provided with the distribution. Neither the name CryptoJS nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS," AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ /* CryptoJS v3.0.2 code.google.com/p/crypto-js (c) 2009-2012 by Jeff Mott. All rights reserved. code.google.com/p/crypto-js/wiki/License */ var CryptoJS=CryptoJS||function(g,i){var f={},b=f.lib={},m=b.Base=function(){function a(){}return{extend:function(e){a.prototype=this;var c=new a;e&&c.mixIn(e);c.$super=this;return c},create:function(){var a=this.extend();a.init.apply(a,arguments);return a},init:function(){},mixIn:function(a){for(var c in a)a.hasOwnProperty(c)&&(this[c]=a[c]);a.hasOwnProperty("toString")&&(this.toString=a.toString)},clone:function(){return this.$super.extend(this)}}}(),l=b.WordArray=m.extend({init:function(a,e){a= this.words=a||[];this.sigBytes=e!=i?e:4*a.length},toString:function(a){return(a||d).stringify(this)},concat:function(a){var e=this.words,c=a.words,o=this.sigBytes,a=a.sigBytes;this.clamp();if(o%4)for(var b=0;b<a;b++)e[o+b>>>2]|=(c[b>>>2]>>>24-8*(b%4)&255)<<24-8*((o+b)%4);else if(65535<c.length)for(b=0;b<a;b+=4)e[o+b>>>2]=c[b>>>2];else e.push.apply(e,c);this.sigBytes+=a;return this},clamp:function(){var a=this.words,e=this.sigBytes;a[e>>>2]&=4294967295<<32-8*(e%4);a.length=g.ceil(e/4)},clone:function(){var a= m.clone.call(this);a.words=this.words.slice(0);return a},random:function(a){for(var e=[],c=0;c<a;c+=4)e.push(4294967296*g.random()|0);return l.create(e,a)}}),n=f.enc={},d=n.Hex={stringify:function(a){for(var e=a.words,a=a.sigBytes,c=[],b=0;b<a;b++){var d=e[b>>>2]>>>24-8*(b%4)&255;c.push((d>>>4).toString(16));c.push((d&15).toString(16))}return c.join("")},parse:function(a){for(var e=a.length,c=[],b=0;b<e;b+=2)c[b>>>3]|=parseInt(a.substr(b,2),16)<<24-4*(b%8);return l.create(c,e/2)}},j=n.Latin1={stringify:function(a){for(var e= a.words,a=a.sigBytes,b=[],d=0;d<a;d++)b.push(String.fromCharCode(e[d>>>2]>>>24-8*(d%4)&255));return b.join("")},parse:function(a){for(var b=a.length,c=[],d=0;d<b;d++)c[d>>>2]|=(a.charCodeAt(d)&255)<<24-8*(d%4);return l.create(c,b)}},k=n.Utf8={stringify:function(a){try{return decodeURIComponent(escape(j.stringify(a)))}catch(b){throw Error("Malformed UTF-8 data");}},parse:function(a){return j.parse(unescape(encodeURIComponent(a)))}},h=b.BufferedBlockAlgorithm=m.extend({reset:function(){this._data=l.create(); this._nDataBytes=0},_append:function(a){"string"==typeof a&&(a=k.parse(a));this._data.concat(a);this._nDataBytes+=a.sigBytes},_process:function(a){var b=this._data,c=b.words,d=b.sigBytes,j=this.blockSize,h=d/(4*j),h=a?g.ceil(h):g.max((h|0)-this._minBufferSize,0),a=h*j,d=g.min(4*a,d);if(a){for(var f=0;f<a;f+=j)this._doProcessBlock(c,f);f=c.splice(0,a);b.sigBytes-=d}return l.create(f,d)},clone:function(){var a=m.clone.call(this);a._data=this._data.clone();return a},_minBufferSize:0});b.Hasher=h.extend({init:function(){this.reset()}, reset:function(){h.reset.call(this);this._doReset()},update:function(a){this._append(a);this._process();return this},finalize:function(a){a&&this._append(a);this._doFinalize();return this._hash},clone:function(){var a=h.clone.call(this);a._hash=this._hash.clone();return a},blockSize:16,_createHelper:function(a){return function(b,c){return a.create(c).finalize(b)}},_createHmacHelper:function(a){return function(b,c){return u.HMAC.create(a,c).finalize(b)}}});var u=f.algo={};return f}(Math); (function(){var g=CryptoJS,i=g.lib,f=i.WordArray,i=i.Hasher,b=[],m=g.algo.SHA1=i.extend({_doReset:function(){this._hash=f.create([1732584193,4023233417,2562383102,271733878,3285377520])},_doProcessBlock:function(f,n){for(var d=this._hash.words,j=d[0],k=d[1],h=d[2],g=d[3],a=d[4],e=0;80>e;e++){if(16>e)b[e]=f[n+e]|0;else{var c=b[e-3]^b[e-8]^b[e-14]^b[e-16];b[e]=c<<1|c>>>31}c=(j<<5|j>>>27)+a+b[e];c=20>e?c+((k&h|~k&g)+1518500249):40>e?c+((k^h^g)+1859775393):60>e?c+((k&h|k&g|h&g)-1894007588):c+((k^h^g)- 899497514);a=g;g=h;h=k<<30|k>>>2;k=j;j=c}d[0]=d[0]+j|0;d[1]=d[1]+k|0;d[2]=d[2]+h|0;d[3]=d[3]+g|0;d[4]=d[4]+a|0},_doFinalize:function(){var b=this._data,f=b.words,d=8*this._nDataBytes,j=8*b.sigBytes;f[j>>>5]|=128<<24-j%32;f[(j+64>>>9<<4)+15]=d;b.sigBytes=4*f.length;this._process()}});g.SHA1=i._createHelper(m);g.HmacSHA1=i._createHmacHelper(m)})(); (function(){var g=CryptoJS,i=g.enc.Utf8;g.algo.HMAC=g.lib.Base.extend({init:function(f,b){f=this._hasher=f.create();"string"==typeof b&&(b=i.parse(b));var g=f.blockSize,l=4*g;b.sigBytes>l&&(b=f.finalize(b));for(var n=this._oKey=b.clone(),d=this._iKey=b.clone(),j=n.words,k=d.words,h=0;h<g;h++)j[h]^=1549556828,k[h]^=909522486;n.sigBytes=d.sigBytes=l;this.reset()},reset:function(){var f=this._hasher;f.reset();f.update(this._iKey)},update:function(f){this._hasher.update(f);return this},finalize:function(f){var b= this._hasher,f=b.finalize(f);b.reset();return b.finalize(this._oKey.clone().concat(f))}})})(); (function(){var g=CryptoJS,i=g.lib,f=i.Base,b=i.WordArray,i=g.algo,m=i.HMAC,l=i.PBKDF2=f.extend({cfg:f.extend({keySize:4,hasher:i.SHA1,iterations:1}),init:function(b){this.cfg=this.cfg.extend(b)},compute:function(f,d){for(var g=this.cfg,k=m.create(g.hasher,f),h=b.create(),i=b.create([1]),a=h.words,e=i.words,c=g.keySize,g=g.iterations;a.length<c;){var l=k.update(d).finalize(i);k.reset();for(var q=l.words,t=q.length,r=l,s=1;s<g;s++){r=k.finalize(r);k.reset();for(var v=r.words,p=0;p<t;p++)q[p]^=v[p]}h.concat(l); e[0]++}h.sigBytes=4*c;return h}});g.PBKDF2=function(b,d,f){return l.create(f).compute(b,d)}})(); (function(o){function q(b,f,a,e,c,d,g){b=b+(f&a|~f&e)+c+g;return(b<<d|b>>>32-d)+f}function l(b,f,a,e,c,d,g){b=b+(f&e|a&~e)+c+g;return(b<<d|b>>>32-d)+f}function m(b,f,a,e,c,d,g){b=b+(f^a^e)+c+g;return(b<<d|b>>>32-d)+f}function n(b,f,a,e,c,d,g){b=b+(a^(f|~e))+c+g;return(b<<d|b>>>32-d)+f}var j=CryptoJS,k=j.lib,r=k.WordArray,k=k.Hasher,p=j.algo,h=[];(function(){for(var b=0;64>b;b++)h[b]=4294967296*o.abs(o.sin(b+1))|0})();p=p.MD5=k.extend({_doReset:function(){this._hash=r.create([1732584193,4023233417, 2562383102,271733878])},_doProcessBlock:function(b,f){for(var a=0;16>a;a++){var e=f+a,c=b[e];b[e]=(c<<8|c>>>24)&16711935|(c<<24|c>>>8)&4278255360}for(var e=this._hash.words,c=e[0],d=e[1],g=e[2],i=e[3],a=0;64>a;a+=4)16>a?(c=q(c,d,g,i,b[f+a],7,h[a]),i=q(i,c,d,g,b[f+a+1],12,h[a+1]),g=q(g,i,c,d,b[f+a+2],17,h[a+2]),d=q(d,g,i,c,b[f+a+3],22,h[a+3])):32>a?(c=l(c,d,g,i,b[f+(a+1)%16],5,h[a]),i=l(i,c,d,g,b[f+(a+6)%16],9,h[a+1]),g=l(g,i,c,d,b[f+(a+11)%16],14,h[a+2]),d=l(d,g,i,c,b[f+a%16],20,h[a+3])):48>a?(c= m(c,d,g,i,b[f+(3*a+5)%16],4,h[a]),i=m(i,c,d,g,b[f+(3*a+8)%16],11,h[a+1]),g=m(g,i,c,d,b[f+(3*a+11)%16],16,h[a+2]),d=m(d,g,i,c,b[f+(3*a+14)%16],23,h[a+3])):(c=n(c,d,g,i,b[f+3*a%16],6,h[a]),i=n(i,c,d,g,b[f+(3*a+7)%16],10,h[a+1]),g=n(g,i,c,d,b[f+(3*a+14)%16],15,h[a+2]),d=n(d,g,i,c,b[f+(3*a+5)%16],21,h[a+3]));e[0]=e[0]+c|0;e[1]=e[1]+d|0;e[2]=e[2]+g|0;e[3]=e[3]+i|0},_doFinalize:function(){var b=this._data,f=b.words,a=8*this._nDataBytes,e=8*b.sigBytes;f[e>>>5]|=128<<24-e%32;f[(e+64>>>9<<4)+14]=(a<<8|a>>> 24)&16711935|(a<<24|a>>>8)&4278255360;b.sigBytes=4*(f.length+1);this._process();b=this._hash.words;for(f=0;4>f;f++)a=b[f],b[f]=(a<<8|a>>>24)&16711935|(a<<24|a>>>8)&4278255360}});j.MD5=k._createHelper(p);j.HmacMD5=k._createHmacHelper(p)})(Math); function postHttpRequest(url,params_array, callback) { // var url = "settings.xml"; // var params = array of the values subscripted by the corresponding // key: {'name': "John Smith", 'addr': "", ...} // We will use encodeURIComponent() to encode values in params //"lorem=ipsum&name=binny"; try { var params = ""; var prefix=''; for (var i in params_array) { var key = encodeURIComponent(i); var value = encodeURIComponent(params_array[i]); if (i == 'password' && params_array[i].toString().length == 64) { value = params_array[i].toString().replace(/(..)/g, "%$1"); } params += prefix + key + '=' + value; prefix = '&'; } var request = new XMLHttpRequest(); var timeoutID = null; var aborting = false; var timeout_handler = function() { if (request != null) { aborting = true; request.abort(); } timeoutID = null; callback(null); }; // The timeout time probably should be a setting. timeoutID = window.setTimeout( timeout_handler, 5 * 1000 ); request.open("POST", url, true); //Send the proper header information along with the request request.setRequestHeader("Content-type", "application/x-www-form-urlencoded"); // Safari complains about the next two headers. //request.setRequestHeader("Content-length", params.length); //request.setRequestHeader("Connection", "close"); request.onreadystatechange = function() { if (aborting) return; if (request.readyState == 4) { if (timeoutID) { window.clearTimeout(timeoutID); timeoutID = null; } if (request.status == 200) { //alert('Post was successful, returned: '+request.responseText); if (callback != null) { callback(request.responseXML.documentElement); request.onreadystatechange = null; //request = null; } } else { var msg="Error ("+request.status+"): "+request.statusText; alert(msg); if (callback != null) { callback(null); } } } } request.send(params); } catch (e) { alert('postHttpRequest: '+ e); } } //document.getElementById("hidebox").style.display = ""; function get_DOM_child(root, tag) { if (root==null || root==undefined) return undefined; try { for (var child = root.firstChild; child; child = child.nextSibling) { var name = child.localName || child.baseName; if (name == tag) { return child; } } } catch (e) { alert('get_DOM_child: ERROR: '+ e); } return undefined; } function get_DOM_child_text(root,tag) { var child = get_DOM_child(root,tag); if (child) { return child.textContent || child.text; } //alert("problem trying to get tag: "+tag+" - not found in root: " + root.localName); return ""; } function get_XML_info(path, callback, silent) { var request = new XMLHttpRequest(); var timeoutID = null; var aborting = false; var timeout_handler = function() { if (request != null) { aborting = true; request.abort(); } timeoutID = null; callback(null); }; // The timeout time probably should be a setting. timeoutID = window.setTimeout( timeout_handler, 5 * 1000 ); //request.setRequestHeader("Connection", "close"); request.onreadystatechange = function () { if (request.readyState == 4) { // We now have everything the server is going to send to us. if (timeoutID) { window.clearTimeout(timeoutID); timeoutID = null; } if (request.status == 200) { // Success //gXMLi_response_text = request.responseText; callback(request.responseXML.documentElement); request = null; } else if (aborting) { // Nothing to do. } else { if (! silent) { if (request.status == 404) { alert("Unable to fetch " + path); } else { // All other http error codes. var msg="Error retrieving XML data (code: "+request.status+"): "+request.statusText; alert(msg); } } callback(null); } } }; request.open('GET', path, true); request.send(null); } function security_type_changed() { /* if (document.getElementById("wep_security").selected) { document.getElementById("password_entry").style.display = ""; document.getElementById("password_1").maxLength = 13; document.getElementById("password_2").maxLength = 13; alert("We recommend using WPA2 for improved security. The WEP option will be removed in a future firmware update."); } else */ if (document.getElementById("wpa_security").selected) { document.getElementById("password_entry").style.display = ""; document.getElementById("password_1").maxLength = 63; document.getElementById("password_2").maxLength = 63; } else { document.getElementById("password_entry").style.display = "none"; } } function channel_changed() { if (document.getElementById("channel_12").selected || document.getElementById("channel_13").selected) { if (!confirm("The channel you have selected is not available in all regions. To use this channel, please confirm that you are not located within the US or Canada.")) { document.getElementById("channel_0").selected = true; } } } var oldSecurityType = null; var oldSSID = null; var oldChannel = null; var oldTimer = null; function get_settings_values() { var callback = function(value) { var ssid = get_DOM_child_text(value, "ssid"); oldSSID = ssid; document.getElementById("ssid").value = ssid; document.getElementById("ssid").removeAttribute("disabled"); var security = get_DOM_child_text(value, "security"); if (security == "none") { document.getElementById("open_security").selected = true; oldSecurityType = null; } else /*if (security == "wep") { document.getElementById("wep_security").selected = true; oldSecurityType = "wep"; } else */ if (security == "wpa") { document.getElementById("wpa_security").selected = true; oldSecurityType = "wpa"; } document.getElementById("password_1").value = ""; document.getElementById("password_2").value = ""; document.getElementById("security").removeAttribute("disabled"); security_type_changed(); var elem = "channel_" + get_DOM_child_text(value, "channel").replace(/^\s+|\s+$/g,""); if (document.getElementById(elem)) { document.getElementById(elem).selected = true; } document.getElementById("channel").removeAttribute("disabled"); var elem = "timeout_" + get_DOM_child_text(value, "timeout").replace(/^\s+|\s+$/g,""); if (document.getElementById(elem)) { document.getElementById(elem).selected = true; } oldChannel = document.getElementById("channel").value; oldTimer = document.getElementById("timeout").value; document.getElementById("timeout").removeAttribute("disabled"); var version = get_DOM_child_text(value, "version") + " (" + get_DOM_child_text(value, "buildmodel") + " " + get_DOM_child_text(value, "numericversion") + ")"; document.getElementById("version").firstChild.data = version; var serial = get_DOM_child_text(value, "serial"); document.getElementById("serial").firstChild.data = serial; }; get_XML_info("/settings.xml", callback, true); } function settings_restart() { if(document.getElementById("ssid").value != oldSSID) { return true; } if(document.getElementById("open_security").selected) { if(oldSecurityType != null) { return true; } } if(document.getElementById("wpa_security").selected) { if(oldSecurityType != "wpa") { return true; } } if(document.getElementById("password_1").value != "") { return true; } if(document.getElementById("password_2").value = "") { return true; } if(document.getElementById("channel").value != oldChannel) { return true; } return false; } function settings_cb(xml) { if (xml) { var status = xml.textContent || xml.text; if (status == 'ok') { if(settings_restart()) { alert('Please turn off, then turn on your SanDisk Wireless Stick for the new settings to take effect.'); } else { alert('The new settings were saved.'); } window.location.assign("/files/"); return; } else { alert('There was a problem saving the settings.'); } } } function save_settings() { var settings = new Array(0); var new_ssid = document.getElementById("ssid").value; if (new_ssid.length < 1 || new_ssid.length > 32) { alert("SSID must be between 1 and 32 characters"); return; } settings["ssid"] = new_ssid; if (document.getElementById("open_security").selected) { settings["security"] = "none"; settings["auth"] = "none"; } else /* if (document.getElementById("wep_security").selected) { settings["security"] = "wep"; if (document.getElementById("password_1").value != document.getElementById("password_2").value) { alert("WEP passwords do not match."); return; } if (document.getElementById("password_1").value.length > 0) { if (document.getElementById("password_1").value.length != 13) { alert("WEP password must be exactly 13 characters long."); return; } settings["password"] = document.getElementById("password_1").value; } else if (oldSecurityType != "wep") { alert("You must enter a WEP password."); return; } } else */ if (document.getElementById("wpa_security").selected) { settings["security"] = "wpa"; if (document.getElementById("password_1").value != document.getElementById("password_2").value) { alert("WPA passwords do not match."); return; } var new_password = document.getElementById("password_1").value; if (new_password.length > 0) { if (new_password.length < 8 || new_password.length > 63) { alert("WPA password must be between 8 and 63 characters long."); return; } settings["password"] = CryptoJS.PBKDF2(new_password, new_ssid, { keySize: 8, iterations: 4096 }); settings["auth"] = "all"; settings["authowner"] = "owner"; settings["authhash"] = CryptoJS.MD5("owner:" + new_ssid + ":" + new_password); } else if (oldSecurityType != "wpa" || new_ssid != oldSSID) { alert("You must enter a WPA password."); return; } } settings["channel"] = document.getElementById("channel").value; settings["timeout"] = document.getElementById("timeout").value; postHttpRequest('/settings.xml', settings, settings_cb); } function coex_on() { var settings = new Array(0); settings["group"] = "coex"; settings["action"] = "save"; settings["name"] = "test device"; postHttpRequest('/settings.xml', settings, settings_cb); } function coex_off() { var settings = new Array(0); settings["group"] = "coex"; settings["action"] = "delete"; postHttpRequest('/settings.xml', settings, settings_cb); } function about_toggle(which) { if (which) { document.getElementById("settings").style.display = "none"; document.getElementById("about").style.display = ""; } else { document.getElementById("settings").style.display = ""; document.getElementById("about").style.display = "none"; } } get_settings_values(); A manual call of coex_on(); or of coex_off(); in the web console of firefox did not yield any observable effect. Also, I tried to traverse the file system using window.location.assign("/"); with no success. Further suggestions, in particular suggestions about javascript injection via postHttpRequest(url,params_array, callback) are more than welcome. Cheers, Daniela
  4. dzmanto
    Hi there: The manual update file wfd2050e.df3 for the 64 GB version can be opened using 7z and contains at least two files AppManifest.xaml SilverlightMediaElement.dll The .dll file is an indication that the USB stick may be running some sort of embedded Windows. Also Bilgus' post of 26 July 2017 indicates that the device runs AutoIT scripts, so there is yet another pointer toward an embedded windows. The device uses jquery version 1.11.0 | (c) 2005, 2014. As of 2018, I expect that version 1.11.0 of jquery will have known security issues with CVE numbers. Hope this helps. Cheers, Dani
×
×
  • Create New...