MacintoshPro
#1
Junior Member - OP
Network Exploits Kin TWOm

Network Exploitation

Hello Everyone! This is my first ever post. I just got the Kin TWOm a few days ago and I've been playing around with a few different exploits.

Port Scanning

There are only two open ports on this device:

Port 138: NetBios-DGM
Port 137: Microsoft Windows Mobile netbios-ssn

I will be attempting to run a few different netbios attacks and I'll let you guys know if I gain root access!

Browser Exploits

According to the Wikipedia page on the Kin Series of phones the Browser Agent is: Mozilla/4.0 (compatible; MSIE 6.0; Windows CE; IEMobile 6.12; en-US; KIN.Two 1.0)

I will also attempt to run many IE 6,7,8 etc. exploits on this device.

I'LL KEEP YOU GUYS POSTED! Also, if you know any more information about the networking aspect of this device PLEASE RESPOND TO THIS POST!

Thanks.
 
johnkussack
(Last edited by johnkussack; 20th May 2011 at 09:44 PM.)
#2
Senior Member
True, but port hacks use the 139 port.
Also, netbios commands (alas "nbstat") don't work with the kin ip (just retested with router-assigned local ip), but kin answers pings.

Also, don't just believe what wiki says. Test a browser detector page for the browser headers, and the capabilities.

As we have understood the storage upload/download I guess that we can also retest this kind of approach.

Don't want to upset ya, but I tried most of the exploits and the meta xploit things without nothing more than explorer crashes without rooting. Also, we do not know anything (or almost) from the OS, so shellcodes in ARM assembly may not work when using dll addresses.

As others say that the M versions can open youtube, that's a good point to check too. I will think about it.

Edit, just checked it. Kin uses the "rtsp" protocol, which was unable on the version "kin two" (without M). Unfortunately, my kin doesn't play any vid from the net (maybe because not using 3g and just wifi).
Kin fanatic
 
Antonpup
#3
Member
Don't forget to test on 1.00 firmware. Since 1.00 had KIN Studio, which synced up everything. You might be able to get through the KIN Studio Sync.
 
johnkussack
#4
Senior Member
Give me a working kin two then. Also, a CDMA connection tower to at least, get the kin to try to call home.

.... just kidding.
Kin fanatic
 
Kinuser1
#5
Senior Member
@john, your kin won't let you watch videos? Well it's not because you're using a wifi network because I use a wifi network all the time. If you want youtube to work, then go to the page with the video, close out, go to settings then browser and delete temporary files and cache.
 
kintworooter
#6
Junior Member
I apologize if this doesn't pertain, but on MS answers forums I read that the loop on the original KIN OS uses a URL to function. Maybe this is exploitable..

somebody should look into this though.
 
johnkussack
#7
Senior Member
So.. I doubt that is up to a common user level to test this but, as I said before, the kin two (twoM version only) uses RTSP.

It's possible to use a custom url for that protocol in the normal address bar. For example:

rtsp://lamewebsite.com/roflvideo/

Of course, if you're on a lan, you can achieve something like:

rtsp://192.168.1.2/roflvideotest/

having a custom program listening on port 554 (default rtsp) at 192.168.1.2 .

There are some exploits (old, around the web) called "PoC rtsp exploit" which use customized rtsp packets to execute code and/or crash the receiver program.

Mmmm or probably not crashing either, but showing the "Doh! can't play this".

Of course, as you can see, you can patiently wait for a rtsp random url (not a real rtsp one) to load ("Loading...") to see that it's the Zune (aka "Music & more") App that loads the video.
So zune is the program to crash and/or exploit, which is not a weak target (not much more info about it or its weaknesses).
Kin fanatic
 
Marcellus1
#8
Member
@JohnKussack,

What about this HTTP zune exploit that allows overwriting zune files:
http://securityresponse.symantec.com...jsp?asid=22921

(I don't know anything about this exploit other than that it exists)
 
johnkussack
(Last edited by johnkussack; 16th June 2011 at 10:40 PM.)
#9
Senior Member
Quote:
Originally Posted by Marcellus1
What about this HTTP zune exploit that allows overwriting zune files:
http://securityresponse.symantec.com...jsp?asid=22921
From what I see, it's a (microsoft caused) name mistake. This seems to be for the Zune software at windows, not for the zune software (at Zune devices/kin).

It's like zune of zune devices under zune os to run zune apps in a zune world where everything is named zune.

Yup, I was right. Just tested a local server at home:

Code:
Kin RTSP server test on port 554
Waiting for connection from the kin
Kin connected from Address:  ('192.168.2.150', 49173)
##########################

DESCRIBE rtsp://192.168.2.134/ RTSP/1.0
CSeq: 1
Accept: application/sdp
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)


##########################
Edit: after several tries, it seems like it just su.... accepts .3gp files, and refuses to get another filetype. Ironically, the Microsoft papers about this, say that rtsp client should send the accepted files with the DESCRIBE request. (Home team failing, anyone?).

I doubt it would just accept the exploit idea (found the code for the exploit and it did not work, just normal error) or be a possible hole into the system.
Kin fanatic
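
Added example (not part of the thread and not any poster's code): a Python parser for the DESCRIBE request in the capture in post #9, which reports what the client advertised and compares its User-Agent with the browser agent string quoted in post #1. The function names and the CRLF line endings are assumptions.

```python
CAPTURED = (  # request text from the capture in post #9; CRLF endings assumed
    "DESCRIBE rtsp://192.168.2.134/ RTSP/1.0\r\n"
    "CSeq: 1\r\n"
    "Accept: application/sdp\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)\r\n"
    "\r\n"
)
# Browser agent string quoted in post #1
BROWSER_UA = ("Mozilla/4.0 (compatible; MSIE 6.0; Windows CE; "
              "IEMobile 6.12; en-US; KIN.Two 1.0)")
RTSP_METHODS = {"DESCRIBE", "OPTIONS", "SETUP", "PLAY", "PAUSE", "TEARDOWN",
                "ANNOUNCE", "RECORD", "GET_PARAMETER", "SET_PARAMETER"}


def parse_rtsp_request(raw):
    """Return (method, uri, version, headers); raise ValueError if malformed."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = head.split("\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or parts[0] not in RTSP_METHODS or not parts[2].startswith("RTSP/"):
        raise ValueError("bad request line: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            raise ValueError("bad header line: %r" % line)
        headers[name.strip().lower()] = value.strip()  # header names are case-insensitive
    if not headers.get("cseq", "").isdecimal():
        raise ValueError("missing or non-numeric CSeq")
    return parts[0], parts[1], parts[2], headers


def summarize(raw, browser_ua):
    """Report what the client advertised and how its UA compares to the browser's."""
    method, _uri, _version, headers = parse_rtsp_request(raw)
    ua = headers.get("user-agent", "")
    accept = [t.strip() for t in headers.get("accept", "").split(",") if t.strip()]
    return {
        "method": method,
        "cseq": int(headers["cseq"]),
        "accept": accept,
        "ua_matches_browser": ua == browser_ua,
        "ua_names_device": "KIN" in ua.upper(),
    }


if __name__ == "__main__":
    for key, value in summarize(CAPTURED, BROWSER_UA).items():
        print(key, "=", value)
```

On the captured request the User-Agent neither matches the browser string nor names the device, so the browser agent string is not a reliable way to recognise this RTSP client in server logs.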
 
Marcellus1
#10
Member
Quote:
Originally Posted by johnkussack

Edit: after several tries, it seems like it just su.... accepts .3gp files, and refuses to get another filetype.
Have you tried an mp4 or m4a file?

