Finisterre

It seems you can shell out remotely on the X2 with old known vulnerable Windows services... this gives you access to the E:\ drive where the game resides unencrypted.

This likely works against other Windows Embedded based systems if you are able to enable basic networking.

More detail & exploit here
https://www.rapid7.com/db/modules/exploit/windows/smb/ms08_067_netapi
 

The x3 doesn't run Windows XP, so this exploit most likely won't work.

The encryption routine for the virtual disks is known, so dumping the games is easily achieved without needing to exploit the unit.
 
Correct, ms08-067 is a <=Vista/2008 vulnerability. Windows 7 came out in 2009.

Where can I read more about encryption routine on the x3's?
 
The x3 doesn't run Windows XP, so this exploit most likely won't work.

The encryption routine for the virtual disks is known, so dumping the games is easily achieved without needing to exploit the unit.
There are of course different forms of access... one may find it easier to wind up on the same network as a running machine, vs disassembly, and removal / transplant of the physical drive into a rig for extraction.

It is always beneficial to be aware of the basic concept of remote access via exploitation. This specific module may not apply; how about EternalBlue? Or a handful of other options :)

RingEdge runs WinXP; someone could test there if they were willing. Mine isn’t currently in a state to be tested.
 
For anyone following along, the “download -r” command in Meterpreter will allow archival of the game files sans disassembly or power down of a running unit.

I don’t know how they handle the OS for each game, so your mileage may vary.
 

E:\ drive where the game resides unencrypted.

Well to be fair, that's because that's after the system mounts if a game has txce, or txac well you're still sol but yea there are a whole host of exploits you can do to any X system just to get the files off the drive tbh since you can add just about anything to the OS.
 
The x3 doesn't run Windows XP, so this exploit most likely won't work.

The encryption routine for the virtual disks is known, so dumping the games is easily achieved without needing to exploit the unit.
So I've had 2 x3's show up. First one was a P&D on Windows Embedded 8 Standard. The second one is a LoV4 Windows 7 Embedded. The P&D appears to be vulnerable to ms17-010, but I couldn't pop it. The LoV4 I had no issues.


For those playing along, the username and password were not standard on the LoV4. fwiw
 