CVE-2022-23731 PoC — LG Electronics LG WebOS Security Vulnerability

Source
Associated Vulnerability
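Title: LG Electronics LG WebOS Security Vulnerability (CVE-2022-23731)
Description: LG Electronics LG WebOS is a smart TV operating system based on the Linux kernel, from LG Electronics of South Korea. A security vulnerability exists in LG Electronics LG WebOS: local privilege escalation is possible through a V8 engine vulnerability (a heap vulnerability).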
Description
WAMpage - A WebOS root LPE exploit chain (CVE-2022-23731)
Readme
# WAMpage
WAMpage - A WebOS root LPE exploit chain (CVE-2022-23731)

This exploit is mainly of interest to other researchers - if you just want to root your TV, you probably want [RootMyTV](https://github.com/RootMyTV/RootMyTV.github.io), which offers a reliable 1-click persistent root.

Currently only supports WebOS 4.x on 32-bit SoCs. This software is provided AS IS, use at your own risk, etc. etc.

Writeup: https://www.da.vidbuchanan.co.uk/blog/webos-wampage.html

![image](https://user-images.githubusercontent.com/13520633/147524216-c9fab6cd-6841-42ab-96b4-b7dd91ff0b23.png)


## Building

Prerequisites:

```bash
apt install qemu-user
npm install -g @webosose/ares-cli
```

Compiling:

```bash
make
```

## Testing Locally

`make test` will build and run the exploit in `d8`, running in `qemu-arm`. (A pre-compiled version of d8 and its dependencies is included in the `bin/` directory.) If the exploit works successfully, you'll probably get something like this:

```
[+] Starting WAMpage...
[+] addrof(myobj) = 0x5a68f5d1
[+] Test: reconstructed myobj: {"foo":"bar"}
[+] Set up arbread32/arbwrite32.
[+] stage2 shellcode loaded @ 0xff458000
[+] myfunc @ 0x5a693369
[+] stage1 RWX buf @ 0x5bb8f280
[+] Copied stage1 shellcode. Calling...
Traceback (most recent call last):
  File "<stdin>", line 25, in <module>
IOError: [Errno 13] Permission denied: '/dev/mem'
```

The permission error is expected, assuming your machine isn't totally misconfigured.

You can test the `devmemes.py` exploit by running it directly on a TV, but you'll either need root to begin with, or some other kind of unsandboxed/unjailed shell.
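The run above stops at `/dev/mem` with `Permission denied`, which is what a correctly configured machine returns. The following is an added example, not part of the WAMpage repository: a defender-side audit of the `/dev/mem` node and of the kernel options that govern it. The function names are hypothetical, and it assumes a Linux host and, for the second check, kernel config text you supply (for example from `/boot/config-*`).

```python
import os
import stat


def node_findings(st_mode, st_uid):
    """Findings for a /dev/mem device node, from its stat fields."""
    if not stat.S_ISCHR(st_mode):
        return ["not a character device"]
    perms = stat.S_IMODE(st_mode)
    out = []
    if perms & (stat.S_IROTH | stat.S_IWOTH):
        out.append("world-accessible (mode %04o)" % perms)
    if st_uid != 0:
        out.append("owned by non-root uid %d" % st_uid)
    if perms & stat.S_IWGRP:
        out.append("group-writable (mode %04o)" % perms)
    return out


def kconfig_findings(config_text):
    """Findings from kernel config text (CONFIG_X=y lines)."""
    opts = {}
    for line in config_text.splitlines():
        line = line.strip()
        # Lines such as "# CONFIG_X is not set" are skipped, so X stays absent.
        if line.startswith("CONFIG_") and "=" in line:
            key, value = line.split("=", 1)
            opts[key] = value
    out = []
    # CONFIG_DEVMEM provides /dev/mem; CONFIG_STRICT_DEVMEM restricts what
    # can be reached through it.
    if opts.get("CONFIG_DEVMEM") == "y" and opts.get("CONFIG_STRICT_DEVMEM") != "y":
        out.append("CONFIG_STRICT_DEVMEM not set")
    return out


def audit(path="/dev/mem"):
    """Stat the live node; an absent node yields no findings."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return []
    return node_findings(st.st_mode, st.st_uid)


if __name__ == "__main__":
    for finding in audit():
        print("[!]", finding)
```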

## Installation on TV

You can use `ares-install`, or manually copy over the IPK and run this from the devmode shell:

```bash
luna-send-pub -i 'luna://com.webos.appInstallService/dev/install' '{"id":"tv.rootmy.wampage","ipkUrl":"/path/to/wampage.ipk","subscribe":true}'
```

## Running on TV

Launch the app and press the "Start Exploit" button. If all goes well, a telnet server should open up on port 31337.
File Snapshot

```
[4.0K] /data/pocs/8383f8e3bdbb6e6e609b3c72b8e9fdbbad90818e
├── [4.0K] app
│   ├── [ 173] appinfo.json
│   ├── [8.4K] icon.png
│   ├── [ 752] index.html
│   ├── [4.0K] lib
│   │   ├── [3.1K] base64binary.js
│   │   └── [ 286] logging.js
│   └── [4.4K] wampage.js
├── [4.0K] bin
│   ├── [ 53M] d8
│   ├── [4.0K] d8_libs
│   │   ├── [ 13M] libc.so.6
│   │   ├── [ 99K] libgcc_s.so.1
│   │   ├── [5.4M] libm.so.6
│   │   ├── [2.1M] libpthread.so.0
│   │   ├── [379K] librt.so.1
│   │   ├── [830K] libstdc++.so.6
│   │   ├── [ 37K] libunwind-arm.so.8.0.1
│   │   └── [ 29K] libunwind.so.8.0.1
│   ├── [ 120] d8.sh
│   ├── [ 30M] mksnapshot
│   ├── [4.0K] mksnapshot_libs
│   │   ├── [1.9M] libc.so.6
│   │   ├── [118K] libgcc_s.so.1
│   │   ├── [1.0M] libm.so.6
│   │   ├── [156K] libpthread.so.0
│   │   ├── [ 38K] librt.so.1
│   │   └── [1.9M] libstdc++.so.6
│   ├── [ 145] mksnapshot.sh
│   ├── [218K] natives_blob.bin
│   └── [ 24] snapshot_blob.bin -> ../app/snapshot_blob.bin
├── [4.0K] build
├── [1.0K] LICENSE
├── [1000] Makefile
├── [2.0K] README.md
└── [4.0K] src
    ├── [2.4K] devmemes.py
    ├── [ 489] patch_snapshot.py
    ├── [4.0K] shellcode
    │   ├── [ 704] Makefile
    │   ├── [ 557] python_shellcode_stub.s
    │   ├── [ 628] shellcode_runner.c
    │   └── [ 287] shellcode.s
    └── [ 376] snapshot.js

8 directories, 36 files
```