
CVE-2020-12753 PoC — LG Mobile Devices With Android Buffer Error Vulnerability

Associated Vulnerability
Title: LG Mobile Devices With Android Buffer Error Vulnerability (CVE-2020-12753)
Description: LG Mobile Devices With Android is a line of Android-based mobile devices from the South Korean company LG. A buffer error vulnerability exists in LG Mobile Devices With Android; it stems from an EL1/EL3 cold-boot vulnerability involving raw_resources. An attacker can exploit this vulnerability through the bootloader to execute arbitrary code. (The affected devices run Android OS versions 7.2, 8.0, 8.1, 9 and 10.)
Description
A proof-of-concept for CVE-2020-12753
Readme
# CVE-2020-12753-PoC
This repo contains a proof-of-concept for 🔋📱❄️🥾🔓, an SBL1/aboot vuln for Secure EL3 arbitrary code execution on the LG Stylo 4 (AMZ/Q710ULM). This is only tested on updates 20a and 20c and with the SBL1 variant of the vulnerability.

```
 - Makefile                 : Builds raw_resources_a_mod.img given sbl_rop.s and raw_resources.img_884736
 - raw_resources.img_884736 : Original raw_resources partition; sha256 510def86aa7608ac02f243d3c161bf973ac4add066be763c8abcb2fee90a454c
 - raw_resources_a_mod.img  : pre-compiled raw_resources partition to be flashed; sha256 26ee5f4589009bc20269bdb813a78d729b9daba44f7826560f6b7201f5396e73
 - payload.bin              : pre-compiled output of sbl_rop.s (no RLE compression)
 - lg-craftres.py           : Python3 script which takes in raw_resources.img_884736 and payload.bin and outputs raw_resources_a_mod.img
 - sbl_rop.s                : ROP payload to be written to the stack by load_res_888rle_image
 - sbl_gadgets.s            : ROP gadget defines for SBL1, included by sbl_rop.s
```

To build from source, armips (https://github.com/Kingcom/armips) and Python 3 are required.
File Snapshot

```
[4.0K] /data/pocs/d330cad8a9fb13c5482b5061c11cb67706b03e5c
├── [5.1K] lg-craftres.py
├── [ 444] payload.bin
├── [4.0M] raw_resources_a_mod.img
├── [4.0M] raw_resources.img_884736
├── [1.1K] README.md
├── [ 537] sbl_gadgets.s
└── [2.8K] sbl_rop.s

0 directories, 7 files
```