PoC Exploit Samsung Android Phones

17 Posts
8 Users
0 Likes
3,960 Views
(@trewmte)
Posts: 1877
Noble Member
Topic starter
 

A PoC (Proof of Concept) exploit takes advantage of a known vulnerability in Samsung's Android phones that allows an attacker to access phone storages via USB, bypassing the lock screen and/or Charge only mode. This is because one of the most common ways to connect your Android phone to your computer is by using the Media Transfer Protocol (MTP). Via MTP you can manage folders, files (and some other things) on the different storages (i.e. internal memory and SD) available on your device. When the screen of the phone is locked with a password or when the USB mode is set to Charge only, it shouldn't be possible to access the device via MTP (or other USB protocols). In reality what really happens is that the device will prevent you from obtaining the "list" of the available storages, but it will let you do everything else. Many common MTP clients probably won't let you access a device that reports zero storages. But you can write a client that just asks for a list of all files on all storages and the device will satisfy your request. The interesting thing is that in the answer that you will get from the device you will also have storage ids for the returned files, which means that now you can use those storage ids with requests that can't be issued generically against all storages, i.e. file uploads. This vulnerability has been found on Samsung's devices from 2012 until 2017, with any Android version from 4.0.3 to 7.x.

The tool is free - https://github.com/smeso/MTPwn

 
Posted : 17/05/2018 1:52 pm
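To make the gating flaw described in the post concrete from the device side, here is an added example (not from the thread and not code from MTPwn): a constructed, minimal model of an MTP responder's request dispatch. The operation and response codes are the standard PTP/MTP values; the device state, storages and object handles are made up for the example.

```python
# Added example: model of an MTP responder's dispatch while the phone is locked.
# gate_all_ops=False reproduces the behaviour described in the post: only the
# storage list is withheld, every other operation is still served.
# gate_all_ops=True refuses every object-level operation while locked.

GET_STORAGE_IDS, GET_OBJECT_HANDLES, GET_OBJECT_INFO = 0x1004, 0x1007, 0x1008
GET_OBJECT, SEND_OBJECT_INFO, SEND_OBJECT = 0x1009, 0x100C, 0x100D
RC_OK, RC_ACCESS_DENIED = 0x2001, 0x200F
ALL_STORAGES = 0xFFFFFFFF  # MTP wildcard storage id meaning "every storage"

# Constructed device contents: object handle -> (storage id, path)
OBJECTS = {1: (0x10001, "DCIM/IMG_0001.jpg"), 2: (0x10001, "notes.txt"),
           3: (0x20001, "sdcard/backup.zip")}
STORAGES = [0x10001, 0x20001]
OBJECT_OPS = (GET_OBJECT_HANDLES, GET_OBJECT_INFO, GET_OBJECT,
              SEND_OBJECT_INFO, SEND_OBJECT)

def handle_request(op, locked, gate_all_ops, storage_id=ALL_STORAGES):
    """Return (response_code, payload) for one MTP operation."""
    if locked:
        if op == GET_STORAGE_IDS:
            return RC_OK, []            # "no storages available"
        if gate_all_ops and op in OBJECT_OPS:
            return RC_ACCESS_DENIED, None   # hardened: nothing else served
    if op == GET_STORAGE_IDS:
        return RC_OK, list(STORAGES)
    if op == GET_OBJECT_HANDLES:
        # Note the wildcard: a client need not know any storage id to ask.
        return RC_OK, [h for h, (sid, _) in OBJECTS.items()
                       if storage_id in (ALL_STORAGES, sid)]
    if op in OBJECT_OPS:
        return RC_OK, "served"
    return RC_ACCESS_DENIED, None       # operation not modelled here

def exposure_while_locked(gate_all_ops):
    """How many object handles a locked device hands out under each policy."""
    rc, handles = handle_request(GET_OBJECT_HANDLES, True, gate_all_ops)
    return len(handles) if rc == RC_OK else 0
```

The point of the model is that withholding GetStorageIDs alone is not an access control; the lock state has to be checked on every object-level operation.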
passcodeunlock
(@passcodeunlock)
Posts: 792
Prominent Member
 

Thanks for sharing, this post came right in time! If it works on the device I got in a highly sensitive case, hopefully it will keep a dangerous criminal behind bars!

If it works, I'll write some feedback on it.

 
Posted : 17/05/2018 7:03 pm
passcodeunlock
(@passcodeunlock)
Posts: 792
Prominent Member
 

No luck, the Android Security Patch Level is newer on this device. It is also encrypted and asking for a password on boot, so no MTP connection could be set up anyway.

 
Posted : 18/05/2018 10:11 am
(@mcman)
Posts: 189
Estimable Member
 

It's a decent exploit and MTP data is better than nothing usually. A friend of mine used it for an S7 that had a busted screen that couldn't be repaired. Security patch level needs to be before Oct/Nov 2017 (depending on the device). Encryption shouldn't be a problem but the secure boot would cause an issue as you need to boot the phone.

If you have Magnet AXIOM, it uses this exploit and works quite well. If you don't have it, give the script a try.

Jamie McQuaid
Magnet Forensics

 
Posted : 18/05/2018 1:23 pm
 Bypx
(@bypx)
Posts: 9
Active Member
 

It's a decent exploit and MTP data is better than nothing usually. A friend of mine used it for an S7 that had a busted screen that couldn't be repaired. Security patch level needs to be before Oct/Nov 2017 (depending on the device). Encryption shouldn't be a problem but the secure boot would cause an issue as you need to boot the phone.

If you have Magnet AXIOM, it uses this exploit and works quite well. If you don't have it, give the script a try.

Jamie McQuaid
Magnet Forensics

Hi, I've a Samsung J320F with secure boot enabled and I don't know the password.

Dump via Forensic recovery with axiom won't help because phone is encrypted, do you think there is any way to get files?

 
Posted : 18/05/2018 2:24 pm
passcodeunlock
(@passcodeunlock)
Posts: 792
Prominent Member
 

@Bypx If it is important, we can extract the user data from your encrypted dump, feel free to message me.

 
Posted : 18/05/2018 6:57 pm
passcodeunlock
(@passcodeunlock)
Posts: 792
Prominent Member
 

If you have Magnet AXIOM, it uses this exploit and works quite well. If you don't have it, give the script a try.

I already posted that the security patch level of the SM-N950F device I got is newer and this exploit won't work.

Any ideas are welcome, if we could dump the phone (even encrypted) we could move forward…

 
Posted : 18/05/2018 7:01 pm
(@mcman)
Posts: 189
Estimable Member
 

I already posted that the security patch level of the SM-N950F device I got is newer and this exploit won't work (

Any ideas are welcome, if we could dump the phone (even encrypted) we could move forward…

Yeah sorry that part was meant as a general information for anyone else looking at that exploit, I knew neither option would work for you based on the patch level.

My next guess would be engboot? I haven't tried one for a Note 8 yet but I've seen a few files out there for them. Worth a shot anyway.

Jamie

 
Posted : 18/05/2018 7:38 pm
(@shaunnash)
Posts: 2
New Member
 

This is an interesting topic, and will be of value to those with backlogs and otherwise SOL. I'm curious if anyone has taken the time to go through and adapt this POC to function for extraction (beyond the integrated tool of Magnet's)? As others have stated, MTP is better than nothing, but this code wouldn't work for most purposes as it writes files to the target device in the process of poc-ing. We're not coders here but might take a stab at adapting this to a sounder approach. If anyone has already begun or has their own, we'd welcome the input. Thanks for the discussion.

 
Posted : 26/05/2018 2:48 am
passcodeunlock
(@passcodeunlock)
Posts: 792
Prominent Member
 

The MTP read and write functions are public, anybody can use them!

Besides the PoC of MTPwn, there is a sample for pushing a file to the root (/) of the MTP filesystem. Comment out those lines from the original PoC, and feel free to fork the project on GitHub and add a "recursive read all".

I think this is what everybody is wanting, too bad that I won't do it.

 
Posted : 02/06/2018 8:22 pm