PoC Exploit Samsung Android Phones  

trewmte
(@trewmte)
Community Legend

A PoC (Proof of Concept) exploit takes advantage of a known vulnerability in Samsung's Android phones that allows an attacker to access phone storages via USB, bypassing the lock screen and/or Charge only mode. This is because one of the most common ways to connect your Android phone to your computer is by using the Media Transfer Protocol (MTP). Via MTP you can manage folders, files (and some other things) on the different storages (i.e. internal memory and SD) available on your device. When the screen of the phone is locked with a password, or when the USB mode is set to Charge only, it shouldn't be possible to access the device via MTP (or other USB protocols). In reality, what really happens is that the device will prevent you from obtaining the "list" of the available storages, but it will let you do everything else. Many common MTP clients probably won't let you access a device that reports zero storages. But you can write a client that just asks for a list of all files on all storages, and the device will satisfy your request. The interesting thing is that in the answer you get from the device you will also have storage ids for the returned files, which means that you can now use those storage ids with requests that can't be issued generically against all storages, i.e. file uploads. This vulnerability has been found on Samsung's devices from 2012 until 2017, with any Android version from 4.0.3 to 7.x.

The tool is free - https://github.com/smeso/MTPwn

Posted : 17/05/2018 2:52 pm
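As an added illustration (not MTPwn's code and not Samsung's firmware), here is a toy model of the responder-side logic the post describes: the flawed build only gates GetStorageIDs on the lock state, while the corrected build gates every operation that touches storage. The opcodes and response codes are the real PTP/MTP values; the storages, objects and the Responder class are constructed sample data for this model.

```python
from dataclasses import dataclass

# Real PTP/MTP operation and response codes (PIMA 15740 / MTP spec).
GET_STORAGE_IDS, GET_OBJECT_HANDLES, GET_OBJECT_INFO = 0x1004, 0x1007, 0x1008
RC_OK, RC_ACCESS_DENIED, RC_INVALID_HANDLE = 0x2001, 0x200F, 0x2009
ALL_STORAGES = 0xFFFFFFFF  # wildcard StorageID accepted by GetObjectHandles

# Constructed sample data: two storages, each holding one object (handle -> StorageID).
STORAGES = (0x10001, 0x20001)
OBJECTS = {0x1: 0x10001, 0x2: 0x20001}


@dataclass
class Responder:
    unlocked: bool        # screen unlocked and USB mode allows file transfer
    gate_all_ops: bool    # False models the flawed firmware, True the corrected one

    def handle(self, opcode, param=0):
        """Return (response_code, payload) for one MTP operation from the host."""
        if not self.unlocked:
            if opcode == GET_STORAGE_IDS:
                # Flawed: a locked device answers OK with an empty storage list, which
                # is all a polite client needs to give up. Corrected: explicit denial.
                return (RC_ACCESS_DENIED, None) if self.gate_all_ops else (RC_OK, [])
            if self.gate_all_ops:
                return RC_ACCESS_DENIED, None   # corrected: every data op is authorised
            # Flawed: falls through and serves the request as if the device were unlocked.
        if opcode == GET_STORAGE_IDS:
            return RC_OK, list(STORAGES)
        if opcode == GET_OBJECT_HANDLES:
            handles = [h for h, s in OBJECTS.items() if param in (ALL_STORAGES, s)]
            return RC_OK, handles
        if opcode == GET_OBJECT_INFO:
            if param not in OBJECTS:
                return RC_INVALID_HANDLE, None
            return RC_OK, {"StorageID": OBJECTS[param]}   # the field the post refers to
        return RC_ACCESS_DENIED, None


def storage_ids_visible_to_host(dev):
    """Storage ids a host can learn from a device in its current state, via either path."""
    _, ids = dev.handle(GET_STORAGE_IDS)
    found = set(ids or [])
    _, handles = dev.handle(GET_OBJECT_HANDLES, ALL_STORAGES)
    for h in handles or []:
        rc, info = dev.handle(GET_OBJECT_INFO, h)
        if rc == RC_OK:
            found.add(info["StorageID"])
    return found
```

The check to take away is in the hardened branch: authorisation is decided per operation, so an empty enumeration result is never the only thing standing between the host and the data.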
passcodeunlock
(@passcodeunlock)
Senior Member

Thanks for sharing, this post came right in time! If it works on the device I got in a highly sensitive case, hopefully it will keep a dangerous criminal behind bars! )

If it works, I'll write some feedback on it.

Posted : 17/05/2018 8:03 pm
passcodeunlock
(@passcodeunlock)
Senior Member

No luck, the Android Security Patch Level is newer on this device. It is also encrypted and asking for password on boot, so no MTP connection could be set up anyway (

Posted : 18/05/2018 11:11 am
mcman
(@mcman)
Active Member

It's a decent exploit and MTP data is better than nothing usually. A friend of mine used it for an S7 that had a busted screen that couldn't be repaired. Security patch level needs to be before Oct/Nov 2017 (depending on the device). Encryption shouldn't be a problem but the secure boot would cause an issue as you need to boot the phone.

If you have Magnet AXIOM, it uses this exploit and works quite well. If you don't have it, give the script a try.

Jamie McQuaid
Magnet Forensics

Posted : 18/05/2018 2:23 pm
Bypx
(@bypx)
New Member

> It's a decent exploit and MTP data is better than nothing usually. A friend of mine used it for an S7 that had a busted screen that couldn't be repaired. Security patch level needs to be before Oct/Nov 2017 (depending on the device). Encryption shouldn't be a problem but the secure boot would cause an issue as you need to boot the phone.
>
> If you have Magnet AXIOM, it uses this exploit and works quite well. If you don't have it, give the script a try.
>
> Jamie McQuaid
> Magnet Forensics

Hi, I've a Samsung J320F with secure boot enabled and I don't know the password.

Dump via Forensic recovery with axiom won't help because phone is encrypted, do you think there is any way to get files?

Posted : 18/05/2018 3:24 pm
passcodeunlock
(@passcodeunlock)
Senior Member

@Bypx If it is important, we can extract the user data from your encrypted dump, feel free to message me.

Posted : 18/05/2018 7:57 pm
passcodeunlock
(@passcodeunlock)
Senior Member

> If you have Magnet AXIOM, it uses this exploit and works quite well. If you don't have it, give the script a try.

I already posted that the security patch level of the SM-N950F device I got is newer and this exploit won't work (

Any ideas are welcome, if we could dump the phone (even encrypted) we could move forward…

Posted : 18/05/2018 8:01 pm
mcman
(@mcman)
Active Member

> I already posted that the security patch level of the SM-N950F device I got is newer and this exploit won't work (
>
> Any ideas are welcome, if we could dump the phone (even encrypted) we could move forward…

Yeah, sorry, that part was meant as general information for anyone else looking at that exploit; I knew neither option would work for you based on the patch level.

My next guess would be engboot? I haven't tried one for a Note 8 yet but I've seen a few files out there for them. Worth a shot anyway.

Jamie

Posted : 18/05/2018 8:38 pm
shaunnash
(@shaunnash)
New Member

This is an interesting topic, and will be of value to those with backlogs and otherwise SOL. I'm curious if anyone has taken the time to go through and adapt this PoC to function for extraction (beyond the integrated tool of Magnet's)? As others have stated, MTP is better than nothing, but this code wouldn't work for most purposes as it writes files to the target device in the process of PoC-ing. We're not coders here but might take a stab at adapting this to a sounder approach. If anyone has already begun or has their own, we'd welcome the input. Thanks for the discussion.

Posted : 26/05/2018 3:48 am
passcodeunlock
(@passcodeunlock)
Senior Member

The MTP read and write functions are public, anybody can use them!

Besides the PoC of MTPwn, there is a sample for pushing a file onto the root (/) of the MTP filesystem. Comment out those lines from the original PoC, and feel free to fork the project on GitHub and add a "recursive read all".

I think this is what everybody is wanting, too bad that I won't do it )

Posted : 02/06/2018 9:22 pm
shahartal
(@shahartal)
Junior Member

Yes, the MTP exploit is pretty decent, we had it in UFED since almost two years ago (August 2016) after we discovered it privately - that's what powered the "Partial File System" Samsung method.
Several other vendors have added implementations a few months after it was publicly released in November 2017.

Regarding the J320F/N950F with (or without) Secure Startup - we can provide lock-bypassing physicals with access to KNOX Secure Folder for these models and many others at CAS.

Shahar

Posted : 11/06/2018 3:13 pm
passcodeunlock
(@passcodeunlock)
Senior Member

Hmm, I'm in doubt a bit about the N950F )

Posted : 11/06/2018 9:59 pm
shahartal
(@shahartal)
Junior Member

Well, many people doubted when we (Cellebrite) said we could unlock iPhones with iOS 9, and then 10, and then 11… wink
The Galaxy Note 8 was easier.

Shahar

Posted : 12/06/2018 9:23 am
Thomass30
(@thomass30)
Active Member

This exploit only works on Samsung devices, yes?

Posted : 12/06/2018 10:22 am
Thomass30
(@thomass30)
Active Member

I got a Samsung Galaxy J7 2016 (J710FN) with a broken screen. The phone is working but I can't see anything. I used this MTPwn exploit and it worked. It listed the phone's files and downloaded one random file.

My question is how to customize this exploit to download all the visible, listed files?

Posted : 14/06/2018 1:17 pm