{"id":18715872,"url":"https://github.com/davidbuchanan314/wampage","last_synced_at":"2025-04-12T13:13:32.792Z","repository":{"id":104802263,"uuid":"441808910","full_name":"DavidBuchanan314/WAMpage","owner":"DavidBuchanan314","description":"WAMpage - A WebOS root LPE exploit chain (CVE-2022-23731)","archived":false,"fork":false,"pushed_at":"2022-03-19T16:24:28.000Z","size":40550,"stargazers_count":49,"open_issues_count":1,"forks_count":8,"subscribers_count":3,"default_branch":"main","last_synced_at":"2025-04-12T13:13:22.103Z","etag":null,"topics":["arm","cve-2022-23731","exploit","javascript","lg-webos","lg-webos-tv","lpe","python","v8","webos","webos-tv"],"latest_commit_sha":null,"homepage":"https://www.da.vidbuchanan.co.uk/blog/webos-wampage.html","language":"JavaScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/DavidBuchanan314.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2021-12-26T04:29:09.000Z","updated_at":"2025-03-11T17:19:54.000Z","dependencies_parsed_at":"2023-06-17T18:34:43.521Z","dependency_job_id":null,"html_url":"https://github.com/DavidBuchanan314/WAMpage","commit_stats":null,"previous_names":[],"tags_count":1,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/DavidBuchanan314%2FWAMpage","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/DavidBuchanan314%2FWAMpage/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/DavidBuchanan314%2FWAMpage/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/DavidBuchanan314%2FWAMpage/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/DavidBuchanan314","download_url":"https://codeload.github.com/DavidBuchanan314/WAMpage/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248571863,"owners_count":21126522,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["arm","cve-2022-23731","exploit","javascript","lg-webos","lg-webos-tv","lpe","python","v8","webos","webos-tv"],"created_at":"2024-11-07T13:10:35.975Z","updated_at":"2025-04-12T13:13:32.784Z","avatar_url":"https://github.com/DavidBuchanan314.png","language":"JavaScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"# WAMpage\nWAMpage - A WebOS root LPE exploit chain (CVE-2022-23731)\n\nThis exploit is mainly of interest to other researchers - if you just want to root your TV, you probably want [RootMyTV](https://github.com/RootMyTV/RootMyTV.github.io), which offers a reliable 1-click persistent root.\n\nCurrently only supports WebOS 4.x on 32-bit SoCs. This software is provided AS IS, use at your own risk, etc. etc.\n\nWriteup: https://www.da.vidbuchanan.co.uk/blog/webos-wampage.html\n\n![image](https://user-images.githubusercontent.com/13520633/147524216-c9fab6cd-6841-42ab-96b4-b7dd91ff0b23.png)\n\n\n## Building\n\nPrerequesites:\n\n```bash\napt install qemu-user\nnpm install -g @webosose/ares-cli\n```\n\nCompiling:\n\n```bash\nmake\n```\n\n## Testing Locally\n\n`make test` will build and run the exploit in `d8`, running in `qemu-arm`. (A pre-compiled version of d8 and its dependencies are included in the `bin/` directory). If the exploit works succesfully, you'll probably get something like this:\n\n```\n[+] Starting WAMpage...\n[+] addrof(myobj) = 0x5a68f5d1\n[+] Test: reconstructed myobj: {\"foo\":\"bar\"}\n[+] Set up arbread32/arbwrite32.\n[+] stage2 shellcode loaded @ 0xff458000\n[+] myfunc @ 0x5a693369\n[+] stage1 RWX buf @ 0x5bb8f280\n[+] Copied stage1 shellcode. Calling...\nTraceback (most recent call last):\n  File \"\u003cstdin\u003e\", line 25, in \u003cmodule\u003e\nIOError: [Errno 13] Permission denied: '/dev/mem'\n```\n\nThe permission error is expected, assuming your machine isn't totally misconfigured.\n\nYou can test the `devmemes.py` exploit by running it directly on a TV, but you'll either need root to begin with, or some other kind of unsandboxed/unjailed shell.\n\n## Installation on TV\n\nYou can use `ares-install`, or manually copy over the IPK and run this from the devmode shell:\n\n```bash\nluna-send-pub -i 'luna://com.webos.appInstallService/dev/install' '{\"id\":\"tv.rootmy.wampage\",\"ipkUrl\":\"/path/to/wampage.ipk\",\"subscribe\":true}'\n```\n\n## Running on TV\n\nLaunch the app and press the \"Start Exploit\" button. If all goes well, a telnet server should open up on port 31337.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdavidbuchanan314%2Fwampage","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdavidbuchanan314%2Fwampage","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdavidbuchanan314%2Fwampage/lists"}