https://github.com/davidbuchanan314/wampage
WAMpage - A WebOS root LPE exploit chain (CVE-2022-23731)
https://github.com/davidbuchanan314/wampage
arm cve-2022-23731 exploit javascript lg-webos lg-webos-tv lpe python v8 webos webos-tv
Last synced: 10 days ago
JSON representation
WAMpage - A WebOS root LPE exploit chain (CVE-2022-23731)
- Host: GitHub
- URL: https://github.com/davidbuchanan314/wampage
- Owner: DavidBuchanan314
- License: mit
- Created: 2021-12-26T04:29:09.000Z (over 3 years ago)
- Default Branch: main
- Last Pushed: 2022-03-19T16:24:28.000Z (about 3 years ago)
- Last Synced: 2025-04-12T13:13:22.103Z (10 days ago)
- Topics: arm, cve-2022-23731, exploit, javascript, lg-webos, lg-webos-tv, lpe, python, v8, webos, webos-tv
- Language: JavaScript
- Homepage: https://www.da.vidbuchanan.co.uk/blog/webos-wampage.html
- Size: 38.7 MB
- Stars: 49
- Watchers: 3
- Forks: 8
- Open Issues: 1
-
Metadata Files:
- Readme: README.md
- License: LICENSE
Awesome Lists containing this project
README
# WAMpage
WAMpage - A WebOS root LPE exploit chain (CVE-2022-23731)
This exploit is mainly of interest to other researchers - if you just want to root your TV, you probably want [RootMyTV](https://github.com/RootMyTV/RootMyTV.github.io), which offers a reliable 1-click persistent root.
Currently only supports WebOS 4.x on 32-bit SoCs. This software is provided AS IS, use at your own risk, etc. etc.
Writeup: https://www.da.vidbuchanan.co.uk/blog/webos-wampage.html
## Building
Prerequesites:
```bash
apt install qemu-user
npm install -g @webosose/ares-cli
```
Compiling:
```bash
make
```
## Testing Locally
`make test` will build and run the exploit in `d8`, running in `qemu-arm`. (A pre-compiled version of d8 and its dependencies are included in the `bin/` directory). If the exploit works succesfully, you'll probably get something like this:
```
[+] Starting WAMpage...
[+] addrof(myobj) = 0x5a68f5d1
[+] Test: reconstructed myobj: {"foo":"bar"}
[+] Set up arbread32/arbwrite32.
[+] stage2 shellcode loaded @ 0xff458000
[+] myfunc @ 0x5a693369
[+] stage1 RWX buf @ 0x5bb8f280
[+] Copied stage1 shellcode. Calling...
Traceback (most recent call last):
File "", line 25, in
IOError: [Errno 13] Permission denied: '/dev/mem'
```
The permission error is expected, assuming your machine isn't totally misconfigured.
You can test the `devmemes.py` exploit by running it directly on a TV, but you'll either need root to begin with, or some other kind of unsandboxed/unjailed shell.
## Installation on TV
You can use `ares-install`, or manually copy over the IPK and run this from the devmode shell:
```bash
luna-send-pub -i 'luna://com.webos.appInstallService/dev/install' '{"id":"tv.rootmy.wampage","ipkUrl":"/path/to/wampage.ipk","subscribe":true}'
```
## Running on TV
Launch the app and press the "Start Exploit" button. If all goes well, a telnet server should open up on port 31337.