Quote:
Originally Posted by ixtab
As far as I understood, yifanlu has an idea about K4NT. I cannot be of any help with that device. So yeah, let's keep a stack of possible exploits for later, and keep looking for others while we have full access 
I did tell yifanlu the details of my payload destination and trigger methods, but he may have found others as well, and he should soon be able to test whatever he may have found in the GPL source code now that he ordered a K4NT.
The K4NT should have even more possible payload destinations than are found in the Touch, because root is writable by default on the K4NT (no need to do "mntroot rw" despite the warning after shell login). I only tested this on the version 4.0, so it still needs to be tested on 4.0.1.
I have not looked for additional exploits after discovering that the K4NT root is writable. Perhaps we should inject the developer key directly with the tar bug without relying on a script (in case the script execution gets disabled).
Clearly, the Touch MP3 exploit has come and gone and it is time to use the next one (your locale payload injected with the tar bug). I will defer to yifanlu's judgement about when the time is right to use each of the remaining known exploits.