
CVE-2015-1528 PoC — Android 'native_handle_create()' function numeric error vulnerability

Source
Associated Vulnerability
Title: Android 'native_handle_create()' function numeric error vulnerability (CVE-2015-1528)
Description: Integer overflow in the native_handle_create function in libcutils/native_handle.c in Android before 5.1.1 LMY48M allows attackers to obtain a different application's privileges or cause a denial of service (Binder heap memory corruption) via a crafted application, aka internal bug 19334482.
Readme
This PoC is divided into three parts:
the mediaserver folder helps inject code into mediaserver from a normal application;
the surfaceflinger folder helps inject code into surfaceflinger after you have obtained mediaserver permission;
the system_server folder helps inject code into system_server after you have obtained surfaceflinger permission;
the bbshell folder helps inject busybox into mediaserver.

The PoC contains many hard-coded values. I tested it on a Nexus 5 running Android 5.0 (LRX21O); you may have to adjust these hard-coded values to suit your case.
For a detailed introduction to the vulnerability, please refer to
https://www.blackhat.com/docs/us-15/materials/us-15-Gong-Fuzzing-Android-System-Services-By-Binder-Call-To-Escalate-Privilege-wp.pdf
File Snapshot

[4.0K] /data/pocs/00a1b2757b7f5a09d4ab554113a4230403894242
├── [4.0K] bbshell
│   ├── [ 493] Android.mk
│   ├── [ 11K] bbshell.cpp
│   ├── [ 677] bbshell.h
│   ├── [ 574] main.cpp
│   └── [ 472] test.sh
├── [4.0K] mediaserver
│   ├── [1.3K] Android.mk
│   ├── [  92] asm.S
│   ├── [4.7K] help.cpp
│   ├── [ 43K] media.cpp
│   ├── [5.4K] runsc.cpp
│   └── [8.4K] shellcode.cpp
├── [ 718] README.md
├── [4.0K] surfaceflinger
│   ├── [ 964] Android.mk
│   ├── [ 27K] expsur.cpp
│   └── [4.9K] help.cpp
└── [4.0K] systemserver
    ├── [ 609] Android.mk
    ├── [ 21K] expsys.cpp
    ├── [ 22K] expsys.cpp.more
    └── [4.7K] help.cpp

4 directories, 19 files