Related vulnerability
Title: Android 'native_handle_create()' function numeric error vulnerability (CVE-2015-1528)
Description: Google Chrome is a web browser developed by Google (USA). Android is an open-source operating system based on Linux, developed jointly by Google (USA) and the Open Handset Alliance (OHA). In Android 5.1 and earlier, the 'native_handle_create' function in libcutils/native_handle.c contains an integer overflow vulnerability. An attacker can exploit it with a crafted application to obtain the privileges of other applications or to cause a denial of service (Binder heap memory corruption).
Description
I'll submit the poc after blackhat
Introduction
This PoC is divided into three parts:
the folder mediaserver helps to inject code into mediaserver from a normal application;
the folder surfaceflinger helps to inject code into surfaceflinger after you have got mediaserver permission;
the folder system_server helps to inject code into system_server after you have got surfaceflinger permission;
the bbshell folder helps to inject busybox into mediaserver.
The PoC contains many hard-coded values. I tested it on a Nexus 5 running Android 5.0 (LRX21O); you may have to adjust these hard-coded values to suit your case.
For a detailed introduction to the vulnerability, please refer to
https://www.blackhat.com/docs/us-15/materials/us-15-Gong-Fuzzing-Android-System-Services-By-Binder-Call-To-Escalate-Privilege-wp.pdf
File snapshot
[4.0K] /data/pocs/25db80f2548d0557d8b9a315431df11f6ff47912
├── [4.0K] bbshell
│   ├── [ 493] Android.mk
│   ├── [ 11K] bbshell.cpp
│   ├── [ 677] bbshell.h
│   ├── [ 574] main.cpp
│   └── [ 472] test.sh
├── [4.0K] mediaserver
│   ├── [1.3K] Android.mk
│   ├── [  92] asm.S
│   ├── [4.7K] help.cpp
│   ├── [ 43K] media.cpp
│   ├── [5.4K] runsc.cpp
│   └── [8.4K] shellcode.cpp
├── [ 718] README.md
├── [4.0K] surfaceflinger
│   ├── [ 964] Android.mk
│   ├── [ 27K] expsur.cpp
│   └── [4.9K] help.cpp
└── [4.0K] systemserver
    ├── [ 609] Android.mk
    ├── [ 21K] expsys.cpp
    ├── [ 22K] expsys.cpp.more
    └── [4.7K] help.cpp

4 directories, 19 files