
CVE-2015-1528 PoC — Android 'native_handle_create()' Function Numeric Error Vulnerability

Associated Vulnerability
Title: Android 'native_handle_create()' Function Numeric Error Vulnerability (CVE-2015-1528)
Description: Integer overflow in the native_handle_create function in libcutils/native_handle.c in Android before 5.1.1 LMY48M allows attackers to obtain a different application's privileges or cause a denial of service (Binder heap memory corruption) via a crafted application, aka internal bug 19334482.
Description
I'll submit the PoC after Black Hat.
Readme
This PoC is divided into three parts:
the mediaserver folder helps inject code into mediaserver from a normal application;
the surfaceflinger folder helps inject code into surfaceflinger once you have mediaserver permissions;
the system_server folder helps inject code into system_server once you have surfaceflinger permissions;
the bbshell folder helps inject busybox into mediaserver.

The PoC contains many hard-coded values. I tested it on a Nexus 5 running Android 5.0 (LRX21O); you may have to adjust these hard-coded values to suit your case.
For a detailed introduction to the vulnerability, please refer to
https://www.blackhat.com/docs/us-15/materials/us-15-Gong-Fuzzing-Android-System-Services-By-Binder-Call-To-Escalate-Privilege-wp.pdf
File Snapshot

[4.0K] /data/pocs/25db80f2548d0557d8b9a315431df11f6ff47912
├── [4.0K] bbshell
│   ├── [ 493] Android.mk
│   ├── [ 11K] bbshell.cpp
│   ├── [ 677] bbshell.h
│   ├── [ 574] main.cpp
│   └── [ 472] test.sh
├── [4.0K] mediaserver
│   ├── [1.3K] Android.mk
│   ├── [  92] asm.S
│   ├── [4.7K] help.cpp
│   ├── [ 43K] media.cpp
│   ├── [5.4K] runsc.cpp
│   └── [8.4K] shellcode.cpp
├── [ 718] README.md
├── [4.0K] surfaceflinger
│   ├── [ 964] Android.mk
│   ├── [ 27K] expsur.cpp
│   └── [4.9K] help.cpp
└── [4.0K] systemserver
    ├── [ 609] Android.mk
    ├── [ 21K] expsys.cpp
    ├── [ 22K] expsys.cpp.more
    └── [4.7K] help.cpp

4 directories, 19 files