
CVE-2014-4322 PoC — QSEECOM driver for the Linux kernel security vulnerability

Source
Associated Vulnerability
Title: QSEECOM driver for the Linux kernel security vulnerability (CVE-2014-4322)
Description: drivers/misc/qseecom.c in the QSEECOM driver for the Linux kernel 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, does not validate certain offset, length, and base values within an ioctl call, which allows attackers to gain privileges or cause a denial of service (memory corruption) via a crafted application.
Description
Just an attempt to adapt for Note 4; I do not know what I am doing.
Readme
# CVE-2014-4322_adaptation
Just an attempt to adapt for Note 4; I do not know what I am doing.
There is currently a way to write to system using ADB (CVE-2014-7951 and CVE-2014-7953).
zxz0O0 has confirmed writing to system works.
What we needed was to gain System UID to execute CVE-2014-4322.
I am looking at how CVE-2014-4322 works to see if I could wrap it in an APK which may already be done in giefroot.
And then to check use terms of installing SuperUser.
If anyone by chance looks at this, I am a complete novice and I have absolutely no idea what I am doing.
File Snapshot

[4.0K] /data/pocs/34961fd541fa21f216fe5420485aae58d9d85de2
├── [4.0K] CVE-2014-4322_poc-from retme7
│   ├── [4.0K] jni
│   │   ├── [ 280] Android.mk
│   │   ├── [  61] Application.mk
│   │   ├── [ 14K] msm.c
│   │   ├── [6.2K] qseecom.h
│   │   └── [ 238] shellcode.S
│   ├── [ 11K] kernel.h
│   ├── [4.0K] libs
│   │   └── [4.0K] armeabi
│   │       └── [ 13K] msdd
│   ├── [4.0K] obj
│   │   └── [4.0K] local
│   │       └── [4.0K] armeabi
│   │           ├── [ 48K] msdd
│   │           └── [4.0K] objs
│   │               └── [4.0K] msdd
│   │                   ├── [ 22K] msm.o
│   │                   ├── [ 29K] msm.o.d
│   │                   ├── [1.4K] shellcode.o
│   │                   └── [ 563] shellcode.o.d
│   └── [ 835] README.md
├── [4.0K] giefrootv3 files
│   ├── [ 259] a
│   ├── [642K] busybox
│   ├── [ 43K] exploitServiceApp.apk
│   ├── [4.0K] exploitServiceApp Decompiled
│   │   ├── [ 694] AndroidManifest.xml
│   │   ├── [ 248] apktool.yml
│   │   ├── [4.0K] lib
│   │   │   └── [4.0K] armeabi
│   │   │       └── [ 17K] libexploitHelper.so
│   │   ├── [4.0K] res
│   │   │   ├── [4.0K] drawable-640dpi
│   │   │   │   └── [7.0K] ic_launcher.png
│   │   │   ├── [4.0K] drawable-hdpi
│   │   │   │   └── [3.3K] ic_launcher.png
│   │   │   ├── [4.0K] drawable-ldpi
│   │   │   │   └── [2.6K] ic_launcher.png
│   │   │   ├── [4.0K] drawable-mdpi
│   │   │   │   └── [2.3K] ic_launcher.png
│   │   │   ├── [4.0K] drawable-xhdpi
│   │   │   │   └── [4.2K] ic_launcher.png
│   │   │   ├── [4.0K] drawable-xxhdpi
│   │   │   │   └── [4.6K] ic_launcher.png
│   │   │   ├── [4.0K] layout
│   │   │   │   └── [ 428] main.xml
│   │   │   └── [4.0K] values
│   │   │       ├── [ 110] dimens.xml
│   │   │       ├── [ 114] ids.xml
│   │   │       ├── [ 368] public.xml
│   │   │       └── [ 115] strings.xml
│   │   ├── [4.0K] smali
│   │   │   ├── [4.0K] AAdroid
│   │   │   │   └── [4.0K] os
│   │   │   │       └── [ 622] BinderProxy.smali
│   │   │   ├── [4.0K] BBdroid
│   │   │   │   └── [4.0K] os
│   │   │   │       └── [ 637] BinderProxy.smali
│   │   │   └── [4.0K] org
│   │   │       └── [4.0K] keenteam
│   │   │           ├── [ 333] BuildConfig.smali
│   │   │           ├── [ 76K] exploit_CVE_2014_7911.smali
│   │   │           ├── [8.0K] exploitHelper.smali
│   │   │           ├── [ 489] R$attr.smali
│   │   │           ├── [ 563] R$dimen.smali
│   │   │           ├── [ 569] R$drawable.smali
│   │   │           ├── [ 555] R$id.smali
│   │   │           ├── [ 558] R$layout.smali
│   │   │           ├── [ 562] R$string.smali
│   │   │           ├── [ 558] R.smali
│   │   │           └── [3.1K] ServiceExploitActivity.smali
│   │   └── [4.0K] src
│   │       ├── [4.0K] AAdroid
│   │       │   └── [4.0K] os
│   │       │       └── [ 466] BinderProxy.java
│   │       ├── [4.0K] BBdroid
│   │       │   └── [4.0K] os
│   │       │       └── [ 470] BinderProxy.java
│   │       └── [4.0K] org
│   │           └── [4.0K] keenteam
│   │               ├── [ 312] BuildConfig.java
│   │               ├── [ 16K] exploit_CVE_2014_7911.java
│   │               ├── [2.6K] exploitHelper.java
│   │               ├── [ 321] R$attr.java
│   │               ├── [ 376] R$dimen.java
│   │               ├── [ 376] R$drawable.java
│   │               ├── [ 374] R$id.java
│   │               ├── [ 369] R$layout.java
│   │               ├── [ 373] R$string.java
│   │               ├── [1.1K] R.java
│   │               └── [1.4K] ServiceExploitActivity.java
│   ├── [4.0K] exploitServiceApp unpack
│   │   ├── [1.7K] AndroidManifest.xml
│   │   ├── [ 15K] classes.dex
│   │   ├── [4.0K] lib
│   │   │   └── [4.0K] armeabi
│   │   │       └── [ 17K] libexploitHelper.so
│   │   ├── [4.0K] META-INF
│   │   │   ├── [1.2K] CERT.RSA
│   │   │   ├── [ 949] CERT.SF
│   │   │   └── [ 897] MANIFEST.MF
│   │   ├── [4.0K] res
│   │   │   ├── [4.0K] drawable-hdpi
│   │   │   │   └── [3.3K] ic_launcher.png
│   │   │   ├── [4.0K] drawable-ldpi
│   │   │   │   └── [2.6K] ic_launcher.png
│   │   │   ├── [4.0K] drawable-mdpi
│   │   │   │   └── [2.3K] ic_launcher.png
│   │   │   ├── [4.0K] drawable-xhdpi
│   │   │   │   └── [4.2K] ic_launcher.png
│   │   │   ├── [4.0K] drawable-xxhdpi
│   │   │   │   └── [4.6K] ic_launcher.png
│   │   │   ├── [4.0K] drawable-xxxhdpi
│   │   │   │   └── [7.0K] ic_launcher.png
│   │   │   └── [4.0K] layout
│   │   │       └── [ 644] main.xml
│   │   └── [1.7K] resources.arsc
│   ├── [ 22K] getroot
│   ├── [ 59K] getroot.c
│   ├── [ 237] giefroot
│   ├── [ 752] installsupersu.sh
│   ├── [ 13K] modulecrcpatch
│   ├── [1.7K] systemrw.sh
│   └── [ 34K] wp_mod.ko
└── [ 569] README.md

48 directories, 78 files