
CVE-2019-2215 PoC — Android resource management error vulnerability

Associated vulnerability
Title: Android resource management error vulnerability (CVE-2019-2215)
Description: A use-after-free in binder.c allows an elevation of privilege from an application to the Linux Kernel. No user interaction is required to exploit this vulnerability; however, exploitation does require either the installation of a malicious local application or a separate vulnerability in a network-facing application. Product: Android. Android ID: A-141720095
Readme
# Android Kernel Exploitation Lab

This lab guides you through setting up an environment to explore CVE-2019-2215, a critical Android kernel vulnerability in the binder subsystem.

## Documentation

- [Environment Setup](documentation/environment_setup.md)
- [Kernel privesc with gdb script](documentation/kernel_privesc_with_gdb_scripts.md)
- [Fuzzing with syzkaller](documentation/fuzzing_with_syzkaller.md)
- [Fuzzing with AFL++](documentation/fuzzing_with_afl++.md)

### Technical Details: CVE-2019-2215

This vulnerability is a use-after-free in the Android binder driver with the following characteristics:

1. **Root Cause**: When a binder fd is added to an epoll instance and the owning thread then exits, the `binder_thread` object is freed while its wait queue is still linked into the epoll instance, so epoll later dereferences freed memory.

2. **Exploitation Path**:
   - Add a binder file descriptor to an epoll instance
   - Call the `BINDER_THREAD_EXIT` ioctl, which frees the `binder_thread`
   - Access the freed binder_thread through epoll
   - This leads to a use-after-free condition exploitable for privilege escalation

3. **Impact**: This vulnerability affects Android 8.x, 9.0, and early versions of 10, potentially allowing local privilege escalation to root.

4. **Further Reading**:
   - [Original report on Project Zero](https://bugs.chromium.org/p/project-zero/issues/detail?id=1942)
   - [Patch in Android kernel](https://android.googlesource.com/kernel/common/+/b77915bc0d4536a18d3f8d2d5a4d3770658bbc38)

## TODO

This lab is a work in progress. Here are planned improvements:

### Short-term Improvements
- [ ] Fix Syzkaller configuration to properly target Android-specific syscalls
- [ ] Fix the Syzkaller VM SSH timeout (see Known Issues below)
- [ ] Add detailed instructions for analyzing crash reports
- [ ] Include a simple exploit template for CVE-2019-2215
- [ ] Document proper kernel config settings for QEMU VM boot compatibility

### Future Enhancements
- [ ] Add support for other Android kernel vulnerabilities
- [ ] Create a Docker container for easier setup
- [ ] Add more comprehensive debugging guides with GDB examples
- [ ] Implement a step-by-step guide for developing a full privilege escalation exploit
- [ ] Support for ARM64 architecture in addition to x86_64

### Known Issues

Syzkaller cannot reach the QEMU VM over SSH: the TCP connection to the forwarded port is accepted, but the SSH banner exchange then times out, so syz-manager never gets a shell in the guest.

```text
[    3.030651] clocksource: tsc: mask: 0xffffffffffffffff max_cycles: 0x2868278d270, max_idle_ns: 440795290098 ns
[    4.040338] clocksource: Switched to clocksource tsc
2025/03/24 21:04:23 running ssh: []string{"-p", "13199", "-F", "/dev/null", "-o", "UserKnownHostsFile=/dev/null", "-o", "IdentitiesOnly=yes", "-o", "BatchMode=yes", "-o", "StrictHostKeyChecking=no", "-o", "ConnectTimeout=10", "-i", "/home/0xbinder/android-kernel-exploitation-lab/bullseye.id_rsa", "-v", "root@localhost", "pwd"}
2025/03/24 21:04:33 ssh failed: failed to run ["ssh" "-p" "13199" "-F" "/dev/null" "-o" "UserKnownHostsFile=/dev/null" "-o" "IdentitiesOnly=yes" "-o" "BatchMode=yes" "-o" "StrictHostKeyChecking=no" "-o" "ConnectTimeout=10" "-i" "/home/0xbinder/android-kernel-exploitation-lab/bullseye.id_rsa" "-v" "root@localhost" "pwd"]: exit status 255
OpenSSH_9.9p2, OpenSSL 3.4.1 11 Feb 2025
debug1: Reading configuration data /dev/null
debug1: Connecting to localhost [::1] port 13199.
debug1: connect to address ::1 port 13199: Connection refused
debug1: Connecting to localhost [127.0.0.1] port 13199.
debug1: fd 3 clearing O_NONBLOCK
debug1: Connection established.
debug1: identity file /home/0xbinder/android-kernel-exploitation-lab/bullseye.id_rsa type 0
debug1: identity file /home/0xbinder/android-kernel-exploitation-lab/bullseye.id_rsa-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_9.9
Connection timed out during banner exchange
Connection to 127.0.0.1 port 13199 timed out
```

### Community Contributions
If you're interested in contributing to this project, please consider addressing any of the items above or submitting your own ideas through a pull request.

#### Help
We are particularly looking for help with:
1. Fixing the known issues
2. Improving QEMU configuration for better compatibility with the Android kernel
3. Creating a reliable fuzzing setup that works across different Linux distributions

If you have expertise in these areas, your contributions would be greatly appreciated!
File Snapshot

```text
[4.0K] /data/pocs/bd21acf31fbc4560a5faa3284faccdfb195ac3dd
├── [4.0K] custom-manifest
│   └── [1.3K] goldfish-android10-manifest.xml
├── [4.0K] documentation
│   ├── [3.4K] environment_setup.md
│   ├── [2.1K] fuzzing_with_afl++.md
│   ├── [3.9K] fuzzing_with_syzkaller.md
│   └── [2.6K] kernel_privesc_with_gdb_scripts.md
├── [4.0K] exploit-code
│   ├── [ 17K] binder_cve_2019_2215_exploit.cpp
│   ├── [2.9K] binder_cve_2019_2215_exploit.h
│   ├── [1.9K] binder_cve_2019_2215_poc.c
│   ├── [2.6K] CMakeLists.txt
│   ├── [5.4K] common.h
│   └── [3.3K] Makefile
├── [4.0K] fuzzer
│   ├── [1.5K] binder_fuzzer.c
│   └── [ 123] fuzzer_wrapper.sh
├── [4.0K] gdb-scripts
│   ├── [7.8K] binder_debug.py
│   └── [ 11K] kernel_privesc.py
├── [4.0K] kernel-build-configs
│   ├── [1.4K] x86_64_kasan_build.sh
│   └── [1.2K] x86_64_kasan_debug_build.sh
├── [1.0K] LICENSE
├── [4.0K] patches
│   └── [1.6K] android-binder-cve-2019-2215-patch.patch
└── [5.6K] README.md

7 directories, 20 files
```