CVE-2015-1474 PoC — Android ‘GraphicBuffer::unflatten’函数数字错误漏洞

Source

https://github.com/p1gl3t/CVE-2015-1474_poc

Associated Vulnerability

Title:Android ‘GraphicBuffer::unflatten’函数数字错误漏洞 (CVE-2015-1474)
Description:Multiple integer overflows in the GraphicBuffer::unflatten function in platform/frameworks/native/libs/ui/GraphicBuffer.cpp in Android through 5.0 allow attackers to gain privileges or cause a denial of service (memory corruption) via vectors that trigger a large number of (1) file descriptors or (2) integer values.

Readme

This code is ment to be a tentative of a poc for CVE-2015-1474.
The code is based on the code of the screencap comand, but generates a rogue parcel that crashes the surfaceflinger when it is deserialized.
See more at http://forum.xda-developers.com/kindle-fire-hdx/orig-development/evaluating-cve-2015-1474-to-escalate-to-t3045163.

Clone under frameworks/base/cmds/badscreencap and compile with mmm frameworks/base/cmds/badscreencap.
To be able to compile you change the visibility of BBinder::onTransact to public (in frameworks/native/include/Binder.h). This is required for getting the vtable offset of that method.

You can pull the required .so's from your device (or OTA package) if you do not want to build the entire native Android framework.

File Snapshot


 [4.0K]  /data/pocs/d2870f844383e1798ffc9ee54665dd362f388c6b
├── [ 450]  Android.mk
├── [2.4K]  Android.mk.static.failed
├── [   0]  LICENSE
├── [ 752]  README.md
└── [ 15K]  screencap.cpp

0 directories, 5 files

Shenlong Bot has cached this for you

Remarks

1. It is advised to access via the original source first.

2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.

View subscription plans →

Goal Reached Thanks to every supporter — we hit 100%!