Forum Thread: Android Stagefright Integer Overflow Code CVE: 2015-3864 Is Available!

Android Stagefright Integer Overflow Code CVE: 2015-3864 Is Available!

Android libstagefright - Integer Overflow Remote Code Execution source code is now available at https://www.exploit-db.com/exploits/38226/

Something different than what we had a week ago.

Lets brainstorm:

  • What it is?
  • How can we use it?
  • Everything else it can be useful for

4 Responses

Seems like this script creates a malicious video file called exploit.mp4, and then serves it through a cherrypy webpage:

indexpage = '''
<!DOCTYPE html>
<html>
<head>
<title>Stagefrightened!</title>
</head>
<body>
<script>
window.setTimeout('location.reload(true);', 4000);
</script>
<iframe src='/exploit.mp4'></iframe>
</body>
</html>
'''

However, I can't really find out how to actually use this script to control a device, as I can't find where to specify any ip adress and port to connect back to. Maybe this is because this is just a proof of concept and there is no part where an actual shell is created.

I hope people more experienced than me can elaborate on this one.

This poc seems more elaborate: it will take an external file for shellcode (shellcode.bin) and will care about padding the lenght by itself (one could generate shellcode with metasploit or just use the one from previous script). But most important, seems it will find the memory addresses and rop on it own, starting from your android lib. So potentially this could make more custom exploit in terms of target and shellcode. Last, like Aperock said, the exploit is served within a webpage created by a cherrypy server. Page is reloaded every 4 seconds, so if exploit fails once, it will retry (as stated before in the stagefright discussion and notes, it might require the exploited app to retry opening the file multiple times)

Unfortunately, I'm stuck in a point where I can't find any 'mmap64' address. All libs I fed him have only 'mmap' and not 'mmap64'. Trying to change it from mmap64 to mmap will result in a failure later, where address for pop-r0-r1-r2-r3-pc is "none" (unavailable). My best guess would be trying with another lib that is loaded by the system and has the missing mmap64 address.

Another guess would be splitting this instruction 'pop {r0, r1, r2, r3, pc}' into two smaller chunks, but I'm not so proficient with asm, so if you have any idea how can I split that into two or more simpler instructions, that could help. (EDIT: after deeper inspection, I don't think this would help anyway, but I'm leaving this here for the record)

EDIT: I checked libc.so on 3 different devices, none contains nor mmap64 nor a suitable pop instruction in the lib. I leave the md5 generated with

md5sum /system/lib/libc.so
(you can run on your own device).
bd5f9332272a0cead585d1659abf1136
c384a3b7528b04cdfe759e6fd1a3d75e
9c4a60e4301f43e93fc26b4e6024ac30

EDIT: new theory, this exploit is for android L. I found a reference of that here but I don't have any device that match requirements (linked version is arm64 but also arm seems to have that). If you have one, please contact me. This is as far as I can get for now. Maybe.

EDIT: found one for a supposed android L, not sure about the version because I found it online, and without reference of precise version. I leave the hash of libc.so here

15ad00739e7efca81972eee06136aab5
I can see the mmap64 address now, but still no trace of pop-r0-r1... instruction.

I ran the code in (kali linux) but I've got error no such file for shellcode.bin. how I solve this and would this work on android 4.2.2?

my s5 is vulnerable, so i want to test the exploit. but wonder how to do O.o

Share Your Thoughts

  • Hot
  • Active