
CVE-2015-1528 PoC — Android 'native_handle_create()' function numeric error vulnerability

Source
Associated Vulnerability
Title: Android 'native_handle_create()' function numeric error vulnerability (CVE-2015-1528)
Description: Google Chrome is a web browser developed by Google (US). Android is a Linux-based open-source operating system developed jointly by Google and the Open Handset Alliance (OHA). In Android 5.1 and earlier, the 'native_handle_create' function in libcutils/native_handle.c contains an integer overflow vulnerability. An attacker can exploit it via a crafted application to obtain the privileges of other applications or to cause a denial of service (Binder heap memory corruption).
Description
I'll submit the PoC after Black Hat.
Readme
This PoC is divided into three parts:
The mediaserver folder helps inject code into mediaserver from a normal application.
The surfaceflinger folder helps inject code into surfaceflinger after you have obtained mediaserver permission.
The system_server folder helps inject code into system_server after you have obtained surfaceflinger permission.
The bbshell folder helps inject busybox into mediaserver.

The PoC contains many hard-coded values. I tested it on a Nexus 5 running Android 5.0 (LRX21O); you may have to adjust these hard-coded values to suit your case.
For a detailed introduction to the vulnerability, please refer to
https://www.blackhat.com/docs/us-15/materials/us-15-Gong-Fuzzing-Android-System-Services-By-Binder-Call-To-Escalate-Privilege-wp.pdf
File Snapshot

[4.0K] /data/pocs/25db80f2548d0557d8b9a315431df11f6ff47912
├── [4.0K] bbshell
│   ├── [ 493] Android.mk
│   ├── [ 11K] bbshell.cpp
│   ├── [ 677] bbshell.h
│   ├── [ 574] main.cpp
│   └── [ 472] test.sh
├── [4.0K] mediaserver
│   ├── [1.3K] Android.mk
│   ├── [  92] asm.S
│   ├── [4.7K] help.cpp
│   ├── [ 43K] media.cpp
│   ├── [5.4K] runsc.cpp
│   └── [8.4K] shellcode.cpp
├── [ 718] README.md
├── [4.0K] surfaceflinger
│   ├── [ 964] Android.mk
│   ├── [ 27K] expsur.cpp
│   └── [4.9K] help.cpp
└── [4.0K] systemserver
    ├── [ 609] Android.mk
    ├── [ 21K] expsys.cpp
    ├── [ 22K] expsys.cpp.more
    └── [4.7K] help.cpp

4 directories, 19 files