
CVE-2014-4322 PoC — QSEECOM driver for the Linux kernel security vulnerability

Source
Associated Vulnerability
Title: QSEECOM driver for the Linux kernel security vulnerability (CVE-2014-4322)
Description: Android contributions for MSM is an Android MSM project whose main purpose is to build an Android platform for Qualcomm MSM chipsets. The QSEECOM driver is a kernel driver that exposes an ioctl system-call interface through which user-space clients communicate with it. In the QSEECOM driver for the Linux kernel 3.x used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices, drivers/misc/q
Description
Just an attempt to adapt for Note 4, I do not know what I am doing.
Readme
# CVE-2014-4322_adaptation
Just an attempt to adapt for Note 4, I do not know what I am doing.
There is currently a way to write to system using ADB (CVE-2014-7951 and CVE-2014-7953). 
zxz0O0 has confirmed writing to system works. 
What we needed was to gain System UID to execute CVE-2014-4322.
I am looking at how CVE-2014-4322 works to see if I could wrap it in an APK which may already be done in giefroot.
And then to check the terms of use for installing SuperUser.
If anyone by chance looks at this, I am a complete novice and I have absolutely no idea what I am doing.
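The README's point that the PoC has to run as the system UID comes down to a simple fact: the QSEECOM ioctl surface is only reachable through the driver's character device node, so an unprivileged app has to get past that node's DAC permissions first (and, on a device enforcing SELinux, its MAC label as well). The following pre-flight check is an added example written for this page; it is not code from the cached repository, from retme7's PoC or from giefroot. The device path `/dev/qseecom` is an assumption that depends on the vendor kernel, and the check models only classic owner/group/other bits, not supplementary groups or SELinux.

```c
/* Added example (not from the cached repository): does this process reach
 * the QSEECOM device node at all? Evaluates POSIX DAC bits for the node and
 * then tries a real open(2), so a DAC pass followed by EACCES points at a
 * MAC (SELinux) denial rather than at file permissions. */
#include <errno.h>
#include <fcntl.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Assumed device node name; the real path depends on the vendor kernel. */
#define QSEECOM_NODE "/dev/qseecom"

/* Classic DAC evaluation for a device node: true if a process with the given
 * uid/gid could open it for reading (and writing, when want_write is set).
 * uid 0 is treated as bypassing DAC, as CAP_DAC_OVERRIDE does in the kernel.
 * Supplementary groups are ignored; a fuller check would consult getgroups(). */
static bool can_access_node(mode_t mode, uid_t node_uid, gid_t node_gid,
                            uid_t uid, gid_t gid, bool want_write)
{
    if (uid == 0)
        return true;
    mode_t need = S_IROTH | (want_write ? S_IWOTH : 0); /* "other" bits */
    if (uid == node_uid)
        need <<= 6;                                     /* owner bits */
    else if (gid == node_gid)
        need <<= 3;                                     /* group bits */
    return (mode & need) == need;
}

/* Probe the node. Returns 0 when it is openable read/write by this process,
 * 1 when DAC denies it, 2 when the node is missing, and 3 when DAC passed
 * but open(2) still failed (typically a MAC policy denial). */
static int probe_qseecom(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0) {
        printf("%s: %s\n", path, strerror(errno));
        return 2;
    }
    printf("%s: mode %04o uid %u gid %u; we are uid %u gid %u\n", path,
           (unsigned)(st.st_mode & 07777), (unsigned)st.st_uid,
           (unsigned)st.st_gid, (unsigned)getuid(), (unsigned)getgid());
    if (!can_access_node(st.st_mode, st.st_uid, st.st_gid,
                         getuid(), getgid(), true)) {
        printf("DAC denies read/write: a uid or gid matching the node is needed\n");
        return 1;
    }
    int fd = open(path, O_RDWR);
    if (fd < 0) {
        printf("open failed despite DAC pass: %s (MAC policy?)\n", strerror(errno));
        return 3;
    }
    close(fd);
    printf("node is reachable; the ioctl surface is open to this uid\n");
    return 0;
}

int main(void)
{
    return probe_qseecom(QSEECOM_NODE);
}
```

Run it from an adb shell and again from inside an app process: the two results show whether the README's "gain System UID" step is really about DAC on the node or about a MAC label, which decides whether a system-UID shell (as obtained via the ADB-side bugs the README mentions) is enough or whether the PoC has to be wrapped in an APK.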
File Snapshot

[4.0K] /data/pocs/34961fd541fa21f216fe5420485aae58d9d85de2
├── [4.0K] CVE-2014-4322_poc-from retme7
│   ├── [4.0K] jni
│   │   ├── [ 280] Android.mk
│   │   ├── [ 61] Application.mk
│   │   ├── [ 14K] msm.c
│   │   ├── [6.2K] qseecom.h
│   │   └── [ 238] shellcode.S
│   ├── [ 11K] kernel.h
│   ├── [4.0K] libs
│   │   └── [4.0K] armeabi
│   │       └── [ 13K] msdd
│   ├── [4.0K] obj
│   │   └── [4.0K] local
│   │       └── [4.0K] armeabi
│   │           ├── [ 48K] msdd
│   │           └── [4.0K] objs
│   │               └── [4.0K] msdd
│   │                   ├── [ 22K] msm.o
│   │                   ├── [ 29K] msm.o.d
│   │                   ├── [1.4K] shellcode.o
│   │                   └── [ 563] shellcode.o.d
│   └── [ 835] README.md
├── [4.0K] giefrootv3 files
│   ├── [ 259] a
│   ├── [642K] busybox
│   ├── [ 43K] exploitServiceApp.apk
│   ├── [4.0K] exploitServiceApp Decompiled
│   │   ├── [ 694] AndroidManifest.xml
│   │   ├── [ 248] apktool.yml
│   │   ├── [4.0K] lib
│   │   │   └── [4.0K] armeabi
│   │   │       └── [ 17K] libexploitHelper.so
│   │   ├── [4.0K] res
│   │   │   ├── [4.0K] drawable-640dpi
│   │   │   │   └── [7.0K] ic_launcher.png
│   │   │   ├── [4.0K] drawable-hdpi
│   │   │   │   └── [3.3K] ic_launcher.png
│   │   │   ├── [4.0K] drawable-ldpi
│   │   │   │   └── [2.6K] ic_launcher.png
│   │   │   ├── [4.0K] drawable-mdpi
│   │   │   │   └── [2.3K] ic_launcher.png
│   │   │   ├── [4.0K] drawable-xhdpi
│   │   │   │   └── [4.2K] ic_launcher.png
│   │   │   ├── [4.0K] drawable-xxhdpi
│   │   │   │   └── [4.6K] ic_launcher.png
│   │   │   ├── [4.0K] layout
│   │   │   │   └── [ 428] main.xml
│   │   │   └── [4.0K] values
│   │   │       ├── [ 110] dimens.xml
│   │   │       ├── [ 114] ids.xml
│   │   │       ├── [ 368] public.xml
│   │   │       └── [ 115] strings.xml
│   │   ├── [4.0K] smali
│   │   │   ├── [4.0K] AAdroid
│   │   │   │   └── [4.0K] os
│   │   │   │       └── [ 622] BinderProxy.smali
│   │   │   ├── [4.0K] BBdroid
│   │   │   │   └── [4.0K] os
│   │   │   │       └── [ 637] BinderProxy.smali
│   │   │   └── [4.0K] org
│   │   │       └── [4.0K] keenteam
│   │   │           ├── [ 333] BuildConfig.smali
│   │   │           ├── [ 76K] exploit_CVE_2014_7911.smali
│   │   │           ├── [8.0K] exploitHelper.smali
│   │   │           ├── [ 489] R$attr.smali
│   │   │           ├── [ 563] R$dimen.smali
│   │   │           ├── [ 569] R$drawable.smali
│   │   │           ├── [ 555] R$id.smali
│   │   │           ├── [ 558] R$layout.smali
│   │   │           ├── [ 562] R$string.smali
│   │   │           ├── [ 558] R.smali
│   │   │           └── [3.1K] ServiceExploitActivity.smali
│   │   └── [4.0K] src
│   │       ├── [4.0K] AAdroid
│   │       │   └── [4.0K] os
│   │       │       └── [ 466] BinderProxy.java
│   │       ├── [4.0K] BBdroid
│   │       │   └── [4.0K] os
│   │       │       └── [ 470] BinderProxy.java
│   │       └── [4.0K] org
│   │           └── [4.0K] keenteam
│   │               ├── [ 312] BuildConfig.java
│   │               ├── [ 16K] exploit_CVE_2014_7911.java
│   │               ├── [2.6K] exploitHelper.java
│   │               ├── [ 321] R$attr.java
│   │               ├── [ 376] R$dimen.java
│   │               ├── [ 376] R$drawable.java
│   │               ├── [ 374] R$id.java
│   │               ├── [ 369] R$layout.java
│   │               ├── [ 373] R$string.java
│   │               ├── [1.1K] R.java
│   │               └── [1.4K] ServiceExploitActivity.java
│   ├── [4.0K] exploitServiceApp unpack
│   │   ├── [1.7K] AndroidManifest.xml
│   │   ├── [ 15K] classes.dex
│   │   ├── [4.0K] lib
│   │   │   └── [4.0K] armeabi
│   │   │       └── [ 17K] libexploitHelper.so
│   │   ├── [4.0K] META-INF
│   │   │   ├── [1.2K] CERT.RSA
│   │   │   ├── [ 949] CERT.SF
│   │   │   └── [ 897] MANIFEST.MF
│   │   ├── [4.0K] res
│   │   │   ├── [4.0K] drawable-hdpi
│   │   │   │   └── [3.3K] ic_launcher.png
│   │   │   ├── [4.0K] drawable-ldpi
│   │   │   │   └── [2.6K] ic_launcher.png
│   │   │   ├── [4.0K] drawable-mdpi
│   │   │   │   └── [2.3K] ic_launcher.png
│   │   │   ├── [4.0K] drawable-xhdpi
│   │   │   │   └── [4.2K] ic_launcher.png
│   │   │   ├── [4.0K] drawable-xxhdpi
│   │   │   │   └── [4.6K] ic_launcher.png
│   │   │   ├── [4.0K] drawable-xxxhdpi
│   │   │   │   └── [7.0K] ic_launcher.png
│   │   │   └── [4.0K] layout
│   │   │       └── [ 644] main.xml
│   │   └── [1.7K] resources.arsc
│   ├── [ 22K] getroot
│   ├── [ 59K] getroot.c
│   ├── [ 237] giefroot
│   ├── [ 752] installsupersu.sh
│   ├── [ 13K] modulecrcpatch
│   ├── [1.7K] systemrw.sh
│   └── [ 34K] wp_mod.ko
└── [ 569] README.md

48 directories, 78 files