POC details: bd21acf31fbc4560a5faa3284faccdfb195ac3dd

Source
Related vulnerability
Title: Android resource management error vulnerability (CVE-2019-2215)
Description: Android is a Linux-based open-source operating system developed by Google (US) and the Open Handset Alliance (OHA). The binder.c file in Android contains a resource management error vulnerability. An attacker can exploit this vulnerability to escalate privileges.
Description
This lab guides you through setting up an environment to explore CVE-2019-2215, a critical Android kernel vulnerability in the binder subsystem.
Introduction
# Android Kernel Exploitation Lab

This lab guides you through setting up an environment to explore CVE-2019-2215, a critical Android kernel vulnerability in the binder subsystem.

## Documentation

- [Environment Setup](documentation/environment_setup.md)
- [Kernel privesc with gdb script](documentation/kernel_privesc_with_gdb_scripts.md)
- [Fuzzing with syzkaller](documentation/fuzzing_with_syzkaller.md)
- [Fuzzing with AFL++](documentation/fuzzing_with_afl++.md)

### Technical Details: CVE-2019-2215

This vulnerability is a use-after-free in the Android binder driver with the following characteristics:

1. **Root Cause**: When a binder fd is added to an epoll instance and the binder thread is then released (via the BINDER_THREAD_EXIT ioctl), the binder_thread object is freed while epoll still holds a pointer to the wait queue embedded in it.

2. **Exploitation Path**:
   - Add a binder file descriptor to an epoll instance
   - Call BINDER_THREAD_EXIT ioctl which frees binder_thread
   - Access the freed binder_thread through epoll
   - This leads to a use-after-free condition exploitable for privilege escalation

3. **Impact**: This vulnerability affects Android 8.x, 9.0, and early versions of 10, potentially allowing local privilege escalation to root.

4. **Further Reading**:
   - [Original report on Project Zero](https://bugs.chromium.org/p/project-zero/issues/detail?id=1942)
   - [Patch in Android kernel](https://android.googlesource.com/kernel/common/+/b77915bc0d4536a18d3f8d2d5a4d3770658bbc38)
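As an added illustration (not code from the lab, and not kernel code), the following userland model captures the object-ownership problem behind the root cause and what the fix changes. The struct and function names are hypothetical stand-ins for the kernel's binder_thread, its embedded wait queue and epoll's registered waiter; the vulnerable and fixed release paths are compared by whether epoll is left pointing at freed memory.

```c
/* Userland model of the CVE-2019-2215 ownership bug (added example; neither
 * the lab's code nor kernel code). epoll holds a raw pointer to the wait queue
 * embedded in a binder_thread, and BINDER_THREAD_EXIT frees that thread.
 * Vulnerable path: free without telling epoll, leaving a dangling pointer.
 * Fixed path (modelled on the upstream patch): if the thread used poll, wake
 * the waiter with POLLFREE so epoll unlinks its reference before the free. */
#include <stdlib.h>
struct wait_queue { int has_waiter; };           /* stands in for wait_queue_head_t */
struct binder_thread { int looper_poll; struct wait_queue wait; };
struct epoll_item { struct wait_queue *whead; }; /* epoll's registered waiter */
/* epoll_ctl(EPOLL_CTL_ADD) on the binder fd: binder's poll handler marks the
 * thread as a poller and epoll records a pointer into the thread. */
static void epoll_add(struct epoll_item *ep, struct binder_thread *t)
{
    t->looper_poll = 1;
    t->wait.has_waiter = 1;
    ep->whead = &t->wait;
}

/* Vulnerable binder_thread_release: frees the object; epoll still points at it. */
static void release_vulnerable(struct binder_thread *t, struct epoll_item *ep)
{
    (void)ep;
    free(t);
}

/* Fixed binder_thread_release: POLLFREE makes epoll drop its reference first. */
static void release_fixed(struct binder_thread *t, struct epoll_item *ep)
{
    if (t->looper_poll && t->wait.has_waiter && ep->whead == &t->wait) {
        ep->whead = NULL;                        /* modelled ep_poll_callback(POLLFREE) */
        t->wait.has_waiter = 0;
    }
    free(t);
}

/* Runs add -> release with the given release path; returns 1 when epoll is
 * left holding a pointer into freed memory (compared, never dereferenced). */
static int leaves_dangling_ref(void (*release)(struct binder_thread *, struct epoll_item *))
{
    struct epoll_item ep = { NULL };
    struct binder_thread *t = calloc(1, sizeof *t);
    if (!t) return -1;
    epoll_add(&ep, t);
    release(t, &ep);
    return ep.whead != NULL;
}
int vulnerable_path_dangles(void) { return leaves_dangling_ref(release_vulnerable); }
int fixed_path_dangles(void)      { return leaves_dangling_ref(release_fixed); }
```

In the real kernel the dangling pointer is what later gets written through (for example when the epoll entry is removed), which is the write primitive a KASAN build of this lab will report.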

## TODO

This lab is a work in progress. Here are planned improvements:

### Short-term Improvements
- [ ] Fix Syzkaller configuration to properly target Android-specific syscalls
- [ ] Fix this Syzkaller issue
```bash
[    3.030651] clocksource: tsc: mask: 0xffffffffffffffff max_cycles: 0x2868278d270, max_idle_ns: 440795290098 ns
[    4.040338] clocksource: Switched to clocksource tsc
2025/03/24 21:04:23 running ssh: []string{"-p", "13199", "-F", "/dev/null", "-o", "UserKnownHostsFile=/dev/null", "-o", "IdentitiesOnly=yes", "-o", "BatchMode=yes", "-o", "StrictHostKeyChecking=no", "-o", "ConnectTimeout=10", "-i", "/home/0xbinder/android-kernel-exploitation-lab/bullseye.id_rsa", "-v", "root@localhost", "pwd"}
2025/03/24 21:04:33 ssh failed: failed to run ["ssh" "-p" "13199" "-F" "/dev/null" "-o" "UserKnownHostsFile=/dev/null" "-o" "IdentitiesOnly=yes" "-o" "BatchMode=yes" "-o" "StrictHostKeyChecking=no" "-o" "ConnectTimeout=10" "-i" "/home/0xbinder/android-kernel-exploitation-lab/bullseye.id_rsa" "-v" "root@localhost" "pwd"]: exit status 255
OpenSSH_9.9p2, OpenSSL 3.4.1 11 Feb 2025
debug1: Reading configuration data /dev/null
debug1: Connecting to localhost [::1] port 13199.
debug1: connect to address ::1 port 13199: Connection refused
debug1: Connecting to localhost [127.0.0.1] port 13199.
debug1: fd 3 clearing O_NONBLOCK
debug1: Connection established.
debug1: identity file /home/0xbinder/android-kernel-exploitation-lab/bullseye.id_rsa type 0
debug1: identity file /home/0xbinder/android-kernel-exploitation-lab/bullseye.id_rsa-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_9.9
Connection timed out during banner exchange
Connection to 127.0.0.1 port 13199 timed out
```
- [ ] Add detailed instructions for analyzing crash reports
- [ ] Include a simple exploit template for CVE-2019-2215
- [ ] Document proper kernel config settings for QEMU VM boot compatibility

### Future Enhancements
- [ ] Add support for other Android kernel vulnerabilities
- [ ] Create a Docker container for easier setup
- [ ] Add more comprehensive debugging guides with GDB examples
- [ ] Implement a step-by-step guide for developing a full privilege escalation exploit
- [ ] Support for ARM64 architecture in addition to x86_64

### Known Issues

The syzkaller SSH failure logged under Short-term Improvements above: the VM accepts the TCP connection on the forwarded port, but the SSH banner exchange never completes and the connection times out.

### Community Contributions
If you're interested in contributing to this project, please consider addressing any of the items above or submitting your own ideas through a pull request.

#### Help
We are particularly looking for help with:
1. Fixing the known issues
2. Improving QEMU configuration for better compatibility with the Android kernel
3. Creating a reliable fuzzing setup that works across different Linux distributions

If you have expertise in these areas, your contributions would be greatly appreciated!
File snapshot

```text
[4.0K] /data/pocs/bd21acf31fbc4560a5faa3284faccdfb195ac3dd
├── [4.0K] custom-manifest
│   └── [1.3K] goldfish-android10-manifest.xml
├── [4.0K] documentation
│   ├── [3.4K] environment_setup.md
│   ├── [2.1K] fuzzing_with_afl++.md
│   ├── [3.9K] fuzzing_with_syzkaller.md
│   └── [2.6K] kernel_privesc_with_gdb_scripts.md
├── [4.0K] exploit-code
│   ├── [ 17K] binder_cve_2019_2215_exploit.cpp
│   ├── [2.9K] binder_cve_2019_2215_exploit.h
│   ├── [1.9K] binder_cve_2019_2215_poc.c
│   ├── [2.6K] CMakeLists.txt
│   ├── [5.4K] common.h
│   └── [3.3K] Makefile
├── [4.0K] fuzzer
│   ├── [1.5K] binder_fuzzer.c
│   └── [ 123] fuzzer_wrapper.sh
├── [4.0K] gdb-scripts
│   ├── [7.8K] binder_debug.py
│   └── [ 11K] kernel_privesc.py
├── [4.0K] kernel-build-configs
│   ├── [1.4K] x86_64_kasan_build.sh
│   └── [1.2K] x86_64_kasan_debug_build.sh
├── [1.0K] LICENSE
├── [4.0K] patches
│   └── [1.6K] android-binder-cve-2019-2215-patch.patch
└── [5.6K] README.md

7 directories, 20 files
```