Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2015-1474 PoC — Android ‘GraphicBuffer::unflatten’函数数字错误漏洞

Source
https://github.com/p1gl3t/CVE-2015-1474_poc
Associated Vulnerability
Title:Android ‘GraphicBuffer::unflatten’函数数字错误漏洞 (CVE-2015-1474)
Description:Google Chrome是美国谷歌(Google)公司开发的一款Web浏览器。Android是美国谷歌(Google)公司和开放手持设备联盟(简称OHA)共同开发的一套以Linux为基础的开源操作系统。 Android 5.0及之前版本的platform/frameworks/native/libs/ui/GraphicBuffer.cpp文件中的‘GraphicBuffer::unflatten’函数存在整数溢出漏洞。攻击者可利用该漏洞获取特权,或造成拒绝服务(内存损坏)。
Readme
This code is ment to be a tentative of a poc for CVE-2015-1474.
The code is based on the code of the screencap comand, but generates a rogue parcel that crashes the surfaceflinger when it is deserialized.
See more at http://forum.xda-developers.com/kindle-fire-hdx/orig-development/evaluating-cve-2015-1474-to-escalate-to-t3045163.

Clone under frameworks/base/cmds/badscreencap and compile with mmm frameworks/base/cmds/badscreencap.
To be able to compile you change the visibility of BBinder::onTransact to public (in frameworks/native/include/Binder.h). This is required for getting the vtable offset of that method.

You can pull the required .so's from your device (or OTA package) if you do not want to build the entire native Android framework.
File Snapshot

 [4.0K]  /data/pocs/d2870f844383e1798ffc9ee54665dd362f388c6b
├── [ 450]  Android.mk
├── [2.4K]  Android.mk.static.failed
├── [   0]  LICENSE
├── [ 752]  README.md
└── [ 15K]  screencap.cpp

0 directories, 5 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).
    3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.