Rooting Every Android From extension to exploitation

More documents

Recommendations

Info

Case study 2 – How to exploit • Overwriting a global function pointer located behind aucOidbuf to achieve kernel code execution • Corrupting unrelated global variables as little as possible to avoid a kernel crash. • The offset of pfWlanRemove is unknown • To meet these requirements,firstly leaking the value of variables behind aucOidbuf is necessary. Overwrite this ptr .data ffffffc0010be928 ~ ffffffc0010c0228 int8 aucOidbuf[4096] Unrelated variables pfWlanRemove pfWlanProbe
Case study 2 – Leaking the value • Another command PRIV_CMD_GET_DEBUG_CODE completed the task perfectly… • No boundary check when call copy_to_user , data leaked. • Now we get the value of variables behind gucBufDbgCode which is a variable just behind 1097 case PRIV_CMD_GET_DEBUG_CODE: aucOidbuf 1098 { 1099 wlanQueryDebugCode(prGlueInfo->prAdapter); 1100 kalMemSet(gucBufDbgCode, '.', sizeof(gucBufDbgCode)); 1101 if (copy_to_user(prIwReqData->data.pointer, gucBufDbgCode, prIwReqData->data.length)) { 1102 return -EFAULT; 1103 } 1104 else 1105 return status; 1106 } drivers/misc/mediatek/connectivity/combo/drv_wlan/mt6628/wlan/os/linux/gl_wext_priv.c
Page 1 and 2: Rooting Every Android : From extens
Page 3 and 4: Agenda • Overview • Wi-Fi chips
Page 5 and 6: WEXT Attack Surface Analysis • Wi
Page 7 and 8: WEXT Attack Surface Analysis (cont.
Page 11 and 12: Wait a Minute! • Don’t we have
Page 13 and 14: How to Exploit • Data flow is ver
Page 17: Case study 2 - The overflow • No
Page 23 and 24: Case study 3 - Discover the bug •
Page 25 and 26: First issue: Expose a surface for a
Page 27 and 28: Android-ID-24739315 • The patch i
Page 29 and 30: How to trigger • Unfortunately tw
Page 31 and 32: ATTACKER Binder IPC Binder thread o
Page 33 and 34: But how small the window is! • Fr
Page 35 and 36: Heap spraying by sendmmsg • Creat
Page 37 and 38: Happy rooting • Now you have kern
Page 39 and 40: Google’s latest mitigation • CV

Rooting Every Android From extension to exploitation

Create successful ePaper yourself

Delete template?

Save as template?