Rooting Every Android From extension to exploitation

More documents

Recommendations

Info

Case study 2 – kernel code execution • Copy shellcode to pages allocated in user space • Get the direct mapped address of these pages in kernel (ret2dir), pages are EXECUTABLE in kernel space on MTK devices • Overwrite plWlanRemove with kernel address of shellcode • Call Java API wifi.setWifiEnabled(false) so that system process “mtk_wmtd” may call plWlanRemove to execute shellcode in kernel space • Gain root and recover every modified global variables
Agenda • Overview • Wi-Fi chipsets for Android • WEXT Attack Surface Analysis • Use device specific vulnerabilities to root them all • Case Studies • Stack overflow vulnerability in Qualcomm WEXT • Data section overflow vulnerability in MTK WEXT • Use-After-Free vulnerability in Broadcom WEXT • Google’s latest mitigation • Conclusion
Page 1 and 2: Rooting Every Android : From extens
Page 3 and 4: Agenda • Overview • Wi-Fi chips
Page 5 and 6: WEXT Attack Surface Analysis • Wi
Page 7 and 8: WEXT Attack Surface Analysis (cont.
Page 11 and 12: Wait a Minute! • Don’t we have
Page 13 and 14: How to Exploit • Data flow is ver
Page 17 and 18: Case study 2 - The overflow • No
Page 19: Case study 2 - Leaking the value
Page 23 and 24: Case study 3 - Discover the bug •
Page 25 and 26: First issue: Expose a surface for a
Page 27 and 28: Android-ID-24739315 • The patch i
Page 29 and 30: How to trigger • Unfortunately tw
Page 31 and 32: ATTACKER Binder IPC Binder thread o
Page 33 and 34: But how small the window is! • Fr
Page 35 and 36: Heap spraying by sendmmsg • Creat
Page 37 and 38: Happy rooting • Now you have kern
Page 39 and 40: Google’s latest mitigation • CV

Rooting Every Android From extension to exploitation

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?