Exploit Output #6
Comments
You need to read carefully enough to understand the whole exploit, then you'll find out how the leaked libc.so base address is being used.
Thanks rootkitor, I don't know what the output of the exploit is yet! I know the exploit process and flow chart, but I do not understand how much data I will get from the victim's memory at the end, and where this leaked data will be saved.
Hi, we can leak 8 bytes (with some limits) from the mediaserver's memory by overwriting the MetaData object. Researchers from NorthBit chose to leak two values from the ELF header to locate a library in memory. Because of the Android ASLR slide, we can calculate the libc.so address. It's very smart because there are many restrictions they have to bypass. Once you have the libc.so base address, you can generate and deliver the final RCE mp4 file. This exploit uses the leaked data immediately and does not save it, because the base address changes every time mediaserver restarts.
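As an added illustration of the step rootkitor describes (this is not code from the Metaphor repository or from the NorthBit paper), the following Python models the 8-byte leak as a read primitive over a constructed fake memory image, checks whether the leaked bytes are the start of a 32-bit little-endian ELF header, and applies the resulting ASLR slide to a symbol offset. The candidate address window, the fake libc base 0xB6E00000 and the system() offset 0x2ABCD are assumptions for the demo; the real leak is constrained ("with some limits"), and matching e_ident alone tells you that some library starts at that address, not that it is libc.so.

```python
# e_ident[0:8] of a 32-bit little-endian ELF: magic, ELFCLASS32,
# ELFDATA2LSB, EV_CURRENT, ELFOSABI_NONE. Every ARM32 Android library
# (libc.so included) starts with exactly these 8 bytes.
ELF32_LE_IDENT = b"\x7fELF\x01\x01\x01\x00"
PAGE = 0x1000


def looks_like_elf32_header(leaked8):
    """True if 8 leaked bytes are the e_ident prefix of a 32-bit LE ELF."""
    return bytes(leaked8) == ELF32_LE_IDENT


def find_library_base(read8, candidates):
    """Probe page-aligned candidates with the 8-byte read until one holds an ELF header."""
    for addr in candidates:
        chunk = read8(addr)
        if chunk is not None and looks_like_elf32_header(chunk):
            return addr
    return None


def resolve(base, symbol_offset, preferred_base=0):
    """Apply the ASLR slide (base minus preferred load address) to an on-disk symbol offset."""
    return symbol_offset + (base - preferred_base)


# Constructed stand-in for mediaserver memory: one ELF header placed at an
# assumed, randomly slid base. There is no real leak here.
FAKE_LIBC_BASE = 0xB6E00000
_FAKE_MEM = {FAKE_LIBC_BASE: ELF32_LE_IDENT + b"\x00" * 8}  # full 16-byte e_ident


def fake_read8(addr):
    """Model of the leak primitive: 8 bytes at addr, or None if unmapped."""
    for start, data in _FAKE_MEM.items():
        if start <= addr and addr + 8 <= start + len(data):
            off = addr - start
            return data[off:off + 8]
    return None


# Assumed offset of system() inside libc.so (what `readelf -s libc.so` would report).
SYSTEM_OFFSET = 0x2ABCD


def demo():
    """Scan an assumed ASLR window page by page and resolve system() once libc is found."""
    candidates = range(0xB6C00000, 0xB7000000, PAGE)
    base = find_library_base(fake_read8, candidates)
    if base is None:
        return None
    return base, resolve(base, SYSTEM_OFFSET)


if __name__ == "__main__":
    found = demo()
    print("libc base 0x%08x, system() at 0x%08x" % found if found else "no ELF header found")
```

The scan loop is the part that does not transfer to a live target: each probe in the real exploit costs a crafted mp4 and a mediaserver crash, and the leak cannot read arbitrary addresses, which is the restriction rootkitor refers to. The slide arithmetic in resolve() is the only piece that carries over unchanged once a base is known.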
Hi rootkitor, I read the document again and ran Metaphor on my Nexus 5 device, and now I see at the end that the PC (program counter) is set to 3700!
You can replace the shellcode with your own by editing rce.php.
Hi, I also have a problem with the shellcode.
Hi, I tried to use Metaphor. I use a XAMPP server.
I have created the rce and leaks folders with correct permissions, and the leak videos and the 2 rce videos are generated. However, it seems bx_0x3700.bin has no effect.
Could you explain to me how I could see the PC (program counter), please? Thank you in advance for your response.
Hi SolineBlanc, you can use the adb logcat command to see your device's logcat. In the log content you can see your PC is changed to 0x3700.
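To make the logcat check concrete, here is an added Python helper (not part of Metaphor) that reads `adb logcat` output and pulls the process name, signal and pc out of the native crash dump that debuggerd writes when mediaserver dies. The lines in SAMPLE_LOGCAT are constructed to look like an ARM32 crash dump and are not real device output; tags and line layout differ between Android versions. The register line prints the program counter as `pc 00003700` (8 hex digits, no 0x prefix), so matching on that line is more reliable than grepping for the literal string `0x3700`.

```python
import re
import sys

# Patterns for the native-crash dump debuggerd writes to logcat on ARM32.
_PROC = re.compile(r">>> (\S+) <<<")
_SIGNAL = re.compile(r"signal (\d+) \((\w+)\).*?fault addr (?:0x)?([0-9a-f]+)")
_PC = re.compile(r"\bpc ([0-9a-f]{8})\b")  # registers are 8 hex digits, no 0x

# Constructed sample, modelled on a debuggerd dump; not captured from a device.
SAMPLE_LOGCAT = """\
I/NuCachedSource2(  892): ERROR_END_OF_STREAM
F/libc    (  892): Fatal signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x3700 in tid 1234 (Binder_2)
I/DEBUG   (  181): pid: 892, tid: 1234, name: Binder_2  >>> /system/bin/mediaserver <<<
I/DEBUG   (  181): signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 00003700
I/DEBUG   (  181):     r0 00000000  r1 b6d5e8c0  r2 00000004  r3 00003700
I/DEBUG   (  181):     ip b6ebf2f8  sp b5f2d7b8  lr b6e8a5c9  pc 00003700  cpsr 20000010
"""


def parse_crash(lines):
    """Extract process, signal, fault address and pc from logcat lines.

    Fields that never appear stay None, so a run with no crash is distinguishable
    from a crash that landed somewhere other than the expected pc.
    """
    info = {"process": None, "signal": None, "fault_addr": None, "pc": None}
    for line in lines:
        if info["process"] is None:
            m = _PROC.search(line)
            if m:
                info["process"] = m.group(1)
        if info["signal"] is None:
            m = _SIGNAL.search(line)
            if m:
                info["signal"] = m.group(2)
                info["fault_addr"] = int(m.group(3), 16)
        if info["pc"] is None:
            m = _PC.search(line)
            if m:
                info["pc"] = int(m.group(1), 16)
    return info


def pc_hijacked(info, expected_pc=0x3700):
    """True when mediaserver crashed with pc at the value the exploit aimed for."""
    return info["process"] == "/system/bin/mediaserver" and info["pc"] == expected_pc


if __name__ == "__main__":
    # Usage: adb logcat -d | python3 check_pc.py
    result = parse_crash(sys.stdin)
    print(result)
    print("pc control:", pc_hijacked(result))
```

If parse_crash() returns a process name but no pc, the dump was cut off or came from a newer debuggerd layout, and the raw `adb logcat -d` output needs a look by hand; if it returns no process at all, mediaserver did not crash while logcat was running, which matches the ERROR_END_OF_STREAM-only output reported later in this thread.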
Thank you very much :D It does not work yet (adb logcat | grep 0x3700 does not return anything), but this command line will be useful to find out why. I hope to come back soon with more questions, or an answer ;) Thank you again!
Hi all,
08-20 16:41:17.682 31502-31854/? I/NuCachedSource2: ERROR_END_OF_STREAM
I also couldn't get the PC from logcat. Thanks
Hi,
I am going to use your Metaphor implementation code. I have run a web server and connected to it from my Nexus 5 using Chrome. I have many mp4 files in the leak folder, and in the rce folder I have 2 mp4 files for each run.
In my terminal I check the mediaserver process ID and I see that it has crashed.
But I cannot see anything about the exploit output; in short, I don't know what and where the exploit output is! I have read your paper many times.
If at the end some data will be leaked from the victim device, where will this data be saved, and how can I check that this data is really from the victim device?
Thanks in advance.