Exploit code for CVE-2018-9411 for MediaCasService
Switch branches/tags
Nothing to show
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Failed to load latest commit information.
.gitignore Initial commit Oct 18, 2018
Android.mk Add exploit code Oct 22, 2018
LICENSE Add license Oct 23, 2018
README.md Add link to blog post Oct 30, 2018
cas_exploit.cpp Add exploit code Oct 22, 2018
defs.h Add exploit code Oct 22, 2018
offsets.h Add exploit code Oct 22, 2018
qseecom.h Add exploit code Oct 22, 2018



Exploit code for CVE-2018-9411 for MediaCasService.

Note that this exploit is only provided for educational or defensive purposes; it is not intended for any malicious or offensive use.

Full write-up for the vulnerability and the exploit is available on the Zimperium blog.

If you have any questions, you are welcome to DM me on Twitter (@tamir_zb).


Note: this exploit is only intended to work on a specific device and build - Pixel 2 with the May 2018 security update (fingerprint: google/walleye/walleye:8.1.0/OPM2.171019.029.B1/4720900:user/release-keys).

In order to build this:

  1. Download the Android source code.
  2. Put this repository in AOSP/external.
  3. Run the following commands:
source build/envsetup.sh
make cas_exploit


A successful run of this exploit should obtain access to the TEE device, which will be demonstrated by getting the QSEOS version.

Example exploit output:

[+] Prepared descrambler object
[+] Determined small heap address (address = 0xec9d8000)
[+] Prepared remote threads
[+] Found target thread (stack address = 0xeb42b000, libc address = 0xec51d000)
[+] Copied data for ROP chain
[+] ROP stack written
[+] Running ROP chain...
[+] QSEOS version = 0x14