Exploit code for CVE-2018-9411 for MediaCasService.
Note that this exploit is only provided for educational or defensive purposes; it is not intended for any malicious or offensive use.
The full write-up for the vulnerability and the exploit is available on the Zimperium blog.
If you have any questions, you are welcome to DM me on Twitter (@tamir_zb).
Note: this exploit is only intended to work on a specific device and build - Pixel 2 with the May 2018 security update (fingerprint:
In order to build this:
- Download the Android source code.
- Put this repository in
- Run the following commands:
    cd AOSP
    source build/envsetup.sh
    make cas_exploit
A successful run of this exploit should obtain access to the TEE device, which will be demonstrated by getting the QSEOS version.
Example exploit output:
    [+] Prepared descrambler object
    [+] Determined small heap address (address = 0xec9d8000)
    [+] Prepared remote threads
    [+] Found target thread (stack address = 0xeb42b000, libc address = 0xec51d000)
    [+] Copied data for ROP chain
    [+] ROP stack written
    [+] Running ROP chain...
    [+] QSEOS version = 0x14