Skip to content

An exploit for CVE-2015-1538-1 - Google Stagefright ‘stsc’ MP4 Atom Integer Overflow Remote Code Execution

Notifications You must be signed in to change notification settings

oguzhantopgul/cve-2015-1538-1

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

4 Commits
 
 
 
 

Repository files navigation

PLEASE DO NOT SHARE THIS WITH ANYONE. THIS CODE IS BEING PROVIDED TO YOU UNDER FrienNDA. PEOPLE VIOLATING THIS WILL NO LONGER BE CONSIDERED FRIENDS.

Included is a python script that generates an MP4 exploiting the ‘stsc’ vulnerability otherwise known as CVE-2015-1538 (#1). This is one of the most critical vulnerabilities I reported in the Stagefright library. The expected result of the exploit is a reverse shell as the media user. As detailed in my Black Hat and DEF CON presentations, this user also has access to quite a few groups such as inet, audio, camera, and mediadrm. These groups allow an attacker to take pictures or listen to the microphone remotely without exploiting additional vulnerabilities.

This exploit has several caveats. First, it is not a generic exploit. It's only been tested to work on a single device model. My target was the Galaxy Nexus device running Android 4.0.4 containing only a partial implementation of ASLR. Also, due to variances in heap layout, this is not a 100% reliable exploit by itself. However, I was able achieve 100% reliability when delivered through an attack vector that allowed multiple attempts. Finally, this vulnerability was one of several that was neutered by GCC 5.0’s ‘new[]’ integer overflow mitigation present on Android 5.0 and later.

Enjoy! Please consider contributing to Android security through research!

About

An exploit for CVE-2015-1538-1 - Google Stagefright ‘stsc’ MP4 Atom Integer Overflow Remote Code Execution

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages