Remote memory write `corruption` bug

[scottishdeveloper]

• eg. "/data/local/tmp/libhook.so" = 26 bytes + (align remaining bytes) = malloc(28)
• malloc does not initialize the bytes to 0, therefore when you (https://github.com/evilsocket/arminject/blob/master/jni/injector/traced.hpp#L146):

/*
You copy 26 bytes, the remaining alignment bytes bytes are junk (not \0\0),
PTRACE_POKETEXT will write those 2 junk bytes from malloc(28)!
*/
memcpy(ptr, buf, blen);

• The remote write then becomes "/data/local/tmp/libhook.so??" instead of "/data/local/tmp/libhook.so\0\0"
• Finally, when the remote dlopen is called, it's looking up a bad filename and thus fails to inject

Solution:

Use calloc() instead of malloc() (https://github.com/evilsocket/arminject/blob/master/jni/injector/traced.hpp#L144)

char *ptr = (char *)calloc(blen + blen % sizeof(size_t),1);

PS. Sometimes you'll get real lucky and malloc actually returns 0 initialized bytes in the alignment area, masking this elusive issue! ;)

Cheers!

Martin Alexander

[scottishdeveloper]

Or alternatively:

write( mem, (unsigned char *)s, strlen(s) + 1); //+1 to capture the \0