Skip to content

HexHive/scudo-exploitation

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

31 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Scudo Exploitation

This repository contains the artifacts of the Exploiting Android's Hardened Memory Allocator paper.

gdb-plugin

The gdb-plugin folder contains the gdb plugin which helps analyzing the scudo heap state. The plugin is designed to be used for gef. To use the plugin please install gef from: https://github.com/hugsy/gef

There is also a port for pwndbg at gdb-plugin/scudo-pwndbg.py. (Thanks to @ju256)

scudocookie

A python3 library which allows to conveniently compute a chunk's checksum or bruteforce the cookie given a chunk's address and header.

Installation:

cd scudocookie && sudo python3 setup.py install

exploits

A vulnerable heap menu program along with pwntools python3 scripts that showcase our exploitation techniques forged CommitBase and safe unlink. In order to run the scripts please install scudocookie (you also need pwntools to run the python scripts).

Forged CommitBase exploit:

cd exploits && python3 forged_commitbase.py GDB

Safe Unlink exploit:

cd exploits && python3 safe_unlink.py GDB

Alternatively you can use the provided Dockerfile and run the exploits inside the docker with all dependencies.

cd exploits && ./build_docker.sh && ./run_docker.sh

case-study

The artifacts used in our exploitation case study, in which we backported CVE-2015-1528 and exploited the system server on Android 14. For details on how to run it check the README.md in the case-study folder.