This repository contains the artifacts of the Exploiting Android's Hardened Memory Allocator paper.
The gdb-plugin folder contains the gdb plugin which helps analyzing the scudo heap state.
The plugin is designed to be used for gef
.
To use the plugin please install gef from: https://github.com/hugsy/gef
There is also a port for pwndbg
at gdb-plugin/scudo-pwndbg.py
. (Thanks to @ju256)
A python3 library which allows to conveniently compute a chunk's checksum or bruteforce the cookie given a chunk's address and header.
Installation:
cd scudocookie && sudo python3 setup.py install
A vulnerable heap menu program along with pwntools python3 scripts that
showcase our exploitation techniques forged CommitBase
and safe unlink
.
In order to run the scripts please install scudocookie (you also need pwntools to run the python scripts).
Forged CommitBase exploit:
cd exploits && python3 forged_commitbase.py GDB
Safe Unlink exploit:
cd exploits && python3 safe_unlink.py GDB
Alternatively you can use the provided Dockerfile and run the exploits inside the docker with all dependencies.
cd exploits && ./build_docker.sh && ./run_docker.sh
The artifacts used in our exploitation case study, in which we backported CVE-2015-1528
and exploited the
system server on Android 14.
For details on how to run it check the README.md
in the case-study folder.