
E²VA: Use After Free Write/Execute Module (Part 4)

Exploitation of Use-After-Free Modules

In this post we will be discussing how to exploit a Use-After-Free bug in both UseAfterFreeExecModule and UseAfterFreeWriteModule. As the module names suggest, they differ in the impact the bug has: in UseAfterFreeExecModule we will be able to control a function pointer, whereas in UseAfterFreeWriteModule we are given a Write-What-Where condition.
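The two impacts named above, as an added illustration that is not code from the E²VA posts or from damnvulnerableapp: a freed object is reallocated by attacker-controlled data of the same size, and the victim's stale pointer is then used either to call through a function pointer (the Exec flavour) or to perform a store through a pointer field (the Write-What-Where flavour). The toy LIFO allocator, the `struct handler`/`struct record` layouts and the `sensitive` target are constructed for this demo; a real target's allocator reuses chunks under its own rules, so winning the reallocation is the part the real modules make you work for.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Toy allocator (constructed for the demo): fixed-size chunks and a LIFO free
   list, so the chunk freed last is handed out next. This is the reuse
   behaviour a UAF exploit needs; real allocators have to be coaxed into it. */
#define CHUNK_SIZE 32
#define NCHUNKS 8

static _Alignas(16) unsigned char pool[NCHUNKS][CHUNK_SIZE];
static void *freelist[NCHUNKS];
static size_t nfree;

static void toy_reset(void) {
    nfree = 0;
    for (size_t i = 0; i < NCHUNKS; i++)
        freelist[nfree++] = pool[NCHUNKS - 1 - i];
}
static void *toy_alloc(void) { return nfree ? freelist[--nfree] : NULL; }
static void toy_free(void *p) { freelist[nfree++] = p; }

/* Exec flavour: the victim object carries a callback at offset 0. */
struct handler {
    int (*cb)(void);
    char name[24];
};

static int benign_cb(void) { return 0; }
static int attacker_cb(void) { return 0x41; } /* stands in for attacker-chosen code */

/* Returns whatever the stale callback pointer ends up calling. */
int uaf_exec_demo(void) {
    toy_reset();
    struct handler *h = toy_alloc();
    h->cb = benign_cb;
    memcpy(h->name, "module", 7);
    toy_free(h);                      /* freed, but the victim keeps h (dangling) */

    /* Attacker allocation of the same size lands on the freed chunk and its
       first bytes overlap h->cb. */
    unsigned char *spray = toy_alloc();
    int (*fp)(void) = attacker_cb;
    memcpy(spray, &fp, sizeof fp);

    return h->cb();                   /* victim uses stale pointer: calls attacker_cb */
}

/* Write flavour: the victim later stores r->value through r->dst. */
struct record {
    int *dst;
    int value;
};

static int sensitive = 0;             /* constructed stand-in for a privileged flag */

/* Returns the value of `sensitive` after the victim's store. */
int uaf_write_demo(void) {
    toy_reset();
    struct record *r = toy_alloc();
    int scratch = 0;
    r->dst = &scratch;
    r->value = 1;
    toy_free(r);                      /* freed, r still used below */

    /* Attacker supplies both the "where" (dst) and the "what" (value). */
    unsigned char *spray = toy_alloc();
    int *where = &sensitive;
    int what = 1337;
    memcpy(spray + offsetof(struct record, dst), &where, sizeof where);
    memcpy(spray + offsetof(struct record, value), &what, sizeof what);

    *r->dst = r->value;               /* victim's normal store becomes write-what-where */
    return sensitive;
}

int main(void) {
    printf("exec flavour: callback returned 0x%x\n", uaf_exec_demo());
    printf("write flavour: sensitive = %d\n", uaf_write_demo());
    return 0;
}
```

The size match between the freed object and the attacker's allocation is what makes both variants work; when the attacker cannot allocate an object of the right size class, neither field is reachable.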

32 minutes to read
Pascal Kühnemann

E²VA: Stack Buffer Overflow Module (Part 3)

Exploitation of EasyStackBufferOverflowModule

This article describes exploitation of the EasyStackBufferOverflowModule. Along the way, various Android-specific caveats are discussed.

Assumptions

We will assume that we have successfully grabbed a copy of the .apk file of damnvulnerableapp. We will also not discuss how to unpack an .apk file, but rather assume that we have access to libEasyStackBufferOverflowModule.so and the EasyStackBufferOverflowModule class. If it is unclear how to get access to these components when only given an .apk file, read the previous blog posts first!

9 minutes to read
Pascal Kühnemann

E²VA: Android Basics (Part 2)

Android Binary Exploitation

In this post, we will examine the security mechanisms that Android 12 employs in order to make binary exploitation a bit harder. We will also discuss how to get at information that is necessary for successful exploitation, such as shared-object files. The latter will be generalized to getting limited source code access to an app when given only the corresponding .apk file.

Environment

Before diving into details, the technical setup has to be clarified. All of the following observations on security mechanisms were made on an x86_64 Pixel 3 emulator running Android 12 (build number SE1A.220203.002.A1). When referencing source code from the Android Open Source Project (AOSP), it will be w.r.t. Android 12.0.0_r31. The build variant of damnvulnerableapp is currently debug only. The emulator image also has no Google Play, because we require root on the device; root is used for debugging purposes only.

20 minutes to read
Pascal Kühnemann

Diving into the art of userspace exploitation under Android - Introducing E²VA (Part 1)

Investigating Binary Exploitation for JNI on Android

This post aims to be an introduction to a blog series about binary exploitation on Android. It describes how the environment that runs the vulnerable modules is set up and how damnvulnerableapp supports the process of binary exploitation on Android.

Warning

The following app is intended to be vulnerable to specific attacks, and exploiting it can result in arbitrary code execution in the context of the app. Therefore, do not run this app on a device or emulator that contains any personal information. Always launch the app in a controlled environment. No authentication is necessary to connect to the app and talk to the vulnerable modules. Assuming the app is free of bugs, there is a guarantee that only one client can connect at a time.

8 minutes to read
Pascal Kühnemann and Daniel Baier