
10 new exploits LG G4 MRA58K - 'liblg_parser_mkv.so' Bad Allocation Calls LG G4 MRA58K - 'mkvparser::Tracks constructor' Failure to Initialise Pointers LG G4 MRA58K - 'mkvparser::Block::Block' Heap Buffer Overflows wolfSSL 3.10.2 - x509 Certificate Text Parsing Off-by-One Microsoft Windows 8 / 8.1 / 10 / Windows Server / SCEP_ Microsoft Security Essentials - 'MsMpEng' Remotely Exploitable Type Confusion Oracle GoldenGate 12.1.2.0.0 - Unauthenticated Remote Code Execution Crypttech CryptoLog - Remote Code Execution (Metasploit) BSD/x86 - portbind port 31337 Shellcode (83 bytes) BSD/x86 - portbind port random Shellcode (143 bytes) BSD/x86 - Portbind Port 31337 Shellcode (83 bytes) BSD/x86 - Portbind Random Port Shellcode (143 bytes) BSD/x86 - execve /bin/sh Crypt /bin/sh Shellcode (49 bytes) BSD/x86 - execve /bin/sh Crypt Shellcode (49 bytes) BSD/x86 - reverse 6969 portbind Shellcode (129 bytes) BSD/x86 - Portbind Reverse 6969 Shellcode (129 bytes) FreeBSD/x86 - /bin/cat /etc/master.passwd Null Free Shellcode (65 bytes) FreeBSD/x86 - reverse portbind 127.0.0.1:8000 /bin/sh Shellcode (89 bytes) FreeBSD/x86 - /bin/cat /etc/master.passwd Null-Free Shellcode (65 bytes) FreeBSD/x86 - Rortbind Reverse 127.0.0.1:8000 /bin/sh Shellcode (89 bytes) FreeBSD/x86 - portbind 4883 with auth Shellcode (222 bytes) FreeBSD/x86 - Portbind Port 4883 with Auth Shellcode (222 bytes) FreeBSD/x86 - connect (Port 31337) Shellcode (102 bytes) FreeBSD/x86 - Connect Port 31337 Shellcode (102 bytes) Linux/x86 - execve Null Free Shellcode (Generator) Linux/x86 - Portbind Payload Shellcode (Generator) Windows XP SP1 - Portbind Payload Shellcode (Generator) Linux/x86 - execve Null-Free Shellcode (Generator) Linux/x86 - Portbind Shellcode (Generator) Windows XP SP1 - Portbind Shellcode (Generator) Linux/x86 - cmd Null Free Shellcode (Generator) Linux/x86 - cmd Null-Free Shellcode (Generator) Cisco IOS - Connectback (Port 21) Shellcode Cisco IOS - Connectback Port 21 Shellcode Linux/MIPS (Linksys 
WRT54G/GL) - 4919 port bind Shellcode (276 bytes) Linux/MIPS (Linksys WRT54G/GL) - Bind Port 4919 Shellcode (276 bytes) Linux/SPARC - portbind port 8975 Shellcode (284 bytes) Linux/SPARC - Portbind Port 8975 Shellcode (284 bytes) Linux/x86 - 4444 Port Binding Shellcode (xor-encoded) (152 bytes) Linux/x86 - Binding Port 4444 Shellcode (xor-encoded) (152 bytes) Linux/x86 - bindport 8000 & execve iptables -F Shellcode (176 bytes) Linux/x86 - bindport 8000 & add user with root access Shellcode (225+ bytes) Linux/x86 - 8000 Bind Port ASM Code Linux Shellcode (179 bytes) Linux/x86 - Bind Port 8000 & Execve Iptables -F Shellcode (176 bytes) Linux/x86 - Bind Port 8000 & Add User with Root Access Shellcode (225+ bytes) Linux/x86 - Bind Port 8000 ASM Code Linux Shellcode (179 bytes) Linux/x86 - connect-back port UDP/54321 live packet capture Shellcode (151 bytes) Linux/x86 - append rsa key to /root/.ssh/authorized_keys2 Shellcode (295 bytes) Linux/x86 - Connectback Port 54321/UDP Live Packet Capture Shellcode (151 bytes) Linux/x86 - Append RSA key to /root/.ssh/authorized_keys2 Shellcode (295 bytes) Linux/x86 - Connect Back Port 8192.send.exit /etc/shadow Shellcode (155 bytes) Linux/x86 - Connectback Port 8192.send.exit /etc/shadow Shellcode (155 bytes) Linux/x86 - setuid/portbind (Port 31337) Shellcode (96 bytes) Linux/x86 - portbind (2707) Shellcode (84 bytes) Linux/x86 - setuid/portbind Port 31337 Shellcode (96 bytes) Linux/x86 - Portbind 2707 Shellcode (84 bytes) Linux/x86 - SET_PORT() portbind 31337/TCP Shellcode (100 bytes) Linux/x86 - SET_PORT() Portbind 31337/TCP Shellcode (100 bytes) Linux/x86 - Password Authentication portbind (64713) Shellcode (166 bytes) Linux/x86 - portbind (port 64713) Shellcode (86 bytes) Linux/x86 - Password Authentication Portbind 64713 Shellcode (166 bytes) Linux/x86 - Portbind Port 64713 Shellcode (86 bytes) Linux/x86 - portbind port 5074 toupper Shellcode (226 bytes) Linux/x86 - Add user 't00r' encrypt Shellcode (116 bytes) Linux/x86 - 
Portbind Port 5074 toupper Shellcode (226 bytes) Linux/x86 - Add User 't00r' encrypt Shellcode (116 bytes) Linux/x86 - portbind port 5074 Shellcode (92 bytes) Linux/x86 - portbind port 5074 + fork() Shellcode (130 bytes) Linux/x86 - Add user 't00r' Shellcode (82 bytes) Linux/x86 - Portbind Port 5074 Shellcode (92 bytes) Linux/x86 - Portbind Port 5074 + fork() Shellcode (130 bytes) Linux/x86 - Add User 't00r' Shellcode (82 bytes) Linux/x86-64 - bindshell port 4444 Shellcode (132 bytes) Linux/x86-64 - Bindshell Port 4444 Shellcode (132 bytes) NetBSD/x86 - callback Shellcode (port 6666) (83 bytes) NetBSD/x86 - Callback Port 6666 Shellcode (83 bytes) OpenBSD/x86 - portbind port 6969 Shellcode (148 bytes) OpenBSD/x86 - Portbind Port 6969 Shellcode (148 bytes) Solaris/SPARC - portbind (port 6666) Shellcode (240 bytes) Solaris/SPARC - Portbind Port 6666 Shellcode (240 bytes) Solaris/SPARC - portbind port 6789 Shellcode (228 bytes) Solaris/SPARC - Portbind Port 6789 Shellcode (228 bytes) Solaris/SPARC - portbinding Shellcode (240 bytes) Solaris/x86 - portbind/TCP Shellcode (Generator) Solaris/x86 - setuid(0)_ execve(//bin/sh); exit(0) Null Free Shellcode (39 bytes) Solaris/SPARC - Portbind Shellcode (240 bytes) Solaris/x86 - Portbind TCP Shellcode (Generator) Solaris/x86 - setuid(0)_ execve(//bin/sh); exit(0) Null-Free Shellcode (39 bytes) Windows 5.0 < 7.0 x86 - Null Free bindshell port 28876 Shellcode Windows 5.0 < 7.0 x86 - Bind Shell Port 28876 Null-Free Shellcode Win32 - telnetbind by Winexec 23 port Shellcode (111 bytes) Win32 - Winexec Telnet Bind 23 Port Shellcode (111 bytes) Win32 XP SP2 FR - Sellcode cmd.exe Shellcode (32 bytes) Win32 XP SP2 (FR) - Sellcode cmd.exe Shellcode (32 bytes) Win32 - Download and Execute Shellcode (Generator) (Browsers Edition) (275+ bytes) Win32 - Download & Execute Shellcode (Generator) (Browsers Edition) (275+ bytes) Win32 - download and execute Shellcode (124 bytes) Win32 - Download & Execute Shellcode (124 bytes) Windows NT/2000/XP 
(Russian) - Add User _slim_ Shellcode (318 bytes) Windows NT/2000/XP (Russian) - Add User 'slim' Shellcode (318 bytes) Windows XP - download and exec source Shellcode Windows XP SP1 - Portshell on port 58821 Shellcode (116 bytes) Windows XP - Download & Exec Shellcode Windows XP SP1 - Portshell Port 58821 Shellcode (116 bytes) Win64 - (URLDownloadToFileA) download and execute Shellcode (218+ bytes) Win64 - (URLDownloadToFileA) Download & Execute Shellcode (218+ bytes) Win32 XP SP3 - Add Firewall Rule to allow TCP traffic on port 445 Shellcode FreeBSD/x86 - portbind (Port 1337) Shellcode (167 bytes) Win32 XP SP3 - Add Firewall Rule to Allow TCP Traffic on Port 445 Shellcode FreeBSD/x86 - Portbind Port 1337 Shellcode (167 bytes) Windows XP Pro SP2 English - _Message-Box_ Null Free Shellcode (16 bytes) Windows XP Pro SP2 English - _Wordpad_ Null Free Shellcode (12 bytes) Windows XP Professional SP2 (English) - Message Box Null-Free Shellcode (16 bytes) Windows XP Professional SP2 (English) - Wordpad Null-Free Shellcode (12 bytes) Win32 XP SP2 FR - calc Shellcode (19 bytes) Win32 XP SP2 (FR) - calc Shellcode (19 bytes) Win32 XP SP3 English - cmd.exe Shellcode (26 bytes) Win32 XP SP2 Turkish - cmd.exe Shellcode (26 bytes) Win32 XP SP3 (English) - cmd.exe Shellcode (26 bytes) Win32 XP SP2 (Turkish) - cmd.exe Shellcode (26 bytes) Windows XP Home Edition SP2 English - calc.exe Shellcode (37 bytes) Windows XP Home Edition SP3 English - calc.exe Shellcode (37 bytes) Windows XP Home SP2 (English) - calc.exe Shellcode (37 bytes) Windows XP Home SP3 (English) - calc.exe Shellcode (37 bytes) Windows XP Professional SP2 ITA - calc.exe Shellcode (36 bytes) Windows XP Professional SP2 (ITA) - calc.exe Shellcode (36 bytes) Windows XP SP2 FR - Download and Exec Shellcode Windows XP SP2 (FR) - Download & Exec Shellcode Windows 7 Pro SP1 64 FR - (Beep) Shellcode (39 bytes) Windows 7 Professional SP1 x64 (FR) - (Beep) Shellcode (39 bytes) Linux/x86 - netcat connect back port 8080 
Shellcode (76 bytes) Linux/x86 - Netcat Connectback Port 8080 Shellcode (76 bytes) Linux/x86-64 - Add root user _shell-storm_ with password _leet_ Shellcode (390 bytes) Windows XP SP3 SPA - URLDownloadToFileA + CreateProcessA + ExitProcess Shellcode (176+ bytes) Linux/x86-64 - Add root user _shell-storm_ with password 'leet' Shellcode (390 bytes) Windows XP SP3 (SPA) - URLDownloadToFileA + CreateProcessA + ExitProcess Shellcode (176+ bytes) Linux/x86 - bind shell port 64533 Shellcode (97 bytes) Linux/x86 - Bind Shell Port 64533 Shellcode (97 bytes) Linux - 125 bind port to 6778 XOR encoded polymorphic Shellcode (125 bytes) Linux - _nc -lp 31337 -e /bin//sh_ polymorphic Shellcode (91 bytes) Linux - 125 Bind Port 6778 XOR Encoded Polymorphic Shellcode (125 bytes) Linux - _nc -lp 31337 -e /bin//sh_ Polymorphic Shellcode (91 bytes) Linux/x86 - netcat bindshell port 8080 Shellcode (75 bytes) Linux/x86 - /bin/sh Polymorphic Null Free Shellcode (46 bytes) Linux/x86 - Netcat BindShell Port 8080 Shellcode (75 bytes) Linux/x86 - /bin/sh Polymorphic Null-Free Shellcode (46 bytes) BSD/x86 - bindshell on port 2525 Shellcode (167 bytes) BSD/x86 - Bindshell Port 2525 Shellcode (167 bytes) Win32/XP SP3 (TR) - Add Admin _zrl_ Account Shellcode (127 bytes) Win32/XP SP3 (TR) - Add Administrator 'zrl' Shellcode (127 bytes) Win32/XP Pro SP3 (EN) x86 - Add new local administrator _secuid0_ Shellcode (113 bytes) Win32 - Add New Local Administrator _secuid0_ Shellcode (326 bytes) ARM - Bindshell port 0x1337 Shellcode Win32/XP Professional SP3 (EN) x86 - Add New Local Administrator 'secuid0' Shellcode (113 bytes) Win32 - Add New Local Administrator 'secuid0' Shellcode (326 bytes) ARM - Bindshell Port 0x1337 Shellcode OSX/Intel (x86-64) - setuid shell Shellcode (51 bytes) OSX/Intel x86-64 - setuid shell Shellcode (51 bytes) Win32 - speaking Shellcode Win32 - Speaking 'You got pwned!' 
Shellcode BSD/x86 - 31337 portbind + fork Shellcode (111 bytes) BSD/x86 - 31337 Portbind + fork Shellcode (111 bytes) Linux/x86 - netcat bindshell port 6666 Shellcode (69 bytes) Linux/x86 - Netcat BindShell Port 6666 Shellcode (69 bytes) Windows - WinExec add new local administrator _RubberDuck_ + ExitProcess Shellcode (279 bytes) Windows - WinExec Add New Local Administrator 'RubberDuck' + ExitProcess Shellcode (279 bytes) Win32/PerfectXp-pc1/SP3 TR - Add Admin _kpss_ Shellcode (112 bytes) Win32/PerfectXp-pc1/SP3 (TR) - Add Administrator 'kpss' Shellcode (112 bytes) Linux/MIPS - connect back Shellcode (port 0x7a69) (168 bytes) Linux/MIPS - Connectback Shellcode (port 0x7a69) (168 bytes) Windows XP Pro SP3 - Full ROP calc Shellcode (428 bytes) Windows XP Professional SP3 - Full ROP calc Shellcode (428 bytes) Windows RT ARM - Bind Shell (Port 4444) Shellcode Windows RT ARM - Bind Shell Port 4444 Shellcode Windows - Add Admin User _BroK3n_ Shellcode (194 bytes) Windows - Add Administrator 'BroK3n' Shellcode (194 bytes) Linux/x86 - Obfuscated Shellcode chmod 777 (/etc/passwd + /etc/shadow) & Add New Root User _ALI_ & Execute /bin/bash (521 bytes) Linux/x86 - chmod 777 (/etc/passwd + /etc/shadow) & Add New Root User 'ALI' & Execute /bin/bash Obfuscated Shellcode (521 bytes) Linux/x86-64 - Bind 4444/TCP Port Shellcode (81 bytes / 96 bytes with password) Linux/x86-64 - Bind Port 4444/TCP Shellcode (81 bytes / 96 bytes with password) Windows x86 - Obfuscated Shellcode Add Administrator _ALI_ & Add ALI To RDP Group & Enable RDP From Registry & STOP Firewall & Auto Start Terminal Service (1218 bytes) Windows x64 - Obfuscated Shellcode Add Administrator _ALI_ & Add ALI To RDP Group & Enable RDP From Registry & STOP Firewall & Auto Start Terminal Service (1218 bytes) Windows x86 - Add Administrator 'ALI' & Add ALI To RDP Group & Enable RDP From Registry & STOP Firewall & Auto Start Terminal Service Obfuscated Shellcode (1218 bytes) Windows x64 - Add Administrator 'ALI' & Add 
ALI To RDP Group & Enable RDP From Registry & STOP Firewall & Auto Start Terminal Service Obfuscated Shellcode (1218 bytes) Windows XP x86-64 - Download & execute Shellcode (Generator) Windows XP x86-64 - Download & Execute Shellcode (Generator) Linux/x86 - Bind Shell 33333/TCP Port Shellcode (96 bytes) Linux/x86 - Bind Shell Port 33333/TCP Shellcode (96 bytes) Win32/XP SP3 - Create (_file.txt_) Shellcode (83 bytes) Win32/XP SP3 - Create ('file.txt') Shellcode (83 bytes) Windows x86 - user32!MessageBox _Hello World!_ Null Free Shellcode (199 bytes) Windows x86 - user32!MessageBox 'Hello World!' Null-Free Shellcode (199 bytes) OSX/x86-64 - /bin/sh Null Free Shellcode (34 bytes) OSX/x86-64 - /bin/sh Null-Free Shellcode (34 bytes) OSX/x86-64 - 4444/TPC port bind Nullfree Shellcode (144 bytes) OSX/x86-64 - Bind Port 4444/TPC Null-free Shellcode (144 bytes) Google Android - Telnetd (Port 1035) with Parameters Shellcode (248 bytes) Google Android - Telnetd Port 1035 with Parameters Shellcode (248 bytes) Linux/x86-64 - Bindshell 31173 port with Password Shellcode (92 bytes) Linux/x86-64 - Bindshell Port 31173 with Password Shellcode (92 bytes) Windows XP < 10 - WinExec Null Free Shellcode (Python) (Generator) Windows XP < 10 - WinExec Null-Free Shellcode (Python) (Generator) Linux/x86-64 - Bind 4444/TCP Port Shellcode (103 bytes) Linux/x86-64 - Bind Port 4444/TCP Shellcode (103 bytes) Linux x86/x86-64 - tcp_bind (Port 4444) Shellcode (251 bytes) Linux x86/x86-64 - tcp_bind Port 4444 Shellcode (251 bytes) Windows x86 - Download & Run via WebDAV Null Free Shellcode (96 bytes) Windows x86 - Download & Run via WebDAV Null-Free Shellcode (96 bytes) Linux/x86-64 - bindshell (Port 5600) Shellcode (81 bytes) Linux/x86-64 - Bindshell Port 5600 Shellcode (81 bytes) Linux/x86-64 - bindshell (Port 5600) Shellcode (86 bytes) Linux/x86-64 - Bindshell Port 5600 Shellcode (86 bytes) Linux/x86 - Bind TCP Port 1472 (IPv6) Shellcode (1250 bytes) Linux/x86 - Bind Port 1472/TCP (IPv6) 
Shellcode (1250 bytes) Windows - Primitive Keylogger to File Null Free Shellcode (431 (0x01AF) bytes) Windows - Primitive Keylogger to File Null-Free Shellcode (431 (0x01AF) bytes) Windows - Functional Keylogger to File Null Free Shellcode (601 (0x0259) bytes) Windows - Functional Keylogger to File Null-Free Shellcode (601 (0x0259) bytes) Linux/x86-64 - Reverse TCP Shell Null Free Shellcode (134 bytes) Linux/x86-64 - Reverse TCP Shell Null-Free Shellcode (134 bytes) Linux/x86 - NetCat Bind Shellcode with Port (44 / 52 bytes) Linux/x86 - zsh TCP Port 9090 Bind Shellcode (96 bytes) Linux/x86 - zsh Reverse TCP Shellcode port 9090 (80 bytes) Linux/x86 - Netcat Bind Shellcode with Port (44 / 52 bytes) Linux/x86 - zsh Bind Port 9090/TCP Shellcode (96 bytes) Linux/x86 - zsh Reverse Port 9090/TCP Shellcode (80 bytes) Linux/x86-64 - Bind 5600 TCP Port - Shellcode (87 bytes) Linux/x86-64 - Bind Port 5600/TCP - Shellcode (87 bytes) LogRhythm Network Monitor - Authentication Bypass / Command Injection I_ Librarian 4.6 / 4.7 - Command Injection / Server Side Request Forgery / Directory Enumeration / Cross-Site Scripting
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1117

Failure to initialise pointers in mkvparser::Tracks constructor

The constructor mkvparser::Tracks::Tracks() doesn't handle parsing failures correctly.

If we look at the function, it makes allocations in two places: the first where it allocates a temporary array, and the second where it allocates an array of Track*, which is stored in the Tracks object. Note that there is no path in the function which can free the second allocation; if the parsing of the Track object fails in the subsequent code, these pointers are left uninitialised.

Subsequent code will then dereference and use the uninitialised pointers. The results of this obviously depend on the state of the heap prior to parsing of the testcase; a commonly occurring crash is one where a vtable pointer has been read through the bad pointer during destruction of the Tracks object.

Build fingerprint: 'lge/p1_global_com/p1:6.0/MRA58K/1624210305d45:user/release-keys'
Revision: '11'
ABI: 'arm'
pid: 31956, tid: 31904, name: NuPlayerDriver >>> /system/bin/mediaserver <<<
signal 11 (SIGSEGV), code 2 (SEGV_ACCERR), fault addr 0xf62c9880
r0 eee45000 r1 f62e4b60 r2 f62c9880 r3 eb1c08a0
AM write failed: Broken pipe
r4 f1859da0 r5 f15ce05c r6 f15ce060 r7 f62c9880
r8 fffdfc60 r9 efc3f5f4 sl 6175644e fp f6f50c11
ip eb1c0d18 sp efc3f4c0 lr eb1b19b5 pc f62c9880 cpsr a00f0010

backtrace:
#00 pc 00049880 [anon:libc_malloc]
#01 pc 0000c9b3 /system/lib/liblg_parser_mkv.so (_ZN9mkvparser6TracksD1Ev+34)
#02 pc 0000c9cd /system/lib/liblg_parser_mkv.so (_ZN9mkvparser6TracksD0Ev+4)
#03 pc 0001150d /system/lib/liblg_parser_mkv.so (_ZN9mkvparser7SegmentD1Ev+60)
#04 pc 0000b015 /system/lib/liblg_parser_mkv.so (_ZN12MkvExtractorD1Ev+10)
#05 pc 00009449 /system/lib/liblg_parser_mkv.so (_ZN9MKVParser5CloseEv+24)
#06 pc 0002739b /system/lib/libLGParserOSAL.so (_ZN7android14LGMKVExtractorD1Ev+38)
#07 pc 00027425 /system/lib/libLGParserOSAL.so (_ZN7android14LGMKVExtractorD0Ev+4)
#08 pc 0000e753 /system/lib/libutils.so (_ZNK7android7RefBase9decStrongEPKv+50)
#09 pc 00027481 /system/lib/libLGParserOSAL.so
#10 pc 000274d9 /system/lib/libLGParserOSAL.so (_ZN7android14LGMKVExtractor11LGMKVSourceD0Ev+4)
#11 pc 0000e753 /system/lib/libutils.so (_ZNK7android7RefBase9decStrongEPKv+50)
#12 pc 000329bd /system/lib/liblgesourceplugin.so (_ZN7android2spINS_3lge20StreamingBufferQueueEED1Ev+18)
#13 pc 0005997d /system/lib/liblgesourceplugin.so (_ZNK7android6VectorINS_2spINS_11MediaSourceEEEE10do_destroyEPvj+12)
#14 pc 00010b6d /system/lib/libutils.so (_ZN7android10VectorImpl15release_storageEv+28)
#15 pc 00010bd9 /system/lib/libutils.so (_ZN7android10VectorImpl13finish_vectorEv+4)
#16 pc 00058cb7 /system/lib/liblgesourceplugin.so
#17 pc 0005a695 /system/lib/liblgesourceplugin.so (_ZN7android9PDSessionD1Ev+292)
#18 pc 0005a6d9 /system/lib/liblgesourceplugin.so (_ZN7android9PDSessionD0Ev+4)
#19 pc 0000e753 /system/lib/libutils.so (_ZNK7android7RefBase9decStrongEPKv+50)
#20 pc 00057f69 /system/lib/liblgesourceplugin.so (_ZN7android12HTTPPDSource4stopEv+72)
#21 pc 0006bc51 /system/lib/libmediaplayerservice.so (_ZN7android8NuPlayer12performResetEv+168)
#22 pc 0006b103 /system/lib/libmediaplayerservice.so (_ZN7android8NuPlayer22processDeferredActionsEv+90)
#23 pc 00069ca1 /system/lib/libmediaplayerservice.so (_ZN7android8NuPlayer17onMessageReceivedERKNS_2spINS_8AMessageEEE+4944)
#24 pc 0000b309 /system/lib/libstagefright_foundation.so (_ZN7android8AHandler14deliverMessageERKNS_2spINS_8AMessageEEE+16)
#25 pc 0000d2ef /system/lib/libstagefright_foundation.so (_ZN7android8AMessage7deliverEv+54)
#26 pc 0000bd15 /system/lib/libstagefright_foundation.so (_ZN7android7ALooper4loopEv+224)
#27 pc 000100d1 /system/lib/libutils.so (_ZN7android6Thread11_threadLoopEPv+112)
#28 pc 0003f9ab /system/lib/libc.so (_ZL15__pthread_startPv+30)
#29 pc 0001a0c5 /system/lib/libc.so (__start_thread+6)

Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/41982.zip
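
The bug class described in the report, next to a hardened form, as an added example that is not code from liblg_parser_mkv.so or from the original report. Track, UnsafeTable, SafeTable, parse_entry and the one-byte-per-entry input are hypothetical; the stale heap contents are simulated with a marker value and counted rather than dereferenced.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstdlib>
#include <vector>

struct Track { uint8_t number; };
using Input = std::vector<uint8_t>;  // constructed input, one byte per track entry
static const Input kMalformed = {1, 2, 0xFF, 4, 5};  // third entry is malformed

// Hypothetical entry parser: 0xFF stands for an entry that fails to parse.
static Track* parse_entry(uint8_t b) { return b == 0xFF ? nullptr : new Track{b}; }

// Marker standing in for whatever a recycled heap chunk already holds.
static Track* const kStale = reinterpret_cast<Track*>(uintptr_t{0xDEADBEEF});

// Shape described in the report: room for `count` pointers, early return on failure.
struct UnsafeTable {
    Track** entries; size_t count; size_t parsed = 0;
    explicit UnsafeTable(const Input& in) : count(in.size()) {
        entries = static_cast<Track**>(std::malloc(count * sizeof(Track*)));
        for (size_t i = 0; i < count; ++i) entries[i] = kStale;  // simulate stale heap data
        for (; parsed < count; ++parsed) {
            Track* t = parse_entry(in[parsed]);
            if (!t) return;              // slots [parsed, count) are never written
            entries[parsed] = t;
        }
    }
    // Slots a teardown loop over [0, count) would delete although they were never set.
    size_t stale_slots() const {
        size_t n = 0;
        for (size_t i = 0; i < count; ++i) n += (entries[i] == kStale);
        return n;
    }
    ~UnsafeTable() {  // the demo frees only parsed entries so it stays well defined
        for (size_t i = 0; i < parsed; ++i) delete entries[i];
        std::free(entries);
    }
};

// Hardened shape: value-initialise the array and record how many entries are valid.
struct SafeTable {
    Track** entries; size_t count; size_t parsed = 0; bool ok = true;
    explicit SafeTable(const Input& in) : entries(new Track*[in.size()]()), count(in.size()) {
        for (; parsed < count; ++parsed) {
            entries[parsed] = parse_entry(in[parsed]);
            if (!entries[parsed]) { ok = false; break; }
        }
    }
    size_t stale_slots() const {         // non-null slots past the last parsed entry
        size_t n = 0;
        for (size_t i = parsed; i < count; ++i) n += (entries[i] != nullptr);
        return n;
    }
    ~SafeTable() { for (size_t i = 0; i < parsed; ++i) delete entries[i]; delete[] entries; }
};

size_t unsafe_stale(const Input& in) { return UnsafeTable(in).stale_slots(); }
size_t safe_stale(const Input& in)   { return SafeTable(in).stale_slots(); }
bool   safe_ok(const Input& in)      { return SafeTable(in).ok; }
int main() { std::printf("unsafe stale: %zu, safe stale: %zu, safe ok: %d\n",
    unsafe_stale(kMalformed), safe_stale(kMalformed), safe_ok(kMalformed)); }
```

Because the hardened array is zeroed, a destructor that walks every slot is also safe there, since deleting a null pointer is a no-op.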