Exploring Android Vulnerabilities and Binder: Part II

This blog continues Part I of the android vulnerabilities exploitation experiment. We will build a proof-of-concept code with an Android NDK toolset.

Special compiler sets are used for binaries compiled to run on Android systems. We will use the package we named Android NDK here. It contains compilers for different architectures and different android versions. We will compile POC code using these compilers and run it using adb in vulnerable environment. Let’s download POC code with the help of the link below.

POC Code

The NDK package we downloaded with the help of Android Studio is located under the “~/Android/Sdk/ndk/ndk_version” directory.

We use NDK toolchains to compile POC code or any native C/C++ code for Android platform. NDK offers us different compiler options in this regard. You can find these compiler options under “~/Android/Sdk/ndk/ndk_version/toolchains/llvm/prebuilt/linux-x86_64/bin“.

Since Android 10 is API 29 and emulator has x86_64 architecture, the compiler we will use here will be “x86_64-linux-android29-clang“.

Let’s compile the POC code

Now, it’s time to try the POC code on the custom vulnerable kernel.

Running the POC

Let’s run the following commands in the following order.

emulator @POC -no-snapshot -verbose -kernel "bzImage_directory" -show-kernel

After the emulator is launched successfully, the screen should display this.

Following this step, all that remains is to install the POC binary on the emulator with adb and run it. Then, it will be possible to see the USE AFTER FREE in the kernel message outputs.

We are done! 

VerSprite research articles are for educational purposes for coding professionals and enthusiasts. Our research team of experts shares their knowledge and expertise to advance the IT industry.

For more code-related articles, check out our research blog posts here.