This is a duplicate:
https://code.google.com/p/android/issues/detail?id=182559

Public now, unrestricting. http://blog.exodusintel.com/2015/08/13/stagefright-mission-accomplished/

Might as well unrestrict 182559 then...

nice

Updating with a proof-of-concept exploit by Mark Brand. See the Project Zero blog for more details.

mp4_stagefright_release.py 10.9 KB View Download

Could you please tell me that where i can get the "shellcode.bin" in the Exp file mp4_stagefright_release.py?

jiangsha,

You can use any shellcode, either build from scratch or take an existing one.

You can use Zimpirium's remote shell, that was originally taken from Linux ARMLE 'shell_reverse_tcp' then modified to pass environment and fork + exit:

https://blog.zimperium.com/the-latest-on-stagefright-cve-2015-1538-exploit-is-now-available-for-testing-purposes

Good luck!

BTW, anyone knows the exact version of Android 5.x that works with Google's security research exploit? It crashes my LG-G2 (5.0.2) and Samsung S4 (5.0.1).

Does the exploit work?
You make the assumption that the spray_address is the vtable pointer, which is 0x1c bytes ahead of the virtual function "readAt"(actually stack pivot address),but later when you copy the shellcode, you ignore the offset and just copy from spray_address - 0xed0 to your buffer:

  page += p32(mmap_address)             # r0 = dst
  page += p32(spray_address - 0xed0)    # r1 = src
  page += p32(0xed0)                    # r2 = size
  page += p32(0x33333333)               # r3
  page += p32(ldr_lr_bx_lr)             # pc


this is not correct. You need to copy from spray_address - 0xed0 - 0x1c actually.

Hope you can clarify this as you are Project Zero!

In my test machine only to crash. Output MP4 file has 16M. EXP there may be a problem, right? Thank you ~~~ hope to get help

I am seriously wondering if there is a reliably-working exploit against libstagefright. anyone knows?