In this paper, we present our research on properly exploiting one of Android's most notorious vulnerabilities, Stagefright, a feat previously considered incredibly difficult to perform reliably. Our research is largely based on exploit 38226 by Google and the Google Project Zero research blog post "Stagefrightened".
This paper presents our research results, further details the vulnerability's limitations, depicts a way to bypass ASLR, and offers suggestions for future research.
The team here at NorthBit has built a working exploit affecting Android versions 2.2 to 4.0 and 5.0 to 5.1, while bypassing ASLR on versions 5.0 to 5.1 (Android versions 2.2 to 4.0 do not implement ASLR).
Stagefright is an Android multimedia library. It didn't get much attention until July 27th, 2015, when several critical heap overflow vulnerabilities in it were discovered and disclosed. The original vulnerability was found by Joshua Drake from Zimperium, affecting Android versions 1.0 to 5.1.
From here on we shall refer to the library as "libstagefright" and to the bug itself simply as "stagefright".
Although the bug exists in many versions (affecting nearly 1,000,000,000 devices), it was claimed impractical to exploit in the wild, mainly