This is the source code of a Samsung Qmage MMS proof-of-concept exploit, targeting one of the memory corruption vulnerabilities collectively labeled as CVE-2020-8899. The bugs were reported in the Project Zero bug tracker as issue #2002, and disclosed in May 2020 when Samsung released a fix. The story of the codec discovery, fuzzing and exploit development is documented in a blog post series:
- Part 1: Introduction to the Samsung Qmage Codec and Remote Attack Surface
- Part 2: Effective Fuzzing of the Qmage Codec
- Part 3: Constructing the Memory Corruption Primitives
- Part 4: MMS Primer, Completing the ASLR Oracle
- Part 5: Defeating Android ASLR, Getting RCE
The exploit code is provided for reference and is especially relevant to Parts 3-5. It is written to run on Windows 10, and requires the following software to be locally installed:
- Python 3 and the intervaltree package,
- Netwide Assembler (nasm),
- NowSMS MMS Gateway with a correctly set up modem.
The script is mostly configured through the config.json file, but there are also some hardcoded values related to the libhwui.so and linker64 modules in exploit.py (see e.g. LIBHWUI_STEP_SIZE, LINKER64_SIZE and nearby constants).