From f2a1ee406b3215b08681faa7fd34c862cc57e5a4 Mon Sep 17 00:00:00 2001 From: flankerhqd Date: Sat, 28 Sep 2019 22:54:28 +0800 Subject: [PATCH] Update README.md --- README.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 8f1c579..1ff2b04 100644 --- a/README.md +++ b/README.md @@ -1,6 +1,8 @@ +# What's Bindump4j for + Vendor binder services proved to be an interesting part of android devices nature. They usually remains close-source, but sometimes open attack surface for privilege escalation. Namely examples like SVE-2016-7114 (By @laginimaineb), CVE-2018-9143 and CVE-2018-9139 (By @flanker_hqd) and so on, which are all memory corruption vulnerabilities. -# Locating interesting binder service processes +## Locating interesting binder service processes Before Android N, all binder services were registered to `servicemanager`, and communicated with each other under `/dev/binder`. After Android N, binder domains are splitted to normal domain under `/dev/binder`, vendor domain under `/dev/vndbinder`, and hardware domain under `/dev/hwbinder`. Normal untrusted_app access is restricted to `/dev/binder`. @@ -32,4 +34,4 @@ If you would like to craft your own binary, just refer to `compile.sh`. Note to On Windows CMD sometimes the console display messed up. Maybe because windows console cannot property handle `\t` # Usage In Action -In a following post I'll describe how we analyze and fuzz vendor binder services to find various vulnerabilities, e.g. CVEs mentioned above. \ No newline at end of file +In a following post I'll describe how we analyze and fuzz vendor binder services to find various vulnerabilities, e.g. CVEs mentioned above.
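Review bot: the first hunk only half-updates the heading hierarchy. Adding `# What's Bindump4j for` as the new top-level heading and demoting `# Locating interesting binder service processes` to `##` is consistent, but `# Usage In Action` (visible as context in the second hunk) is left at H1, so the README now has two top-level headings with one `##` section between them; suggest changing it to `## Usage In Action` in the same commit. Since the intro paragraph is being touched anyway, the grammar in the unchanged context could be fixed at the same time: "They usually remains close-source" reads better as "They usually remain closed-source", and "binder domains are splitted" should be "binder domains are split".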
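Review bot: the second hunk changes nothing but the missing trailing newline on the last line, which is a fine fix on its own, but the context lines carry two small issues worth folding in: "windows console cannot property handle `\t`" should read "cannot properly handle `\t`", and the sentence right before the heading ends without a period ("... cannot property handle `\t`"). Also consider "In a follow-up post" rather than "In a following post" in the line being rewritten, since that line is already part of the diff.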