
metaphor's Introduction

Metaphor

Metaphor - Stagefright with ASLR bypass By Hanan Be'er from NorthBit Ltd.

Link to whitepaper: https://raw.githubusercontent.com/NorthBit/Public/master/NorthBit-Metaphor.pdf

Twitter: https://twitter.com/High_Byte

Metaphor's source code is now released! The source includes a PoC that generates MP4 exploits in real time and bypasses ASLR. The PoC includes lookup tables for Nexus 5 build LRX22C with Android 5.0.1. The server side of the PoC includes simple PHP scripts that run the exploit generator; I'm using XAMPP to serve gzipped MP4 files. The attack page is index.php.

The exploit generator is written in Python and used by the PHP code.

usage: metaphor.py [-h] [-c CONFIG] -o OUTPUT {leak,rce,suicide} ...

positional arguments:
  {leak,rce,suicide}    Type of exploit to generate

optional arguments:
  -h, --help            show this help message and exit
  -c CONFIG, --config CONFIG
                        Override exploit configuration
  -o OUTPUT, --output OUTPUT

Credits: To the NorthBit team E.P. - My shining paladin, for assisting in boosting this project to achieve all the goals.

metaphor's People

Contributors

high-byte


metaphor's Issues

The exploit works great with the Chrome browser, but failed to leak data in the Chromium browser.

logcat output:
D/MediaResourceGetter(19636): canonicalized file path: /data/data/com.android.browser/cache/.org.chromium.Chromium.t4IIzY
E/MediaResourceGetter(19636): Refusing to read from unsafe file location.
E/MediaResourceGetter(19636): Unable to configure metadata extractor

As you mentioned, the method described to leak information cannot be used on SBrowser; maybe it's the same problem.

When looking into MediaResourceGetter.java, I find a method filePathAcceptable that checks whether the path is safe to read, and ("/data/data/" + PACKAGE_NAME + "/cache/") should be a safe place. But in our case, MediaResourceGetter refused to read from "/data/data/com.android.browser/cache/.org.chromium.Chromium.t4IIzY", which is weird.
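The refusal in those logcat lines is the browser's path allowlist holding. As an added illustration (my own code, not Chromium's MediaResourceGetter and not part of the Metaphor project), the Python below reconstructs the shape of such a check from the issue's description: canonicalize the path, then require it to start with the app's own cache prefix. The `parse_logcat` helper and the package names passed in are assumptions; the logcat sample is copied from the issue. Running the check under two different package names shows one mechanism that produces exactly this refusal: the allowlisted package name not matching the directory actually in use.

```python
import posixpath
import re

# Sample logcat text, copied in form from the lines quoted in the issue above.
LOGCAT = """\
D/MediaResourceGetter(19636): canonicalized file path: /data/data/com.android.browser/cache/.org.chromium.Chromium.t4IIzY
E/MediaResourceGetter(19636): Refusing to read from unsafe file location.
E/MediaResourceGetter(19636): Unable to configure metadata extractor
"""

# <priority>/MediaResourceGetter(<pid>): <message>
LINE_RE = re.compile(r"^([VDIWEF])/MediaResourceGetter\((\d+)\): (.*)$")
PATH_TAG = "canonicalized file path: "


def parse_logcat(text):
    """Assumed helper: group MediaResourceGetter messages by pid into {pid: {"path", "refused"}}."""
    events = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        _prio, pid, msg = m.groups()
        ev = events.setdefault(int(pid), {"path": None, "refused": False})
        if msg.startswith(PATH_TAG):
            ev["path"] = msg[len(PATH_TAG):]
        elif msg.startswith("Refusing to read"):
            ev["refused"] = True
    return events


def acceptable_prefixes(package_name):
    """Allowlist in the shape the issue describes: only the app's own cache directory.
    The trailing slash matters: without it, '/cache-evil/x' would also match."""
    return ("/data/data/" + package_name + "/cache/",)


def file_path_acceptable(path, package_name):
    """Canonicalize first (collapse '.', '..' and repeated slashes), then prefix-match.
    A live check would also resolve symlinks (os.path.realpath); normpath is a filesystem-free stand-in."""
    canonical = posixpath.normpath(path)
    return any(canonical.startswith(p) for p in acceptable_prefixes(package_name))


def check_events(text, package_name):
    """Per pid: (logged canonical path, device refused it, our allowlist for package_name accepts it)."""
    return {pid: (ev["path"], ev["refused"], file_path_acceptable(ev["path"], package_name))
            for pid, ev in parse_logcat(text).items() if ev["path"] is not None}
```

A path the device refused but our allowlist accepts under the package name visible in the path, and rejects under any other name, is consistent with the allowlist being compiled for a package other than com.android.browser.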

Stupid Question.

How can I use this?
Can you please give me an example command?

An issue about the leak PoC

When I run Metaphor, I find that the mp4 file in /data/data/com.android.chrome/cache always starts with '\x0a'. And then the chunk type becomes "�fty" instead of "ftyp".
Can anyone help?

Lack of rce and leaks folders on the server

Hi, when running the project, I get an error from my web server about the rce and leaks folders on the server!!
I created two folders (rce and leaks) in the metaphor project on the server, and after that I don't get that error.
Does anybody else have this error? I am worried that maybe I am running the project in a wrong way, since I get this error.

please tell us how to use it

Hello,
please can someone tell us how to use it?
My brain will explode and I didn't find anything on Google.
I wrote python metaphor.py -a leak -a 192.168.1.110 -o /root/Desktop
and nothing happened.
Please answer me.
Thank you.

Exploit Output

Hi,
I am going to use your Metaphor implementation code. I have run a web server and connected to it from my Nexus 5 using Chrome. I have many mp4 files in the leak folder, and in the rce folder I have 2 mp4 files in each run.
In my terminal I check the mediaserver process ID and I see that it has crashed.
But I cannot see anything about the exploit output. In short, I don't know what and where the exploit output is! I have read your paper many times.
If, at the end, some data will be leaked from the victim device, where will this data be saved? And how can I check that this data is really from the victim device?
Thanks in advance.

Modifying Metaphor for another Device

I am going to use Metaphor for another device instead of the Nexus 5.
Which part of the Metaphor source code must I change?
Has someone done that before?
Thanks.

Emulator Test

Hi
Can I try that code using an emulator instead of a real Nexus 5 device?

Something about Shellcode

shellcode.s
.globl _start
.align 2
_start:
.code 32
adr r0,filename
adr r1,mode
mov r7, #39
swi #0 @mkdir(filename,mode)
mov r0, #0
mov r7, #1
swi #0 @EXIT(0)
mode:
.short 0x1ff
filename:
.asciz "/data/local/tmp/success"

shellcode disassemble:
.text:00008074 ; Segment type: Pure code
.text:00008074 AREA .text, CODE
.text:00008074 ; ORG 0x8074
.text:00008074 CODE32
.text:00008074
.text:00008074 EXPORT _start
.text:00008074 _start ; "/data/local/tmp/success"
.text:00008074 ADR R0, filename
.text:00008078 ADR R1, mode
.text:0000807C MOV R7, #0x27
.text:00008080 SVC 0
.text:00008084 MOV R0, #0
.text:00008088 MOV R7, #1
.text:0000808C SVC 0
.text:0000808C ; ---------------------------------------------------------------------------
.text:00008090 mode DCW 0x1FF ; DATA XREF: .text:00008078↑o
.text:00008092 filename DCB "/data/local/tmp/success",0 ; DATA XREF: .text:_start↑o
.text:000080AA DCW 0
.text:000080AA ; .text ends

shellcode.bin
16 00 8F E2 10 10 8F E2 27 70 A0 E3 00 00 00 EF
00 00 A0 E3 01 70 A0 E3 00 00 00 EF FF 01 2F 64
61 74 61 2F 6C 6F 63 61 6C 2F 74 6D 70 2F 73 75
63 63 65 73 73 00 00 00

Could you tell me why my shellcode doesn't work? Could you help me?

Shellcode

What does the shellcode in this PoC do?
And how can I write a shellcode for this PoC?
And what is the output of the PoC?

reverse shell

Hi,
how do I get a reverse shell????
I run the command:
python ./metaphor.py -o nader.mp4 leak -a ????

What do I write for the -a argument????
How do I get a reverse shell mp4 file?????

At least someone tell us how to use it,

Plz, anyone tell me how to use it; it's very complicated
to use.
I have XAMPP installed in Kali rolling.
Plz, at least someone post some kind of video for starters... plz.
Give us step-by-step details, plz.
Take some time and try to help us.
