face0xff/kindle-audible-exploit-chain

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

3 Commits
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Kindle Audible exploit chain

Warning

This is not a jailbreak¹, just a proof-of-concept. It only works on firmware versions below 5.18.1.

This is the source code for the "Don't judge an audiobook by its cover" vulnerability chain affecting the Amazon Kindle (please refer to the blog post for context and technical details).

exploit-aax.py exploits the heap overflow in the Audible component's parsing of AAX audiobook files. It produces the malicious audiobook file (new.aax), which is then delivered to the target device. Once that first stage has run, the second-stage script stage2.sh exploits the path traversal bug in the com.lab126.keyboard LIPC service for local privilege escalation. As proof of exploitation, it loads a dynamic library that creates a file as root.

Note: the offsets in the AAX exploit are hardcoded for firmware version 5.17.1.0.4. Other vulnerable versions (below 5.18.1) will need their own offsets.

Footnotes

  1. Well, technically it could be turned into a jailbreak; it just lacks the post-exploitation logic for that. If you are looking for a jailbreak for firmware below 5.18.1, more stable ones are available (WinterBreak or AdBreak, for example). This one is here for educational purposes :)

About

Exploit for an Audible vulnerability chain targeting Kindle < 5.18.1
