jcadduono / android_external_dirtycow

CVE-2016-5195 (dirtycow/dirtyc0w) - recowvery fork
https://build.nethunter.com/android-tools/dirtycow/

recowvery: Ramdisk decompression failed! #1

Open Titokhan opened 7 years ago

Titokhan commented 7 years ago

Device: Asus ZenFone 2 Laser (ZE550KL) (2 GB RAM/16 GB ROM variant)
OS: Stock Asus Zen UI Marshmallow
Build: WW_21.40.1220.1794
Bootloader Status: Locked

Logs:

$ ls
dirtycow
recowvery-app_process64
recowvery-applypatch
recowvery-run-as

$ ./dirtycow /system/bin/applypatch recowvery-applypatch                         
warning: new file size (18472) and file old size (66512) differ

size 66512

[*] mmap 0x7fb5f44000
[*] exploit (patch)
[*] currently 0x7fb5f44000=10102464c457f
[*] madvise = 0x7fb5f44000 66512
[*] madvise = 0 1048576
[*] /proc/self/mem 1023410176 1048576
[*] exploited 0x7fb5f44000=10102464c457f

$ ./dirtycow /system/bin/app_process64 recowvery-app_process64                   
warning: new file size (10200) and file old size (22456) differ

size 22456

[*] mmap 0x7f80e75000
[*] exploit (patch)
[*] currently 0x7f80e75000=10102464c457f
[*] madvise = 0x7f80e75000 22456
[*] madvise = 0 1048576
[*] /proc/self/mem 2071986176 1048576
[*] exploited 0x7f80e75000=10102464c457f

$ exit

adb logcat -s recowvery
--------- beginning of system
--------- beginning of main
--------- beginning of crash
12-02 15:31:50.894 11760 11760 I recowvery: Welcome to recowvery! (applypatch)
12-02 15:31:50.894 11760 11760 I recowvery: ------------
12-02 15:31:50.894 11760 11760 I recowvery: Loading boot image from block device '/dev/block/bootdevice/by-name/boot'...
12-02 15:31:51.233 11760 11760 I recowvery: Loaded boot image!
12-02 15:31:51.233 11760 11760 I recowvery: ------------
12-02 15:31:51.233 11760 11760 I recowvery: Saving old ramdisk to file
12-02 15:31:51.242 11760 11760 I recowvery: Decompressing ramdisk (gzip -d)
12-02 15:31:51.353 11760 11760 I recowvery: Checking '/cache/ramdisk.cpio' for validity (size >= 4194304 bytes)
12-02 15:31:51.353 11760 11760 I recowvery: '/cache/ramdisk.cpio': 3419904 bytes
12-02 15:31:51.353 11760 11760 E recowvery: File is not at least 4194304 bytes, must not be valid
12-02 15:31:51.353 11760 11760 E recowvery: Ramdisk decompression failed!
12-02 15:31:51.358 11760 11760 E recowvery: Error 22: Invalid argument
12-02 15:31:51.358 11760 11760 E recowvery: Exiting...

The last segment continues to run and throws the same error. Is it due to a different compression scheme of the boot image?

jcadduono commented 7 years ago

Probably not, you just need to adjust the minimum size in the code:

https://github.com/jcadduono/android_external_dirtycow/blob/android-6.0/recowvery-applypatch.c#L227

https://github.com/jcadduono/android_external_dirtycow/blob/android-6.0/recowvery-applypatch.c#L252

I added those for safety. You can set them both to 2*MiB.
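
The two checks the maintainer points at, as an added example (this is not recowvery's own code): a hypothetical helper that identifies the ramdisk's compression wrapper from its magic bytes (the question raised in the first post) and validates the decompressed cpio by its newc magic plus a configurable minimum size, so a small but valid ramdisk such as the 3419904-byte one in the log passes once the minimum is 2 MiB. The function names, the RAMDISK_MIN_SIZE constant and the constructed sample buffers are assumptions made for illustration.

```c
/* Added example, not recowvery's code: sanity-check a boot-image ramdisk.
 * Function names, the constant and the sample buffers are assumptions. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stddef.h>

/* The thread suggests lowering the hard-coded 4 MiB minimum to 2 MiB. */
#define RAMDISK_MIN_SIZE (2u * 1024u * 1024u)

enum ramdisk_check {
    RAMDISK_OK = 0,
    RAMDISK_TOO_SMALL,   /* smaller than the configured minimum */
    RAMDISK_BAD_MAGIC    /* does not start with the newc cpio magic */
};

/* Identify the compression wrapper of a ramdisk from its leading bytes.
 * Returns a static name, or "unknown" if no known magic matches. */
const char *ramdisk_compression(const unsigned char *buf, size_t len)
{
    static const unsigned char gz[]   = { 0x1f, 0x8b };
    static const unsigned char xz[]   = { 0xfd, '7', 'z', 'X', 'Z', 0x00 };
    static const unsigned char lz4l[] = { 0x02, 0x21, 0x4c, 0x18 }; /* LZ4 legacy frame */
    static const unsigned char lz4f[] = { 0x04, 0x22, 0x4d, 0x18 }; /* LZ4 frame */

    if (len >= sizeof gz   && memcmp(buf, gz,   sizeof gz)   == 0) return "gzip";
    if (len >= sizeof xz   && memcmp(buf, xz,   sizeof xz)   == 0) return "xz";
    if (len >= sizeof lz4l && memcmp(buf, lz4l, sizeof lz4l) == 0) return "lz4";
    if (len >= sizeof lz4f && memcmp(buf, lz4f, sizeof lz4f) == 0) return "lz4";
    if (len >= 3 && buf[0] == 'B' && buf[1] == 'Z' && buf[2] == 'h') return "bzip2";
    return "unknown";
}

/* Validate a decompressed ramdisk: it must begin with the "070701" newc cpio
 * magic that Android ramdisks use, and be at least min_size bytes. Checking
 * the magic first means a merely small ramdisk is no longer confused with a
 * real decompression failure (garbage output fails on magic, not on size). */
enum ramdisk_check check_ramdisk(const unsigned char *buf, size_t len, size_t min_size)
{
    static const char newc[] = "070701";
    if (len < 6 || memcmp(buf, newc, 6) != 0)
        return RAMDISK_BAD_MAGIC;
    if (len < min_size)
        return RAMDISK_TOO_SMALL;
    return RAMDISK_OK;
}

/* Constructed stand-in for a decompressed ramdisk of the given size:
 * newc magic followed by zero padding. Caller frees the buffer. */
unsigned char *make_fake_cpio(size_t size)
{
    unsigned char *buf = calloc(size, 1);
    if (buf && size >= 6)
        memcpy(buf, "070701", 6);
    return buf;
}

int main(void)
{
    /* Sizes taken from the log in this thread: a 3419904-byte ramdisk
     * against the original 4194304-byte minimum. */
    const size_t logged_size = 3419904;
    const size_t old_min = 4194304;
    static const unsigned char gz_hdr[] = { 0x1f, 0x8b, 0x08, 0x00 }; /* constructed gzip header */
    unsigned char *cpio = make_fake_cpio(logged_size);

    if (!cpio)
        return 1;
    printf("compression: %s\n", ramdisk_compression(gz_hdr, sizeof gz_hdr));
    printf("min %zu: %s\n", old_min,
           check_ramdisk(cpio, logged_size, old_min) == RAMDISK_OK ? "ok" : "rejected");
    printf("min %u: %s\n", RAMDISK_MIN_SIZE,
           check_ramdisk(cpio, logged_size, RAMDISK_MIN_SIZE) == RAMDISK_OK ? "ok" : "rejected");
    free(cpio);
    return 0;
}
```

With the logged size and the original 4 MiB minimum the check rejects the ramdisk exactly as in the logcat output; with the 2 MiB minimum suggested above it passes. A real build would also re-run the magic check after `gzip -d`, since a wrong compression guess produces output that fails on magic rather than on size.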

jcadduono commented 7 years ago

By the way, if your bootloader is locked it won't do anything: it will write to recovery but just reboot into system how it was, and system will flash stock recovery back again.

Titokhan commented 7 years ago

Sounds great; I'll change them & try again.

I know that, but the idea is to unlock the bootloader (unofficially) after spawning a root shell. That can now be achieved by flashing a pre-rooted image, but I'm looking for an alternate approach.

See these for the background story:

elichai commented 7 years ago

Same problem here, with a OnePlus One on Android 6.0.1.

elichai commented 7 years ago

@jcadduono anything?