search

timwr / CVE-2016-5195

CVE-2016-5195 (dirtycow/dirtyc0w) proof of concept for Android
955 stars 392 forks source link

Read-only file system #74

Open MoranXiXi opened 7 years ago

MoranXiXi commented 7 years ago

![Uploading system.png…]()

adb shell /system/bin/run-as uid /system/bin/run-as 2000 uid 0 0 u:r:adbd:s0 context 0 u:r:shell:s0 root@Che1:/ #

flase root ?

timwr commented 7 years ago

?

MoranXiXi commented 7 years ago

root@Che1:/data # cp /data/local/tmp/1.apk /system/app cp /data/local/tmp/1.apk /system/app cp: /system/app/1.apk: Read-only file system 1|root@Che1:/data #

1|root@Che1:/data # id id uid=0(root) gid=0(root) groups=1004(input),1007(log),1011(adb),1015(sdcard_rw),1028(sdcard_r),3001(net_bt_admin),3002(net_bt),3003(inet),

MoranXiXi commented 7 years ago

root@Che1:/data # ls -l ls -l opendir failed, Permission denied

MoranXiXi commented 7 years ago

Get root permissions: Although root, but still no permissions - do not know why?

ndk-build NDK_PROJECT_PATH=. APP_BUILD_SCRIPT=./Android.mk APP_ABI=armeabi-v7a APP_PLATFORM=19 adb push libs/armeabi-v7a/dirtycow /data/local/tmp/dcow adb shell 'chmod 777 /data/local/tmp/dcow' adb push test.sh /data/local/tmp/test.sh adb shell 'chmod 777 /data/local/tmp/dcow' adb shell 'chmod 777 /data/local/tmp/test.sh' adb shell '/data/local/tmp/test.sh' adb shell '/data/local/tmp/dcow /data/local/tmp/test /data/local/tmp/test2' adb shell 'cat /data/local/tmp/test2' adb shell 'cat /data/local/tmp/test2' | xxd adb shell 'chmod 777 /data/local/tmp/dcow' adb push libs/armeabi-v7a/run-as /data/local/tmp/run-as adb shell '/data/local/tmp/dcow /data/local/tmp/run-as /system/bin/run-as' adb shell /system/bin/run-as

root@Che1:/data # id uid=0(root) gid=0(root) groups=1004(input),1007(log),1011(adb),1015(sdcard_rw),1028(sdcard_r),3001(net_bt_admin),3002(net_bt),3003(inet),3006(net_bw_stats) context=u:r:shell:s0 root@Che1:/data # ls opendir failed, Permission denied

MoranXiXi commented 7 years ago

root@Che1:/data # run-as /system/bin/ run-as /system/bin/ uid run-as 0 uid 0 0 u:r:shell:s0 context 0 u:r:shell:s0

ohyeah521 commented 7 years ago

@MoranXiXi 我也遇到了这个问题,请问你解决了吗