CVE-2016-5195

run-as binary without the suid bit set: are there solutions?

Open Mera-balou opened this issue 5 years ago • 2 comments

Hi everyone,

What I have:

  • Device: Samsung J3 2016 (SM-J320FN)
  • Kernel: 5.1.1 (vulnerable to dcow, make test => Ok)
  • ABI: v7a
  • API: 22
  • Phone unrooted, OEM locked

Compilation works without problem, but the exploit failed:

shell@j3xnlte:/system/bin $ ./run-as                                           
WARNING: linker: ./run-as: unused DT entry: type 0x6ffffffe arg 0x934
WARNING: linker: ./run-as: unused DT entry: type 0x6fffffff arg 0x2
uid ./run-as 2000
**setresgid/setresuid failed**
uid 2000
0 u:r:runas:s0
context 0 u:r:shell:s0
shell@j3xnlte:/system/bin $ id
uid=2000(shell) gid=2000(shell) groups=1003(graphics),1004(input),1007(log),1011(adb),1015(sdcard_rw),1028(sdcard_r),3001(net_bt_admin),3002(net_bt),3003(inet),3006(net_bw_stats) context=u:r:shell:s0

It seems that my /system/bin/run-as binary doesn't have the setuid bit set...

Well, I can flash a custom system partition (no integrity check on this partition even if the OEM lock is on).

So my question is:

  • Can I replace the stock ROM run-as binary with a custom run-as binary that has the setuid flag set? Will this flag be preserved after the flash and boot? I just read my init.rc and no chown command is executed to change /system/bin permissions (but maybe another file executes a chown command to change /system/bin permissions...)
  • If the answer is yes, where can I find a run-as binary with the suid flag set?
  • Is there another successful strategy?

I have read many threads, but maybe you have already answered it... Did I miss something??

Thanks

@timwr @naikel @droidvoider

Mera-balou, Aug 24 '18 12:08
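The output above shows the exploit's payload running as uid 2000 and setresuid failing, which is what happens when the kernel does not grant root on exec of the target binary. Before flashing anything, it is worth checking all three conditions the kernel needs for a setuid-root exec to work: the setuid bit, root ownership, and a mount without nosuid. The pre-flight check below is an added example written for this page; it is not code from the CVE-2016-5195 repository, and the status names, the default path /system/bin/run-as, and the temporary-file fixture are assumptions made here. It can be built with the NDK and pushed to the device like the exploit itself, or compiled on a desktop Linux box to test against any path.

```c
/* Added example (not from the CVE-2016-5195 repository): a pre-flight
 * check for a run-as style setuid helper. It reports which of the
 * conditions for a setuid-root exec is missing, i.e. why a payload's
 * setresuid(0,0,0) would run as the caller's uid and fail with EPERM. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/statvfs.h>
#include <sys/xattr.h>

/* Status names are an assumption of this example, not the exploit's own. */
enum suid_status {
    SUID_ROOT = 0,         /* setuid bit set, owned by root, mount allows suid */
    SUID_NO_BIT = 1,       /* no setuid bit: exec keeps the caller's uid (2000 here) */
    SUID_NOT_ROOT = 2,     /* setuid bit set, but the owner is not uid 0 */
    SUID_NOSUID_MOUNT = 3, /* bit set, but the filesystem is mounted nosuid */
    SUID_ERROR = -1        /* stat/statvfs failed, see errno */
};

/* Pure classification on mode, owner and statvfs f_flag, in the order
 * the kernel applies them: no bit, wrong owner, then nosuid mount. */
enum suid_status classify(mode_t mode, uid_t owner, unsigned long fsflags)
{
    if (!(mode & S_ISUID))
        return SUID_NO_BIT;
    if (owner != 0)
        return SUID_NOT_ROOT;
    if (fsflags & ST_NOSUID)
        return SUID_NOSUID_MOUNT;
    return SUID_ROOT;
}

/* stat() the file and the filesystem it lives on, then classify. */
enum suid_status check_path(const char *path)
{
    struct stat st;
    struct statvfs vfs;
    if (stat(path, &st) != 0 || statvfs(path, &vfs) != 0)
        return SUID_ERROR;
    return classify(st.st_mode, st.st_uid, vfs.f_flag);
}

/* 1 if the binary carries file capabilities (security.capability xattr),
 * 0 if not, -1 on an unexpected error. A vendor build may grant run-as
 * CAP_SETUID this way instead of the setuid bit. */
int has_file_caps(const char *path)
{
    ssize_t n = getxattr(path, "security.capability", NULL, 0);
    if (n >= 0)
        return 1;
    if (errno == ENODATA || errno == ENOTSUP)
        return 0;
    return -1;
}

const char *status_name(enum suid_status s)
{
    switch (s) {
    case SUID_ROOT:         return "setuid root, exec will switch to uid 0";
    case SUID_NO_BIT:       return "no setuid bit, exec keeps caller uid";
    case SUID_NOT_ROOT:     return "setuid bit set but owner is not root";
    case SUID_NOSUID_MOUNT: return "setuid bit ignored, mount is nosuid";
    default:                return "cannot stat path";
    }
}

/* Test fixture (constructed here): a temp file with mode 04755 owned by
 * the current user, so a non-root run classifies it as SUID_NOT_ROOT. */
const char *fixture_setuid_file(void)
{
    static char path[] = "/tmp/suidcheckXXXXXX";
    static int made = 0;
    if (made)
        return path;
    int fd = mkstemp(path);
    if (fd < 0)
        return NULL;
    if (fchmod(fd, S_ISUID | 0755) != 0) {
        close(fd);
        return NULL;
    }
    close(fd);
    made = 1;
    return path;
}

int main(int argc, char **argv)
{
    /* Default path is an assumption matching the post above. */
    const char *path = argc > 1 ? argv[1] : "/system/bin/run-as";
    enum suid_status s = check_path(path);
    printf("%s: %s\n", path, status_name(s));
    if (has_file_caps(path) == 1)
        printf("  note: security.capability xattr present on %s\n", path);
    return s == SUID_ROOT ? 0 : 1;
}
```

On a device where the exploit overwrites the helper in place, only the first condition (the bit itself) can be affected by the overwrite, since Dirty COW writes the file contents and leaves inode metadata alone; the owner and mount flags come from the ROM and the fstab, which is why an exec that starts as uid 2000 cannot be fixed by rewriting the binary's bytes.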

Did you manage to solve this problem or get root in another way?

predbannikov, Dec 01 '21 17:12

https://github.com/hyln9/VIKIROOT, but it requires a vdso region.

timwr, Dec 02 '21 07:12