How do you spawn a shell after exploit? #9
Comments
The setuid bit was changed in Android 4.3(?) to Linux capabilities. run-as has the Linux capability to set the UID to 0 (root), but in my experimenting, it seems to lack other useful capabilities, such as writing files. I would start by looking at the AOSP implementation of run-as and finding how it executes the packages and remove some safety checks.
You need to disable SELinux first
Not that trivial, to me at least.
What do you mean? You didn't spawn a shell, did you? Check the binary: -rwxr-xr-x 1 root shell 18K 2009-01-01 03:00 app_process64
I can't spawn a shell from the run-as context. I have app_process32 (same thing). It has the zygote context. The one I pasted before was using the runas context. From that context I can't disable SELinux either:
What if we just use the exploit to replace install-recovery.sh with a script that pastes su into its folder, then overwrites itself with the original superuser install-recovery file? Then it'll load itself.
You can't. Remember the whole /system is reconstructed before boot. If you reboot you'll lose all your changes.
What about using it to replace something like the reboot binary (that may be run as root) with a binary that mounts system as rw, then pastes everything needed by superuser?
The problem is the SELinux context. The best choice is replacing app_process32. You can get root, that's no problem. That's easy. But then you have a root that can't do anything. When you try to write a file it says denied, because you can only write files that the SELinux context allows you to. That is, for example, the dalvik cache. You can create a file there. Let's say you copy the su there. You run it: SAME PROBLEM. Now you have a shell, with the same SELinux context. What you want is:
So what else can you do? Disable SELinux, so you can do all this. But if you could disable SELinux from within a SELinux context, SELinux wouldn't exist in the first place.... I think I lost hope with dirty cow and Android >= 5.
Jcase has rooted the latest HTC 10 running the latest Android using this, so I assume there is a way :)
You can disable SELinux in SELinux. The init context can enable (or disable) it.
The problem is this: shell@flo:/ $ run-as id That's a useless context. Can you execute something in, say, /data/local/tmp as root using that context? Or better yet, can you remount /system as rw? Because I couldn't. I can read files like you, but I can't write/execute anything. Using the app_process32 (zygote) context I can do a little more, but at the end of the day they are still useless things. EDIT: Show me your selinux_android_setcontext() in your run-as.c ;)
Pick a different target so the context isn't an issue anymore. The answer is here: https://source.android.com/security/selinux/implement.html
So, how to bypass SELinux? Could you give some hint? @Manouchehri
Can you post the source code of the run-as you are using to get root access?
On my device these are the only targets I can pick:
The best context is zygote_exec, but still not very useful.
You have access to way more files than just /system/bin/. run-as is just spawning toybox there, still limited by SELinux.
We will need to kill SELinux though to get a real shell
What about rewriting the SELinux files like /file_contexts and somehow running "restorecon"... that would "kill" it. The zygote process (app_process32) has a lot of privileges. Somebody could get an idea by just reading the zygote.te file (you can Google that if you don't want to download the whole Android source). Interesting things are:
And many many other things.
Can we replace a kernel module and find a way to trigger insmod to bypass SELinux?
only follow module inserted
@naikel I have an issue when I try to use app_process32 as target. I'm able to apply the "patch" but then, when I try to execute /system/bin/app_process32 I'm not able to become root:
This is weird! The zygote.te file contains:
Remember to always use logcat | grep audit to know exactly what is going on. Same thing happens to me with app_process32, but then I can see in the logs that some other root process executes it... and then the phone GUI dies but the shell through adb shell still works. But I have other problems since zygote can't execute anything on /system/bin:
On the logcat, as soon as I "patch" app_process32, I can actually see several processes crashing (as is to be expected). I suppose we need to use another process as target, but... which one?
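A small triage helper for the "logcat | grep audit" advice above, added here as an example and not code from anyone in this thread: it parses AVC denial lines into source context, target context, object class and permission, skips denials logged by permissive domains (those are not enforced), and counts what is actually being blocked per domain. The sample log lines are constructed in the standard AVC format, not captured from a real device.

```python
import re
from collections import Counter

# Constructed sample of what `logcat | grep audit` prints when SELinux blocks
# an action; made-up lines in the standard AVC format, not captured from a device.
SAMPLE_AUDIT_LOG = """\
01-01 03:00:01.000  1234  1234 W sh      : type=1400 audit(0.0:12): avc: denied { execute } for name="toybox" dev="mmcblk0p23" ino=1500 scontext=u:r:runas:s0 tcontext=u:object_r:system_file:s0 tclass=file permissive=0
01-01 03:00:02.000  1234  1234 W sh      : type=1400 audit(0.0:13): avc: denied { write } for name="local" dev="mmcblk0p25" ino=42 scontext=u:r:runas:s0 tcontext=u:object_r:shell_data_file:s0 tclass=dir permissive=0
01-01 03:00:03.000  2222  2222 W app_process32: type=1400 audit(0.0:14): avc: denied { execute_no_trans } for name="sh" dev="mmcblk0p23" ino=1600 scontext=u:r:zygote:s0 tcontext=u:object_r:shell_exec:s0 tclass=file permissive=0
01-01 03:00:04.000  3333  3333 W untrusted_app: type=1400 audit(0.0:15): avc: denied { read } for name="version" dev="proc" ino=4026 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:proc:s0 tclass=file permissive=1
01-01 03:00:05.000  2222  2222 I zygote  : Zygote started normally
"""

# One AVC record: verdict, permission set, source/target context, object class,
# and (on newer kernels) whether the source domain was permissive.
AVC_RE = re.compile(
    r"avc: +(?P<verdict>denied|granted) +\{ *(?P<perms>[^}]+?) *\}"
    r".*?scontext=(?P<scontext>\S+)"
    r".*?tcontext=(?P<tcontext>\S+)"
    r".*?tclass=(?P<tclass>\S+)"
    r"(?:.*?permissive=(?P<permissive>[01]))?"
)

def parse_avc(line):
    """Return a dict for one AVC message, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["perms"] = rec["perms"].split()
    rec["permissive"] = rec["permissive"] == "1"
    return rec

def summarize_denials(log_text):
    """Count enforced denials keyed by (scontext, tcontext, tclass, permission)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        # permissive-domain denials are logged but not enforced, so skip them
        if rec is None or rec["verdict"] != "denied" or rec["permissive"]:
            continue
        for perm in rec["perms"]:
            counts[(rec["scontext"], rec["tcontext"], rec["tclass"], perm)] += 1
    return counts

if __name__ == "__main__":
    for key, n in sorted(summarize_denials(SAMPLE_AUDIT_LOG).items()):
        print(n, *key)
```

Pipe a real `adb logcat | grep audit` capture into summarize_denials to see which domain is hitting which target type and permission; that is the rule you would then look up in the corresponding .te file.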
I'm getting permission denied on everything on Nexus 4 Android 5.0
@umntkid you should read the thread first before posting... We already stated the u:r:runas:s0 context has no execute permission. You can't do anything in that context.
Not 100% true. @naikel @umntkid this works just fine:

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <dirent.h>
#include <linux/capability.h>

int main(int argc, char **argv)
{
    struct __user_cap_header_struct capheader;
    struct dirent *ent;
    DIR *dir;

    printf("running as uid %d\n", getuid());
    memset(&capheader, 0, sizeof(capheader));
    /* run-as keeps the capability to change uid/gid, so this succeeds from its context */
    if (setresgid(0, 0, 0) || setresuid(0, 0, 0)) {
        perror("setresgid/setresuid");
        return 1;
    }
    /* reading a root-only directory shows the uid change took effect;
       the listing loop was cut off in the post as extracted and is filled in here */
    if ((dir = opendir("/sbin/")) != NULL) {
        while ((ent = readdir(dir)) != NULL)
            printf("%s\n", ent->d_name);
        closedir(dir);
    }
    return 0;
}
```

Yes, you can read files in the runas context.
You can use u:r:runas:s0 to run dirtycow recursively for fun, so you can modify /init*rc files that way (but of course that isn't persistent, probably not what you want).
Look at farm-root; it is designed to pull / push boot images (actually in the code it pushes recovery only, but you can just edit it to be boot; use my copy, I updated it with newer dirtycow). I think it is imperative the file sizes are the same. Also there's a file recovery-from-boot.p which I think might need to be taken down also.
@droidvoider Thanks, but I think it's not working; posting an issue on your repo (https://github.com/droidvoider/N920A-farm-root/issues/1)
@TonyStark what device do you have? My V20 root method has access to aboot and boot images on a stock device
@me2151 I have a Coolpad arm64-v8a Marshmallow, how did you access it?
@TonyStark daisychaining multiple dirtycow files together to get access to the atd file. Then dirtycowed a custom binary to atd that backs up the aboot and boot images
@me2151 do you have working dirtycow source code? So I can compile and test....
@TonyStark I do not have my source code anymore but I do have the compiled files that are needed to run the exploit. https://www.androidfilehost.com/?fid=457095661767122821 Delete any .IMG files in the zip so you don't accidentally install them
@TonyStark if you read the .bat files (right click then edit) you can see exactly which commands to run.
@me2151 okay, downloading and checking, thanks
@TonyStark when going through everything: after you finish everything in step 1 you need to type run-as con in your adb shell and it SHOULD give you a #; that's only temporary. Then you need to chmod 0777 /storage/emulated/0/*. This was developed for Android 7.0 so it may not work on 6.0. If it's a tablet you are using it may not have the atd file. You do not need to run step 2 or 3. The aboot and boot images will automatically back up to the /storage/emulated/0 directory.
@TonyStark forgot to mention the apply patch command needs to be run from a terminal emulator on the device itself.
Good luck
@me2151 I successfully ran step1.sh, however
@TonyStark can you go to the directory and confirm you actually have atd? It's caller ID if I remember right, so tablets may not have it
Also did you run it from the device and not your adb shell?
@me2151
@TonyStark well that sucks. You will have to go through your SELinux contexts to see what has read access to aboot_block_file. It's probably because the device is Marshmallow that it doesn't have the atd file.
@me2151 hmm. okay
Hello all, you can use this app to verify whether dirtycow is usable on your device or not
Google removed the app from the Play Store because of violating policy, they said.
I am trying to root a Samsung Galaxy O7, Android version 6.0.
[] size 17916
CVE-2016-5195-master$ adb shell
It gives me this error: "Package 'id' is unknown". Please help me if I am doing something wrong
Try
Thank you for replying to me
Hi guys, maybe this was answered above. I am gaining root in my process but SELinux does not allow me to drop to a shell as root. I have complete control over the SELinux policy and can make any changes I want. What is/are the rule(s) that I need to add/remove for a Samsung KNOX 2.6 Android 6.0.1 to allow me to get a root shell?
I need these tools
I've tried execlp, system, even calling chmod(const char *pathname, mode_t mode) in the code but nothing seems to work.
I do get getuid() == 0, but I can't do anything with that privilege.
EDIT: My device does NOT have /system/bin/run-as with setuid and I have seen NO device that has it set.