
Root tool DirtyCow Apk && adb

By kryz, Senior Member on 24th December 2016, 03:21 PM
26th December 2016, 02:23 PM |#21  
OP Senior Member
Quote:
Originally Posted by norberto_

Hi kryz,

Please find the /init from 32bit 6.0.1
It is from Xperia Z2 with custom rooted rom (Mx ROM v8.6.0)

How can I copy /init from my boot locked, unrooted, stock 6.0.1 64bit X Performance?

With run-as-dirtycow, but I didn't compile it for 64 bits. On my Xperia this method is working, but someone with a Moto G is reporting no access with the exploit.

Wait, I'm going to compile for 64 bits; then just execute:

Code:
/data/local/tmp/run-as-dirtycow /system/bin/run-as /data/local/tmp/run-as-dirtycow
run-as /init > /data/local/tmp/init.dmp

Can you tell me the size of the file /system/bin/run-as in 64 bits please?
26th December 2016, 02:36 PM |#22  
Senior Member
/system/bin/run-as in 64 bits size is 13.86K
26th December 2016, 07:20 PM |#23  
Junior Member
Quote:
Originally Posted by jucaroba

Thanks for your answer.

I'm trying to use your exploit to be able to read my /data/misc/vold/expand_*.key file. My wife has a Moto G 2014 mobile with official (non-rooted) Android 6 Marshmallow. The bootloader is locked. She has accidentally deleted all the pictures on her SD card, which is configured as an adopted card (not portable). I have made a cloned copy of the SD card on my Linux laptop with the dd command, but I cannot mount the partitions on the SD card because I have to know the encryption key.

I cannot unlock the bootloader, because the phone will be reset to factory and the encryption key will be deleted. And I cannot read the key file without being root, because of the permissions of the file. I have tried your run-as-dirtycow trojan on the phone, and I can read files I have no permissions for, such as /init.rc. The only missing piece now is that I don't know the exact name of the key file. I only know that it is of the form "expand_*.key". Can your trojan run-as-dirtycow be modified to be able to read the files with this pattern name in a given directory?

Thanks in advance.

Jucaroba, any news on this matter?
26th December 2016, 09:30 PM |#24  
Member
Quote:
Originally Posted by Silver Surfer 2069

Jucaroba, any news on this matter?

Nope. It seems the exploit is not able to read the /data folder in Android Marshmallow.

Am I correct, kryz?
27th December 2016, 12:11 PM |#25  
Senior Member
Can you give step by step instructions on how to use the adb.rar file? Do I need a computer? Can't find data/local/tmp folder on my phone!

Sent from my N9521 using Tapatalk
27th December 2016, 05:58 PM |#26  
Junior Member
Quote:
Originally Posted by jucaroba

Nope. It seems the exploit is not able to read the /data folder in Android Marshmallow.

Am I correct, kryz?

Tks jucaroba.

btw, I'm getting an error when I'm trying to compile the code: non-system libraries in linker flags: lcutils.

Any idea to solve?

---------- Post added at 10:58 AM ---------- Previous post was at 10:35 AM ----------

Quote:
Originally Posted by tnomtlaw

Can you give step by step instructions on how to use the adb.rar file? Do I need a computer? Can't find data/local/tmp folder on my phone!

Sent from my N9521 using Tapatalk

Hi,

At first, for ADB.RAR option you need a computer and ADB Drivers.

http://forum.xda-developers.com/show....php?t=2588979

Then, you have to push the rar files (rar password is "nox") using:

Code:
adb push <RAR files location> /data/local/tmp/
27th December 2016, 06:17 PM |#27  
OP Senior Member
run-as-dirtycow 64 bits
Quote:
Originally Posted by norberto_

/system/bin/run-as in 64 bits size is 13.86K

I attach the 64 bits run-as-dirtycow, try with this.
Attached Files
File Type: rar run-as-dirtycow.rar (3.1 KB, 514 views)
27th December 2016, 06:49 PM |#28  
Senior Member
Quote:
Originally Posted by kryz

I attach the 64 bits run-as-dirtycow, try with this.

It is creating a 0 size init.dmp file in the /data/local/tmp
I have used your commands:

/data/local/tmp/run-as-dirtycow /system/bin/run-as /data/local/tmp/run-as-dirtycow
run-as /init > /data/local/tmp/init.dmp

but chmod 755 the run-as-dirtycow before your commands. I think that's needed.

There was no error with the commands.
It's just a 0 size init.dmp file at the end.
Any ideas?
27th December 2016, 07:23 PM |#29  
OP Senior Member
Quote:
Originally Posted by jucaroba

Nope. It seems the exploit is not able to read the /data folder in Android Marshmallow.

Am I correct, kryz?

Yes, the exploit can only see the folders seen by the run-as user and context, and /data, /sdcard and others have no read permissions.

But also in Lollipop, the use of the exploit is to dump /init.
27th December 2016, 07:30 PM |#30  
OP Senior Member
Quote:
Originally Posted by norberto_

It is creating a 0 size init.dmp file in the /data/local/tmp
I have used your commands:

/data/local/tmp/run-as-dirtycow /system/bin/run-as /data/local/tmp/run-as-dirtycow
run-as /init > /data/local/tmp/init.dmp

but chmod 755 the run-as-dirtycow before your commands. I think that's needed.

There was no error with the commands.
It's just a 0 size init.dmp file at the end.
Any ideas?

I think you are using the new 64 bits version; I didn't try it because I don't have 64-bit devices.

With run-as /pathtofile you can dump any file to stdout (with run-as permissions), so to find out whether it is working on your device or it is a permissions issue with /init, try:

run-as /system/bin/sh
run-as /init.rc

Try different files and see if you get the output in your console.

Also with:

run-as -f

you will get some information about files with size >= init.patch, for the exploit's purposes.

Maybe the run-as user does not have SELinux permissions to dump init. Which Android are you using?
27th December 2016, 07:42 PM |#31  
Senior Member
Quote:
Originally Posted by kryz

I think you are using the new 64 bits version; I didn't try it because I don't have 64-bit devices.

With run-as /pathtofile you can dump any file to stdout (with run-as permissions), so to find out whether it is working on your device or it is a permissions issue with /init, try:

run-as /system/bin/sh
run-as /init.rc

Try different files and see if you get the output in your console.

Also with:

run-as -f

you will get some information about files with size >= init.patch, for the exploit's purposes.

Maybe the run-as user does not have SELinux permissions to dump init. Which Android are you using?

I am running 6.0.1.

Only run-as /init.rc gives a result;
I see the content in the console.
run-as -f gives:
Error, no read access to /init.

Do you know how I can patch the adbd? I have dumped the adbd with the run-as dirtycow.
Maybe we can try to do something with an insecure adbd.