Root tool DirtyCow Apk && adb

By kryz, Senior Member on 24th December 2016, 03:21 PM
27th December 2016, 07:42 PM |#31  
Senior Member
Quote:
Originally Posted by kryz

I think you are using the new 64-bit version; I didn't try it because I don't have any 64-bit devices.

With run-as /pathtofile you can dump any file to stdout (with run-as permissions), so to find out if it is working on your device or if it is a permissions issue with /init, try:

run-as /system/bin/sh
run-as /init.rc

Try different files and see if you get the output in your console.

Also with:

run-as -f

you will get some information about files with size >= init.patch, for the exploit's purposes.

Maybe the run-as user has no SELinux permissions to dump init. Which Android are you using?

I am running 6.0.1.

Only run-as /init.rc gives a result; I see the content in the console.
run-as -f gives:
Error, no read access to /init.

Do you know how I can patch the adbd? I have dumped the adbd with the run-as dirtycow.
Maybe we can try to do something with an insecure adbd.
27th December 2016, 10:58 PM |#32  
OP Senior Member
Quote:
Originally Posted by norberto_

I am running 6.0.1.

Only run-as /init.rc gives a result; I see the content in the console.
run-as -f gives:
Error, no read access to /init.

Do you know how I can patch the adbd? I have dumped the adbd with the run-as dirtycow.
Maybe we can try to do something with an insecure adbd.

Yes, I have realized that /init is not readable by run-as on some devices, so I'm also thinking about adbd.

You say you have permissions to read it, right? We will go that way; can you post your adbd please?
27th December 2016, 10:59 PM |#33  
OP Senior Member
Good news:
Another device, a Moto G Lollipop 32-bit, has been rooted with adb because it has no sdcard option.
27th December 2016, 11:36 PM |#34  
Member
Quote:
Originally Posted by kryz

Yes, I have realized that /init is not readable by run-as on some devices, so I'm also thinking about adbd.

You say you have permissions to read it, right? We will go that way; can you post your adbd please?

I have no permissions to read that file. I am also using Android Marshmallow 6.0.

I have no permissions to read anything in the /sbin/ folder.

By the way, what's the purpose of the -f option?

---------- Post added at 11:36 PM ---------- Previous post was at 11:11 PM ----------

Oops!! I have no permission to read anything in /sbin/, but I can use the trojan to copy /sbin/adbd.

Here is the adbd binary of my Moto G 2014 (Marshmallow):
http://bit.do/cXrva
28th December 2016, 01:06 AM |#35  
Senior Member
Quote:
Originally Posted by kryz

Yes, I have realized that /init is not readable by run-as on some devices, so I'm also thinking about adbd.

You say you have permissions to read it, right? We will go that way; can you post your adbd please?

Attached my adbd dump.
Attached file: adbd.zip (398.7 KB)
28th December 2016, 04:17 PM |#36  
Member
By the way, how is it possible that the trojanized run-as survives reboots on my Moto G 2014 with stock Marshmallow???!!! Am I missing anything?
29th December 2016, 05:00 PM |#37  
OP Senior Member
Quote:
Originally Posted by jucaroba

By the way, how is it possible that the trojanized run-as survives reboots on my Moto G 2014 with stock Marshmallow???!!! Am I missing anything?

The changes to run-as are restored at boot; run-as is only overwritten in memory, not on disk.

If you achieve root, DON'T mount /system as writable and modify it; you can get stuck at boot because dm-verity is possibly checking it.

Be sure what the security implementation is before making a permanent root, especially if you are on Android >= 6.
29th December 2016, 05:50 PM |#38  
Member
Quote:
Originally Posted by kryz

The changes to run-as are restored at boot; run-as is only overwritten in memory, not on disk.

If you achieve root, DON'T mount /system as writable and modify it; you can get stuck at boot because dm-verity is possibly checking it.

Be sure what the security implementation is before making a permanent root, especially if you are on Android >= 6.

I think you don't understand me: in my case run-as is not restored to the original file after reboot!! That's why I'm asking what's happening!!
29th December 2016, 06:23 PM |#39  
mrmazak, Senior Member
Quote:
Originally Posted by jucaroba

I think you don't understand me: in my case run-as is not restored to the original file after reboot!! That's why I'm asking what's happening!!

I may be mistaken, but I remember reading that dirty cowing does actually write to disk. But usually in Android, /system is written through the cache, not directly. That is why usually on Android changes are reverted on reboot. But on my test device I did dirty cow writes to /data, which is not written through the cache, and the changes remained through a reboot. So your device may have direct "disk" writing and not cache writing.
29th December 2016, 07:09 PM |#40  
Member
Quote:
Originally Posted by mrmazak

I may be mistaken, but I remember reading that dirty cowing does actually write to disk. But usually in Android, /system is written through the cache, not directly. That is why usually on Android changes are reverted on reboot. But on my test device I did dirty cow writes to /data, which is not written through the cache, and the changes remained through a reboot. So your device may have direct "disk" writing and not cache writing.

I'm dirtycowing /system/bin/run-as with a file in /data/local/tmp. I don't know if that explains something.
29th December 2016, 07:20 PM |#41  
OP Senior Member
Quote:
Originally Posted by jucaroba

I think you don't understand me: in my case run-as is not restored to the original file after reboot!! That's why I'm asking what's happening!!

I don't get it; it is so strange. I know that in Android /system is in read-only mode and, as someone said, maybe it is written to the journal or some cache, I'm not sure. Is it possible that before reboot this cache is dumped to the disk?

It's the first time that I see the changes persist after reboot, so I don't know if it is good or not, but it is so rare.