Root tool DirtyCow Apk && adb

Search This thread
By:
Advanced…
K

kryz

Senior Member
Oct 25, 2009
110
129
Curtis1973 said:
@kryz

Ok here are two zips. One with a dmesg.txt before attempting the ./exploit.sh with 1 and after with 1. of note i could not post the onscreen results of the exploit running with the 1 added. the device went black screen and lost connection to it from shell had to reboot. but do have the dumps and the dmesg.txt maybe they will be helpful.
Click to expand...
Click to collapse

Thank you for the logs are helping a lot ;)

I see in your dmesg (without 1 param), that the exploit is loading the new sepolicy, these lines in dmesg confirms that:

Code: 
<7>[  420.215067] SELinux: 2048 avtab hash slots, 12560 rules.
<7>[  420.227142] SELinux: 2048 avtab hash slots, 12560 rules.
<7>[  420.227199] SELinux:  1 users, 2 roles, 743 types, 0 bools, 1 sens, 1024 cats
<7>[  420.227212] SELinux:  86 classes, 12560 rules

The first load sepolicy of the device is this:

Code: 
<7>[    2.747565] SELinux: 2048 avtab hash slots, 9071 rules.
<7>[    2.753025] SELinux: 2048 avtab hash slots, 9071 rules.
<7>[    2.753067] SELinux:  1 users, 2 roles, 743 types, 0 bools, 1 sens, 1024 cats
<7>[    2.753080] SELinux:  86 classes, 9071 rules
<7>[    2.755379] SELinux:  Completing initialization.

Also If you got this prompt is because the new selinux policy was loaded:
Code: 
# Type run-as -s1 to get a shell
# Type run-as -s2 to execute su daemon

Well, now we know that we have injected code in init process and the shellcode was executed, but in your device the run-as binary has some restricted rule, maybe can't change to permissive, even when i added some rules that's the purpose of the shellcode.

We are close, just we need to adjust the selinux rules to give more permissions to run-as domain, i've updated the exploit ADB.

The exploit is basically the same, just ive added some more permissive rules to run-as and now install su in enforced mode that's not bad at all.

If you can do the same test, clean the /data/local/tmp/ foder and extract/execute the new exploit without 1 param.

After the exploit is finished and if you get this prompt:
Code: 
# Type run-as -s1 to get a shell
# Type run-as -s2 to execute su daemon
Execute these commands:
Code: 
run-as -s1
id
run-as -s2
Wait 5 seconds and turn on/off bluetooth and do a dump of dmesg:
Code: 
dmesg > /data/local/tmp/dmesg.txt

And finally again attach the result files please.

I attach the new version here:
 

Attachments

  • EXPLOIT_ADB.rar
    1.3 MB · Views: 226
Last edited:
  • Like
Reactions: Curtis1973
Curtis1973

Curtis1973

Senior Member
May 13, 2013
811
648
50
Greenville, S.C. USA
kryz said:
Thank you for the logs are helping a lot ;)

I see in your dmesg (without 1 param), that the exploit is loading the new sepolicy, these lines in dmesg confirms that:

Code: 
<7>[  420.215067] SELinux: 2048 avtab hash slots, 12560 rules.
<7>[  420.227142] SELinux: 2048 avtab hash slots, 12560 rules.
<7>[  420.227199] SELinux:  1 users, 2 roles, 743 types, 0 bools, 1 sens, 1024 cats
<7>[  420.227212] SELinux:  86 classes, 12560 rules

The first load sepolicy of the device is this:

Code: 
<7>[    2.747565] SELinux: 2048 avtab hash slots, 9071 rules.
<7>[    2.753025] SELinux: 2048 avtab hash slots, 9071 rules.
<7>[    2.753067] SELinux:  1 users, 2 roles, 743 types, 0 bools, 1 sens, 1024 cats
<7>[    2.753080] SELinux:  86 classes, 9071 rules
<7>[    2.755379] SELinux:  Completing initialization.

Also If you got this prompt is because the new selinux policy was loaded:
Code: 
# Type run-as -s1 to get a shell
# Type run-as -s2 to execute su daemon

Well, now we know that we have injected code in init process and the shellcode was executed, but in your device the run-as binary has some restricted rule, maybe can't change to permissive, even when i added some rules that's the purpose of the shellcode.

We are close, just we need to adjust the selinux rules to give more permissions to run-as domain, i've updated the exploit ADB.

The exploit is basically the same, just ive added some more permissive rules to run-as and now install su in enforced mode that's not bad at all.

If you can do the same test, clean the /data/local/tmp/ foder and extract the new exploit.

After the exploit is finished and if you get this prompt:
Code: 
# Type run-as -s1 to get a shell
# Type run-as -s2 to execute su daemon
Execute these commands:
Code: 
run-as -s1
id
run-as -s2
Wait 5 seconds and turn on/off bluetooth and do a dump of dmesg:
Code: 
dmesg > /data/local/tmp/dmesg.txt

And finally again attach the result files please.

I attach the new version here:
Click to expand...
Click to collapse

Going to give it a try now and will report back. Would have posted sooner but was helping another user find firmware for an obscure device he owns.
 
K

kryz

Senior Member
Oct 25, 2009
110
129
Curtis1973 said:
@kryz

ok heres the dump. of note i did get a permission denied even though i had the pound symbol for root after running the -s1 and -s2 commands
Click to expand...
Click to collapse

The permission denied in the root prompt is because is a shell root with a init context, this context is very high but anyways have some restrictions, is normal to get "permission denied" listing files in /data/local/tmp/.

But with this shell you can do many things, anyways the non-restricted shell is su, that is given by run-as -s2

I see that all was all ok now, first you got a root shell with init context, can you confirm this executing this:

Code: 
run-as -s1
id

And also i see in dmesg logs that the su.img was mounted correctly:

Code: 
<6>[  306.342382] EXT4-fs (loop200): mounted filesystem with ordered data mode. Opts: 
<7>[  306.342416] SELinux: initialized (dev loop200, type ext4), uses xattr

So i guess the su binary is in:

Code: 
/system/xbin/su

Have you tried to execute su after run-as -s2?
Code: 
run-as -s2
Turn on/off bluettoth
wait 5 seconds
Code: 
su

I think the exploit worked this time, at least all the logs show the su was installed, can you confirm that please?

I have to say that the su installation is temporal when you reboot the device the su binary in /system/xbin/su will disappear.

Now i don't need the files just the output of the commands, will be good if su is not working that you attach a dmesg dump after.

Best regards
 
Last edited:
  • Like
Reactions: Curtis1973
Curtis1973

Curtis1973

Senior Member
May 13, 2013
811
648
50
Greenville, S.C. USA
Will check and report back on the id check and wherher or not su is in fact in xbin. if all is well I intend to get familiar with everything I can do with this as I am not to familiar with performing root functions from shell
 
K

kryz

Senior Member
Oct 25, 2009
110
129
Curtis1973 said:
Will check and report back on the id check and wherher or not su is in fact in xbin. if all is well I intend to get familiar with everything I can do with this as I am not to familiar with performing root functions from shell
Click to expand...
Click to collapse

I understand all this is a little bit confuse, because the exploit has 2 root methods:

run-as -s1
run-as -s2

The shell that you get with run-as -s1 is a root shell, with almost the most privileged context init, for normal users this root shell is useless.
But if you are researching how to break some kind of security in the Android is very useful even you can load new policies with this context, so this means bye bye Selinux->game over.

The second option run-as -s2 will execute a sudaemon, this means that you will have a normal rooted device, the only difference is that you don't have installed supersu.apk, and always you get su permission allowed.

If you install supersu.apk after the root, the device will have the same behavior that a permanent rooted device, asking you for su authorization when one apk or shell script requires it.

I think one of the next steps to do if you get root, is try if you can mount your system partition in write mode:
Code: 
su
mount -o remount,rw /system

You can get a reboot at this time, because some phones have a protection, but if you don't get reboot probably you can make your root permanent.
 
Curtis1973

Curtis1973

Senior Member
May 13, 2013
811
648
50
Greenville, S.C. USA
@kryz

ok heres my onscreen results although i will do a dmesg before exiting and upload it for review. su is in xbin. i can see it in root explorer as well. although it does appear that all of the bins that originally came with my device in xbin are no longer there. not sure of their use but i suspect a reboot will restore them. the result of running id should be in the command prompt. still getting a denied when running su.
 

Attachments

  • Untitled-1.png
    Untitled-1.png
    33.1 KB · Views: 204
  • Like
Reactions: jayzin13
K

kryz

Senior Member
Oct 25, 2009
110
129
Curtis1973 said:
@kryz

heres the dump from above comment
Click to expand...
Click to collapse

Well su is installed, can you try to execute su from the normal shell user?

I mean when you executed su you were in the shell obtained by run-as -s1 you have to exit of this shell:
Code: 
exit
And the user to execute su have to be this:
Code: 
id
uid=2000(shell) gid=2000(shell) groups=1004(input),1007(log),1011(adb),1015(sdcard_rw),1028(sdcard_r),3001(net_bt_admin),3002(net_bt),3003(inet),3006(net_bw_stats) context=u:r:shell:s0
su
root@A51:/ #

After to check if the daemon su is running can you search the process with this:

Code: 
ps | grep -i su

Also see the permissions of the /system

Code: 
ls -laZ /system

And see the permissions of /system/xbin/su

Code: 
ls -laZ /system/xbin/su

Another check more to set to permissive:

Code: 
run-as -s1
setenforce 0

Well to resume, your device is rooted, all was executed in kernel context that is the max high privileged context.

If you get still "Permission denied" executing su in a normal shell user, please just after execute su, make a dmesg please and post it.
 
Last edited:
  • Like
Reactions: Curtis1973
K

kryz

Senior Member
Oct 25, 2009
110
129
Curtis1973 said:
ok sounds good. i am about to run the checks you wanted. should be able to let you know more in about 5 minutes lol
Click to expand...
Click to collapse

I have already the update, to make a report /data/local/tmp/report.log

So when you finish to execute the exploit.sh just attach this report.log here.

Attach here the new version of exploit.
 

Attachments

  • EXPLOIT_ADB.rar
    1.3 MB · Views: 143
  • Like
Reactions: Curtis1973
K

kryz

Senior Member
Oct 25, 2009
110
129
Im going fast because tomorrow i have the flight and ill will be out for a 3 weeks yeaahhh ;)
 
Curtis1973

Curtis1973

Senior Member
May 13, 2013
811
648
50
Greenville, S.C. USA
@kryz


kryz said:
I have already the update, to make a report /data/local/tmp/report.log

So when you finish to execute the exploit.sh just attach this report.log here.

Attach here the new version of exploit.
Click to expand...
Click to collapse


heres the report log. was extremely quick this time around.

Code: 
----------REPORT LOG ---------------
# Process:

# System permissions:
 drwxr-xr-x root     root              u:object_r:system_file:s0 app
drwxr-xr-x root     shell             u:object_r:system_file:s0 bin
-rw-r--r-- root     root              u:object_r:system_file:s0 build.prop
drwxr-xr-x root     root              u:object_r:system_file:s0 com.touchtype
drwxr-xr-x root     root              u:object_r:system_file:s0 custpack
drwxr-xr-x root     root              u:object_r:system_file:s0 embms
drwxr-xr-x root     root              u:object_r:system_file:s0 etc
drwxr-xr-x root     root              u:object_r:system_file:s0 fonts
drwxr-xr-x root     root              u:object_r:system_file:s0 framework
drwxr-xr-x root     root              u:object_r:system_file:s0 lib
drwxr-xr-x root     root              u:object_r:system_file:s0 lib64
drwx------ root     root              u:object_r:system_file:s0 lost+found
drwxr-xr-x root     root              u:object_r:system_file:s0 media
drwxr-xr-x root     root              u:object_r:system_file:s0 priv-app
-rw-r--r-- root     root              u:object_r:system_file:s0 recovery-from-boot.p
drwxr-xr-x root     root              u:object_r:system_file:s0 tts
drwxr-xr-x root     root              u:object_r:system_file:s0 usr
drwxr-xr-x root     shell             u:object_r:system_file:s0 vendor
drwxr-xr-x root     shell             u:object_r:system_file:s0 xbin

# Su permissions:-rwx------ root     root              u:object_r:system_file:s0 su

# Su execution:

# Set enforce:

# Dmesg output
<7>[    3.205417] SELinux: initialized (dev mmcblk0p46, type ext4), uses xattr
<7>[    3.247554] SELinux: initialized (dev mmcblk0p46, type ext4), uses xattr
<7>[    3.252305] SELinux: initialized (dev mmcblk0p38, type ext4), uses xattr
<7>[    3.267625] SELinux: initialized (dev mmcblk0p31, type ext4), uses xattr
<7>[    3.284295] SELinux: initialized (dev mmcblk0p35, type ext4), uses xattr
<12>[    3.286134] SELinux: Could not set context for /tctkey:  Operation not supported on transport endpoint
<7>[    3.293762] SELinux: initialized (dev mmcblk0p1, type vfat), uses mountpoint labeling
<11>[    5.612283] init: Warning!  Service irsc_util needs a SELinux domain defined; please fix!
<7>[    6.219623] SELinux: initialized (dev fuse, type fuse), uses genfs_contexts
<7>[   19.905812] SELinux: initialized (dev mmcblk1p1, type vfat), uses genfs_contexts
<7>[   20.042533] SELinux: initialized (dev fuse, type fuse), uses genfs_contexts
<7>[  292.355436] SELinux: 2048 avtab hash slots, 12573 rules.
<7>[  292.384916] SELinux: 2048 avtab hash slots, 12573 rules.
<7>[  292.385006] SELinux:  1 users, 2 roles, 743 types, 0 bools, 1 sens, 1024 cats
<7>[  292.385022] SELinux:  86 classes, 12573 rules
<7>[  293.548156] SELinux: initialized (dev loop200, type ext4), uses xattr
 

Attachments

  • report.zip
    852 bytes · Views: 43
K

kryz

Senior Member
Oct 25, 2009
110
129
Curtis1973 said:
@kryz





heres the report log. was extremely quick this time around.

Code: 
----------REPORT LOG ---------------
# Process:

# System permissions:
 drwxr-xr-x root     root              u:object_r:system_file:s0 app
drwxr-xr-x root     shell             u:object_r:system_file:s0 bin
-rw-r--r-- root     root              u:object_r:system_file:s0 build.prop
drwxr-xr-x root     root              u:object_r:system_file:s0 com.touchtype
drwxr-xr-x root     root              u:object_r:system_file:s0 custpack
drwxr-xr-x root     root              u:object_r:system_file:s0 embms
drwxr-xr-x root     root              u:object_r:system_file:s0 etc
drwxr-xr-x root     root              u:object_r:system_file:s0 fonts
drwxr-xr-x root     root              u:object_r:system_file:s0 framework
drwxr-xr-x root     root              u:object_r:system_file:s0 lib
drwxr-xr-x root     root              u:object_r:system_file:s0 lib64
drwx------ root     root              u:object_r:system_file:s0 lost+found
drwxr-xr-x root     root              u:object_r:system_file:s0 media
drwxr-xr-x root     root              u:object_r:system_file:s0 priv-app
-rw-r--r-- root     root              u:object_r:system_file:s0 recovery-from-boot.p
drwxr-xr-x root     root              u:object_r:system_file:s0 tts
drwxr-xr-x root     root              u:object_r:system_file:s0 usr
drwxr-xr-x root     shell             u:object_r:system_file:s0 vendor
drwxr-xr-x root     shell             u:object_r:system_file:s0 xbin

# Su permissions:-rwx------ root     root              u:object_r:system_file:s0 su

# Su execution:

# Set enforce:

# Dmesg output
<7>[    3.205417] SELinux: initialized (dev mmcblk0p46, type ext4), uses xattr
<7>[    3.247554] SELinux: initialized (dev mmcblk0p46, type ext4), uses xattr
<7>[    3.252305] SELinux: initialized (dev mmcblk0p38, type ext4), uses xattr
<7>[    3.267625] SELinux: initialized (dev mmcblk0p31, type ext4), uses xattr
<7>[    3.284295] SELinux: initialized (dev mmcblk0p35, type ext4), uses xattr
<12>[    3.286134] SELinux: Could not set context for /tctkey:  Operation not supported on transport endpoint
<7>[    3.293762] SELinux: initialized (dev mmcblk0p1, type vfat), uses mountpoint labeling
<11>[    5.612283] init: Warning!  Service irsc_util needs a SELinux domain defined; please fix!
<7>[    6.219623] SELinux: initialized (dev fuse, type fuse), uses genfs_contexts
<7>[   19.905812] SELinux: initialized (dev mmcblk1p1, type vfat), uses genfs_contexts
<7>[   20.042533] SELinux: initialized (dev fuse, type fuse), uses genfs_contexts
<7>[  292.355436] SELinux: 2048 avtab hash slots, 12573 rules.
<7>[  292.384916] SELinux: 2048 avtab hash slots, 12573 rules.
<7>[  292.385006] SELinux:  1 users, 2 roles, 743 types, 0 bools, 1 sens, 1024 cats
<7>[  292.385022] SELinux:  86 classes, 12573 rules
<7>[  293.548156] SELinux: initialized (dev loop200, type ext4), uses xattr
Click to expand...
Click to collapse

Seems the permissions are wrong in the /system/xbin/su ....
Well new version to try attached:
 

Attachments

  • EXPLOIT_ADB.rar
    1.3 MB · Views: 110
Last edited:
  • Like
Reactions: Curtis1973
Curtis1973

Curtis1973

Senior Member
May 13, 2013
811
648
50
Greenville, S.C. USA
@kryz

ok heres log text output plus a zip of the dump files if needed for anything. seems permissions are still the issue. i did notice the folder tctkey listed in the last log. not sure what tcl/alcatel has in that directory but i have never been able to view the contents.

Code: 
----------REPORT LOG ---------------
# Process:

# System permissions:
 drwxr-xr-x root     root              u:object_r:system_file:s0 app
drwxr-xr-x root     shell             u:object_r:system_file:s0 bin
-rw-r--r-- root     root              u:object_r:system_file:s0 build.prop
drwxr-xr-x root     root              u:object_r:system_file:s0 com.touchtype
drwxr-xr-x root     root              u:object_r:system_file:s0 custpack
drwxr-xr-x root     root              u:object_r:system_file:s0 embms
drwxr-xr-x root     root              u:object_r:system_file:s0 etc
drwxr-xr-x root     root              u:object_r:system_file:s0 fonts
drwxr-xr-x root     root              u:object_r:system_file:s0 framework
drwxr-xr-x root     root              u:object_r:system_file:s0 lib
drwxr-xr-x root     root              u:object_r:system_file:s0 lib64
drwx------ root     root              u:object_r:system_file:s0 lost+found
drwxr-xr-x root     root              u:object_r:system_file:s0 media
drwxr-xr-x root     root              u:object_r:system_file:s0 priv-app
-rw-r--r-- root     root              u:object_r:system_file:s0 recovery-from-boot.p
drwxr-xr-x root     root              u:object_r:system_file:s0 tts
drwxr-xr-x root     root              u:object_r:system_file:s0 usr
drwxr-xr-x root     shell             u:object_r:system_file:s0 vendor
drwxr-xr-x root     shell             u:object_r:system_file:s0 xbin

# Su permissions:-rwx------ root     root              u:object_r:system_file:s0 su

# Su execution:

# Set enforce:

# Dmesg output
<7>[ 1795.137172] SELinux: 2048 avtab hash slots, 12573 rules.
<7>[ 1795.149808] SELinux: 2048 avtab hash slots, 12573 rules.
<7>[ 1795.149861] SELinux:  1 users, 2 roles, 743 types, 0 bools, 1 sens, 1024 cats
<7>[ 1795.149878] SELinux:  86 classes, 12573 rules
<7>[ 1797.232408] SELinux: initialized (dev loop200, type ext4), uses xattr
 

Attachments

  • tmp_dump_a621bl.zip
    465 KB · Views: 42
Curtis1973

Curtis1973

Senior Member
May 13, 2013
811
648
50
Greenville, S.C. USA
as for overwhelming me on this no worries. i am actually enjoying the attempt to thwart alcatel/tcl and straight talk carriers attempt to shut down everything on this device. leaving a user no options and then make us wait over a year before they are willing to even consider oem unlock...if they ever even intended on offering the unlock.
 
K

kryz

Senior Member
Oct 25, 2009
110
129
Curtis1973 said:
as for overwhelming me on this no worries. i am actually enjoying the attempt to thwart alcatel/tcl and straight talk carriers attempt to shut down everything on this device. leaving a user no options and then make us wait over a year before they are willing to even consider oem unlock...if they ever even intended on offering the unlock.
Click to expand...
Click to collapse

Can you make one test more:

what happens if after execute the exploit you do this:

run-as -s1
chmod 755 /system/xbin/su
ls -la /system/xbin
getenforce
/data/local/tmp/su -d
 
Last edited:
  • Like
Reactions: Curtis1973
You must log in or register to reply here.

Similar threads

Snoop05
[OFFICIAL][TOOL][WINDOWS] ADB, Fastboot and Drivers - 15 seconds ADB Installer v1.4.3
Replies
2K
Views
7M
abdulkareem786
abdulkareem786
shimp208
[TOOL]Minimal ADB and Fastboot [2-9-18]
Replies
982
Views
5M
sinommo
sinommo
Chainfire
[ROOT EXPLOIT+PATCH][2012.12.19] ExynosAbuse APK v1.40
Replies
1K
Views
2M
D
djanielle
B
[UTIL][WIN][MT65xx] MTK Droid Root & Tools | MediaTek Android Smartphone
Replies
2K
Views
3M
A
allyalla
L
[APK] Seeder 2.0.0 entropy generator to provide significant lag reduction
Replies
4K
Views
3M
ravingrabbid_
ravingrabbid_

Top Liked Posts

24 Hours All time
  • There are no posts matching your filters.
  • 48
    K
    kryz
    Hi,
    I have developed a tool to exploit the dirtycow vulnerability and get TEMPORAL ROOT
    It bypass the selinux in lollipop 32bits system only, we are working now in a 64bits and Marshmallow version and will be soon, have a lot of work to do it universal.
    Im bringing 2 tools, one apk (no computer required) and one rar for adb and linux.
    With this tool we will access to those partitions and start the attack there, but in the actual state if you have locked your bootloader a good choice is to have root even temporal one.

    ·APK
    Required: SDCARD
    The apk exploits this vuln in the vold context so, is necessary to have a sdcard and mount or extract it, when the app requires, one time per session.
    This tool has some utilities for flash boot and system partition, also for backup and 2 methods of root:
    ·Attack init process (lollipop 32 bits only)
    ·Attack app_process.(all devices, not really good)

    ·Get root
    Uninstall any supersu manager before root.
    The way to use this app is first click in check perms(optional) and you will see if you have permissions to /init file.
    If you have permisisons and lollipop 32 you can use the first method to get root.
    Also in check permissions you will see if you have rights to backup/flash boot and system partition.
    The process takes until 2 minutes to finish so wait please and watch the log window.
    # ISSUES #
    If you get reboot after get root you can:
    -Clean init (restore init process sometimes crash the device, but is safe)
    -Install selinux permissive (Set permanent the new selinux policy, not tested)
    The first option is safe you just can get a reboot.
    The second option is just tested in 3 devices(oppo,xperia,Moto E), so test it with a recovery system working, can break some selinux rule..


    ·ADB
    The adb rar contains some utilities to get root via run-as and init and is only working in Lollipop 32bits.
    To execute it:

    -Pass rar:"nox"
    -Extract the rar in /data/local/tmp/

    Code: 
    chmod 755 /data/local/tmp/exploit.sh
cd /data/local/tmp/
./exploit.sh

    This process take some time 1-2 minutes but you will see the progress in the console, please wait,
    After will ask to turn off bluetooth do even sometimes is not required, it can accelerate the process.
    It will ask to install selinux permissive, if you don't have reboot problems, don't install it, otherwise be sure you have a recovery system working and a stock rom ready to flash, this feature is stable but need more testing.
    if all is ok you will see this:

    Code: 
    #Type run-as -s1 to get a shell"
#Type run-as -s2 to execute su daemon"

    The run-as -s1 give you a shell with init context but some restrictions because selinux autotransfer domain to run-as
    The run-as -s2 will execute su dameon and a su init context with no restrictions.
    # ISSUES #
    If you get reboot after get root you can:
    ·mount system partition with flag abort:
    Code: 
    mount -o remount,abort /system
    You won't able to mount system in write mode.


    This app is in BETA BETA state for now, just 7/9 devices passed not bad at all ;)
    I'll add more devices in the list soon ;)

    List of rooted devices:
    Moto G 5.1 lollipop
    Xperia 5.1 lollipop
    Oppo 5.1 lollipop
    Emulator 5.1 lollipop
    XT1528 (MOTO E Verizon prepaid) 5.0.2 lollipop(reboot issues)
    Asus Zenfone Go ZB452KG Lollipop(5.1.1)
    Smartfren Andromax A / Haier a16c3h (Lollipop 5.1 Firmware 12.2)


    Version:0.4
    Adb:http://www.mediafire.com/file/r3i900n7jb2zfoo/EXPLOIT_ADB.rar
    Apk:http://www.mediafire.com/file/38tyscsaxms00sa/croowt%282%29.apk
    Implemented selinux pemissive after reboot.(adb,apk)
    Enforce mode working.(adb,apk)

    Version: 0.3
    Fixed bug creating bl instruction.

    Version: 0.2
    -Fix bug in apk for some devices

    Version: 0.1
    -More compatible adb with lollipop 32 bits
    -Fixed bug in the shellcode.
    -64 bits version of run-as-dirtycow.

    Todo:
    -Working in Marshmallow 32 bits.
    -Apk some fix.

    Thanks to n0x for his great help debugging the shellcode issue in Moto G
    View
    5
    K
    kryz
    jucaroba said:
    Can we have access to the run-as-dirtycow source code?

    Thanks.
    Click to expand...
    Click to collapse
    Is very simple just have the dirtycow exploit original and some code to copy files read and puts.

    Anyways soon ill post here, has no many secrets lol, just copy file or execute sh, the main problem now is the patcher, to make it working in Marshamallow and 64bits, i don't have any device with 64bits, yes one xperiaZ that i can install a custom rom with Marshmallow.

    But i think the first is to check if the patcher is working in lollipop32 bits well, even ive tested 2 devices and reversed some other inits is not enough to be completely sure that all is ok.
    View
    4
    CXZa
    CXZa
    Icesmash said:
    ADB Links worked for me but still waiting on getting the dirtycow apk.
    Click to expand...
    Click to collapse

    There is some places that has it. Here is one.
    (Haven't tried it. Don't know version or anything. Found from
    https://www.needrom.com/download/motorola-temporary-root/ )

    Just in case uploaded the other file as well. BTW, there seems to be
    some versions after the OP was last modified. Is this the last one?
    https://xdaforums.com/android/softw...ow-apk-adb-t3525120/post70553259#post70553259
    View
    3
    K
    kryz
    Curtis1973 said:
    @kryz


    ok heres the pulled files from data/local/tmp

    zip below
    Click to expand...
    Click to collapse

    Ok, the exploit adb is fixed now you will get root, i've updated the rar in the main thread.

    Delete all the old content from /data/local/tmp/

    Code: 
    rm /data/local/tmp/*

    The bug was a binary(init-patch) not updated in the rar package, your device was fixed 1 week ago but not updated the rar :laugh:

    Btw i hope this will work for you because i will be out for a 3 weeks, im in Nepal and leaving in 3 days i have a travel to other countries and i will restart the work is some place with a nice beach :cool:

    Best regards ;)
    View
    3
    K
    kryz
    Curtis1973 said:
    taking a break from it for the rest of the day. frustrated lol. but not giving up.
    Click to expand...
    Click to collapse

    Thank you for all the test, your device is rooted, just we need to install su in daemon.

    Ill go to rest as well tomorrow i have the flight.

    Best regards
    View

New posts