@kryz
Ok, here are two zips. One with a dmesg.txt before attempting the ./exploit.sh with 1 and after with 1. Of note, I could not post the onscreen results of the exploit running with the 1 added. The device went black screen and I lost connection to it from the shell; had to reboot. But I do have the dumps and the dmesg.txt, maybe they will be helpful.
Thank you, the logs are helping a lot.
I see in your dmesg (without the 1 param) that the exploit is loading the new sepolicy; these lines in dmesg confirm that:
Code:
<7>[ 420.215067] SELinux: 2048 avtab hash slots, 12560 rules.
<7>[ 420.227142] SELinux: 2048 avtab hash slots, 12560 rules.
<7>[ 420.227199] SELinux: 1 users, 2 roles, 743 types, 0 bools, 1 sens, 1024 cats
<7>[ 420.227212] SELinux: 86 classes, 12560 rules
The first sepolicy load of the device is this:
Code:
<7>[ 2.747565] SELinux: 2048 avtab hash slots, 9071 rules.
<7>[ 2.753025] SELinux: 2048 avtab hash slots, 9071 rules.
<7>[ 2.753067] SELinux: 1 users, 2 roles, 743 types, 0 bools, 1 sens, 1024 cats
<7>[ 2.753080] SELinux: 86 classes, 9071 rules
<7>[ 2.755379] SELinux: Completing initialization.
Also, if you got this prompt it is because the new SELinux policy was loaded:
Code:
# Type run-as -s1 to get a shell
# Type run-as -s2 to execute su daemon
Well, now we know that we have injected code into the init process and the shellcode was executed, but in your device the run-as binary has some restricted rule; maybe it can't change to permissive, even when I added some rules, which is the purpose of the shellcode.
We are close; we just need to adjust the SELinux rules to give more permissions to the run-as domain. I've updated the exploit ADB.
The exploit is basically the same; I've just added some more permissive rules to run-as, and now it installs su in enforcing mode, which is not bad at all.
If you can do the same test: clean the /data/local/tmp/ folder and extract/execute the new exploit without the 1 param.
After the exploit has finished, and if you get this prompt:
Code:
# Type run-as -s1 to get a shell
# Type run-as -s2 to execute su daemon
Code:
run-as -s1
id
run-as -s2
Code:
dmesg > /data/local/tmp/dmesg.txt
And finally, please attach the result files again.
I attach the new version here:
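The dmesg comparison done by hand in the post above (boot-time policy load with 9071 rules vs. a later load with 12560 rules) is easy to automate. The script below is an added example, not code from the thread or from the exploit: it treats every `SELinux: N classes, M rules` line as one policy load, takes the first one as the boot-time baseline, and reports each later load with its rule-count delta, which is the signal that a new sepolicy was pushed into the kernel. The sample dmesg text is constructed here from the lines quoted in the thread plus one unrelated filler line.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# The kernel prints one "<classes> classes, <rules> rules" summary line per
# policy load, so matching it gives exactly one record per load (the
# "avtab hash slots" line is printed twice per load and is skipped).
_LOAD_RE = re.compile(
    r"^<\d>\[\s*(?P<ts>\d+\.\d+)\]\s+SELinux:\s+"
    r"(?P<classes>\d+)\s+classes,\s+(?P<rules>\d+)\s+rules\b"
)


@dataclass(frozen=True)
class PolicyLoad:
    timestamp: float  # seconds since boot, from the dmesg prefix
    classes: int
    rules: int


def parse_policy_loads(dmesg_text: str) -> list[PolicyLoad]:
    """Return every SELinux policy load found in dmesg output, in order."""
    loads: list[PolicyLoad] = []
    for line in dmesg_text.splitlines():
        m = _LOAD_RE.match(line.strip())
        if m:
            loads.append(
                PolicyLoad(float(m["ts"]), int(m["classes"]), int(m["rules"]))
            )
    return loads


def detect_reloads(dmesg_text: str) -> list[dict]:
    """Every policy load after the boot-time one, with its rule delta.

    An empty list means the kernel only saw the stock policy from init,
    i.e. no replacement sepolicy was loaded at runtime.
    """
    loads = parse_policy_loads(dmesg_text)
    if not loads:
        return []
    baseline = loads[0]
    return [
        {
            "timestamp": load.timestamp,
            "rules": load.rules,
            "delta_rules": load.rules - baseline.rules,
            # a changed class count would mean a different policy version,
            # not just extra allow rules appended to the stock one
            "same_classes": load.classes == baseline.classes,
        }
        for load in loads[1:]
    ]


# Constructed sample: the two loads quoted in the thread plus a filler line.
SAMPLE_DMESG = """\
<7>[    2.747565] SELinux: 2048 avtab hash slots, 9071 rules.
<7>[    2.753025] SELinux: 2048 avtab hash slots, 9071 rules.
<7>[    2.753067] SELinux: 1 users, 2 roles, 743 types, 0 bools, 1 sens, 1024 cats
<7>[    2.753080] SELinux: 86 classes, 9071 rules
<7>[    2.755379] SELinux: Completing initialization.
<6>[   10.000000] unrelated: constructed filler line for the example
<7>[  420.215067] SELinux: 2048 avtab hash slots, 12560 rules.
<7>[  420.227142] SELinux: 2048 avtab hash slots, 12560 rules.
<7>[  420.227199] SELinux: 1 users, 2 roles, 743 types, 0 bools, 1 sens, 1024 cats
<7>[  420.227212] SELinux: 86 classes, 12560 rules
"""

if __name__ == "__main__":
    import sys

    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_DMESG
    for event in detect_reloads(text):
        print(f"policy reloaded at {event['timestamp']:.3f}s: "
              f"{event['rules']} rules ({event['delta_rules']:+d} vs. boot)")
```

Run it as `python3 check_sepolicy.py dmesg.txt` against the pulled log; with no argument it runs on the embedded sample and reports the single reload at 420 s with +3489 rules.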