Dirty Cow


Matt07211

Senior Member
Jan 10, 2015
642
290
I tried but I'm getting a permission denied error.
Also tried with farm-root and VIKIROOT; both not working.
So find an SELinux context that has block read/write access. For example, on the V20 the file context that had that permission was the ATD context.
Dump the contents of your sepolicy file and search through the dump till you find what you need. I've posted instructions on how to dump it earlier in this thread.
 

tcpcd

Senior Member
Mar 13, 2017
220
40
So find an SELinux context that has block read/write access. For example, on the V20 the file context that had that permission was the ATD context.
Dump the contents of your sepolicy file and search through the dump till you find what you need. I've posted instructions on how to dump it earlier in this thread.

Can you give me the post ID where you explained it?
Thanks
 

Matt07211

Senior Member
Jan 10, 2015
642
290
Do you have Chainfire's supolicy tool?
It depends on whether the tool's path is in your terminal emulator's PATH.

If you can't find it, go
Code:
cd /su/bin/
Then run the command, because that's where the supolicy tool is located if you're using Chainfire's systemless root.
 

Matt07211

Senior Member
Jan 10, 2015
642
290
No, my device is not rooted.
If you read the original post I referred you to, it said to copy the sepolicy of the device that you want to Dirty Cow and place it onto a device that is rooted (a physical device or emulator) so you can dump the contents.

Sorry, I assumed you were running it on a second device that was rooted, because you had "#" in one of your replies (# usually signifies root).

Gimme a moment to find you a link for how to do it on an emulator.

Edit:
https://forum.xda-developers.com/apps/supersu/patching-sepolicy-supolicy-tool-modifed-t3462922/
Here's the thread that will help with using the supolicy tool on an emulator.

Code:
# adb push takes <local file> <remote path>
adb push libsupol.so /system/lib/libsupol.so
adb shell chmod 0644 /system/lib/libsupol.so
adb push supolicy /system/xbin/supolicy
adb shell chmod 0755 /system/xbin/supolicy
adb push supolicy /data/local/tmp/supolicy
adb shell chmod 0755 /data/local/tmp/supolicy

# push the sepolicy you copied off the target device, then run supolicy against it
adb push sepolicy /data/local/tmp/sepolicy
adb shell
cd /data/local/tmp
chmod 0755 supolicy
# make sure the dynamic loader can find libsupol.so
LD_LIBRARY_PATH=/data/local/tmp:$LD_LIBRARY_PATH ./supolicy <Command Syntax Here>
 

tcpcd

Senior Member
Mar 13, 2017
220
40
If you read the original post I referred you to, it said to copy the sepolicy of the device that you want to Dirty Cow and place it onto a device that is rooted (a physical device or emulator) so you can dump the contents.

Sorry, I assumed you were running it on a second device that was rooted, because you had "#" in one of your replies (# usually signifies root).

Gimme a moment to find you a link for how to do it on an emulator.

Edit:
https://forum.xda-developers.com/apps/supersu/patching-sepolicy-supolicy-tool-modifed-t3462922/
Here's the thread that will help with using the supolicy tool on an emulator.

Code:
# adb push takes <local file> <remote path>
adb push libsupol.so /system/lib/libsupol.so
adb shell chmod 0644 /system/lib/libsupol.so
adb push supolicy /system/xbin/supolicy
adb shell chmod 0755 /system/xbin/supolicy
adb push supolicy /data/local/tmp/supolicy
adb shell chmod 0755 /data/local/tmp/supolicy

# push the sepolicy you copied off the target device, then run supolicy against it
adb push sepolicy /data/local/tmp/sepolicy
adb shell
cd /data/local/tmp
chmod 0755 supolicy
# make sure the dynamic loader can find libsupol.so
LD_LIBRARY_PATH=/data/local/tmp:$LD_LIBRARY_PATH ./supolicy <Command Syntax Here>
Okay, checking.
Anyway, is it possible to obtain root on my device? >> https://forum.xda-developers.com/general/rooting-roms/modify-ota-zip-to-gain-root-access-t3572202
 

Matt07211

Senior Member
Jan 10, 2015
642
290
If you read the original post I referred you to, it said to copy the sepolicy of the device that you want to Dirty Cow and place it onto a device that is rooted (a physical device or emulator) so you can dump the contents.

Sorry, I assumed you were running it on a second device that was rooted, because you had "#" in one of your replies (# usually signifies root).

Gimme a moment to find you a link for how to do it on an emulator.

Edit:
https://forum.xda-developers.com/apps/supersu/patching-sepolicy-supolicy-tool-modifed-t3462922/
Here's the thread that will help with using the supolicy tool on an emulator.


Okay, checking.
Anyway, is it possible to obtain root on my device? >> https://forum.xda-developers.com/general/rooting-roms/modify-ota-zip-to-gain-root-access-t3572202
Let's move this conversation to your thread.
 

billydroid

Senior Member
Jun 24, 2010
1,599
481
I've not been following this thread. And I'm sorry if I'm butting in on actual development of Dirty Cow as a viable exploit.

But is it possible to gain temp root with dirty cow? I have an S8+. Just trying to find a path to full root.
 

elliwigy

Retired Forum Moderator / Recognized Developer
XDA App Taskforce
I've not been following this thread. And I'm sorry if I'm butting in on actual development of Dirty Cow as a viable exploit.

But is it possible to gain temp root with dirty cow? I have an S8+. Just trying to find a path to full root.

No... lol, Dirty Cow has been patched since, I think, Dec. or Jan.
 

vampirefo

Senior Member
Apr 3, 2010
3,243
1,640
How do I add the code to return to the caller, sir?

I patched the init according to your instructions; I got only 4 NOPs against your patched init, which has 5 NOPs. I started adding the shellcode in HEXVIEW just after the line "PUSH.W {R4-R11, LR}", or shall I start adding the shellcode from the line just after "loc_91B0"?

[Attachment: Capture.png]


My patched init: https://drive.google.com/open?id=0B9ZHDklJCY7DQlE1dWpYbmNWWFk
What program is this? I need a free ARM disassembler.

Sent from my Life Max using Tapatalk
 

Top Liked Posts

  • 7
    Would you be willing to explain this? No one seems to want to help; they just state what they can do, great for them.

    A simple root shell or the ability to pull recovery or boot from the device is all that's needed, but getting someone who knows how to do it to explain how to do it is impossible.

    Sure, but it is already midnight in my time zone and the development machines and source code are not with me right now; I hope I can share it on GitHub in the daytime.

    I can't disclose my device model, but I can give its specification instead.

    Spec
    SoC: QCOM Snapdragon 430 msm8937
    OS: Android 6.0.1
    Storage: 2GB RAM+16GB eMMC
    External MicroSD card slot, hotpluggable (don't need to take battery out)

    Draft steps:
    1. Prepare a MicroSD card with 2 partitions: the first one is exFAT, and the second one is for write(), like "dd" does. My 16GB MicroSD card is partitioned as 512MB (exFAT) + 15GB, partitioned with "fdisk" on Mac OS X.


    2. Compile CVE-2016-5195

    3. A "fake-fsck.c" program that is used to replace "/system/bin/fsck_exfat". setresgid()/setresuid() are not needed, because "fsck_exfat" will be run as root by default, and it is still readable on uid 2000, so the contexts of setresgid/setresuid are no longer painful; just focus on the BLOCKS. I will release the source code once it is ready.

    Code:
    It is allowed from scontext=u:r:vold:s0 -> tcontext=u:object_r:block_device:s0
    [   47.357248] type=1400 audit(1477829349.300:123): avc: granted { read open } for pid=3629 comm="fsck_exfat" path="/dev/block/mmcblk0p27" dev="tmpfs" ino=12129 scontext=u:r:vold:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file
    [   47.357821] type=1400 audit(1477829349.300:124): avc: granted { read } for pid=3629 comm="fsck_exfat" name="mmcblk0p29" dev="tmpfs" ino=12137 scontext=u:r:vold:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file

    Since the context (I forgot the name) of "fsck_exfat" is only allowed to perform block-level actions, EVEN /data/local/tmp/ won't be writable, so you need to read() the boot/recovery partition and write() to the second partition of the microSD card; it is something like "/dev/block/vold/public:166,56" on my device, I don't remember the exact value.

    4. Make it on the Android device
    Code:
    adb push libs/armeabi/fake-fsck /data/local/tmp/fake-fsck 
    adb push libs/armeabi/dirtycow /data/local/tmp/dirtycow
    adb shell chmod 777 /data/local/tmp/fake-fsck 
    adb shell chmod 777 /data/local/tmp/dirtycow
    adb shell /data/local/tmp/dirtycow /system/bin/fsck_exfat  /data/local/tmp/fake-fsck

    This step is finished; don't manually run "/system/bin/fsck_exfat", it is not "run-as".

    5. To get "/system/bin/fsck_exfat" (replaced by "fake-fsck") to run, just insert the MicroSD card prepared in Step 1. The process for a card-inserted event is likely to be:
    • Card inserted; the system will read the partition table
    • exFAT detected, then perform fsck_exfat before mounting
    • /system/bin/fsck_exfat is run, this is the trick

    Although the above steps are quite unorganized, I still hope they can bring some insights to those who are working on it.
    7
    OK,

    I achieved root with SELinux bypass on a Galaxy Note 4, Marshmallow, ARM 32-bit.

    Writing the shellcode was a pain.

    Tomorrow if you want I'll post the full details, I'm too tired now.

    Matteo
    6
    Dirty Cow is sufficient to circumvent SEAndroid.
    https://www.redtile.io/security/galaxy
    shows how to get temp root on the Galaxy S7 Active and arbitrarily change sepolicies.
    6
    Here are my results so far:

    I can start a root shell by overwriting dnsmasq and enabling Wi-Fi tethering.

    I can start Android apps in a different SELinux context by modifying seapp_contexts.

    Now I'll try patching /sepolicy on the fly to add a super-permissive rule.
    5
    I assume the debug firmware was a leak from LG or some such thing? In that without it, DC alone wouldn't have been enough to unlock the bootloader?

    Dirty Cow alone isn't enough to root any phone, let alone unlock the BL. However, it can be used towards root or an unlocked BL. With that I mean that with Dirty Cow you can attack pretty much anything you want..

    For example, you can use Dirty Cow to, say, gain access to init and in theory reload an sepolicy to set the device to permissive and/or disable secure boot. You could in theory attack the bootloader or even overwrite it if you find any exploits to use with Dirty Cow.. it opens the doors for many things.. On the V20, for example, we used a modified run-as: we used Dirty Cow to overwrite the existing one to spawn a root shell, then used that shell to Dirty Cow another process, which we then used to Dirty Cow the atd process, which is able to write to the aboot blk file.. At this point we were able to overwrite the existing aboot with the debug aboot, which was unlocked by default, and since it was signed by LG the phone accepted it and disabled secure boot as well as being unlocked and fastboot-enabled..

    And the V20 debug firmware was on a US996 V20 that someone was able to buy before it was even launched.. Not sure if it was an LG employee or where it originally came from, but you can say we lucked out lol
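As an added, defender-side example (this is not code from the thread or from any of its posters): the two "avc: granted" records quoted in the Top Liked Posts section above are ordinary kernel SELinux audit lines, and denials are logged in the same key=value shape. Anyone reviewing a device's dmesg or logcat for this kind of block-device access can parse them mechanically. The script below extracts scontext/tcontext/tclass and the permission set, keeps only records whose target is a block_device node, summarizes which source domains touched block devices, and flags any domain outside an allowlist the reviewer supplies. The sample log is constructed: the two lines from the thread plus two made-up lines (a denied write from the shell domain and an unrelated file denial), and the allowlist {"vold"} is an assumption for illustration only.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed sample log: the two "avc: granted" lines quoted in the thread,
# plus two constructed lines (one denied write to a block device from the
# shell domain, one unrelated file denial) to exercise the other branches.
SAMPLE_LOG = """\
[   47.357248] type=1400 audit(1477829349.300:123): avc: granted { read open } for pid=3629 comm="fsck_exfat" path="/dev/block/mmcblk0p27" dev="tmpfs" ino=12129 scontext=u:r:vold:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file
[   47.357821] type=1400 audit(1477829349.300:124): avc: granted { read } for pid=3629 comm="fsck_exfat" name="mmcblk0p29" dev="tmpfs" ino=12137 scontext=u:r:vold:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file
[   48.000100] type=1400 audit(1477829350.000:125): avc: denied { write } for pid=4100 comm="sh" name="mmcblk0p27" dev="tmpfs" ino=12129 scontext=u:r:shell:s0 tcontext=u:object_r:block_device:s0 tclass=blk_file permissive=0
[   48.100000] type=1400 audit(1477829350.100:126): avc: denied { read } for pid=4101 comm="app_process" name="build.prop" dev="mmcblk0p23" ino=44 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:system_file:s0 tclass=file permissive=0
"""

# "avc: granted { perms } for key=value ..." / "avc: denied { perms } for ..."
AVC_RE = re.compile(r"avc:\s+(?P<verdict>granted|denied)\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)$")
# key=value pairs; values are either double-quoted or a run of non-space characters
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class AvcEvent:
    verdict: str            # "granted" or "denied"
    perms: List[str]        # e.g. ["read", "open"]
    fields: Dict[str, str]  # pid, comm, path/name, scontext, tcontext, tclass, ...

    def _type_of(self, key: str) -> str:
        # SELinux labels are user:role:type:level; the type is the third field
        parts = self.fields.get(key, "").split(":")
        return parts[2] if len(parts) >= 3 else ""

    @property
    def source_domain(self) -> str:
        return self._type_of("scontext")   # u:r:vold:s0 -> vold

    @property
    def target_type(self) -> str:
        return self._type_of("tcontext")   # u:object_r:block_device:s0 -> block_device


def parse_avc_line(line: str) -> Optional[AvcEvent]:
    """Parse one dmesg/logcat line; return None if it is not an AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    perms = m.group("perms").split()
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return AvcEvent(m.group("verdict"), perms, fields)


def block_device_events(log_text: str) -> List[AvcEvent]:
    """Keep only AVC records whose target is a block device node."""
    return [ev for ev in map(parse_avc_line, log_text.splitlines())
            if ev is not None
            and ev.fields.get("tclass") == "blk_file"
            and ev.target_type == "block_device"]


def summarize_by_domain(events: List[AvcEvent]) -> Dict[str, Dict[str, Set[str]]]:
    """Map source domain -> {"granted": perms, "denied": perms} for block-device access.
    Caveat: "granted" records are only emitted for rules the policy marks auditallow,
    so a domain absent from this summary may still hold the permission silently."""
    summary: Dict[str, Dict[str, Set[str]]] = {}
    for ev in events:
        entry = summary.setdefault(ev.source_domain, {"granted": set(), "denied": set()})
        entry[ev.verdict].update(ev.perms)
    return summary


def flag_unexpected(events: List[AvcEvent], expected_domains: Set[str]) -> List[str]:
    """One-line findings: block-device access from any domain outside the reviewer's
    allowlist, plus any granted write even from an allowed domain."""
    findings = []
    for ev in events:
        comm = ev.fields.get("comm", "?")
        target = ev.fields.get("path") or ev.fields.get("name", "?")
        perms = "/".join(ev.perms)
        if ev.source_domain not in expected_domains:
            findings.append(f"{ev.verdict}: unexpected domain {ev.source_domain} (comm={comm}) {perms} on {target}")
        elif ev.verdict == "granted" and "write" in ev.perms:
            findings.append(f"granted: allowed domain {ev.source_domain} (comm={comm}) wrote {target}")
    return findings


if __name__ == "__main__":
    evs = block_device_events(SAMPLE_LOG)
    for dom, verdicts in summarize_by_domain(evs).items():
        print(dom, {k: sorted(v) for k, v in verdicts.items()})
    for finding in flag_unexpected(evs, {"vold"}):   # allowlist is an assumption for the demo
        print(finding)
```

On the sample input the summary shows vold granted read/open on block devices and the shell domain denied write; with {"vold"} as the allowlist, only the shell access is reported. To run it over a real device, feed the output of `adb shell dmesg` (or the kernel buffer from a bug report) to `block_device_events` and populate the allowlist from the domains the device's own policy is meant to give raw block access.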