S22 #3
Basically it should work by a similar procedure.
If there is a dev interested in that, I can help them. |
I'm interested in trying it. I have the S22 kernel source as well as the firmware to extract libc++; however, I would need a good deal of guidance on this. |
If we could chat on Telegram or WhatsApp, that would be great. |
If possible, contact me please: oakieville209@gmail.com |
s22 libc++.so 000403e1 w DF .text 00000030 Base std::__1::basic_streambuf<char, std::__1::char_traits >::basic_streambuf() |
Our schedules might not match for chat. I added auto-detection of the offset for libc++.so, so the remaining issues are the kernel module and libstagefright_soft_mp3dec.so. The target vendor lib (on Pixel 6, libstagefright_soft_mp3dec.so) must have byte 0x57 at offset 0x1000, like the following:
If you can get the firmware image for the device, extract vendor.img on a PC and find a proper lib with the following command:
If you couldn't find a proper lib, we should find other methods. |
After finding the lib:
You can also use /vendor/lib64/*.so, but a 32-bit lib should have a small impact on the system. If you succeed, adb logcat looks like:
|
Not sure if it matters, but you can run those commands from the shell on the device itself. If you run:
and furthermore the other code returns a long list, which I will provide shortly. Are we looking for something that contains exactly this:
|
Hey elliwigy, how are you doing? OK, I will check as you instructed above. I do see that libstagefright_soft_mp3dec.so doesn't seem to exist on the S22; there are other libstagefright libs there though. I have not yet checked the offset; I will do so later today or tomorrow. |
These are all the ones it finds:
|
It does exist on the S22 Ultra (SM-S908U), which is what I posted above, in /vendor/lib. Not sure why the S22 would be any different? |
You cannot run the command on the device. You must extract the firmware image on a Linux PC like Ubuntu. According to your output, we can choose a lib to overwrite.
Download 1.0.2 from the release page, then edit run.bat to append arguments like:
Then launch run.bat and check adb logcat. |
I will try this tonight and report back with logcat. Just out of curiosity, why do you say you cannot run it on the device when the output I provided is from the device? lol. In a normal adb shell running as the normal shell you cannot view /vendor/lib, as you get permission denied, but if you run as "vendor_shell" you can view the /vendor/lib files just fine and can run the commands you posted earlier, as I did when sharing the output. You can try it yourself; from a regular terminal you simply type:
Then type:
and your output should show you are running as vendor_shell, where you can then view the /vendor/lib directory no problem and without having to download firmware, unsparse super.img, lpunpack super.img and mount vendor, which is a lot more work and space used lol. Just saying :-) |
run.bat logcat is here |
Seems it can't access /vendor/lib/* files |
The reason I believe it says the file is not found is because the file "/system/lib/libldacBT_enc.so" does not exist on the Samsungs. My workaround was (instead of compiling) It'll run but crashes my device almost immediately. It does work though, as I can use it to copy normally unreadable files to the sdcard. I can use the vendor shell to look at the modules in vendor_dklh/lib/modules (I think?). I did see a file called something like "policy config.ko", but it doesn't look like it lines up with "mymod.ko". That may be irrelevant though. |
/system/lib/libldacBT_enc.so isn't what it was calling. If you look at the code, it prints "Stage2 libname for kmod overwrite: /vendor/lib/libcamxifestriping.so" from the same variable it loads the lib from. I believe, as elliwigy explained, it requires being /vendor/bin/sh to access those libs correctly. lib/libextmediaformatdef.so, maybe this? |
The program writes to /system/lib/libldacBT_enc.so and then uses that to write to the vendor files. The payload in libc++ mmaps libldacBT_enc.so for the stage2 payload, which is located in /system/lib/libldacBT_enc.so, which the S22 Ultra doesn't have. Edit the file and try it, and it'll say it worked but reboots. You can edit startup root and have it copy files to the sdcard that you can't normally access. |
S22 Ultra does have it:
Of course, it's in the lib64 dir, not lib. |
So maybe edit it to use the same .so file but in lib64 |
That's absolutely right. My bad. |
There doesn't seem to be "/system/lib/libldacBT_enc.so", as @Dog10dogg said. stage2_lib (
So we should investigate what is causing this crash. |
Also, if you change that to a lib in /system/lib in the command, it doesn't say file not found, or at least didn't when I tried it |
dirtypipe-android-1.0.3-debug1.zip Try this version.
In addition to logcat, paste the output of run.bat here. If it still reboots, there is something wrong in stage1. Even if the device doesn't reboot, please manually reboot after launching run.bat, because it won't automatically restore file content. A reboot is required to restore the original files. |
dirtypipe-android-1.0.3-debug2.zip Try the second version if you got "libc : Fatal signal ..." in logcat. Run
When it does not exist (failed to call stage2), it says "No such file or directory" (or reboots):
|
dirtypipe-android-1.0.3-debug3.zip It will produce the following logcat if modprobe was successfully launched:
If it failed, it might reboot or not output any log. |
dirtypipe-android-1.0.3-beta.zip Try this version if you succeeded in running debug1-3. |
Output of run.bat
It crashes before it can check that /dev exists. It does a kernel panic. |
Yep, kernel panic/crash on my S22 Ultra |
How? Please, can you share, @Tahadergan? |
Sad, I updated to the version which disallows rolling back the kernel version |
Nice one! I'm on the same kernel with the S22+ (S906B). Looking forward to the details about the method(s). |
Nice. Can you please share how? |
I highly doubt they'll share anything. Dunno why even post really, as they have no intention to share how |
Interesting, his context is vendor_modprobe |
So is the original PoC lol; if you look at the screenshot on the main screen you will see it's also vendor_modprobe context |
So is that where it's failing for us? Because for me it is not vendor_modprobe context when running commands in shell. The PoC code runs as vendor_modprobe to do the module, but running uname is not |
Think I for the most part lost interest in this. Sucks, dude figured it out but didn't share, and I simply lack the skill to do it. I'm hoping on elliwigy figuring it out |
That's because it doesn't work/fully execute for us due to DEFEX. If it ran all the way through it would be in vendor_modprobe context. With permissive you can change to that context, but it doesn't do much for us unfortunately |
Yeah, and not looking like he wants to share his trick either |
There was a new security breach discovered, apparently similar to Dirty Pipe; maybe this could be exploitable if someone finds more information on it? |
Doesn't help much right now at all lol. Probably be months before we see any details, and it's patched. |
I'm interested. I've actually started a thread on XDA here: https://forum.xda-developers.com/t/open-dev-bruteroot-a-collection-of-root-tactics-possibly-force-bootloader-unlock-on-na-samsung-s22.4468083/page-2#post-87167275 But I'm aiming to compile as many methods as possible to escalate priv into an apk. Trying to drum up support and get help because apks aren't my thing. |
Not sure how much you have read so far, but we already have a working version of this PoC. It sets permissive, but after viewing logs it appears DEFEX is preventing root. So the PoC works, but in order to gain root we need to somehow stop DEFEX or bypass it, etc. |
Can this work? DEFEX Bypass: As we saw in the above part, just calling call_usermodehelper doesn't work due to the newly updated DEFEX. But ueventd is a root-privileged process and its parent process is the init process. And also it is not protected by DEFEX. Similar to the way we bypass the SELinux restriction, to bypass the new DEFEX, all we need to do is call call_usermodehelper's subroutines separately in the ueventd process. Set call_usermodehelper_setup's arguments in kernel memory via the arbitrary kernel write primitive. |
You try it yet? lol |
Ya got root, didn't you? Lol |
Taha Dergan, please share your knowledge with us. You will be a legend |
I apologize, deleted |
Message me on Twitter |
So share, bro, or are you just here to brag? |
Lol no I didn't, it was sarcasm
|
Why? You don't ever respond... |
Curious - I can run the beta-4 release on my S22 Ultra and then subsequently run Traitor (https://github.com/liamg/traitor), which is then able to detect the dirty pipe vuln where it was not able to before. If I run the beta-4 release again, the unit will soft reboot and I will have to run it again before Traitor will recognize dirty pipe again. Running ./traitor-arm64 --exploit kernel:CVE-2022-0847 from an adb shell seems to work but states 'Exploit failed: unexpected data in /etc/passwd' |
That is normal behavior (not sure about traitor) |
/etc/passwd is for the Linux version. If you look at the original dirtypipe and the Android dirtypipe you'll see what I mean: the PC one uses /etc/passwd, the Android one overwrites a .so |
Are there any suid binaries on the S22?
|
Anyone got root? Or never finished? |
Could this same method work on the S22? I assume it would require mymod.ko to be built with the S22 kernel source, but can it work?