PoC details: 4e95adb8f5123e634238568a1dd06b75dd996c31

Source
Related vulnerability
Title: Android resource management error vulnerability (CVE-2019-2215)
Description: Android is a Linux-based open-source operating system developed by Google (US) and the Open Handset Alliance (OHA). A resource management error vulnerability exists in the binder.c file of Android. An attacker can exploit this vulnerability to escalate privileges.
Description
CVE-2019-2215 PoC for the Huawei hardened kernel
Introduction
# TempRoot-Huawei

Temporary root for Huawei hardened kernel via CVE-2019-2215

This code is written for the P20 Pro (CLT-AL00); the kernel offsets are taken from the firmware with build fingerprint 'HUAWEI/CLT-AL00/HWCLT:8.1.0/HUAWEICLT-AL00/176(C00):user/release-keys'.

## Background

Like Samsung's KNOX, Huawei added many mechanisms to prevent exploitation by hackers and improve 'security'.

- DEBUG_SPINLOCK is enabled, which adds additional checks on spinlocks
- The kernel stack pointer in the task struct has been obfuscated using a random offset `kti_offset` (like KASLR)
- get_fs() returns either `KERNEL_DS` or `USER_DS`, so changing `current_thread_info()->addr_limit` will not work
- uid/gid/capabilities in the cred struct are protected by the hypervisor (EL2); a process is immediately killed during an access check if it has become root without going through `commit_creds()`
- CONFIG_SECURITY_SELINUX_DEVELOP is not set, so SELinux cannot be put into global permissive state
- many critical variables are read-only after init or protected by the hypervisor, including `ss_initialized`, `policydb->permissive_map` and `security_hook_heads`

These mechanisms make it hard to exploit old Huawei devices even when they are vulnerable to CVE-2019-2215.

## Usage

First, compile and run `patch_system.c`; this nullifies SELinux by messing with the SELinux mapping and calling `avc_ss_reset()`.

Next, compile and run `poc.c` to get a root shell.

(Optional) Compile the su daemon and have the poc start it so that other apps can use root (see scripts/termux-boot).

## Notes

The su daemon is taken and modified from https://github.com/corellium/sud

File snapshot

```text
[4.0K] /data/pocs/4e95adb8f5123e634238568a1dd06b75dd996c31
├── [5.3K] common.c
├── [ 228] Makefile
├── [2.7K] patch_system.c
├── [2.9K] poc.c
├── [1.6K] README.md
├── [4.0K] screenshots
│   ├── [446K] compile_run.jpg
│   ├── [325K] devcheck.jpg
│   ├── [505K] root_explorer.jpg
│   └── [639K] su.jpg
├── [4.0K] scripts
│   ├── [ 161] root.sh
│   └── [ 268] termux-boot
└── [4.0K] sud
    ├── [ 15K] daemon.c
    ├── [ 271] Makefile
    ├── [7.5K] pts.c
    ├── [2.8K] pts.h
    ├── [ 10K] su.c
    ├── [2.9K] su.h
    └── [1010] utils.h

3 directories, 18 files
```