关联漏洞
标题:
Linux kernel 竞争条件问题漏洞
(CVE-2016-5195)
描述:Linux kernel是美国Linux基金会的开源操作系统Linux所使用的内核。 Linux kernel 2.x至4.8.3之前的4.x版本中的mm/gup.c文件存在竞争条件问题漏洞,该漏洞源于程序没有正确处理copy-on-write(COW)功能写入只读内存映射。本地攻击者可利用该漏洞获取权限。
描述
CVE-2016-5195 (Dirty COW) PoC for Android 6.0.1 Marshmallow
介绍
# VIKIROOT
This is a CVE-2016-5195 PoC for 64-bit Android 6.0.1 Marshmallow (perhaps 7.0 ?), as well as an universal & stable temporal root tool. It does not require a SUID executable or any filesystem changes.
## Features
- SELinux bypass (see below for details).
- Memory-only: does not modify the filesystem or need special executable.
- Stable: does not affect stability of your device.
- Scalable: easy to add new kernel and/or new devices.
- Reversible: the backdoor is cleared automatically after the root shell ends, which means no reboot is required after usage.
## Attention
By "SELinux bypass" I mean the payload will run in init domian even if SELinux is in enforcing mode, however, a patch to sepolicy is still needed for making init domain unconfined. Usually this means a modified boot image is required.
## Prerequisite
- *I, Robot* by Isaac Asimov.
- "dirtycow-capable" device.
- patched sepolicy.
## Building
Pre-built binaries are available on the release page. Otherwise, just add NDK standalone toolchain into `PATH` and run `make`.
## Usage
You may run it through an adb shell (place it under /data/local/tmp) and get a root shell either in the built-in terminal or a remote terminal server such as nc. For details, run it without any parameters.
## Troubleshooting
- firstly please read through the "Attention" part above.
- "insufficient place for payload" or "unknown kernel": a reboot is required.
- "waiting for reverse connect shell": please wake up your device, open the clock/alarm app or toggle the bluetooth switch in order to trigger the backdoor.
- still no luck: please run the "dbg" version and send an e-mail to me with the generated files which are just dump of some part of kernel and don't contain any personal information.
## Credits
- scumjr for the vDSO patching method.
- Tzul for helping me debug the sepolicy problem.
- RenaKunisaki for making it work with bionic.
## TODO
- Enrich the kernel database for x86 support and so on.
- Test it on Android 7 Nougat (help wanted!).
文件快照
[4.0K] /data/pocs/7629e7c5df24cddf6625ac018af9ff991aa2193d
├── [ 16K] exploit.c
├── [ 34K] LICENSE
├── [ 470] Makefile
├── [4.4K] payload.s
└── [2.0K] README.md
0 directories, 5 files
备注
1. 建议优先通过来源进行访问。
2. 如果因为来源失效或无法访问,请发送邮箱到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
3. 神龙已为您对POC代码进行快照,为了长期维护,请考虑为本地POC付费,感谢您的支持。