Better runtime configuration and more patches #2
Conversation
Configure spray size and dump options at runtime
Test more physical addresses
Patch avc_denied instead of selinux_state by default
Optional audit removal patch
Detect if ksma already set up
Only run shell after changes applied and syscalls work
| return false; | ||
| } | ||
|
|
||
| static void stupid_flush_cache(void) |
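Review bot: the declaration `static void stupid_flush_cache(void)` says nothing about which address range it flushes or why a standard cache-maintenance call was not enough; add a comment stating the range and the reason, or a TODO to drop the helper once the plain builtin is confirmed to work, because the name alone will not explain the workaround to the next reader.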
I fixed the issue that was causing cache flush to not work (I was setting the wrong value for MT_NORMAL in the pagetable entry)
In my current version, regular __builtin___clear_cache is enough to flush instruction + data caches, so you probably don't need to do stuff in a loop anymore.
zhuowei left a comment
Thank you so much! I really appreciate your help in getting this working.
I ended up fixing the broken kallsyms finder and the broken cache flushing. The existing patches might work on your device now, and you may not need your advanced patches anymore.
The spray size change + re-running with different addresses would probably still be needed for your device, though.
| fprintf(stderr, "%lx: %p\n", (kernel_selinux_state_addr - kernel_virtual_base), kernel_selinux_state_enforcing_ptr); | ||
| *kernel_selinux_state_enforcing_ptr = false; | ||
| fprintf(stderr, "set selinux enforcing ptr...\n"); | ||
| // first field depends on kernel config, so disabled for now by default |
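Review bot: `*kernel_selinux_state_enforcing_ptr = false;` writes through the pointer without any check that it is non-NULL or inside the mapped range, and the comment on the next line says the field offset depends on the kernel config; log the value currently at that address before overwriting it so a wrong offset shows up in the `fprintf` output instead of silently clobbering an unrelated field. Also, `%lx` for `kernel_selinux_state_addr - kernel_virtual_base` assumes `unsigned long` operands; if they are `uint64_t`, use `PRIx64` from <inttypes.h> to keep the format portable.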
> first field depends on kernel config
In practice, these devices are all 5.10 kernels built with Clang (which doesn't support struct randomization), and without CONFIG_SECURITY_SELINUX_DISABLE.
So enforcing should be the first field.
My patchfinding was broken when CONFIG_KALLSYMS_ALL is not set; this is now fixed, so this code should work for most devices now.
Your more advanced patches might still be useful, since I still get some SELinux denials even with permissive. (Although Magisk's temp root script also patches and reloads the SELinux policies and fixes those...)
|
|
||
| stupid_setexeccon("u:r:shell:s0"); // otherwise binder doesn't work | ||
| execl("/system/bin/sh", "sh", NULL); | ||
| argv[0] = "sh"; |
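Review bot: `execl` only returns when it fails, so `argv[0] = "sh";` after `execl("/system/bin/sh", "sh", NULL);` is never reached on success and a failed exec goes unreported; check the return value, call `perror("execl")` and exit non-zero so the failure is visible rather than falling through to the following code.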
I wonder if we should also get the executable from the command line / path, in case someone wants to do /data/local/tmp/cheese /data/local/tmp/busybox sh myscript.sh or something.
(I can make that change if you want - whatever you prefer)
| // note: if selinux is enforcing and avc_denied patch failed, stderr does not work here... | ||
| // TODO: maybe, good place to dump pagemap here | ||
| // On devices where exploit works very rare and selinux bypass failed, pagemap will help to make it work again | ||
| // but how to write it without stdout/stderr? |
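Review bot: the TODO block ending at `// but how to write it without stdout/stderr?` leaves an open design question in the code; either track it in an issue or remove it, since a reader cannot tell whether the pagemap dump is planned or abandoned. Minor wording: "exploit works very rare" should read "exploit works only rarely".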
> how to write it without stdout/stderr?
Can you still write to a mmaped file after elevating?
If not, just write it into physical memory via ksma mapping, then run this again and grab it back out of the physical memory with the ksma mapping...
... although how do you read the pagemap file if the device is enforcing?
Anyways, I don't think this should be an issue now that cache flushing is fixed: your avc_denied patch should hopefully just work as soon as you __builtin___clear_cache
| void* ksma_mapping = (void*)(0xffffff8000000000ull + kKernelPageTableEntry * 0x40000000ull); | ||
| uint64_t ksma_physical_base = 0x80000000; | ||
| //sync_cache_from_gpu(ksma_mapping + 0x08000000, ksma_mapping + 0x08000000 + 0x1000); | ||
| signal(SIGSEGV, segv_cb); |
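Review bot: `0xffffff8000000000ull`, `0x40000000ull` and `ksma_physical_base = 0x80000000` are unexplained magic numbers; give them named constants with a comment saying what each denotes and which devices they were taken from, and note that a hard-coded physical base sits oddly beside the PR description's "Test more physical addresses" unless that logic lives elsewhere. The commented-out `//sync_cache_from_gpu(...)` line should be deleted rather than left in; version control keeps the history.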
Skipping GPU is probably less useful now that we checked Magisk's https://github.com/topjohnwu/Magisk/blob/master/scripts/live_setup.sh works from the temp root shell - that temporarily installs a su so you don't need to re-run the exploit to get another shell.
(Does Magisk work on your device?)
| npbufs = atoi(npbufs_env); | ||
| if(!npbufs) | ||
| npbufs = 256; | ||
| if(npbufs > 512) |
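Review bot: `npbufs = atoi(npbufs_env);` accepts negative values and silently maps non-numeric input to 0 (which then becomes 256); `atoi("-1")` is non-zero and not `> 512`, so it passes both checks and reaches the allocation code. Parse with `strtol` and an end-pointer check, reject values below 1, and make the upper bound a named constant shared with the `> 512` comparison.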
Inspired by #2 but also support changing the executable. Co-authored-by: mittorn <mittorn@sibmail.com>
Inspired by #2 Co-authored-by: mittorn <mittorn@sibmail.com>
Based on #2 Co-authored-by: mittorn <mittorn@sibmail.com>
On Xiaomi models, the phone reboots after running it.
…adless Implement Patches from zhuowei/cheese#2 and a headless option. Thanks @Henrry1887 !