iovyroot's People

Contributors

attilamolnar, caplio, danalec, dnw, dosomder, fi01, firstlast2, itsuki-t, lasting-yang, letterarrow, m00head, oblique, sergiocastell, shoey63, sweetlilmre, tommy-geenexus, zombah

iovyroot's Issues

compilation fails

jni/main.c: In function 'writemsg':
jni/main.c:88:9: error: variable 'msg' has initializer but incomplete type
jni/main.c:88:9: error: extra brace group at end of initializer
jni/main.c:88:9: error: (near initialization for 'msg')
jni/main.c:88:9: warning: excess elements in struct initializer [enabled by default]
jni/main.c:88:9: warning: (near initialization for 'msg') [enabled by default]
jni/main.c:88:9: warning: excess elements in struct initializer [enabled by default]
jni/main.c:88:9: warning: (near initialization for 'msg') [enabled by default]
jni/main.c:88:17: error: storage size of 'msg' isn't known
jni/main.c:89:9: warning: missing initializer [-Wmissing-field-initializers]
jni/main.c:89:9: warning: (near initialization for 'soaddr.sin_port') [-Wmissing-field-initializers]
jni/main.c:96:2: warning: implicit declaration of function 'socket' [-Wimplicit-function-declaration]
jni/main.c:96:27: error: 'SOCK_DGRAM' undeclared (first use in this function)
jni/main.c:96:27: note: each undeclared identifier is reported only once for each function it appears in
jni/main.c:103:2: warning: implicit declaration of function 'connect' [-Wimplicit-function-declaration]
jni/main.c:116:3: warning: implicit declaration of function 'sendmmsg' [-Wimplicit-function-declaration]
jni/main.c:88:17: warning: unused variable 'msg' [-Wunused-variable]
jni/main.c: In function 'getpipes':
jni/main.c:229:26: error: 'F_SETPIPE_SZ' undeclared (first use in this function)
make.exe: *** [obj/local/armeabi-v7a/objs/iovyroot/main.o] Error 1
make.exe: *** Waiting for unfinished jobs....

HTC 10

The Vzw HTC 10 has patch level 03-01 which if I read right is vulnerable to CVE-2015-1805, could this work here?

can't work on SOV31

info:
28.0.D.6.136 with kernel 3.10.49-perf-geaad5d9 Mon Oct 19 17:21:43 2015
I built it with ndk-r10e and ran it with adb shell, but my phone always crashes at
"[+] Removing JOP", then restarts with a red light.
So why does this happen?
thx

How can I get absolute kernel addresses

I tried your code, but when I execute it via adb on a Huawei G630, I get:

CANNOT LINK EXECUTABLE: cannot locate symbol "sendmmsg" referenced by "./iovyroot"...

How can I solve this?

Does not seem to build. Using the latest android NDK

rhcps-Mac-Pro-2:jni rhcp$ ndk-build NDK_PROJECT_PATH=. APP_BUILD_SCRIPT=./Android.mk
[armeabi] Compile arm : iovyroot <= main.c
./main.c: In function 'writemsg':
./main.c:93:9: error: variable 'msg' has initializer but incomplete type
struct mmsghdr msg = {{ 0 }, 0 };
^
./main.c:93:9: error: extra brace group at end of initializer
./main.c:93:9: error: (near initialization for 'msg')
./main.c:93:9: warning: excess elements in struct initializer
./main.c:93:9: warning: (near initialization for 'msg')
./main.c:93:9: warning: excess elements in struct initializer
./main.c:93:9: warning: (near initialization for 'msg')
./main.c:93:17: error: storage size of 'msg' isn't known
struct mmsghdr msg = {{ 0 }, 0 };
^
./main.c:101:2: warning: implicit declaration of function 'socket' [-Wimplicit-function-declaration]
sockfd = socket(AF_INET, SOCK_DGRAM, 0);
^
./main.c:101:27: error: 'SOCK_DGRAM' undeclared (first use in this function)
sockfd = socket(AF_INET, SOCK_DGRAM, 0);
^
./main.c:101:27: note: each undeclared identifier is reported only once for each function it appears in
./main.c:108:2: warning: implicit declaration of function 'connect' [-Wimplicit-function-declaration]
if (connect(sockfd, (struct sockaddr *)&soaddr, sizeof(soaddr)) == -1)
^
./main.c:121:3: warning: implicit declaration of function 'sendmmsg' [-Wimplicit-function-declaration]
sendmmsg(sockfd, &msg, 1, 0);
^
./main.c:93:17: warning: unused variable 'msg' [-Wunused-variable]
struct mmsghdr msg = {{ 0 }, 0 };
^
./main.c: In function 'getpipes':
./main.c:234:26: error: 'F_SETPIPE_SZ' undeclared (first use in this function)
ret = (fcntl(pipefd[1], F_SETPIPE_SZ, PIPESZ) == PIPESZ) ? 0 : 1;
^
make: *** [obj/local/armeabi/objs/iovyroot/main.o] Error 1

Missing exports in kallsymsprint output

Running kallsymsprint on certain targets (e.g. Lenovo TAB3 - 7, Android 5.1, 32-bit) generates a symbol list that is missing most offset names. No ptmx_fops, sidtab, policytab etc.
"selinux_is_enabled" is found as opposed to "selinux_enabled". I'm sure there is an obvious explanation for this, but I have no idea as to why. I have observed this for other ROM kernels, so this is not device specific.

Could someone enlighten me, and if possible provide a mechanism to get around this (assuming that this is not a result of some kernel patching to prevent precisely this)?

Nexus 5, 5.0.1 LRX22C

please add this

{ "Nexus 5", "Linux version 3.4.0-g88fbc66 ([email protected]) (gcc version 4.7 (GCC) ) #1 SMP PREEMPT Mon Oct 20 22:18:31 UTC 2014", { (void*)FSYNC_OFFSET(0xc1236cd8) }, (void*)0xc122ecc0, (void*)0xc122ebb0, (void*)0xc1076be0, (void*)0xc122d164 }

thanks

Which symbols are used for offset

Hello, my device is not supported by the exploit and I wanted to add compatibility using the offsets file. I just don't understand what addresses I should be using, I used kallsymsprint to get the symbol table.

ARMv7 version of iovyroot?

Hi!
Would this tool work for the ARMv7 arch (armv7l, armeabi-v7a)? I could try to recompile it but don't know if that makes any sense at all. Every time I execute iovyroot I'm getting
/system/bin/sh: /data/local/tmp/iovyroot: not executable: magic 7F45

Run and Use exploit

Hi,
I want to use the exploit.
I ran iovyroot on my Nexus 5 device and everything is OK and I get the "got root lmao" message!
But now I don't know what I must do.
Can anyone please explain how the tool works and how I can use it? I mean, how can I use this for exploiting?
Thanks in advance.

Adapting for 32-bit PXN enabled device

Hi, @dosomder !

I have troubles with adapting iovyroot for Docomo Fujitsu Arrows NX F-01F, which has PXN enabled, even when it's on 32-bit arch. Okay, I've found ptmx_fops, sidtab, policydb and selinux_enabled from kallsyms. I can't find the pointer to selinux_enforcing. It seems, this parameter is hard-coded to 1:

.text:C0361214 ; =============== S U B R O U T I N E =======================================
.text:C0361214
.text:C0361214
.text:C0361214 sel_read_enforce                        ; DATA XREF: .text:C0A2BA94
.text:C0361214                                         ; .text:C0AC95E8
.text:C0361214
.text:C0361214 var_30          = -0x30
.text:C0361214 var_28          = -0x28
.text:C0361214 var_1C          = -0x1C
.text:C0361214
.text:C0361214                 STMFD           SP!, {R4-R7,LR}
.text:C0361218                 MOV             R5, R3
.text:C036121C                 LDR             R4, =__stack_chk_guard
.text:C0361220                 SUB             SP, SP, #0x1C
.text:C0361224                 MOV             R7, R1
.text:C0361228                 MOV             R6, R2
.text:C036122C                 MOV             R1, #0xC
.text:C0361230                 LDR             R2, =0xC0D70ADD
.text:C0361234                 ADD             R0, SP, #0x30+var_28
.text:C0361238                 LDR             R3, [R4]
.text:C036123C                 STR             R3, [SP,#0x30+var_1C]
.text:C0361240                 MOV             R3, #1
.text:C0361244                 BL              scnprintf
.text:C0361248                 STR             R0, [SP,#0x30+var_30]
.text:C036124C                 MOV             R2, R5
.text:C0361250                 ADD             R3, SP, #0x30+var_28
.text:C0361254                 MOV             R0, R7
.text:C0361258                 MOV             R1, R6
.text:C036125C                 BL              simple_read_from_buffer
.text:C0361260                 LDR             R2, [SP,#0x30+var_1C]
.text:C0361264                 LDR             R3, [R4]
.text:C0361268                 CMP             R2, R3
.text:C036126C                 BEQ             loc_C0361274
.text:C0361270                 BL              __stack_chk_fail
.text:C0361274
.text:C0361274 loc_C0361274                            ; CODE XREF: sel_read_enforce+58
.text:C0361274                 ADD             SP, SP, #0x1C
.text:C0361278                 LDMFD           SP!, {R4-R7,PC}
.text:C0361278 ; End of function sel_read_enforce

I also tried hard to find the suitable locations for joploc and jopret but still didn't succeed. Here you write, that setfl() is inside sys_fcntl, but in the source it is called from do_fcntl. Nevertheless I checked both sys_fcntl and do_fcntl in IDA and I didn't see anything, that looks like your patterns. Some googling gave me this article. There are the modifications to iovyroot for rooting Samsung Galaxy S5, which is also on x32 and has got PXN on. But I couldn't find those JOP patterns also.

Maybe you could take a look at my kernel dump and kallsyms and give me some advice on how to complete my offsets.
kernel
kallsyms
I already tried running without JOP locations and the exploit cannot finish. After some time my phone reboots.

Samsung S5 test failed

Hello
with the Samsung S5 it waits forever after the "Done" message:

...
[+] Changing fd limit from 1024 to 4096
[+] Changing process priority to highest
[+] Getting pipes
[+] Allocating memory
[+] Installing func ptr
    [+] Patching address 0xc1343328
    [+] Start map/unmap thread
    [+] Start write thread
    [+] Spraying kernel heap
    [+] Start read thread
    [+] Done


These are my device details:

[ro.build.version.release]: [5.0]
[ro.build.version.sdk]: [21]
[ro.build.version.sdl]: [2101]
[ro.com.google.gmsversion]: [5.0_r1]
"kltexx","Linux version 3.4.0-3416205 (dpi@SWDD6202) (gcc version 4.8 (GCC) ) #1 SMP PREEMPT Tue Dec 2 02:29:50 KST 2014"

Thanks

avc: denied after root and SELinux set to permissive

Hello!

I'm trying to have iovyroot working for an old Samsung device (Galaxy Core Prime). I was able to extract all the symbols needed from the kernel and the exploit seems working properly:

...
[+] Changing fd limit from 1024 to 4096
[+] Changing process priority to highest
[+] Getting pipes
[+] Allocating memory
[+] Installing func ptr
    [+] Patching address 0xc0c78e58
    [+] Start map/unmap thread
    [+] Start write thread
    [+] Spraying kernel heap
    [+] Start read thread
    [+] Done
[+] Got root!

SELinux is set to "Permissive" mode but still:

 avc:  denied  { dac_override } for  pid=4212 comm="touch" capability=1  scontext=u:r:shell:s0 tcontext=u:r:shell:s0 tclass=capability permissive=0

Do you guys know what's going on?

android ndk r13 fails

I know it is not really an issue, but I'm writing just to report that r12b works flawlessly

https://dl.google.com/android/repository/android-ndk-r12b-linux-x86_64.zip
https://dl.google.com/android/repository/android-ndk-r12b-darwin-x86_64.zip
https://dl.google.com/android/repository/android-ndk-r12b-windows-x86_64.zip
https://dl.google.com/android/repository/android-ndk-r12b-windows-x86.zip

Just extract it and move it to the Android/Sdk/ folder; Android Studio automatically detects it and will notify you that the r13 update is available.
