snorez / exploits Goto Github PK

hi !

hoping you could help out a noob here...

own a couple of androids running 4.4.2 (kernel 3.4.67) and i compiled and ran cve-2015-1805/exp.c from this repo on one of 'em.

(noobish question) : output looks promising, but i'm unsure if it runs fully (to end) ?

shell@Pixi3-4:/data/local/tmp/cve-2015-1805 $ ./cve-2015-1805
spray_pipes: 0x780
spray done...
stop_send: 706d742f
race done, we are lucky

shell@Pixi3-4:/data/local/tmp/cve-2015-1805 $ su -
Permission denied

13|shell@Pixi3-4:/data/local/tmp/cve-2015-1805 $ /tmp/getroot
/system/bin/sh: /tmp/getroot: not found

127|shell@Pixi3-4:/data/local/tmp/cve-2015-1805 $ ls -al /tmp
/tmp: No such file or directory

.... which either means get_root executable should already exist under /tmp - or (unlikely, from my limited understanding of the code) this file should appear after running this ... ? The file should probably exist beforehand, so i'm asking myself (1) where to get that, and (2) would some 'su' binary do ?
@ (1):is xfrm_poc_RE_challenge/get_root.c expected to compile and run under android also ? see some strong references to a specific linux distro...

i've noticed in the other open issue that you've mentioned about following stuff, so i put these here as well:

1|shell@Pixi3-4:/ $ grep modprobe_path /proc/kallsyms

1|shell@Pixi3-4:/ $ cat /proc/sys/kernel/modprobe
/sbin/modprobe

could you please provide some directions here what to do to have the exploit run to 'it's full' - which i presume would mean i would be able to copy some 'su' binary under /sbin or so...

Totally as a side note: i want to root this phone to be able to use it as a hotspot (Te.hering) but restrict outgoing connections to specific ip addresses only , which afaik requires access to ipTables

Thanks for you time !

为什么这个编译各种错误 求教

What value should be used for INIT_TASK_ADDR?

cve-2017-2636.c:122:25: error: stray ‘`’ in program
 #define INIT_TASK_ADDR `<todo>`

How long the exploit should take?

It never completes even i leave it 48 hours

~/exploit $ ./exploit
WARNING: linker: /data/data/com.termux/files/home/exploit/poc3: unsupported flags DT_FLAGS_1=0x8000001
spray_pipes: 0x780
spray done... 

its stuck here for very long time(also i ignore the linker warning its will disappear after stripping the binary)
htop report the exploit does doing processing (sometime its in interruptible sleep)

compile command: ~/Android/Sdk/ndk/23.1.7779620/toolchains/llvm/prebuilt/linux-x86_64/bin/aarch64-linux-android24-clang exploit.c -o exploit then i transfer the executable to my android phone

uname -a: Linux localhost 3.18.31-perf-g810e576 #1 SMP PREEMPT Mon Aug 10 11:41:32 CST 2020 aarch64 Android

Android 7.1.1 CHP1801

Also its exploit for CVE-2015-1805

你的poc里面没有命名空间的部分

hi, snorez, what is the usage of cve-2017-7184? Is it sudo setcap cap_net_raw,cap_net_admin=eip ./xxx? but it didn't work.