POC details: d1730d0081411e52b0cee119717fa34a67dea6d6

Source
Related vulnerability
Title: Linux kernel race condition vulnerability (CVE-2016-5195)
Description: Linux kernel is the kernel used by Linux, the open-source operating system of the Linux Foundation (US). A race condition vulnerability exists in the file mm/gup.c in Linux kernel 2.x and in 4.x versions before 4.8.3; it stems from the program not correctly handling copy-on-write (COW) writes to read-only memory mappings. A local attacker can exploit this vulnerability to gain privileges.
Description
One-Click-Root program based on CVE-2016-5195, that works on the old 'PlayStation Certified' android devices
Introduction
One-Click-Root program based on CVE-2016-5195 or "[DirtyCOW](https://en.wikipedia.org/wiki/Dirty_COW)";

this should work on the PlayStation Certified devices,
but it may come in handy for other old Android devices too;

Tested on :

```
Xperia Play (Android 2.3; Kernel 2.6.32.9)
Xperia S (Android 4.1.2; Kernel 3.4.0+1.0.21100-313065)
Sony Tablet P (Android 3.2; Kernel 2.6.36.3)
```

you may need the adb drivers for your device; in the case of Sony's, they are at:
https://developer.sony.com/open-source/aosp-on-xperia-open-devices/downloads/drivers
you will also need USB Debugging enabled;

CVE-2016-5195 lets you overwrite any file that you have read access to, regardless of whether you have write permission on it;
we use this to temporarily overwrite /system/bin/run-as, which always runs as root, in order to install su;
for this reason it's recommended not to close the application and to ensure a good connection to ADB;

[LiveOverflow did a video on this particular vulnerability](https://www.youtube.com/watch?v=kEsshExn7aE)

the reason this can't be its own standalone app is that /system/bin/run-as is the only SUID binary present in older Android versions,
and it's only readable and executable by the 'shell' user, not from within apps; meaning you have to trigger it from ADB Shell.

NOTE: the exploit relies on a race condition; please give it a few minutes to run

![PSS Root Success Output](https://silica.codes/Li/PSSRoot/raw/branch/main/PSSRootExploit.png)
File snapshot

```
[4.0K] /data/pocs/d1730d0081411e52b0cee119717fa34a67dea6d6
├── [ 10K] AdbHelper.cs
├── [5.5K] CmdHelper.cs
├── [1.5K] Constants.cs
├── [4.2K] icon.ico
├── [2.7K] LICENSE
├── [1.6K] Log.cs
├── [4.0K] native_c
│   ├── [ 364] Android.mk
│   ├── [ 735] dcow.c
│   ├── [7.8K] dirtycow.c
│   ├── [ 232] Makefile
│   ├── [2.3K] README.md
│   └── [ 254] run-as.c
├── [5.8K] Program.cs
├── [4.0K] Properties
│   └── [4.0K] PublishProfiles
│       ├── [ 579] Linux64.pubxml
│       ├── [ 577] MacOS64.pubxml
│       ├── [ 581] MacOSArm64.pubxml
│       └── [ 579] Windows32.pubxml
├── [4.2K] PSSRoot.csproj
├── [ 90K] PSSRootExploit.png
├── [2.7K] PSSRoot.sln
├── [1.4K] README.md
└── [4.0K] Resources
    ├── [3.3K] AdbLinux.Designer.cs
    ├── [6.1K] AdbLinux.resx
    ├── [3.3K] AdbMac.Designer.cs
    ├── [6.1K] AdbMac.resx
    ├── [3.7K] AdbWin.Designer.cs
    ├── [6.4K] AdbWin.resx
    ├── [4.0K] android
    │   ├── [1.1M] busybox
    │   ├── [8.3K] exploit
    │   ├── [1.9K] payload
    │   ├── [6.3M] ssu.apk
    │   └── [ 74K] su
    ├── [4.0K] linux
    │   ├── [7.6M] adb
    │   └── [1.4M] libc++.so
    ├── [4.0K] mac
    │   ├── [ 13M] adb
    │   └── [2.4M] libc++.dylib
    ├── [4.3K] RootResources.Designer.cs
    ├── [6.8K] RootResources.resx
    └── [4.0K] windows
        ├── [5.7M] adb.exe
        ├── [106K] AdbWinApi.dll
        └── [ 72K] AdbWinUsbApi.dll

8 directories, 41 files
```