Related vulnerability
Title:
Linux kernel race condition vulnerability
(CVE-2016-5195)
Description: The Linux kernel is the kernel used by Linux, the open-source operating system of the Linux Foundation (USA). A race condition vulnerability exists in the mm/gup.c file of Linux kernel 2.x and 4.x versions before 4.8.3; it stems from the program not correctly handling writes through the copy-on-write (COW) feature to read-only memory mappings. A local attacker could exploit this vulnerability to gain privileges.
Description
One-Click-Root program based on CVE-2016-5195, that works on the old 'PlayStation Certified' android devices
Introduction
One-Click-Root program based on CVE-2016-5195, or "[DirtyCOW](https://en.wikipedia.org/wiki/Dirty_COW)";
this should work with the PlayStation Certified devices,
but it may come in handy for other old Android devices too.
Tested on:
```
Xperia Play (Android 2.3; Kernel 2.6.32.9)
Xperia S (Android 4.1.2; Kernel 3.4.0+1.0.21100-313065)
Sony Tablet P (Android 3.2; Kernel 2.6.36.3)
```
You may need the ADB drivers for your device; in the case of Sony's, they are at:
https://developer.sony.com/open-source/aosp-on-xperia-open-devices/downloads/drivers
You will also need USB Debugging enabled.
CVE-2016-5195 lets you overwrite any file that you have read access to, regardless of whether it has write permission;
we use this to temporarily overwrite /system/bin/run-as, which always runs as root, to then install su.
For this reason it is recommended not to close the application and to ensure a good connection to ADB.
[LiveOverflow did a video on this particular vulnerability](https://www.youtube.com/watch?v=kEsshExn7aE)
The reason this can't be its own standalone app is that /system/bin/run-as is the only SUID binary present in older Android versions,
and it's only readable and executable from the 'shell' user, not from within apps; meaning you have to trigger it from the ADB shell.
NOTE: The exploit relies on a race condition; please give it a few minutes to run.

File snapshot
```
[4.0K] /data/pocs/d1730d0081411e52b0cee119717fa34a67dea6d6
├── [ 10K] AdbHelper.cs
├── [5.5K] CmdHelper.cs
├── [1.5K] Constants.cs
├── [4.2K] icon.ico
├── [2.7K] LICENSE
├── [1.6K] Log.cs
├── [4.0K] native_c
│   ├── [ 364] Android.mk
│   ├── [ 735] dcow.c
│   ├── [7.8K] dirtycow.c
│   ├── [ 232] Makefile
│   ├── [2.3K] README.md
│   └── [ 254] run-as.c
├── [5.8K] Program.cs
├── [4.0K] Properties
│   └── [4.0K] PublishProfiles
│       ├── [ 579] Linux64.pubxml
│       ├── [ 577] MacOS64.pubxml
│       ├── [ 581] MacOSArm64.pubxml
│       └── [ 579] Windows32.pubxml
├── [4.2K] PSSRoot.csproj
├── [ 90K] PSSRootExploit.png
├── [2.7K] PSSRoot.sln
├── [1.4K] README.md
└── [4.0K] Resources
    ├── [3.3K] AdbLinux.Designer.cs
    ├── [6.1K] AdbLinux.resx
    ├── [3.3K] AdbMac.Designer.cs
    ├── [6.1K] AdbMac.resx
    ├── [3.7K] AdbWin.Designer.cs
    ├── [6.4K] AdbWin.resx
    ├── [4.0K] android
    │   ├── [1.1M] busybox
    │   ├── [8.3K] exploit
    │   ├── [1.9K] payload
    │   ├── [6.3M] ssu.apk
    │   └── [ 74K] su
    ├── [4.0K] linux
    │   ├── [7.6M] adb
    │   └── [1.4M] libc++.so
    ├── [4.0K] mac
    │   ├── [ 13M] adb
    │   └── [2.4M] libc++.dylib
    ├── [4.3K] RootResources.Designer.cs
    ├── [6.8K] RootResources.resx
    └── [4.0K] windows
        ├── [5.7M] adb.exe
        ├── [106K] AdbWinApi.dll
        └── [ 72K] AdbWinUsbApi.dll

8 directories, 41 files
```
Notes
1. It is recommended to access the PoC through its original source first.
2. If the source is no longer available or cannot be accessed, please send an email to f.jinxu#gmail.com to request the local snapshot (replace # with @).
3. 神龙 has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying for the local POC. Thank you for your support.