
CVE-2016-5195 PoC — Linux kernel race condition vulnerability

Associated Vulnerability
Title: Linux kernel race condition vulnerability (CVE-2016-5195)
Description: The Linux kernel is the kernel used by Linux, the open-source operating system of the Linux Foundation (USA). A race condition vulnerability exists in the mm/gup.c file of Linux kernel 2.x through 4.x versions before 4.8.3; it arises because the kernel does not correctly handle copy-on-write (COW) writes to read-only memory mappings. A local attacker can exploit this vulnerability to gain privileges.
Description
One-Click-Root program based on CVE-2016-5195 that works on the old 'PlayStation Certified' Android devices
Readme
One-Click-Root program based on CVE-2016-5195 or "[DirtyCOW](https://en.wikipedia.org/wiki/Dirty_COW)";

this should work with the PlayStation Certified devices,
but it may come in handy for other old Android devices too;

Tested on :

```
Xperia Play (Android 2.3; Kernel 2.6.32.9)
Xperia S (Android 4.1.2; Kernel 3.4.0+1.0.21100-313065)
Sony Tablet P (Android 3.2; Kernel 2.6.36.3)
```

you may need the adb drivers for your device; in the case of Sony's devices they are at:
https://developer.sony.com/open-source/aosp-on-xperia-open-devices/downloads/drivers
you will also need USB Debugging enabled;

CVE-2016-5195 lets you overwrite any file that you have read access to, regardless of whether you have write permission on it;
we use this to temporarily overwrite /system/bin/run-as, which always runs as root, and then install su;
for this reason it's recommended not to close the application and to ensure a stable connection to ADB;

[LiveOverflow did a video on this particular vulnerability](https://www.youtube.com/watch?v=kEsshExn7aE)

the reason this can't be a standalone app is that /system/bin/run-as is the only SUID binary present in older Android versions,
and it's only readable and executable by the 'shell' user, not from within apps; meaning you have to trigger it from an ADB shell.

NOTE: the exploit relies on a race condition; please allow it a few minutes to run

![PSS Root Success Output](https://silica.codes/Li/PSSRoot/raw/branch/main/PSSRootExploit.png)
File Snapshot

```
[4.0K] /data/pocs/d1730d0081411e52b0cee119717fa34a67dea6d6
├── [ 10K] AdbHelper.cs
├── [5.5K] CmdHelper.cs
├── [1.5K] Constants.cs
├── [4.2K] icon.ico
├── [2.7K] LICENSE
├── [1.6K] Log.cs
├── [4.0K] native_c
│   ├── [ 364] Android.mk
│   ├── [ 735] dcow.c
│   ├── [7.8K] dirtycow.c
│   ├── [ 232] Makefile
│   ├── [2.3K] README.md
│   └── [ 254] run-as.c
├── [5.8K] Program.cs
├── [4.0K] Properties
│   └── [4.0K] PublishProfiles
│       ├── [ 579] Linux64.pubxml
│       ├── [ 577] MacOS64.pubxml
│       ├── [ 581] MacOSArm64.pubxml
│       └── [ 579] Windows32.pubxml
├── [4.2K] PSSRoot.csproj
├── [ 90K] PSSRootExploit.png
├── [2.7K] PSSRoot.sln
├── [1.4K] README.md
└── [4.0K] Resources
    ├── [3.3K] AdbLinux.Designer.cs
    ├── [6.1K] AdbLinux.resx
    ├── [3.3K] AdbMac.Designer.cs
    ├── [6.1K] AdbMac.resx
    ├── [3.7K] AdbWin.Designer.cs
    ├── [6.4K] AdbWin.resx
    ├── [4.0K] android
    │   ├── [1.1M] busybox
    │   ├── [8.3K] exploit
    │   ├── [1.9K] payload
    │   ├── [6.3M] ssu.apk
    │   └── [ 74K] su
    ├── [4.0K] linux
    │   ├── [7.6M] adb
    │   └── [1.4M] libc++.so
    ├── [4.0K] mac
    │   ├── [ 13M] adb
    │   └── [2.4M] libc++.dylib
    ├── [4.3K] RootResources.Designer.cs
    ├── [6.8K] RootResources.resx
    └── [4.0K] windows
        ├── [5.7M] adb.exe
        ├── [106K] AdbWinApi.dll
        └── [ 72K] AdbWinUsbApi.dll

8 directories, 41 files
```