Wednesday, June 29, 2016

Exploiting Futex Bug (a.k.a TowelRoot)


These three blogs from nativeflow is very helpful in learning the futex bug, but details in how to exploit is not mentioned.
http://blog.nativeflow.com/the-futex-vulnerability
http://blog.nativeflow.com/escalating-futex
http://blog.nativeflow.com/pwning-the-kernel-root

My code here at github tries to fill this blank. I wrote detailed comments in the code, so it should be quite self-explanatory.  There are also scripts I used to run the emulator, and build the code. I also attached my debugging script. I think this should be helpful to anyone learning this futex bug. My exploit stopped at the full kernel r/w to keep the code clean. To further exploit and gain root should be very easy ( since we already get full kernel r/w ).

I do exactly what these blogs said on environment setup, but there are some discrepancy. When I sendmmsg to override the rt_mutex_waiter struct, it is the iovstack[6] and iovstack[7] override the plist_node struct of the rt_mutex_waiter. So, some tricks should be used to bypass the checks related to the iovstack. Comments in the code should explain this well.

Again, you can check my code at : https://github.com/HighW4y2H3ll/exploitingFutex

2 comments:

  1. A very awesome blog post. We are really grateful for your blog post. You will find a lot of approaches after visiting your post. towelroot

    ReplyDelete
  2. The original website went down, so I edited all the post and uploaded to github-io (with new graphics!):
    https://appdome.github.io/2017/11/23/towelroot.html

    ReplyDelete