Monday, November 28, 2016

Porting iovyroot to Samsung Galaxy S5


I somehow got a Samsung S5 at hand, with ROM version G9006VZNU1BOJ4. The vulnerability that iovyroot targets is not fixed in it, so there is a chance to exploit it with iovyroot. However, there is no S5 entry in the offsets.c file. So, time to get my hands dirty again.

About iovyroot: it is an open-source exploit for CVE-2015-1805. I've also written a writeup about it in one of my previous posts. (Sorry for the Chinese :P)

Playing by the book first, I filled in the offsets struct for my phone. The header file offsets.h and getroot.c carry comprehensive comments that walk through each field.

My version of offsets struct looks like this:


However, simply running this code didn't end up well. As also reported in the iovyroot issues, the S5 has trouble jumping back to the userland exploit code because of PXN (even though it has a 32-bit processor), so JOP gadgets are required.

My JOP gadgets and preparejop() ended up like this:

jop_1 is the address written over the check_flags function pointer. jop_2 leaks the stack register and then jumps back into the fcntl syscall routine.

Everything is ready now; time to fire it up. One weird thing: system() doesn't work any more after rooting. I tried to spawn /system/bin/sh but nothing happened. However, after I replaced the system() call with a read of the privileged file 'init.rc', it worked flawlessly! So, work's done!

7 comments:

  1. Been reading your article, what approach did you use to get CHECK_FLAGS_OFFSET?

    Replies
    1. First got the ptmx_fops address, then the check_flags offset by reversing the fcntl syscall

  2. Hi, does your device have Knox? My Galaxy S5 (Android 5.0) has Knox 2.3, TIMA 3.0. I found some gadgets to adapt iovyroot, then successfully patched addr_limit and disabled SELinux by patching the selinux_enabled and selinux_enforcing addresses. However, I can't patch cred. The cred structure should not be protected according to the [source code](https://github.com/exynosS5/android_kernel_samsung_exynos5422), so weird……

    Replies
    1. Nope... my device doesn't have KNOX RKP. So... I haven't tested this, but have you tried this?
      https://media.wix.com/ugd/4e84e6_668d564cc447434a9a8fda3c13a63f6a.pdf

  3. This comment has been removed by the author.

  4. Hello, HighW4y2H3ll!

    I have a similar device on a 32-bit arch (armv7l, armeabi-v7a) with PXN enabled. It's the Docomo Fujitsu Arrows NX F-01F (Android 4.4.2, build # V10R22A). Now I'm trying to adapt iovyroot to gain root privileges. I'd like to ask about it...
    1) Could I look at your modified code somehow? I can't find it on GitHub or anywhere else.
    2) Are these changes you've made to the original sources the only ones, or are there others? I mean, the original iovyroot checks whether a 32- or 64-bit platform is used, and if it's on x32 then it doesn't use jopret / joploc.
    3) Does void *e correspond to void* jopret? Why is it not used in the function later?
    4) Why is jop_1 not used in the function? It seems to be a global, so where is it used then?

    I could send you my kernel dump and kallsyms, if you don't mind. I also have some difficulties finding selinux_enforcing, but I hope to figure it out.

    Thanks in advance.

    Replies
    1. Here are my kernel and kallsyms: https://github.com/dosomder/iovyroot/issues/48