[Development] Stack Clash EoP Exploit -- Android Edition??? - Android Software/Hacking General [Developers Only]

I'm just gonna leave this here.
A few days ago, the source for the EoP (escalation of privilege) exploit, codenamed "Stack Clash," was released. If you don't already know, this exploit has the ability to elevate the user running the code to an administrator without any authentication. Now, this is bad for general Linux users, but for Android users with a locked bootloader and/or no way of rooting their device, this is actually pretty good.
There's only one problem: the security firm who released the code said that they haven't tested the code on Android devices, and, therefore, don't know if it works on the OS or not.
I have been trying to get the exploit to work on my OnePlus 3 phone, but with no luck. Here's what I have done so far, which you can see posted in the attachment below:
Ported the x86_64 setuid(0)/setgid(0)/execve() shellcode to aarch64/arm64 (la.c)
Changed the settings a bit to point to the /system partition
Created an Android 7.1.1 target for my OnePlus 3
This code does have a couple problems, however. First, the code utilizes the library ld.so for its exploit. Problem is, Android does not have this file, but instead has an executable called "linker" in /system/bin. And second, I'm not sure if I got the vDSO vvar right (can somebody check that?). I am somewhat of a newbie when it comes to this stuff, but I've been getting better!
If anyone wants to pick this up or help out, be my guest. Just keep in mind that it eventually may not work the way we want it to. I'm also not saying this is the new Dirty-COW as of now, but if we work on it some, maybe it'll get close.
I'm going to sleep now. Been working on this way too long. See y'all in the morning.

Have you reached out to @jcadunno? He was the founding author of the dirty cow exploit

rickberg said:
Have you reached out to @jcadunno? He was the founding author of the dirty cow exploit
False. He made recowvery but did not find the dirty cow exploit used in it.
but then again not even sure if this vuln exists in Android
by the way you should read up on https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt
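Whether a given kernel carries the mitigation the Qualys advisory above describes (the stack guard gap, enlarged from one page to stack_guard_gap = 256 pages by default, Linux 4.12 and the stable backports) can be checked without any exploit code. The C program below is an added example, not code from this thread or from Qualys. It parses a /proc/<pid>/maps dump to report how far the nearest mapping sits below [stack] (two constructed excerpts with invented addresses are embedded so it runs offline), and it asks the running kernel directly by hinting an mmap() one page under the main thread's stack, a placement that a kernel enforcing the gap refuses and an unpatched kernel honours. It assumes a Linux /proc layout, looks only at the main thread's stack, and is meant to be built with the NDK and run from adb shell or Termux.

```c
/* Added example, not code from the original thread: the Stack Clash fix
 * (CVE-2017-1000364) enlarged the kernel's stack guard gap from one page to
 * stack_guard_gap (256 pages, 1 MiB, by default). This checks for that gap
 * both in a maps dump and against the live kernel. The maps excerpts are
 * constructed for this example and their addresses are invented. */
#define _GNU_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Constructed dumps: a mapping adjacent to [stack], and a 1 MiB gap. */
const char *const maps_unpatched_sample =
    "7ffd0e5a5000-7ffd0e6a4000 rw-p 00000000 00:00 0 \n"
    "7ffd0e6a5000-7ffd0e6c6000 rw-p 00000000 00:00 0        [stack]\n"
    "7ffd0e7ca000-7ffd0e7cd000 r--p 00000000 00:00 0        [vvar]\n"
    "7ffd0e7cd000-7ffd0e7cf000 r-xp 00000000 00:00 0        [vdso]\n";
const char *const maps_patched_sample =
    "7ffd0e4a5000-7ffd0e5a5000 rw-p 00000000 00:00 0 \n"
    "7ffd0e6a5000-7ffd0e6c6000 rw-p 00000000 00:00 0        [stack]\n"
    "7ffd0e7ca000-7ffd0e7cd000 r--p 00000000 00:00 0        [vvar]\n";

/* Copy the line at p into buf (newline stripped); return the next line or NULL. */
static const char *next_line(const char *p, char *buf, size_t bufsz)
{
    if (p == NULL || *p == '\0') return NULL;
    const char *nl = strchr(p, '\n');
    size_t len = nl ? (size_t)(nl - p) : strlen(p);
    if (len >= bufsz) len = bufsz - 1;
    memcpy(buf, p, len);
    buf[len] = '\0';
    return nl ? nl + 1 : p + strlen(p);
}

/* Parse "start-end perms offset dev inode [path]"; path may be empty. */
static int parse_maps_line(const char *line, uintptr_t *start, uintptr_t *end,
                           char *path, size_t pathlen)
{
    unsigned long long s, e, off;
    unsigned long ino;
    char perms[8], dev[16];
    int n = -1;
    if (sscanf(line, "%llx-%llx %7s %llx %15s %lu %n",
               &s, &e, perms, &off, dev, &ino, &n) < 6 || n < 0)
        return 0;
    *start = (uintptr_t)s;
    *end = (uintptr_t)e;
    snprintf(path, pathlen, "%s", line + n);
    return 1;
}

/* Start address of the [stack] mapping in a maps dump, or 0 if absent. */
uintptr_t find_stack_start(const char *maps)
{
    char line[512], path[256];
    uintptr_t s, e;
    while ((maps = next_line(maps, line, sizeof line)) != NULL)
        if (parse_maps_line(line, &s, &e, path, sizeof path) &&
            strcmp(path, "[stack]") == 0)
            return s;
    return 0;
}

/* Bytes between the highest mapping below [stack] and the start of [stack];
 * a patched kernel keeps this >= stack_guard_gap. 0 if [stack] is absent. */
uintptr_t stack_guard_gap_bytes(const char *maps)
{
    char line[512], path[256];
    uintptr_t s, e, best_end = 0, stack_start = find_stack_start(maps);
    if (!stack_start) return 0;
    while ((maps = next_line(maps, line, sizeof line)) != NULL)
        if (parse_maps_line(line, &s, &e, path, sizeof path) &&
            e <= stack_start && e > best_end)
            best_end = e;
    return best_end ? stack_start - best_end : 0;
}

/* Live check: hint (no MAP_FIXED) a one-page mapping directly under [stack].
 * 1 = hint honoured (no guard gap, the layout Stack Clash needs),
 * 0 = kernel moved it (gap enforced), -1 = could not test. */
int probe_stack_gap(void)
{
    static char buf[1 << 18];           /* the maps of this small process fit */
    FILE *f = fopen("/proc/self/maps", "r");
    size_t n = f ? fread(buf, 1, sizeof buf - 1, f) : 0;
    long page = sysconf(_SC_PAGESIZE);
    if (f) fclose(f);
    buf[n] = '\0';
    uintptr_t stack_start = find_stack_start(buf);
    if (page <= 0 || stack_start == 0) return -1;
    void *hint = (void *)(stack_start - (uintptr_t)page);
    void *got = mmap(hint, (size_t)page, PROT_READ | PROT_WRITE,
                     MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (got == MAP_FAILED) return -1;
    int honoured = (got == hint);
    munmap(got, (size_t)page);
    return honoured;
}

int main(void)
{
    int r = probe_stack_gap();
    printf("constructed dumps: %lu and %lu bytes free below [stack]\n",
           (unsigned long)stack_guard_gap_bytes(maps_unpatched_sample),
           (unsigned long)stack_guard_gap_bytes(maps_patched_sample));
    printf("this kernel: mmap hint under the stack was %s\n",
           r == 1 ? "honoured (no guard gap)" : r == 0 ? "refused (gap enforced)"
                                                        : "not testable");
    return 0;
}
```

A live result of 1 means the kernel let a mapping sit directly under the stack, which is the layout Stack Clash depends on; 0 means the gap is enforced. A 0 only says the kernel side is patched: the advisory's own point is that a large enough stack frame can still jump the gap, so it says nothing about whether a particular setuid binary or the linker on a given ROM is exploitable.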

V0idst4r said:
False. He made recowvery but did not find the dirty cow exploit used in it.
but then again not even sure if stack clash exists in Android
Right, he was the founder of using the exploit to gain root on the device. I apologize, I wasn't technically correct.

This might be better suited for the security board

I've been working with a few script programs as well, that may or may not use said exploit. I don't have links available, but google: LARE Exploit. I'm on an Amazon Fire HD 8 and I can pretty much get what I need using Termux, but it's a real pain figuring out what I need to compile through Termux to get LARE at least responsive.
I'm not sure if I was partially successful or if cooking around with trying to disable and break Amazon apps worked, but I ended up at a factory reset again. But all apps, system included, were wiped to 0.00. If I went into all info, every number for data, scars and etc. was 0.00. And it showed. I had only been using about 2.2 gigs of space after this, prior to reset. So nonetheless I've been able to wipe the data of every app in system and user, WITHOUT root, but I couldn't tell you how and I don't know if I'd be able to repeat it. There's not a lot of info on the web on why this happened. I got lucky. Most people suffered irreparable damage to internal storage. In their cases they also had 0.00, but their internal storage was actually maxed out. I actually managed to delete mine.

Related

[MOD] Replace your splash screen

Wasn't finding information directly in regards to any successful attempts to mod the splash screen other than a few whispers of success here and there.
When I found a method and found it successful... I figured I'd just post up a new thread to point anyone else wondering in the right direction =)
Just used this method w/ my Doubleshot, and it worked perfectly =)
http://forum.xda-developers.com/showthread.php?t=834267
Didn't feel like spending all night working on the perfect, cleanest splashscreen but I threw one together real quick. Not flawless or as clean as others I've seen on here, but I like it =)
Which method did you use? That location doesn't show up when I look in Root Explorer.
IBtokin said:
Which method did you use? That location doesn't show up when I look in Root Explorer.
You'll have to fastboot flash the image as our partition setup is different.
Thanks for posting this. Haven't had the time to look into it yet, but the way-too-bright splash screen has been bugging me, and I can't wait to find a free hour to play with this.
I got tunnel vision working on one thing I couldn't get to work, and kinda put everything else on hold - way to toss me something to get started back up with!
This is way easier.
This is pretty much newb-proof, to be honest. Check here --> http://forum.xda-developers.com/showthread.php?t=956434
hackulous said:
This is pretty much newb-proof, to be honest. Check here --> http://forum.xda-developers.com/showthread.php?t=956434
So this is what I ended up using to do this.
It literally took 3 minutes, including making the new graphic in photoshop.
Take the time to read through the OP and second posting for the tool, and it's a breeze.
Awesome! Thanks for this.
Here is mine.
That's pretty cool!
I was definitely seduced into this by the metroid teaser above, but i've got a soft spot for the little android guy - that's a fun picture and would make me smile every time I rebooted.
I think UndeadK9 should add it to his rom.
Techlvr said:
I think UndeadK9 should add it to his rom.
It's not something you can add to a ROM. You're better off just using a Linux distro and ffmpeg to convert the png file.
which is the partition containing the splash?
Self answer: mmcblk0p14
can someone post the stock mt4gs image? Specifically for warranty exchanges. Would be nice to keep it safe up here.
I haven't flashed a new one on my device specifically for this reason. If this can be extracted from a device, i'd be happy to pull it from mine if someone can tell me how
nicholasb said:
can someone post the stock mt4gs image? Specifically for warranty exchanges. Would be nice to keep it safe up here.
I haven't flashed a new one on my device specifically for this reason. If this can be extracted from a device, i'd be happy to pull it from mine if someone can tell me how
If you flashed over using the method I quoted, without making a backup, then you lost yours.
Here is the image the program made of mine before I changed it. If you didn't go to the thread I quoted previously in this one, go there and get that program, then you should be able to use this backup image.
eck, okay - the image is 16 megs. How can I get it to you? PM me an email and i'll try and send it that way. Otherwise suggest a method of getting it to you.
I don't want to zip it in any fashion, don't want to risk messing up the file.
I have to leave for work in an hour - so if you don't get back to me by then it'll have to wait until tomorrow when I get home, probably be able to send it this time tomorrow.
I'll check this thread before I walk out the door today.
Gonna give this a go when I get home.
Sent from my SGH-I997 using XDA Premium App
To back up:
Code:
dd if=/dev/block/mmcblk0p14 of=/sdcard/original-image.img

[WIP] ElMod *NOT WORKING* *Lots of Pictures*

This is the project thread for my own ROM that I'm going to work on. The idea is a completely TouchWiz-free ROM. Feel free to follow and try at your own risk blahblahblah you know the rules.
I'm doing this from a completely new install of Win7. Post 2 will be progress step-by-step so that I can remember what I've done in order to retrace my steps
Currently reading http://forum.xda-developers.com/showthread.php?t=1390903
Doing Nandroid backup.
Nandroid backup completed, moving entire contents of phone over to a folder on desktop.
Reading http://hotfile.com/dl/123907924/6ebd9fd/Dsixda_Kitchen_Install_Picture_Tutor.zip.html and installing CygWin according to this.
Downloading CygWin from here: http://www.mediafire.com/?cu9acc9pcjl3bwh
Installing Adobe CS5.5 in order to be able to read .pdf's.
Installing Cygwin and waiting on CS5.5 to install. Adobe=bloooooooat.
Chain-puffing from a vaporizer that I got from some friends. If you find any of this helpful and would like to quit smoking, please support them at http://www.naturevaper.com/
CS5.5 is installed and cracked. **** you, Adobe. Cygwin has been installed.
Extracted kitchen to c:\cygwin\kitchen
Installing Root Explorer. It's $3.99 and worth it.
Installing Samsung drivers from here: http://hotfile.com/dl/141326918/ca68c7d/Samsung_USB_Driver_for_Mobile_Phones_v1_3_2200_0.exe.html
Device name is SGH-I727. There's already an entry for it in the kitchen.
Currently looking into ROMs for the SGH-T989. Might be a good base.
Reading http://forum.xda-developers.com/showthread.php?t=1595229&highlight=t989+aosp+rom
Realized that all development for the T989 is based upon the ATT ICS leak.
Downloading ICS leak from here: http://forum.xda-developers.com/showthread.php?t=1570498
ICS leak downloaded, moved to c:\cygwin\kitchen\original_update\I727-ATT-UCLA4-ICS-stock-Rooted.zip
Opened kitchen, entered ./menu, was given an error. Time to go back to reading.
Moved c:\cygwin\kitchen to c:\cygwin\home\JCE513\kitchen
Converted from Edify to Amend
Added Bash
Built ROM, zipaligned.
Moved ROM to SD card.
Rebooted to CWM
wipe data/factory reset 3x
wipe cache 3x
wipe dalvik 3x
Flashing *fingers crossed*
IT BOOTS!
Concentration SHATTERED by misreading a situation. Remember kids, don't only look before you leap, but also apologize when you end up landing on somebody's toes.
Installing Linux in VMWare. Apparently the kitchen isn't going to cut it.
Restored Nandroid backup.
I'll just hold on to this spot right here.
Sent from my SAMSUNG-SGH-I727 using XDA
Probably should have started this thread in the general section until you had a full booting ROM ready, just saying, since you might have people flaming you for this... Anyways, good luck with it and I hope it all works out. Would be nice to have a TouchWiz-free ROM like the T-Mobile variant does.
If it needs to get moved, it gets moved. I'm just keeping this here to organize my thoughts.
Haha, this should be moved. Good luck on your ROM man!
Sent from my SAMSUNG-SGH-I727 using Tapatalk 2
Good luck on this.
Sent from my SAMSUNG-SGH-I727 using xda premium
If you do this with no source, that will be very, very impressive.
You should probably read the threads of the AOSP builds currently underway.
And building AOSP with no source in the Android kitchen ain't happening. Just to warn you before you get too ticked off with an attempt.
But good luck. And remember, lol, walk away when it makes you angry, lol, and it will.
silver03wrx said:
If you do this with no source, that will be very, very impressive.
Do we have an ETA for source or are we going to have to wait for ATT to push ICS?
Edit: I can read, I swear. Trying to go off of this thread, now: http://forum.xda-developers.com/showthread.php?t=1484408
OK, simply, XDA doesn't do "coming soon" or WIP threads. Development is just for that: active development. And to be honest, if you have to ask about needing the source then you may want to do a lot more research. Making a custom ROM is a lot more than using the Android kitchen. ROMs made with the Android kitchen are not even development ROMs.
Thread closed

AT&T SGH-I337 MK2 to 4.4.2(?) OTA Push Files

Hey there. I received the presumably 4.4.2 OTA push today. The AT&T S4 (SGH-I337 w/ MK2 installed) I am working on has its knox flag tripped, but I did save the fota download that was pushed
I'm not gonna blow smoke - I have no idea how to make use of this, other than I know that it is the 416MB OTA push that was sent. After copying it off to my host PC, I tried to let it install and it borked at 29%, presumably due to Knox being tripped on this device.
Here is the link to the files in the fota directory on /cache that presumably contains the 4.4.2 OTA update from AT&T: https://dl.dropboxusercontent.com/u/13837515/AT&T S4 MK2 to 4.4.2 fota.7z
Hope this helps the community. Good luck. Enjoy.
-t
That fota .cfg file looks to be an archive. Opening it with 7-zip's archive manager yields the following. Drilling down into the hierarchy leaves me wishing I knew more about Linux, and Android specifically...
If this is a mystery, you are probably new to Android. This is a very standard package layout, with a folder to describe the contents, the images of basic parts of the update (probably binary) and some ancillary scripts to make the thing install correctly.
You can compare with the layout of an apk (when you unzip it)
Sent from my SAMSUNG-SGH-I337 using Tapatalk
dkephart said:
If this is a mystery, you are probably new to Android.
Yep, no argument there. I am a hack scripter only familiar with stuffs in the Win32 domain. As it relates to Android, I know just enough to be dangerous, really dangerous...
The intent of providing the OTA files was really to provide something that might possibly be of use to those dev'g custom ROMs, or could possibly help with the whole effin locked bootloader BS that AT&T has (wrongfully imo) imputed onto their customers who purchased phones from them (vs. leasing the devices, which would be a scenario that is less offensive, I feel (AT&T locking down devices that they retained ownership of, that is)).
The post with the image was merely drawing reference to the fact that the .cfg file contains presumably useful content even though it was named with an extension that is (given my historical context) improbable to contain anything of value.
Thanks for the pointers, however. One is never too old to learn something new. Have a good one.
-t
EDIT: And this is why I am glad I am not an AT&T customer. I've got the device only because I am fixing a busted display for the owner (son of a friend). /me loves his d2spr and the ability I have to do whatever I want with it (sans warranty coverage, obviously).
The OTA has already been mirrored by me last week, and discussed.
You can find it here. http://forum.xda-developers.com/showthread.php?t=2662315
This thread has a bunch of useful information as well.
http://forum.xda-developers.com/showthread.php?t=2663545
Maribou said:
The OTA has already been mirrored by me last week, and discussed.
Hey there, Maribou. Nice. Thanks for the pointers to those threads. :good:
Regarding mirroring the OTA, yeah, it never hurts to have more than one mirror.
Have a good one.
-t
Starting yesterday I noticed twice that my phone running MF3, safestrap and graviton has ended up shut off. Could this have something to do with this update?

[LG-H918] LG V20 Tmobile IMG files

Here is the link to the .IMG files here
I had to add the V10 as a device, but its for the V20.
This is the same stock TOT that was uploaded before by @meraz9000. I just extracted the files for those who were having issues like me. I hope this helps someone get root and other things working.
thanks to everyone who helped me get the files extracted.
If you like my work, feel free to donate and support my buddy
Or just hit the thanks button:victory:
Just to be clear, these files may not work. The stock TOT softbricks the device if you try and flash it, so it could be a problem with these files.
Honestly Annoying said:
Just to be clear, these files may not work. The stock TOT softbricks the device if you try and flash it, so it could be a problem with these files.
I was just using these for the system.img personally. I didn't know if these would help anyone else wanting to make something or help with root.
I'm a themer, I'm not looking to make a whole ROM myself. Way too much work, did that before and don't have time to do it again.
yes, do not flash anything here...these files are only for those that know what to do with them
Flashable or not, it's good to have a place to turn for convenient, clean copies of files (like /system/bin/applypatch) that may or may not have been overwritten sans backup by silly users like myself. Thanks!
cbucz24 said:
I was just using these for the system.img personally. I didn't know if these would help anyone else wanting to make something or help with root.
I'm a themer, I'm not looking to make a whole ROM myself. Way too much work, did that before and don't have time to do it again.
yes, do not flash anything here...these files are only for those that know what to do with them
Ah okay, just don't want anyone bricking anything. Good luck with the theming!
bezeek said:
Flashable or not, it's good to have a place to turn for convenient, clean copies of files (like /system/bin/applypatch) that may or may not have been overwritten sans backup by silly users like myself. Thanks!
dirtycow by itself does not replace files on the mmc! those files are entirely original still, they're only replaced in your active memory.
you can simply reboot and everything will be back to normal.
that being said, I did find a way to actually write to recovery partitions with dirtycow...
So how do we test?
jcadduono said:
dirtycow by itself does not replace files on the mmc! those files are entirely original still, they're only replaced in your active memory.
you can simply reboot and everything will be back to normal.
that being said, I did find a way to actually write to recovery partitions with dirtycow...
How would we test it
bambam126 said:
So how do we test?
How would we test it
He's still working on perfecting the method. Running into some issues still.

[XT1575] Moto X Pure US Nougat rollout beginning

OTA UPDATE ZIP AVAILABLE courtesy of @gokart2
Build: NPH25.200-22
https://forum.xda-developers.com/showpost.php?p=73958813&postcount=17
Just found this on Reddit.
https://dm.reddit.com/r/MotoX/comments/72ujed/our_prayers_have_been_answered_moto_x_pure_nougat/
Apparently it is happening, people are mentioning it in this thread as well...
https://forums.lenovo.com/t5/forums/v3_1/forumtopicpage/board-id/449/thread-id/15459/page/120
About time. Now the work to set my phone back to stock one last time.
GrandAdmiral said:
About time. Now the work to set my phone back to stock one last time.
I'm still waiting to see people reporting it on other carriers. I'm sure it's just a staged rollout.
Both of my Moto X Pure Editions received notification of the Android 7 update just after lunch today. I've updated my spare phone and have been making sure there are no issues. So far, so good. I'll let my main phone update later today.
I'm in Texas and my carrier is Ting (Sprint MVNO).
DC
GrandAdmiral said:
About time. Now the work to set my phone back to stock one last time.
Why, I feel like someone is bound to post a version of it that we can just flash via TWRP.
Not unless their bootloader is unlocked
Of course, and I just preordered my Moto G5S Plus.
What? It was $50 off and 5% off, I couldn't resist!
(now I just need to lower my unfortunately high standards for update timeliness)
The first person on stock that's rooted, when the notification comes, let it download, when it completes you'll get another notification asking to install. Do NOT. Go to /cache and the OTA zip will be there. Copy it immediately to your home folder or external sd and the upload it here ASAP!! We can all then upgrade without waiting if someone can upload the file.
Pulled SIM, rebooted, nothing. So far it looks like >80% in the Reddit thread report the same. With all we've been through, I'm not going to believe it until a lot more reports come in.
I received it today xt1575.
I got it 30 mins ago
Sent from my XT1575 using Tapatalk
With Sprint SIM as well? Seems to be mainly the ones getting it.
I'm seeing more and more posts of people getting it in various outlets. I can't believe not 1 single person has root... Please rooted folks, it'll take you all of 1 min to copy the file and upload it. I'm rooted and ready to extract, but no ota notification yet.
Just got it. downloading now. Will upload ASAP.
Think I found why, it's not in the normal location
Found it. Uploading
Is everybody on build number MPHS24.49-18-16 ?
https://drive.google.com/file/d/0B3gPYUZ4nRLwOHJKQnNYczNEMHc/view?usp=sharing
MD5: 74d1a4b135200661cc4efd248f99ce33
This is the OTA!!! I haven't even flashed it yet. Need to be stock everything.
gokart2 said:
https://drive.google.com/file/d/0B3gPYUZ4nRLwOHJKQnNYczNEMHc/view?usp=sharing
MD5: 74d1a4b135200661cc4efd248f99ce33
You rock! Removing systemless xposed & magisk, flashing the stock recovery and sideloading this friggen thing....FINALLY!
annoyingduck said:
You rock! Removing systemless xposed & magisk, flashing the stock recovery and sideloading this friggen thing....FINALLY!
Dude, no kidding! Been waiting years it seems like. And super amazed nobody leaked the soak tests. Whoever those assholes are! LOL.:good:
Hey, post that recovery will ya? Have everything on the device besides the stock recovery.....
gokart2 said:
https://drive.google.com/file/d/0B3gPYUZ4nRLwOHJKQnNYczNEMHc/view?usp=sharing
MD5: 74d1a4b135200661cc4efd248f99ce33
This is the OTA!!! I haven't even flashed it yet. Need to be stock everything.
Sweet. My wife was about to reformat her phone so now she will have a clean version of 7.0. Thanks!
