Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

GT-I9195 JDQ39.I9195XXUAMF5: getuid()==0 but execl fails #27

Open
lindi2 opened this issue Jun 3, 2014 · 4 comments
Open

GT-I9195 JDQ39.I9195XXUAMF5: getuid()==0 but execl fails #27

lindi2 opened this issue Jun 3, 2014 · 4 comments

Comments

@lindi2
Copy link

lindi2 commented Jun 3, 2014

Hi,

on GT-I9195 JDQ39.I9195XXUAMF5 the getuid() call returns 0 but system and execl fail (perror("execl") says "Permission denied"). Any idea what causes this?

I can get execl to work using the following workaround:

diff --git a/main.c b/main.c
index 60f5cc0..9156268 100644
--- a/main.c
+++ b/main.c
@@ -202,7 +202,9 @@ main(int argc, char **argv)
   if (command == NULL) {
     system("/system/bin/sh");
   } else {
-    execl("/system/bin/sh", "/system/bin/sh", "-c", command, NULL);
+    if (fork() == 0) {
+      execl("/system/bin/sh", "/system/bin/sh", "-c", command, NULL);
+    }
   }

   exit(EXIT_SUCCESS);

1|shell@android:/data/local/tmp $ ./run_root_shell -c id                       


Device detected: GT-I9195 (JDQ39.I9195XXUAMF5)

Attempt acdb exploit...
GT-I9195 (JDQ39.I9195XXUAMF5) is not supported.

Attempt fj_hdcp exploit...

Attempt msm_cameraconfig exploit...
Detected kernel physical address at 0x80208000 form iomem

Attempt put_user exploit...
shell@android:/data/local/tmp $ uid=0(root) gid=0(root) context=u:r:kernel:s0

shell@android:/data/local/tmp $
@fi01
Copy link
Member

fi01 commented Jun 3, 2014

It seems that some syscalls such as exec are restricted by Samsung's special kernel. Please check kernel source code related symbol SEC*.

@lindi2
Copy link
Author

lindi2 commented Jun 4, 2014

Thanks for the pointer! It seems that the fork() call causes the execve() to work because the process is now a child of the init process and that case is explicitly allowed in the Samsung patch:

        /* 1. Allowed case - init process. */
        if (current->pid == 1 || parent_tsk->pid == 1)
                goto out;

I'd like to run Debian in a chroot. I think I need to disable these restrictions before normal binaries like "su" can work in the chroot. Can't we just replace sec_restrict_fork and sec_restrict_uid with stubs that always return 0?

@hiikezoe
Copy link
Member

hiikezoe commented Jun 4, 2014

Yes sure.
I actually had a plan to implement such feature in this repository by a plugin system last year. But not done yet.
The plugin system has been already in public though.
https://github.com/hiikezoe/mole_plough_plugins

@lindi2
Copy link
Author

lindi2 commented Jun 6, 2014

Great. Would it make sense to modify get_essential_address to dump all symbols? It would certainly make it easier to debug memory dumps that I got from /dev/mem. Also, it seems that Samsung does some kernel memory verification. I got "detected an application attempting unpermitted actions" popup after some time when I neutralized sec_restrict_uid and sec_restrict_fork.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@hiikezoe @lindi2 @fi01