About the developer

chompie1337
s8_2019_2215_poc

PoC 2019-2215 exploit for S8/S8 active with DAC + SELinux + Knox/RKP bypass

Tested on S8/S8 active Snapdragon device running vulnerable Oreo firmware. Needs modification (see `kernel_defs.h`) to run on other vulnerable Samsung devices. Let me know if you do this and it works for you!

```text
usage: s8_poc [options]

  -s         | pop a privileged shell
  -p <path>  | path of sepolicy to inject. if none, default policy is created
  -r <path>  | remount rootfs as r/w and copy file at <path>, execute as root
```

Example usage:

```text
./s8_poc -s
```

You will be dropped into a shell with all DAC permissions (NOT USER ROOT). A new SEpolicy is injected to give some permissions I needed to debug + the ability to load a new SEPolicy. From what I can tell, permissive policies/contexts aren't honored on these devices, so you do need to add a custom SEPolicy for specific permissions. A tool like `sepolicy-inject` is perfect for this, and is easy to use. Find it here: https://github.com/xmikos/setools-android. See pictures below for example use. Alternatively, recompile the POC with the needed permissions added to the function `add_rules_to_sepolicy` in `poc/selinux_bypass.c`. You can do pretty much anything with this shell.

```text
./s8_poc -s -r <path>
```

Drops into a privileged shell, remounts rootfs as r/w, copies the file over, and executes the file at `<path>` as root, in the kernel SELinux context. Keep in mind, you WILL kernel panic if you try to execute anything out of the `/data/` partition as root. This is part of the "Real Kernel Protection" component of Samsung Knox. So if the ELF is a reverse shell type thing, and you choose to execute something out of `/data`, bad times will ensue. Stick to the privileged shell to execute out of `/data`, or copy what you need over to rootfs.

```text
./s8_poc -p <path>
```

Inject selinux policy at `<path>`. Note, you don't need to do this if you're already in a privileged shell using the default SELinux setting, as you will already have the permissions needed to do this. Just write your policy to `/sys/fs/selinux/load`, or use a tool like `sepolicy-inject` to create a policy with the permissions you need and load it.

Known issues:

The kallsyms code is kind of slow. If you run the exploit and it seems like it's hanging, just give it a second, as it is probably just searching for a symbol. In a small percentage of test cases, there is a failure in finding the kallsyms table. If that's the case, just reboot the phone and try again.

It's pretty safe to run this, as the worst that can happen is a kernel panic and your phone reboots. But if your phone catches fire, I am not responsible. Use this at your own risk.

The KNOX/RKP bypass can be repurposed to remount any r/o partitions mounted with `MNT_LOCK_READONLY`. It would be an interesting experiment to see what can be done with this and how far this temp root can be taken. If you do something cool, let me know! If you do try this, you had better know what you are doing. You CAN brick your phone if you're not careful, and again, I am not responsible! All in the name of research, right? ;)

Shown in action:

(three screenshots of the tool in use; images not reproduced here)
