I am working on my school thesis. I am trying to inject some shellcode into a shared library using the Dirty Cow vulnerability on Android x86.

My shellcode is written in assembly and only calls sys_execve with the argument touch /sdcard/FILE.txt. The shellcode should be OK; I am not using any absolute addresses for the string arguments - everything is created on the stack and addressed relative to the stack pointer. I am trying to inject this shellcode into libc.so (into the function time), which I think succeeds - before this I tried some simpler shellcode that worked perfectly (xor eax, eax; ret).

But right after the attack the program fails:
01-29 15:56:40.305 3255-3255/com.example.vitek.bakalarka A/libc: Fatal signal 11 (SIGSEGV) at 0x00000000 (code=128), thread 3255 (vitek.bakalarka)
And when I try to communicate with the device via adb, I only get this:
$ adb shell ls -la /sdcard/
CANNOT LINK EXECUTABLE: could not load library "libcutils.so" needed by "/system/bin/touch"; caused by library "libcutils.so" not found
I don't understand why it fails. I thought that the syscall execve creates a subprocess that executes whatever it gets as an argument. Why does it not load the library libcutils.so?

Can I add something to my shellcode in order for this attack to work? If not, is there any other suitable target that would be easier to attack?

I have seen some Dirty Cow PoCs that were attacking vDSO, but in my case vDSO is not used by the system - I tried to inject that as well, and it worked perfectly (I saw that in objdump and hexdump of the vDSO pages that I wrote into a file), but the function I attacked (clock_gettime) never seems to be called (either by the system or by me directly).

Thank you for your answers.
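As an added illustration of the execve(2) semantics the question turns on (example code, not part of the question or its answers): a successful execve() replaces the calling process image and never returns, a separate process exists only if fork() is called first, and the envp passed in becomes the environment the new program and its dynamic linker see. Assumptions: a Linux host with /bin/sh (standing in for the page's /system/bin/touch) and a constructed, deliberately nonexistent path for the failure case.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* fork() first, then execve() in the child, so the caller survives.
 * Returns the child's exit status, 127 if execve() failed in the child,
 * -1 if fork()/waitpid() failed. envp becomes the new program's environment. */
int run_in_child(const char *path, char *const argv[], char *const envp[]) {
    pid_t pid = fork();
    if (pid < 0) {
        return -1;
    }
    if (pid == 0) {
        /* Child: on success execve() never returns; the old image is gone. */
        execve(path, argv, envp);
        _exit(127);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) {
        return -1;
    }
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Without fork(), execve() replaces the caller itself; only a failed call
 * comes back. The path is deliberately bogus (constructed) so we get errno. */
int execve_failure_errno(void) {
    char *const argv[] = { "nonexistent", NULL };
    char *const envp[] = { NULL };
    if (execve("/nonexistent/binary", argv, envp) == 0) {
        return 0; /* unreachable: a successful execve() does not return */
    }
    return errno;
}

/* Fixed, assumed arguments (/bin/sh stands in for /system/bin/touch). */
int demo_child_exit_status(void) {
    char *const argv[] = { "sh", "-c", "exit 7", NULL };
    char *const envp[] = { "PATH=/bin:/usr/bin", NULL };
    return run_in_child("/bin/sh", argv, envp);
}

int main(void) {
    printf("child exit status: %d\n", demo_child_exit_status());      /* 7 */
    printf("execve errno: %d (ENOENT=%d)\n", execve_failure_errno(), ENOENT);
    return 0;
}
```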