I am working on my school thesis.
I am trying to inject some shellcode into a shared library using Dirty Cow vulnerability on Android x86.
My shellcode is written in assembly and only calls sys_execve with an argument touch /sdcard/FILE.txt. The shellcode should be OK, I am not using any absolute addresses for the string arguments - everything is created on the stack and addressed relative to the stack pointer. I am trying to inject this shellcode into libc.so (into the function time), which I think succeeds - before this I tried some simpler shellcode that worked perfectly (xor eax, eax; ret).
But right after the attack the program fails:
01-29 15:56:40.305 3255-3255/com.example.vitek.bakalarka A/libc: Fatal signal 11 (SIGSEGV) at 0x00000000 (code=128), thread 3255 (vitek.bakalarka)
And when I try to communicate with the device via adb, I only get this:
$ adb shell ls -la /sdcard/
CANNOT LINK EXECUTABLE: could not load library "libcutils.so" needed by "/system/bin/touch"; caused by library "libcutils.so" not found
I don't understand why it fails. I thought that the syscall execve creates a subprocess that executes whatever it gets as an argument.
Why does it not load the library libcutils.so?
Can I add something to my shellcode in order for this attack to work? If not, is there any other suitable target that would be easier to attack?
I have seen some Dirty Cow PoCs that were attacking vDSO, but in my case vDSO is not used by the system - I tried to inject that as well, it worked perfectly (I saw that in objdump and hexdump of the vDSO pages that I wrote into a file), but the function I attacked (clock_gettime) seems never to be called (either by the system or by me directly).
Thank you for your answers.