This is a CVE-2016-5195 PoC for 64-bit Android 6.0.1 Marshmallow (perhaps 7.0 ?), as well as an universal & stable temporal root tool. It does not require a SUID executable or any filesystem changes.
- SELinux bypass
- Memory-only: does not modify the filesystem or need special executable
- Stable: does not affect stability of your device
- Scalable: easy to add new kernel and/or new devices
- Reversible: the backdoor is cleared automatically after the root shell ends, which means no reboot is required after usage
- I, Robot by Isaac Asimov.
- "dirtycow-capable" device.
Pre-built binaries are available on the release page. Otherwise, just run make in a native aarch64 debian. Currently it won't work if built with NDK.
You may run it through an adb shell (place it under /data/local/tmp) and get a root shell either in the built-in terminal or a remote terminal server such as nc. For details, run it without any parameters.
- "insufficient place for payload": a reboot is required
- "waiting for reverse connect shell": please wake up your device, open the clock/alarm app or toggle the bluetooth switch in order to trigger the backdoor
@scumjr for the vDSO patching method.
- Turn it into a SuperSU installer.
- Enrich the kernel database for 32-bit support (not likely) and so on.
- Test it on Android 7 Nougat (help wanted!).