Share
## https://sploitus.com/exploit?id=538B4663-FB38-5135-A173-EED0A5BCEA0A
# Samsung Exynos 4412 Kernel Exploits
**Device:** Samsung Galaxy Note II LTE (SGH-I317M / t0ltecan)
**Kernel:** 3.0.31 | **SoC:** Exynos 4412 (ARM Cortex-A9)
**Android:** 4.4.2 (I317MVLUDNF4)
## Verified Primitives
| Primitive | Status | Description |
|-----------|--------|-------------|
| CVE-2013-2094 (perf_swevent) | โ
| atomic_inc at ANY 4-byte aligned kernel address |
| ION alloc + mmap | โ
| All 4 heap types (SYSTEM, CONTIG, EXYNOS, EXYNOS_CONTIG) |
| ION physical address leak | โ
| EXYNOS_CONTIG: ION_EXYNOS_CUSTOM_PHYS ioctl |
| ION handle address leak | โ
| Kernel heap pointers exposed via ioctl return values |
| SELinux bypass | โ
| Via init.rc boot image modification (9 redundant write points) |
| Root shell via FIFO | โ
| modprobe_path โ payload โ FIFO helper โ uid=0 |
| check_uaccess restored | โ
| get_user/put_user bounds checking (Build #12+) |
## Key Files
- `exploit_toolkit/root_exploit.c` โ All-in-one verifier + FIFO root helper
- `exploit_toolkit/p1_exploit.c` โ CVE-2013-2094 + ION chain analysis
- `exploits/common/common.h` โ Verified kernel symbol addresses (Build #12)
- `exploits/*.c` โ Individual exploit PoCs (Dirty COW, ION UAF, UMP UAF, etc.)
## Building Exploits
```bash
arm-linux-gnueabi-gcc -static -march=armv7-a -O2 -o bin source.c
adb push bin /data/local/tmp/
adb shell /data/local/tmp/bin
```
## Security Posture
- No KASLR โ kernel base fixed at 0xC0008000
- No SMEP/SMAP โ ret2usr works natively
- ~300 CVEs unpatched (3.0.31 โ 3.0.101 gap)
- check_uaccess bounds checking restored
- SELinux permissive (via boot image modification)
See `docs/` for detailed analysis reports.