Share
## https://sploitus.com/exploit?id=538B4663-FB38-5135-A173-EED0A5BCEA0A
# Samsung Exynos 4412 Kernel Exploits

**Device:** Samsung Galaxy Note II LTE (SGH-I317M / t0ltecan)  
**Kernel:** 3.0.31 | **SoC:** Exynos 4412 (ARM Cortex-A9)  
**Android:** 4.4.2 (I317MVLUDNF4)

## Verified Primitives

| Primitive | Status | Description |
|-----------|--------|-------------|
| CVE-2013-2094 (perf_swevent) | โœ… | atomic_inc at ANY 4-byte aligned kernel address |
| ION alloc + mmap | โœ… | All 4 heap types (SYSTEM, CONTIG, EXYNOS, EXYNOS_CONTIG) |
| ION physical address leak | โœ… | EXYNOS_CONTIG: ION_EXYNOS_CUSTOM_PHYS ioctl |
| ION handle address leak | โœ… | Kernel heap pointers exposed via ioctl return values |
| SELinux bypass | โœ… | Via init.rc boot image modification (9 redundant write points) |
| Root shell via FIFO | โœ… | modprobe_path โ†’ payload โ†’ FIFO helper โ†’ uid=0 |
| check_uaccess restored | โœ… | get_user/put_user bounds checking (Build #12+) |

## Key Files

- `exploit_toolkit/root_exploit.c` โ€” All-in-one verifier + FIFO root helper
- `exploit_toolkit/p1_exploit.c` โ€” CVE-2013-2094 + ION chain analysis
- `exploits/common/common.h` โ€” Verified kernel symbol addresses (Build #12)
- `exploits/*.c` โ€” Individual exploit PoCs (Dirty COW, ION UAF, UMP UAF, etc.)

## Building Exploits

```bash
arm-linux-gnueabi-gcc -static -march=armv7-a -O2 -o bin source.c
adb push bin /data/local/tmp/
adb shell /data/local/tmp/bin
```

## Security Posture

- No KASLR โ€” kernel base fixed at 0xC0008000
- No SMEP/SMAP โ€” ret2usr works natively
- ~300 CVEs unpatched (3.0.31 โ†’ 3.0.101 gap)
- check_uaccess bounds checking restored
- SELinux permissive (via boot image modification)
See `docs/` for detailed analysis reports.