How to Get Root with Dirty Cow exploit, should work on all Android devices

Dirty Cow, a Linux kernel vulnerability discovered only a week ago, can potentially be used to root any Android device released to date, until a security patch update that fixes the Linux kernel bug is released.

Dirty Cow is a privilege-escalation bug that has been present in the Linux kernel code for about 9 years but was discovered only now. Although it has been patched in the mainline Linux kernel, the vulnerability is present on almost every modern operating system that is built on top of the Linux kernel.

The vulnerability is present on every Linux system that uses a Linux kernel version greater than 2.6.22, which means every Android version (from Android 1.0 to 7.1.1 Nougat) can be exploited using the Dirty Cow vulnerability to get root access.
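A defensive counterpart to the version claim above, as an added example that is not part of the original article: a shell triage that classifies a device from its kernel release and Android security patch level. The `FIXED_SPL` threshold and the sample readings are assumptions, and `kernel_in_range` and `classify` are hypothetical helper names.

```shell
#!/bin/sh
# Added example: triage devices for Dirty COW (CVE-2016-5195) exposure from
# two read-only values:  adb shell uname -r
#                        adb shell getprop ro.build.version.security_patch

# Assumption, not from the article: the patch level your bulletin source
# lists as carrying the CVE-2016-5195 fix. Override via the environment.
FIXED_SPL="${FIXED_SPL:-2016-12-05}"

# Succeeds when the kernel release is 2.6.22 or newer (the article's lower
# bound, treated as inclusive here).
kernel_in_range() {
    v=${1%%[!0-9.]*}                  # "3.10.84-g8d4f2c1" -> "3.10.84"
    old_ifs=$IFS; IFS=.
    set -- $v                         # split on dots into $1 $2 $3
    IFS=$old_ifs
    maj=${1:-0}; min=${2:-0}; pat=${3:-0}
    [ "$maj" -gt 2 ] && return 0
    [ "$maj" -eq 2 ] && [ "$min" -gt 6 ] && return 0
    [ "$maj" -eq 2 ] && [ "$min" -eq 6 ] && [ "$pat" -ge 22 ]
}

# Prints "patched", "exposed" or "review" for one device.
# The patch level decides: vendors backport kernel fixes without changing the
# version string, so a kernel version alone can never prove a device is fixed.
classify() {
    rel=$1; spl=$2
    case $spl in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9])
            have=$(printf %s "$spl" | sed 's/-//g')        # 2016-10-01 -> 20161001
            need=$(printf %s "$FIXED_SPL" | sed 's/-//g')
            if [ "$have" -ge "$need" ]; then echo patched; return 0; fi ;;
    esac
    # Patch level missing (older builds lack the property) or too old.
    if kernel_in_range "$rel"; then echo exposed; else echo review; fi
}

# Constructed sample readings (kernel release|patch level), not real devices.
while IFS='|' read -r k p; do
    printf '%-20s %-11s %s\n' "$k" "${p:-none}" "$(classify "$k" "$p")"
done <<'EOF'
3.10.84-g8d4f2c1|2016-10-01
3.18.31-perf|2017-01-05
3.4.0-cyanogenmod|
EOF
```

A "review" result means the kernel string could not be parsed or falls below the range, so the device needs a manual look.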

Developer Arinerron over at GitHub has created a simple root.sh script using the Dirty Cow exploit which you can run on any Android device to get root access. The script creates a ‘run-as’ binary on the device that can execute packages as root. The script is not a permanent root solution, but it shows how easy it is to root Android devices with the Dirty Cow exploit.

Download Dirty Cow root.sh script

How to Root Android using Dirty Cow Exploit

  1. Get to a PC that runs on a Linux OS and has Android NDK installed.
  2. Download and unzip the root.zip file from the download link above. You’ll get a root.sh file.
  3. Enable Developer options and USB debugging on your Android device.
  4. Connect your device to the Linux PC.
  5. Run the root.sh script file on the PC and it’ll install a ‘run-as’ binary on the device which you can use to execute packages with root access.

That’s all. We hope the folks over at xda or other Android communities fire up a quick tool that can properly root Android devices using the Dirty Cow exploit.

Happy Androiding! 

Posted by
Shivam Malani


23 Comments

  1. How much you want to bet this is what kingroot has been using since King root can pretty much root any device and add spyware

    1. Sadly this is not what they use. Since they can only Root the most used phones which are like 4 brands and not even the newest ones.

      With this however you can root everything.

  5. The “run-as” binary that gets installed is only a proof-of-concept whose only function is to print a message showing that it’s running as the root user.

    I was able to compile a modified version of the binary and I gained a root shell, but the built-in SELinux security prevents me from doing anything useful with the shell – essentially, without also having a way to bypass SELinux, this particular implementation of the exploit is just a curiosity and nothing else.

    1. Can you put a github gist of the source code for the binary?

    2. one Command, mate: setenforce 0

      1. It’s not quite as easy as that, the default SELinux policy forbids most contexts from calling setenforce(), even as uid 0…

  7. The “run-as” binary that gets installed is only a proof-of-concept whose only function is to print a message showing that it’s running as the root user.

    I was able to compile a modified version of the binary and I gained a root shell, but the built-in SELinux security prevents me from doing anything useful with the shell – essentially, without also having a way to bypass SELinux, this particular implementation of the exploit is just a curiosity and nothing else.

  8. This seems to work great for a 32 bit ARM abi but not for a 64 bit one like my Samsung Galaxy S6 Edge + as there is some kind of issue with the exploit's ability to escalate privileges. This is currently being discussed on the Git https://github.com/timwr/CVE-2016-5195/issues/7#issuecomment-256190198 and I am wondering if anyone has modified this script(s) to achieve the same on a 64-bit device?

  13. Has anyone ever done this on a Windows OS?
