Gros - exynos

We have access to QEMU box with ARM cpu and setuid binary - exynos-mem.

Only one function inside the binary:

int main(int argc, char const *argv[])
    if(argc < 4) {
        printf("usage : exynos-mem [phyaddr] [bytesize] [mode(R/W-0/1)]\n");
        return 0;

    int devmem_fd = open("/dev/mem", 2);

    int phyaddr = atoi(argv[1]);
    int bytesize = atoi(argv[]);
    int mode = atoi(argv[3]);

    lseek(devmem_fd, phyaddr, 0);

    char *buf = malloc(bytesize);
    int result = 0;

    if(mode == 0) {
        read(devmem_fd, buf, bytesize);
        result = write(1, buf, bytesize);
    } else {
        if(mode == 1) {
            read(0, buf, bytesize);
            result = write(devmem_fd, buf, bytesize);
        } else {
            fwrite("wrong mode. 0:read, 1:write\n", 1, 0x1c);

    fprintf(stderr, "processed %d bytes\n", result);

    return 0;

It allows us to read/write to special /dev/mem file, that is to access physical memory.

Searching for exynos exploit quickly yields xda-developers site with exploit for samsung phones which suffered from exactly the same vuln as we have here - the kernel memory was readable and writable via /dev/exynos-mem device.

There is an exploit code provided in C, but because it’s time consuming to write cross-process communication in C, I decided to repeat all exploit steps in the shell.