Incorrect Authorization in Qualcomm Graphics GPU Micronode
CVE-2025-21479 is an incorrect authorization vulnerability in Qualcomm Graphics / Adreno GPU components affecting multiple Qualcomm chipsets. The issue is described as memory corruption caused by unauthorized command execution in the GPU micronode or GPU microcode while executing a specific sequence of commands. Available reporting indicates the flaw stems from improper authorization or incorrect permission checks in the GPU command path, allowing commands intended only for privileged contexts to be executed. The resulting unauthorized command processing can corrupt memory in the GPU driver or related firmware/microcode path. Qualcomm disclosed the issue in 2025, and multiple sources state it was observed under limited, targeted exploitation in the wild.
Exploits
3 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos.
This repository is a full local Android privilege-escalation exploit for CVE-2025-21479, targeting a Samsung Galaxy Z Flip 5 configuration with an Adreno A7xx GPU. It is not a framework module; it consists of one large native exploit source file, one GPU helper header, and several shell scripts that operationalize post-exploitation.

Structure: README.md documents the target device, firmware constraints, patch check, and usage. include/adrenaline.h provides KGSL/Adreno ioctl structures, enums, and PM4/GPU command builders used to interact with the GPU driver. src/exploit.c is the main exploit and contains the vulnerability chain: GPU arbitrary physical read/write, KASLR leak via _stext discovery, firmware-symbol verification, SELinux state overwrite to permissive, and an init-hook-based root command server bootstrap. The scripts directory contains operational wrappers: run.sh pushes and launches the exploit over adb; root_cmd.daemon creates a FIFO-backed resident root shell service; rootsh.sh sends commands to that service and retrieves output; rootbin.sh pushes a shared object and executes it as root via LD_PRELOAD into a stock binary to bypass DEFEX restrictions.

Main capabilities: The exploit is designed for local exploitation with adb/device access, not remote delivery. It abuses the GPU/KGSL interface to gain arbitrary physical memory access, then uses that primitive to locate kernel text despite KASLR, resolve expected kernel symbols for the tested firmware, modify SELinux enforcement state, and patch/hook /system/bin/init to launch a resident root command runner. Post-exploitation, the operator can run arbitrary shell commands as root and also execute custom native payloads as root using a stock host binary and LD_PRELOAD.
Notable targeting details visible in code include Samsung-specific kernel constants, firmware-specific virtual addresses (e.g., FW_STEXT_VA, FW_SWAPPER_PG_DIR_VA, FW_INIT_TASK_VA, FW_SELINUX_STATE_VA), and init binary patch/cave offsets tied to the tested firmware build. The README explicitly states the exploit is exact-device/firmware oriented and non-persistent across reboot. Overall, this is an operational local root exploit with built-in post-exploitation tooling rather than a mere proof-of-concept or detector.
This repository contains a sophisticated local privilege escalation exploit targeting Android devices with Qualcomm Adreno GPUs, specifically exploiting CVE-2025-21479. The main exploit logic resides in 'exploit.c', which orchestrates the attack by interacting with the GPU driver via /dev/kgsl-3d0, manipulating GPU memory, and patching kernel code to disable security checks and escalate privileges. The exploit includes routines for mapping user memory into GPU space, crafting GPU command buffers, and directly patching the kernel's __do_sys_capset function to bypass capability checks. Helper files ('helpers/analyze.c', 'helpers/extract-kallsyms.c', and 'kallsyms_lookup.c') are used for analyzing and extracting kernel symbols, which are critical for reliably locating and patching kernel functions. The exploit ultimately spawns a root shell if successful. The code is written in C and is operational, though the README notes it is a work in progress and may require adaptation for specific devices or kernel versions. No network endpoints are involved; the attack vector is purely local, requiring code execution on the target device.
This repository contains a local privilege escalation exploit targeting Meta Quest 3 and Quest 3S headsets running vulnerable firmware (prior to the August 10, 2025 patch) with Adreno A7xx GPUs. The exploit leverages CVE-2025-21479, a vulnerability in the Qualcomm Adreno GPU driver, to gain kernel memory access and escalate privileges to root. The main exploit logic is implemented in 'cheese.c', which interacts with the GPU via '/dev/kgsl-3d0', manipulates GPU command buffers, and ultimately patches the kernel's sys_capset function with custom shellcode to obtain a root shell. The repository also includes 'adrenaline.h' (helper routines for GPU command construction), 'kallsyms_lookup.c' (for resolving kernel symbols), and a build script. The exploit is operational and provides a root shell if successful, but is highly device- and version-specific. The README provides detailed background, usage instructions, and links to related research. No network endpoints are involved; the attack vector is local, requiring code execution on the target device.
Affected products & vendors
Recent activity
61 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A Qualcomm Adreno GPU incorrect authorization vulnerability exploited as a zero-day in targeted attacks.
Qualcomm Android vulnerability patched by Google; reported as actively exploited in the wild.
A Qualcomm Graphics component vulnerability involving incorrect authorization that can lead to memory corruption via unauthorized command execution in GPU microcode. It was flagged as actively exploited in the wild.
A critical vulnerability involving unauthorized command execution in a GPU micronode leading to memory corruption when a specific command sequence is executed (context suggests Qualcomm Adreno GPU micronode).