hackingteamandroidexploit2

a guest, Jul 8th, 2015
From: Diego Giubertoni (d.giubertoni@hackingteam.com)
Subject: Exploit local-to-root Android completed
From You: 06/06/2015 05:24:58
To: Alberto Pelliccione <a.pelliccione@hackingteam.com>; Fabrizio Cornelli <f.cornelli@hackingteam.it>; Marco Valleri <m.valleri@hackingteam.com>; Ivan Speziale <i.speziale@hackingteam.com>;
CC: Marco Valleri; Ivan Speziale

Hello everyone.

With some delay I completed the local-to-root Android exploit. It took a little longer than expected because it was not easy to make it more or less "universal" across all devices. In particular, I implemented two exploit methods based on the exported kernel symbols (not all devices export the same ones, so sometimes you have to take parallel roads). Also, when I integrated it into an apk I noticed that the S4, via KNOX, adds a new sandbox that brings up a popup to the user if the application behaves "strangely".

To summarize, the protections to bypass are:

- KNOX sandbox on zygote
- Samsung rooting features
- SELinux policy

The apk file will contain 4 cache files: the exploit, the executable to be launched as shell server, the client part of the shell, and a script to run at boot.

EXPLOIT:

- The application launches the exploit simply by calling system() on its cache file, so that a new process is created in its own right. If the application becomes root, KNOX kills it and the popup appears.

- The exploit forks immediately and the parent exits. This allows us to get init as the parent, which will be critical as we shall see.

- The exploit dumps the kernel using the vuln and searches for the symbols needed to run code.

- Depending on the symbols found, one of two methods is used to get root through the vuln:
  - If the symbol is ptmx_fops, it overwrites ptmx_fsync with a pointer to the shellcode directly in the process and runs an fsync on the device /dev/ptmx
  - Otherwise it patches a syscall directly in memory and triggers it (then puts it back in place)

- At this point we are both children of init and root, and we can execute code without being intercepted by the Samsung Rooting Feature. The shell server and client are copied to /system/bin and the sh script to start on boot to /system/etc.

- The exploit ends by launching the shell process.

When first started, the shell has the kernel context, and from the next reboot the init context. This allows us to execute commands bypassing SELinux.