From: Diego Giubertoni (d.giubertoni@hackingteam.com)
Subject: Exploit local-to-root Android completed
From You: 06/06/2015 05:24:58
To: Alberto Pelliccione <a.pelliccione@hackingteam.com>; Fabrizio Cornelli <f.cornelli@hackingteam.it>; Marco Valleri <m.valleri@hackingteam.com>; Ivan Speziale <i.speziale@hackingteam.com>;
CC: Marco Valleri; Ivan Speziale

Hello everyone.
With some delay I have completed the local-to-root Android exploit. It took a little longer than expected because it was not easy to make it more or less "universal" across all devices. In particular, I implemented two exploitation methods based on the kernel symbols that are exported (not all devices export the same ones, so sometimes you have to go down parallel roads). Also, when I integrated it into an apk, I noticed that the S4 via KNOX adds a new sandbox that shows a popup to the user if the application behaves "strangely".
To summarize, the protections to bypass are:
- KNOX sandbox on zygote
- Samsung rooting features
- SELinux policy
The apk file will contain four files in its cache: the exploit, the executable to be launched as the shell server, the client part of the shell, and a script to run at boot.
EXPLOIT:
- The application launches the exploit simply by calling system() on one of its cache files, so that a new process is created in its own right. If the application itself becomes root, KNOX kills it and the popup appears.
- The exploit forks immediately and the parent exits. This allows us to get init as the parent, which will be critical as we shall see.
- The exploit dumps the kernel, looking for the vuln and the symbols needed to run code.
- Depending on the symbols found, it uses one of two methods to get root through the vuln:
  - If the ptmx_fops symbol is present, it overwrites ptmx_fsync with a pointer to the shellcode directly in the process and runs an fsync on the device /dev/ptmx
  - Otherwise it patches a syscall directly in memory and triggers it (then puts it back in place)
- At this point we are both children of init, both root, and we can execute code without being intercepted by the Samsung Rooting Feature. The shell server and client are copied into /system/bin, and the sh script to start on boot into /system/etc
- The exploit ends by launching the shell process
When first started the shell will have the kernel context, and from the next reboot the init context. This allows us to execute commands bypassing SELinux.