Root exploits #56

Closed
metall0id opened this issue Jan 24, 2013 · 3 comments

@metall0id

Here is a list of all the exploits that I could find to obtain root on Android. We would like to port as many of these as possible into drozer. Please feel free to correct or contribute to this list, but more importantly to help us port them :) A list of all known root exploits is maintained (not by me) @ https://docs.google.com/spreadsheet/pub?key=0Am5hHW4ATym7dGhFU1A4X2lqbUJtRm1QSWNRc3E0UlE&single=true&gid=0&output=html

| Exploit | Reference | Possible to port to drozer? | Comment |
| --- | --- | --- | --- |
| Exploid | CVE-2009-1185 | Yes | |
| Gingerbreak | CVE-2011-1823 | Yes | Requires drozer with READ_LOGS permission |
| Mempodroid | CVE-2012-0056 | Yes | Needs a SUID binary that writes something deterministic to a file descriptor. But run-as only works as root or shell user, hence on stock Android this will not work from an app |
| Wunderbar | CVE-2009-2692 | Yes | |
| ZergRush | CVE-2011-3874 | Yes | Requires drozer with READ_LOGS permission |
| Zimperlich / Zygote | c-skills blog | Yes | Exploits the zygote setuid() bug |
| Exynos | CVE-2012-6422 | Yes | Done - testing completed on Galaxy S3 + S2 |
| ZTE sync_agent | CVE-2012-2949 | Yes | Done - still requires testing |
| cmdclient | xdadevelopers / Dan Rosenberg | Yes | Done - still requires testing |
| HTC Butterfly diag | | Yes | |
| Levitator | CVE-2011-1352 | Unclear | Requires access to /dev/pvrsrvkm - what are the permissions on this? |
| Thinkpad Tablet | Dan Rosenberg | Unclear | Runs thinkpwn binary |
| Droid 4 (motofail) | Dan Rosenberg | Unclear | Runs motofail binary |
| XYBoard/Xoom 2 | Dan Rosenberg | Unclear | Runs xyz binary |
| KillingInTheNameOf | CVE-2010-743C | No | Remap Android property space to writeable which gives root shell from shell user |
| rageagainstthecage | | No | Exploits the adb setuid() bug |
| psneuter | CVE-2011-1149 | No | Disables access to the property service and so ADB starts as root (Android assumes ro.secure is off) |
| Samsung Admire | Dan Rosenberg | No | Requires privileges held by shell user |
| Droid 3 | Dan Rosenberg | No | Requires privileges held by shell user |
| LG Spectrum | Dan Rosenberg | No | Requires privileges held by shell user |
| LG Esteem | Dan Rosenberg | No | Requires privileges held by shell user |
| Sony Tablet S | Dan Rosenberg | No | Requires privileges held by shell user |

@jessicam7

https://libsodium.gitbook.io/doc/bindings_for_other_languages

@jessicam7

https://libsodium.gitbook.io/doc/bindings_for_other_languages

@jessicam7

Duplicate of #
