A few words about rooting Android. Paying tribute to old school hackers. Towelroot, Rage Against The Cage, rooting the G1 by just typing the right command on the keyboard.
• Linux distribution, i.e. Debian
• install Android build from AOSP
• customize boot image
• create full backups
• create custom ROMs
• install apps on SD card
• use phone as a tether or wireless router

• bootloader
• and install new boot image
• after starting with crafted boot image
• some files are changed
  ◦ SELinux policies
  ◦ su
• recovery is not changed

• was needed
• but can easily flash it back if you have a newer one
• start the phone, and…
• … type in: <enter> <enter> t e l n e t d
• telnet daemon was just started
• can connect using a terminal program from Market

• itself to deplete available system resources, causing resource starvation and slowing or crashing the system
• in 1978 an early variant of a fork bomb called wabbit was reported to run on a System/360
• earlier, in 1969, RABBITS was reported on a Burroughs 5500
    /* ... run as root if we are running in secure mode */
    if (secure) {
        ...
        /* then switch user and group to "shell" */
        setgid(AID_SHELL);
        setuid(AID_SHELL);
        ...
    }
• not checking return value
• count
• and increases shell user count
• all that within global Android process limit RLIMIT_NPROC
• spawn many shell user processes to reach the limit
• and then do yet another adb call
• … to see setuid failing
• and adbd being run as root user
    /* ... run as root if we are running in secure mode */
    if (should_drop_privileges()) {
        drop_capabilities_bounding_set_if_needed();
        /* then switch user and group to "shell" */
        if (setgid(AID_SHELL) != 0) {
            PLOG(FATAL) << "Could not setgid";
        }
        if (setuid(AID_SHELL) != 0) {
            PLOG(FATAL) << "Could not setuid";
        }
    }
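As an added example (not the slides' code and not AOSP's adbd), a privilege-drop routine in the spirit of the fixed adbd above: it checks the setgid()/setuid() results and then verifies the drop actually took effect, which is exactly what the unchecked calls in the old code skipped when the shell user was already at RLIMIT_NPROC. The function name drop_privileges and the tolerated-EPERM handling for setgroups() are my own choices.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Drop to uid/gid and confirm the drop really took effect.
 * Returns 0 on success, -1 on failure with errno set.
 * The old adbd called setgid()/setuid() without looking at the result;
 * when the target user is already at RLIMIT_NPROC, setuid() fails with
 * EAGAIN and the daemon silently keeps running as root. Checking the
 * return value and re-reading the ids afterwards closes that gap. */
int drop_privileges(uid_t uid, gid_t gid)
{
    /* Clear supplementary groups first. Only root may do this, so an
     * EPERM from an already-unprivileged caller is tolerated. */
    if (setgroups(0, NULL) != 0 && errno != EPERM)
        return -1;
    /* Group before user: once the uid is non-root, setgid() would fail. */
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)
        return -1;
    /* Belt and braces: real and effective ids must now be what we asked for. */
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid) {
        errno = EPERM;
        return -1;
    }
    /* After dropping to a non-root uid, regaining root must be impossible. */
    if (uid != 0 && setuid(0) == 0) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

int main(void)
{
    /* Demo: drop to our own ids; a real daemon would pass its service user. */
    if (drop_privileges(getuid(), getgid()) != 0) {
        fprintf(stderr, "privilege drop failed: %s\n", strerror(errno));
        return 1;
    }
    printf("running as uid %u, gid %u\n", (unsigned)geteuid(), (unsigned)getegid());
    return 0;
}
```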
*uaddr2, int nr_wake, int nr_requeue, u32 *cmpval, int requeue_pi) { union futex_key key1 = FUTEX_KEY_INIT, key2 = FUTEX_KEY_INIT; int drop_count = 0, task_count = 0, ret; struct futex_pi_state *pi_state = NULL; struct futex_hash_bucket *hb1, *hb2; struct futex_q *this, *next; if (requeue_pi) { /* + * Requeue PI only works on two distinct uaddrs. This + * check is only valid for private futexes. See below. + */ + if (uaddr1 == uaddr2) + return -EINVAL;
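Review bot: the new uaddr1 == uaddr2 rejection in the requeue_pi branch only covers private futexes, as its own comment admits; a shared futex reachable through two different user addresses still passes this check, so the "See below" reference must point at an explicit key1/key2 equality rejection performed after both futex keys are resolved, and that companion check is not visible in this hunk. Suggest having the comment name it, e.g. "the shared-futex case is rejected once key1 and key2 are known", so a reader of this hunk does not mistake the address comparison for the complete fix.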
• a super smart way to exploit it
• some structure in kernel that we can tweak a bit
• a syscall to connect kernel space with userland
• payload to be executed