Root exploits
metall0id opened this issue · comments
Here is a list of all the exploits that I could find to obtain root on Android. We would like to port as many of these as possible into drozer. Please feel free to correct or contribute to this list, but more importantly to help us port them :) A list of all known root exploit is maintained (not by me) @ https://docs.google.com/spreadsheet/pub?key=0Am5hHW4ATym7dGhFU1A4X2lqbUJtRm1QSWNRc3E0UlE&single=true&gid=0&output=html
| Exploit | Reference | Possible to port to drozer? | Comment |
|---|---|---|---|
| Exploid | CVE-2009-1185 | Yes | |
| Gingerbreak | CVE-2011-1823 | Yes | Requires drozer with READ_LOGS permission |
| Mempodroid | CVE-2012-0056 | Yes | Needs a SUID binary that writes something deterministic to a file descriptor. But run-as only works as root or shell user, hence on stock Android this will not work from an app |
| Wunderbar | CVE-2009-2692 | Yes | |
| ZergRush | CVE-2011-3874 | Yes | Requires drozer with READ_LOGS permission |
| Zimperlich / Zygote | c-skills blog | Yes | Exploits the zygote setuid() bug |
| Exynos | CVE-2012-6422 | Yes | Done - testing completed on Galaxy S3 + S2 |
| ZTE sync_agent | CVE-2012-2949 | Yes | Done - still requires testing |
| cmdclient | xdadevelopers / Dan Rosenburg | Yes | Done - still requires testing |
| HTC Butterfly diag | Yes | ||
| Levitator | CVE-2011-1352 | Unclear | Requires access to /dev/pvrsrvkm - what are the permissions on this? |
| Thinkpad Tablet | Dan Rosenburg | Unclear | Runs thinkpwn binary |
| Droid 4 (motofail) | Dan Rosenburg | Unclear | Runs motofail binary |
| XYBoard/Xoom 2 | Dan Rosenburg | Unclear | Runs xyz binary |
| KillingInTheNameOf | CVE-2010-743C | No | Remap Android property space to writeable which gives root shell from shell user |
| rageagainstthecage | No | Exploits the adb setuid() bug | |
| psneuter | CVE-2011-1149 | No | Disables access to the property service and so ADB starts as root (Android assumes ro.secure is off) |
| Samsung Admire | Dan Rosenburg | No | Requires privileges held by shell user |
| Droid 3 | Dan Rosenburg | No | Requires privileges held by shell user |
| LG Spectrum | Dan Rosenburg | No | Requires privileges held by shell user |
| LG Esteem | Dan Rosenburg | No | Requires privileges held by shell user |
| Sony Tablet S | Dan Rosenburg | No | Requires privileges held by shell user |
Here is a list of all the exploits that I could find to obtain root on Android. We would like to port as many of these as possible into drozer. Please feel free to correct or contribute to this list, but more importantly to help us port them :) A list of all known root exploit is maintained (not by me) @ https://docs.google.com/spreadsheet/pub?key=0Am5hHW4ATym7dGhFU1A4X2lqbUJtRm1QSWNRc3E0UlE&single=true&gid=0&output=html
Exploit Reference Possible to port to drozer? Comment
Exploid CVE-2009-1185 Yes
Gingerbreak CVE-2011-1823 Yes Requires drozer with READ_LOGS permission
Mempodroid CVE-2012-0056 Yes Needs a SUID binary that writes something deterministic to a file descriptor. But run-as only works as root or shell user, hence on stock Android this will not work from an app
Wunderbar CVE-2009-2692 Yes
ZergRush CVE-2011-3874 Yes Requires drozer with READ_LOGS permission
Zimperlich / Zygote c-skills blog Yes Exploits the zygote setuid() bug
Exynos CVE-2012-6422 Yes Done - testing completed on Galaxy S3 + S2
ZTE sync_agent CVE-2012-2949 Yes Done - still requires testing
cmdclient xdadevelopers / Dan Rosenburg Yes Done - still requires testing
HTC Butterfly diag Yes
Levitator CVE-2011-1352 Unclear Requires access to /dev/pvrsrvkm - what are the permissions on this?
Thinkpad Tablet Dan Rosenburg Unclear Runs thinkpwn binary
Droid 4 (motofail) Dan Rosenburg Unclear Runs motofail binary
XYBoard/Xoom 2 Dan Rosenburg Unclear Runs xyz binary
KillingInTheNameOf CVE-2010-743C No Remap Android property space to writeable which gives root shell from shell user
rageagainstthecage No Exploits the adb setuid() bug
psneuter CVE-2011-1149 No Disables access to the property service and so ADB starts as root (Android assumes ro.secure is off)
Samsung Admire Dan Rosenburg No Requires privileges held by shell user
Droid 3 Dan Rosenburg No Requires privileges held by shell user
LG Spectrum Dan Rosenburg No Requires privileges held by shell user
LG Esteem Dan Rosenburg No Requires privileges held by shell user
Sony Tablet S Dan Rosenburg No Requires privileges held by shell user
https://libsodium.gitbook.io/doc/bindings_for_other_languages
``[https://libsodium.gitbook.io/doc/bindings_for_other_languages]() Duplicate of #