Thursday, February 24, 2011

Zimperlich sources

Since there were some requests, I made the source of
the zygote jailbreak, zimperlich, available here.


It's straightforward code, just like the adb setuid() one.
Most of the time I spent getting the Makefile right and
tricking zygote into spawning the right amount of processes and
calling setuid() once more when we are already running.
Keeping in mind that I don't like Java.


I solved this with a ContentProvider and giving it a new
process name in AndroidManifest.xml, so the ContentProvider
is guaranteed to be invoked as a new process.
If the NPROC limit is reached this will be the root
process.


Also, we want some native code carried along with the .apk
for convenience. The Android ABI requires that
it must be named libNAME.so, but in fact it is of
type ET_EXEC and not ET_DYN, so we can execute it as a
binary.
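The ET_EXEC-versus-ET_DYN point above is something an APK reviewer can check mechanically: a file shipped under lib/ as libNAME.so that is really a stand-alone executable shows up in the two-byte e_type field of the ELF header. The following is an added example written for this page, not code from the zimperlich sources; the function names are my own, and the header bytes used for testing are constructed. Only the first 64 bytes of a file are read, nothing is mapped or executed.

```c
/* Added example (not from the zimperlich sources): classify files by ELF
 * type so that a libNAME.so which is really an ET_EXEC binary stands out.
 * Only the ELF header is inspected; the file is never mapped or run. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ELF_ET_EXEC 2
#define ELF_ET_DYN  3

/* Return the e_type field of the ELF image in buf, honouring the byte
 * order declared in e_ident[EI_DATA]; -1 if buf is not an ELF header. */
int elf_e_type(const unsigned char *buf, size_t len)
{
    /* "\x7f" "ELF" is split so the hex escape does not swallow 'E'. */
    if (len < 20 || memcmp(buf, "\x7f" "ELF", 4) != 0)
        return -1;
    int little = (buf[5] == 1);          /* EI_DATA: 1 = LSB, 2 = MSB */
    if (!little && buf[5] != 2)
        return -1;
    /* e_type is a 16-bit field at offset 16 for both ELF32 and ELF64. */
    return little ? (buf[16] | (buf[17] << 8)) : ((buf[16] << 8) | buf[17]);
}

/* 1 if path is an ET_EXEC image (a binary, whatever it is named),
 * 0 if it is ET_DYN or another ELF type, -1 if unreadable or not ELF. */
int is_exec_disguised_as_lib(const char *path)
{
    unsigned char hdr[64];
    FILE *f = fopen(path, "rb");
    if (!f) return -1;
    size_t n = fread(hdr, 1, sizeof hdr, f);
    fclose(f);
    int t = elf_e_type(hdr, n);
    if (t < 0) return -1;
    return t == ELF_ET_EXEC;
}

/* Usage: ./elfcheck lib/armeabi/*.so */
int main(int argc, char **argv)
{
    for (int i = 1; i < argc; i++) {
        int r = is_exec_disguised_as_lib(argv[i]);
        printf("%s: %s\n", argv[i],
               r == 1 ? "ET_EXEC (stand-alone binary, not a shared library)"
             : r == 0 ? "ET_DYN or other ELF type"
             : "not a readable ELF file");
    }
    return 0;
}
```

Running it over an unpacked APK's lib/ directory lists every native object together with its real ELF type; a .so reported as ET_EXEC deserves a closer look.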


If you look at the Makefile you can imagine that this
was a horror. You require a complete Android build in
$AROOT to succeed.


Of course you could also misuse the RageAgainstTheCage
binary to exploit zygote (and not adb) if called from
an .apk, as z4root did. But I think nobody noticed
or cared that a different setuid() bug was actually exploited.
That's at least what my short analysis showed. If I am wrong
I will remove this paragraph. So, only use the original
old but gold code on the command line as proposed
to get the real deal! :)

17 comments:

Tyra said...

Thanks a lot. Really interesting.
Unfortunately my LG E720 received an upgrade to 2.2.1 and I did not succeed in rooting it again :-(
All known exploits fail now.

Bytec0d3 said...

Thank you.
Just a question: after an application has successfully performed the rageagainstthecage exploit, how can I connect to the adb daemon to open a root shell from the application?

I'm not making malware, just a thesis on Android security :P

Icke said...

That was also my question. The trick is that such apps do not exploit adb. Zygote has got the same bug, and the uid that runs rageagainstthecage also runs out of NPROC. So basically the next process slot demanded from zygote will automatically run as root. You don't really need adb running, unless you softbreak from an adb shell itself.

Bytec0d3 said...

Thank you very much Icke.
Tomorrow I'll try to edit rageagainstthecage to exploit Zygote and try to gain a root shell from the application.

Joshua Wise said...

Very interesting. I'll publish the Unrevoked Zysploit sources in the next few days, too, which was based off a similar idea. In particular, on this iteration, we used spawn() instead of fork() to speed things up drastically -- on a quiescent system, the exploit takes only a few seconds.

Anonymous said...

Can you please release Gingerbreak now? I really want to upgrade to 2.3.3 but I will not do so until I can easily root it without flashing any recoveries or unlocking the bootloader.

Joshua Wise said...

I've released our version now: http://github.com/unrevoked/zysploit . It's very similar to yours, I suspect, though I haven't read yours yet.

Anonymous said...

I can't root this device. Xperia 10

Anonymous said...

I need help rooting my huawei m380

zte warp n860 said...

Has anybody rooted the ZTE Warp N860 Boost Mobile? My first Android phone and I want more control and performance. I don't know where to start with the rooting process...

Steven Pihl said...

Has anyone been able to root a brand new RAZR? I tried every program I can come up with and have yet to find one that works.

Anonymous said...

HTC Salsa root, anyone?

Anonymous said...

Help me root my Cherry Mobile Amber W380 Android phone.

Anonymous said...

Root my phone pls..

Anonymous said...

How to root a Samsung Galaxy S4?

Anonymous said...

Pls how can I root my LG Optimus 2X lge-lgsu660

James Burcker said...

How can I Root ZTE Z669?