Thursday, February 24, 2011

Zimperlich sources

Since there were some requests I made the source of
the zygote jailbreak, zimperlich, available here.

Its straight forward code just like the adb setuid() one.
Most of the time I spent getting the Makefile right and
tricking zygote to spawn the right amount of processes and
calling setuid() once more when we are already running.
Keeping in mind that I dont like Java.

I solved this with a ContentProvider and giving it a new
process name in AndroidManifest.xml, so the ContentProvider
is guaranteed to be invoked as a new process.
If the NPROC limit is reached this will be the root

Also, we want some native code carried along with the .apk
for convenient purposes. The Android ABI requires that
it must be named but in fact it is of
type ET_EXEC and not ET_DYN so we can execute it as

If you look at the Makefile you can imagine that this
was a horror. You require a complete Android build in
$AROOT to succeed.

Of course you could also mis-use the RageAgainstTheCage
binary to exploit zygote (and not adb) if called from
an .apk like the z4root did. But I think nobody noticed
or cared that a different setuid() bug was actually exploited.
Thats at least what my short analysis showed. If I am wrong
I will remove this paragraph. So, only use the original
old but gold code on the commandline as proposed
to get the real deal! :)

Friday, February 18, 2011

Cloud Clock trickery

I spent some time fumbling with HTTP again but not related
to Web 2.O. Rather I was interested in how HTTP could
replace NTP since web servers reply with a Date: string
upon each request. The result can be found here.
It is basically a daemon that fetches Date: of
pre-configured servers and tries to minimize RTT and
local I/O impact when setting the time. It also runs as
a user chrooted, keeping CAP_SYS_TIME.
It should also work with IPv6 nodes. If you want to use
my lophttpd web server along with httpdated, you need
to update it to the latest version.

Feel free to comment if you have ideas or see problems
but do not bother me with "NTP is much more better and
more correct". I know that :-)

Wednesday, February 2, 2011

ELF process dumping trickery

I made a small tool available here which allows to
dump ELF binaries from memory to disk in cases
where the original image has been altered/deleted/crypted
There is no way to make it 100% reliable as the state
of the program might not be the same as when just loaded
and therefore you can have dangling pointers etc.
in .data. However it works surprisingly well for a lot
of programs.
Some info is lost during loading anyway and has to be
restored heuristically. We rely on linear ascending
PLT jump-slots for example.

I only tested it on x86-64 but it has basic support
for x86 as well. The de-relocation of the image has
to be checked though. All other architectures like
PPC64 etc. can easily be added by adding appropriate
R_ types to the switch() clause.