Since there were some requests, I made the source of the zygote jailbreak, zimperlich, available here. It's straightforward code, just like the adb setuid() one. Most of the time went into getting the Makefile right, tricking zygote into spawning the right number of processes, and calling setuid() once more when we are already running. Keep in mind that I don't like Java.
I solved this with a ContentProvider and gave it its own process name in AndroidManifest.xml, so the ContentProvider is guaranteed to be invoked in a new process. If the NPROC limit has been reached by then, this will be the root process.
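As an added illustration (not code from zimperlich or from Android itself), here is the setuid() pattern the post relies on, in its buggy and its checked form. The function-pointer hooks and the stub functions are my assumptions so that the failure case (setuid() returning -1 with EAGAIN because the target uid already owns RLIMIT_NPROC processes, while the child stays uid 0) can be exercised without root:

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Hook types (assumed for this example) so the logic can be run against a stub
 * that fails the way setuid() does under RLIMIT_NPROC; real code passes
 * setuid and getuid from libc. */
typedef int (*setuid_fn)(uid_t);
typedef uid_t (*getuid_fn)(void);

/* Buggy pattern: switch to the app uid and carry on no matter what setuid()
 * returned. Returns the uid the caller actually ends up running as. */
uid_t drop_to_app_uid_unchecked(uid_t app_uid, setuid_fn su, getuid_fn gu) {
    su(app_uid);                     /* result ignored: still uid 0 on failure */
    return gu();
}

/* Hardened form: any setuid() failure is fatal for this child, and the
 * resulting credentials are verified. Returns 0 on success, -1 on failure
 * with errno preserved; the caller must _exit() rather than continue. */
int drop_to_app_uid_checked(uid_t app_uid, setuid_fn su, getuid_fn gu) {
    if (su(app_uid) != 0) {
        int saved = errno;
        fprintf(stderr, "setuid(%u): %s\n", (unsigned)app_uid, strerror(saved));
        errno = saved;
        return -1;
    }
    if (gu() != app_uid) {           /* belt and braces: verify what we became */
        errno = EPERM;
        return -1;
    }
    return 0;
}

/* Constructed stubs: a zygote-like parent at uid 0 whose setuid() fails with
 * EAGAIN because the target uid already owns RLIMIT_NPROC processes. */
static uid_t stub_uid = 0;
static int stub_setuid_eagain(uid_t u) { (void)u; errno = EAGAIN; return -1; }
static int stub_setuid_ok(uid_t u) { stub_uid = u; return 0; }
static uid_t stub_getuid(void) { return stub_uid; }

int main(void) {
    uid_t app = 10042;               /* constructed app uid */
    printf("unchecked -> uid %u\n", (unsigned)drop_to_app_uid_unchecked(app, stub_setuid_eagain, stub_getuid));
    printf("checked   -> %d (%s)\n", drop_to_app_uid_checked(app, stub_setuid_eagain, stub_getuid), strerror(errno));
    stub_uid = 0;
    printf("checked   -> %d (setuid ok)\n", drop_to_app_uid_checked(app, stub_setuid_ok, stub_getuid));
    return 0;
}
```

The unchecked variant reports uid 0 in the EAGAIN case, which is exactly the process the post describes ending up as root; the checked variant refuses to continue.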
Also, for convenience, we want some native code carried along with the .apk. The Android ABI requires it to be named libNAME.so, but it is in fact of type ET_EXEC rather than ET_DYN, so we can execute it as a binary.
If you look at the Makefile you can imagine that this was a horror. You need a complete Android build in $AROOT for it to succeed.
Of course you could also misuse the RageAgainstTheCage binary to exploit zygote (and not adb) if it is called from an .apk, as z4root did. But I think nobody noticed or cared that a different setuid() bug was actually being exploited. That's at least what my short analysis showed. If I am wrong I will remove this paragraph. So, only use the original old-but-gold code on the command line as proposed to get the real deal! :)
19 comments:
Thanks a lot. Really interesting. Unfortunately my LG E720 received an upgrade to 2.2.1 and I did not succeed in rooting it again :-( All known exploits fail now.
Thank you.
Just a question: after an application has successfully performed the rageagainstthecage exploit, how can I connect to the adb daemon to open a root shell from the application? I'm not making malware, just a thesis on Android security :P
That was also my question.
The trick is that such apps do not exploit adb. Zygote has got the same bug, and the uid that runs rageagainstthecage also runs out of NPROC. So basically the next process slot demanded from zygote will automatically run as root. You don't really need adb running, unless you softbreak from an adb shell itself.
Thank you very much Icke.
Tomorrow I'll try to edit rageagainstthecage to exploit Zygote and try to gain a root shell from the application.
Very interesting. I'll publish the Unrevoked Zysploit sources in the next few days, too, which was based off a similar idea. In particular, on this iteration, we used spawn() instead of fork() to speed things up drastically -- on a quiescent system, the exploit takes only a few seconds.
Can you please release Gingerbreak now? I really want to upgrade to 2.3.3 but I will not do so until I can easily root it without flashing any recoveries or unlocking the bootloader.
I've released our version now: http://github.com/unrevoked/zysploit . It's very similar to yours, I suspect, though I haven't read yours yet.
I can't root this device. Xperia 10
I need help rooting my huawei m380
Has anybody rooted the ZTE Warp N860 (Boost Mobile)? My first Android phone and I want more control and performance. I don't know where to start with the rooting process...
has anyone been able to root a good brand new razrs? I tried every program I can come up with and have yet to find 1 that works.
HTC salsa root anyone
Help me root my Cherry Mobile Amber W380 Android phone..
Root my phone pls..
How to root a Samsung Galaxy S4?
Please, how can I root my LG Optimus 2X (lge-lgsu660)?
Hey there! I've been reading your website for a long time now and finally got the courage to go ahead and give you a shout out from Porter, TX! Just wanted to tell you keep up the great work!
This text is invaluable. How can I find out more?
Hello! Would you mind if I share your blog with my Facebook group? There's a lot of people that I think would really enjoy your content. Please let me know. Thanks