Root exploits #56

Open
metall0id opened this Issue Jan 24, 2013 · 0 comments

Comments

Projects
None yet
1 participant
@metall0id
Contributor

metall0id commented Jan 24, 2013

Here is a list of all the exploits that I could find to obtain root on Android. We would like to port as many of these as possible into drozer. Please feel free to correct or contribute to this list, but more importantly to help us port them :) A list of all known root exploit is maintained (not by me) @ https://docs.google.com/spreadsheet/pub?key=0Am5hHW4ATym7dGhFU1A4X2lqbUJtRm1QSWNRc3E0UlE&single=true&gid=0&output=html

Exploit Reference Possible to port to drozer? Comment
Exploid CVE-2009-1185 Yes
Gingerbreak CVE-2011-1823 Yes Requires drozer with READ_LOGS permission
Mempodroid CVE-2012-0056 Yes Needs a SUID binary that writes something deterministic to a file descriptor. But run-as only works as root or shell user, hence on stock Android this will not work from an app
Wunderbar CVE-2009-2692 Yes
ZergRush CVE-2011-3874 Yes Requires drozer with READ_LOGS permission
Zimperlich / Zygote c-skills blog Yes Exploits the zygote setuid() bug
Exynos CVE-2012-6422 Yes Done - testing completed on Galaxy S3 + S2
ZTE sync_agent CVE-2012-2949 Yes Done - still requires testing
cmdclient xdadevelopers / Dan Rosenburg Yes Done - still requires testing
HTC Butterfly diag Yes
Levitator CVE-2011-1352 Unclear Requires access to /dev/pvrsrvkm - what are the permissions on this?
Thinkpad Tablet Dan Rosenburg Unclear Runs thinkpwn binary
Droid 4 (motofail) Dan Rosenburg Unclear Runs motofail binary
XYBoard/Xoom 2 Dan Rosenburg Unclear Runs xyz binary
KillingInTheNameOf CVE-2010-743C No Remap Android property space to writeable which gives root shell from shell user
rageagainstthecage No Exploits the adb setuid() bug
psneuter CVE-2011-1149 No Disables access to the property service and so ADB starts as root (Android assumes ro.secure is off)
Samsung Admire Dan Rosenburg No Requires privileges held by shell user
Droid 3 Dan Rosenburg No Requires privileges held by shell user
LG Spectrum Dan Rosenburg No Requires privileges held by shell user
LG Esteem Dan Rosenburg No Requires privileges held by shell user
Sony Tablet S Dan Rosenburg No Requires privileges held by shell user
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment