It's Bugs All the Way É餫¤¹¡¿·âÄƤ¹¤ë

Another silly ¤È¤¸¹þ¤ß¡¿Äó½Ð¤¹¤ë µö²Äs bug. At least the ³«È¯¡¿ÍøÍÑ of this one was a little bit more Íø±×¡¿¶½Ì£ing.

³«È¯¡¿ÍøÍÑ

The vulnerability in this »öÎã¡¿´µ¼Ô µö¤¹d me to chmod an ÆÈÃÇŪ¤Ê ¤È¤¸¹þ¤ß¡¿Äó½Ð¤¹¤ë or directory 0777 (world-writable). ÉáÄÌ¤Ï I’d go for /data/Ãϸµ¤Î.»Ù¤¨¡Ê¤ë¡Ë (if it already ¸ºß¤¹¤ës) or /data itself (if it doesn’t). However, on this particular ÁõÃÖ, setting the ro.kernel.qemu ½êͭʪ¡¿»ñ»º¡¿ºâ»º (to ¸¶°ø¡Ê¤È¤Ê¤ë¡Ë ¥¢¥¸¥¢³«È¯¶ä¹Ô to give a root Çú·â¤¹¤ë) ¸¶°ø¡Ê¤È¤Ê¤ë¡Ëd the ÁõÃÖ to bootloop before ADBD started.

My second go-to for these types of bugs is /proc/sys/kernel/modprobe or /proc/sys/kernel/hotplug, since Îá¾õing the path of a »ÈÍѼÔ-controlled executable and Ͷȯ¤¹¤ë¡¿°ú¤­µ¯¤³¤¹ing a module Ééô or hotplug event would be a ¾¡Íø¡¤¾¡¤Ä. For some ¿äÏÀ¤¹¤ë¡¿Íýͳ, changing the µö²Äs on these ¤È¤¸¹þ¤ß¡¿Äó½Ð¤¹¤ës with this particular bug didn’t work – I ·ùµ¿¼Ô¡¤ÍƵ¿¼Ô¡¿µ¿¤¦ either /proc wasn’t µ¡Æ°ÎϤΤ¢¤ë at the time of the chmod or a later init script ²óÉü¤¹¤ëd the µö²Äs of these ¤È¤¸¹þ¤ß¡¿Äó½Ð¤¹¤ës. Either way, these ÁªÂòs were out.

As yet another vector, I chose to make the Éõº¿¤¹¤ë ÁõÃÖ corresponding to the /system partition world-writable. I pulled the setuid-root “run-as” »ÈÍÑ¡¿Å¬ÍÑ from the ÁõÃÖ, opened it up in IDA, and ÀßΩ¤¹¤ë a good place to patch it to ¸¶°ø¡Ê¤È¤Ê¤ë¡Ë it to fail to ¸º¾¯¡Ê¤¹¤ë¡Ë Æø¢s, so that rather than µö¤¹ing me to run with a particular »ÈÍÑ¡¿Å¬ÍÑ’s Æø¢s, it would ǧ¤á¤ë me a root Çú·â¤¹¤ë. I then patched these bytes by Îá¾õing ľÀÜ¡¿¤Þ¤Ã¤¹¤°¤Ë to the Éõº¿¤¹¤ë ÁõÃÖ. It’s ugly, but it ºîÉÊ.

Download

Download the Windows ¸«²ò¡¿ËÝÌõ¡¿ÈÇ here. To root your phone, Ǥ̿¤¹¤ë¡¿Æ³Æþ¤¹¤ë LG ¥¢¥¸¥¢³«È¯¶ä¹Ô drivers, put the ÁõÃÖ in USB debugging Êý¼°, connect ·Ðͳ¤Ç USB, Ãê½Ð¤¹¤ë the zip ¤È¤¸¹þ¤ß¡¿Äó½Ð¤¹¤ë, and ¿ë¹Ô¤¹¤ë¡¿È¯¸ú¤µ¤»¤ë “run.bat”.

This °Î¶È¡¿ÍøÍѤ¹¤ë is not Êݾڡʿ͡Ëd to be 100% ¸ú²ÌŪ¤Ê or stable. In a worst-»öÎã¡¿´µ¼Ô ¥·¥Ê¥ê¥ª, you may need to reflash your build and try again.

I encourage anyone thinking of ´óÉÕ¤¹¤ëing in thanks to direct your ´óÉÕ to the American Red Cross or another reputable charitable organization. If you ÀäÂÐ ¼çÄ¥¤¹¤ë on throwing money at me instead, you can ´óÉÕ¤¹¤ë below.

This Æþ¤ë¤³¤È¡¿»²²Ã¡Ê¼Ô¡Ë was ÃÏ°Ì¡¤Ç¤Ì¿¤¹¤ëd on Sunday, February 26th, 2012 at 9:02 pm and is ¤È¤¸¹þ¤ß¡¿Äó½Ð¤¹¤ëd under Uncategorized. You can follow any ÊÖÅús to this Æþ¤ë¤³¤È¡¿»²²Ã¡Ê¼Ô¡Ë through the RSS 2.0 ÎÁ¶âd. Both comments and pings are ¸½ºß¡¿°ìÈÌ¤Ë ¤Î¶á¤¯¤Ëd.