Root exploits
Here is a list of all the exploits that I could find to obtain root on Android. We would like to port as many of these as possible into drozer. Please feel free to correct or contribute to this list, but more importantly to help us port them :) A list of all known root exploits is maintained (not by me) at https://docs.google.com/spreadsheet/pub?key=0Am5hHW4ATym7dGhFU1A4X2lqbUJtRm1QSWNRc3E0UlE&single=true&gid=0&output=html
| Exploit | Reference | Possible to port to drozer? | Comment |
|---|---|---|---|
| Exploid | CVE-2009-1185 | Yes | |
| Gingerbreak | CVE-2011-1823 | Yes | Requires drozer with READ_LOGS permission |
| Mempodroid | CVE-2012-0056 | Yes | Needs a SUID binary that writes something deterministic to a file descriptor. But run-as only works as root or shell user, hence on stock Android this will not work from an app |
| Wunderbar | CVE-2009-2692 | Yes | |
| ZergRush | CVE-2011-3874 | Yes | Requires drozer with READ_LOGS permission |
| Zimperlich / Zygote | c-skills blog | Yes | Exploits the zygote setuid() bug |
| Exynos | CVE-2012-6422 | Yes | Done - testing completed on Galaxy S3 + S2 |
| ZTE sync_agent | CVE-2012-2949 | Yes | Done - still requires testing |
| cmdclient | xdadevelopers / Dan Rosenberg | Yes | Done - still requires testing |
| HTC Butterfly diag | | Yes | |
| Levitator | CVE-2011-1352 | Unclear | Requires access to /dev/pvrsrvkm - what are the permissions on this? |
| Thinkpad Tablet | Dan Rosenberg | Unclear | Runs thinkpwn binary |
| Droid 4 (motofail) | Dan Rosenberg | Unclear | Runs motofail binary |
| XYBoard/Xoom 2 | Dan Rosenberg | Unclear | Runs xyz binary |
| KillingInTheNameOf | CVE-2010-743C | No | Remaps the Android property space as writable, which gives a root shell from the shell user |
| rageagainstthecage | | No | Exploits the adb setuid() bug |
| psneuter | CVE-2011-1149 | No | Disables access to the property service and so ADB starts as root (Android assumes ro.secure is off) |
| Samsung Admire | Dan Rosenberg | No | Requires privileges held by shell user |
| Droid 3 | Dan Rosenberg | No | Requires privileges held by shell user |
| LG Spectrum | Dan Rosenberg | No | Requires privileges held by shell user |
| LG Esteem | Dan Rosenberg | No | Requires privileges held by shell user |
| Sony Tablet S | Dan Rosenberg | No | Requires privileges held by shell user |