```sh
$ ldd toscoterm
	linux-vdso.so.1 (0x00007fffccfb9000)
	libm.so.6 => /lib/x86_64-linux-gnu/libm.so.6 (0x00007fce9ee20000)
	libglib-2.0.so.0 => /lib/x86_64-linux-gnu/libglib-2.0.so.0 (0x00007fce9eb00000)
	libgtk-x11-2.0.so.0 => /usr/lib/x86_64-linux-gnu/libgtk-x11-2.0.so.0 (0x00007fce9e4b0000)
	libgdk-x11-2.0.so.0 => /usr/lib/x86_64-linux-gnu/libgdk-x11-2.0.so.0 (0x00007fce9e1f0000)
	libatk-1.0.so.0 => /usr/lib/x86_64-linux-gnu/libatk-1.0.so.0 (0x00007fce9dfc0000)
	libpangocairo-1.0.so.0 => /usr/lib/x86_64-linux-gnu/libpangocairo-1.0.so.0 (0x00007fce9dda0000)
	libgdk_pixbuf-2.0.so.0 => /usr/lib/x86_64-linux-gnu/libgdk_pixbuf-2.0.so.0 (0x00007fce9db70000)
	libpango-1.0.so.0 => /usr/lib/x86_64-linux-gnu/libpango-1.0.so.0 (0x00007fce9d920000)
	libgio-2.0.so.0 => /usr/lib/x86_64-linux-gnu/libgio-2.0.so.0 (0x00007fce9d580000)
	libgobject-2.0.so.0 => /usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0 (0x00007fce9d320000)
	libcairo.so.2 => /usr/lib/x86_64-linux-gnu/libcairo.so.2 (0x00007fce9d000000)
	libX11.so.6 => /usr/lib/x86_64-linux-gnu/libX11.so.6 (0x00007fce9ccb0000)
	libtinfo.so.5 => /lib/x86_64-linux-gnu/libtinfo.so.5 (0x00007fce9ca80000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fce9c6e0000)
	/lib64/ld-linux-x86-64.so.2 (0x00007fce9f200000)
	libpcre.so.3 => /lib/x86_64-linux-gnu/libpcre.so.3 (0x00007fce9c460000)
	libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007fce9c240000)
	libgmodule-2.0.so.0 => /usr/lib/x86_64-linux-gnu/libgmodule-2.0.so.0 (0x00007fce9c030000)
	libXcomposite.so.1 => /usr/lib/x86_64-linux-gnu/libXcomposite.so.1 (0x00007fce9be10000)
	libXdamage.so.1 => /usr/lib/x86_64-linux-gnu/libXdamage.so.1 (0x00007fce9bc00000)
	libXfixes.so.3 => /usr/lib/x86_64-linux-gnu/libXfixes.so.3 (0x00007fce9b9f0000)
	libpangoft2-1.0.so.0 => /usr/lib/x86_64-linux-gnu/libpangoft2-1.0.so.0 (0x00007fce9b7d0000)
	libfontconfig.so.1 => /usr/lib/x86_64-linux-gnu/libfontconfig.so.1 (0x00007fce9b590000)
	libfreetype.so.6 => /usr/lib/x86_64-linux-gnu/libfreetype.so.6 (0x00007fce9b2e0000)
	libXrender.so.1 => /usr/lib/x86_64-linux-gnu/libXrender.so.1 (0x00007fce9b0c0000)
	libXinerama.so.1 => /usr/lib/x86_64-linux-gnu/libXinerama.so.1 (0x00007fce9aeb0000)
	libXi.so.6 => /usr/lib/x86_64-linux-gnu/libXi.so.6 (0x00007fce9aca0000)
	libXrandr.so.2 => /usr/lib/x86_64-linux-gnu/libXrandr.so.2 (0x00007fce9aa90000)
	libXcursor.so.1 => /usr/lib/x86_64-linux-gnu/libXcursor.so.1 (0x00007fce9a880000)
	libXext.so.6 => /usr/lib/x86_64-linux-gnu/libXext.so.6 (0x00007fce9a660000)
	libgthread-2.0.so.0 => /usr/lib/x86_64-linux-gnu/libgthread-2.0.so.0 (0x00007fce9a440000)
	libpng16.so.16 => /usr/lib/x86_64-linux-gnu/libpng16.so.16 (0x00007fce9a200000)
	libthai.so.0 => /usr/lib/x86_64-linux-gnu/libthai.so.0 (0x00007fce99ff0000)
	libz.so.1 => /lib/x86_64-linux-gnu/libz.so.1 (0x00007fce99dd0000)
	libselinux.so.1 => /lib/x86_64-linux-gnu/libselinux.so.1 (0x00007fce99ba0000)
	libresolv.so.2 => /lib/x86_64-linux-gnu/libresolv.so.2 (0x00007fce99980000)
	libmount.so.1 => /lib/x86_64-linux-gnu/libmount.so.1 (0x00007fce99720000)
	libffi.so.6 => /usr/lib/x86_64-linux-gnu/libffi.so.6 (0x00007fce99510000)
	libpixman-1.so.0 => /usr/lib/x86_64-linux-gnu/libpixman-1.so.0 (0x00007fce99260000)
	libxcb-shm.so.0 => /usr/lib/x86_64-linux-gnu/libxcb-shm.so.0 (0x00007fce99050000)
	libxcb.so.1 => /usr/lib/x86_64-linux-gnu/libxcb.so.1 (0x00007fce98e20000)
	libxcb-render.so.0 => /usr/lib/x86_64-linux-gnu/libxcb-render.so.0 (0x00007fce98c10000)
	librt.so.1 => /lib/x86_64-linux-gnu/librt.so.1 (0x00007fce989f0000)
	libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007fce987e0000)
	libharfbuzz.so.0 => /usr/lib/x86_64-linux-gnu/libharfbuzz.so.0 (0x00007fce98540000)
	libexpat.so.1 => /lib/x86_64-linux-gnu/libexpat.so.1 (0x00007fce98310000)
	libdatrie.so.1 => /usr/lib/x86_64-linux-gnu/libdatrie.so.1 (0x00007fce98100000)
	libblkid.so.1 => /lib/x86_64-linux-gnu/libblkid.so.1 (0x00007fce97ea0000)
	libXau.so.6 => /usr/lib/x86_64-linux-gnu/libXau.so.6 (0x00007fce97c90000)
	libXdmcp.so.6 => /usr/lib/x86_64-linux-gnu/libXdmcp.so.6 (0x00007fce97a80000)
	libgraphite2.so.3 => /usr/lib/x86_64-linux-gnu/libgraphite2.so.3 (0x00007fce97850000)
	libuuid.so.1 => /lib/x86_64-linux-gnu/libuuid.so.1 (0x00007fce97640000)
	libbsd.so.0 => /lib/x86_64-linux-gnu/libbsd.so.0 (0x00007fce97410000)
```
三月dev
Friday, March 16, 2018
Partial statically compiled terminal emulator
I ran into a problem: I wanted to use a terminal on a system without libvte installed. So I found this project, named toscoterm, and compiled it partially statically under Ubuntu 14.04 x64. In the ldd output above, libvte no longer appears as a shared-library dependency, while GTK+ 2, X11, GLib and the rest of the stack are still loaded dynamically.
Monday, February 26, 2018
Prevent the Windows taskbar from staying visible when applications are in fullscreen
Sometimes the taskbar stays visible when an application goes fullscreen. Restarting explorer.exe would be a solution, but it is not very elegant. The taskbar window's WS_EX_TOPMOST extended style can be cleared by calling SetWindowPos with HWND_NOTOPMOST, so I wrote a small program to solve this problem.
Tuesday, November 7, 2017
Solving an OpenVPN problem after updating on Debian
Problem:
TCP/UDP: Incoming packet rejected from [AF_INET]123.***.***.170:37828[2], expected peer address: [AF_INET]123.***.***.170:1194 (allow this incoming source address/port by removing --remote or adding --float)
After adding `bind` to the client config, it complains that `--bind` and `--nobind` conflict.
Solved by moving the client config file from `/etc/openvpn/server/tun0.conf` to `/etc/openvpn/client/tun0.conf`.
Saturday, January 7, 2017
An outdated man rooting an Android device in early 2017
I happened to want to root an Android device without any third-party tools, inspired by Dirty COW (CVE-2016-5195), and there happened to be a device I could play with.
First, we need to find out what our device is:
Fig.1 Get information from device
Second, we compile an exploit program. I used timwr's code because it is simple enough. We only need the toolchain provided by Google; I used android-ndk-r13b. The SDK is not needed because we already know the CPU ABI and SDK version. After slightly changing the Makefile and putting the NDK on the PATH with `export PATH=/home/march/android-ndk-r13b/build:$PATH`, we just run `make build`.
Fig.2 Makefile modification
Fig.3 Build our exploit program
We use adb push to transfer our files to the device.
Fig.4 Adb push
Actually, we do not have to use the cross-compile toolchain provided by Google. A standalone arm-linux-gnueabihf-gcc is also capable of producing the target program, such as the su that replaces /system/bin/run-as. However, there is no GNU C library on Android, so you have to link statically, which produces a huge binary, and you cannot use such a huge file to overwrite the small stock program in /system/bin: the exploit overwrites the target's pages in place and cannot grow the file, so the replacement must be no larger than the original (compare the two with `ls -l` before running it).
Now we come to the climax. After `chmod 755 dirtycow` to make dirtycow executable, we run `./dirtycow ./run-as /system/bin/run-as` to exploit and replace run-as. run-as is the target because it is a privileged (setuid) binary, so whatever replaces it runs with those privileges.
Fig.5 Crazy exploit
Within milliseconds, we are rooted! Aha. Run `run-as` to get a root shell, and run `id` to verify.
So now we want to remount /system read-write to do whatever evil we want.
Fig.6 Unable to remount
WHAT??? I'm supposedly root! A root that can't remount /system is no root at all! So what happened? After digging around the internet and asking my Android-expert friend, I found out that this manufacturer disables remount, mount and writes to the /system partition (mmcblk0p27) in the kernel. No way!
Fig.7 Unable to write to mmcblk0p27
What is interesting is that mmcblk0 itself is writable: the blocks that the partition node refuses can still be reached through the whole-disk node at the partition's offset. By the way, I should mention that `chmod 777 /data/local/tmp` is really helpful.
Fig.8 Writable mmcblk0
An idea came to mind. What if I copy the whole /system partition, mount it on my own computer, add su and all the other evil stuff, and finally write it back to the device? Sounds reasonable.
First of all, we have to find the device's partition map. At first I looked for it somewhere in /etc and in boot.img. Nothing! I found nothing! It looks like the partition layout is hard-coded in the kernel. No way again!
Thanks to the internet, a pre-compiled parted is easy to find. (It will run as root on the device, so check it against a build you trust before using it.)
Fig.9 Partition map
Let's pull out /system (number 27 in Fig.9)! Be careful with the following two commands. If you mess up, especially with the second one, your device becomes nothing but a brick.
```sh
# change skip, seek and count according to your own device !!!
dd if=/dev/block/mmcblk0 of=/data/local/tmp/zzzz bs=1024 count=921600 skip=329264
dd of=/dev/block/mmcblk0 if=/data/local/tmp/zzzz bs=1024 count=921600 seek=329264
```
Here bs=1024 means each unit is 1 KiB; skip applies to the input and seek to the output, so skip=329264 and count=921600 are the partition's start offset and size in 1 KiB units, taken from the parted output. The first command copies the partition out to a temporary file, and the second writes that file back to the same place.
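As an added example (not from the original post or from timwr's code), here is a device-side shell script that derives the skip, seek and count values from the partition's start and size in 512-byte sectors, dumps /system through the whole-disk node as above, and hashes the live partition against the image before and after the write-back, so a short or corrupt copy is caught before anything is overwritten. It assumes that /system is mmcblk0p27 as in Fig.9, that the device exposes /sys/class/block/mmcblk0p27/start and size (an alternative to the pre-compiled parted; parted's `unit s` reports the same sector values), and that the device's toybox provides dd, sha256sum and wc. The script name system_dd.sh is hypothetical, and the self-check values 658528 and 1843200 are constructed to reproduce the post's own skip=329264 and count=921600.

```shell
#!/bin/sh
# Added example, not the post's own commands.  Usage on the device, from the
# root shell obtained above:
#   sh system_dd.sh backup    # dump /system to $IMG and verify the copy
#   sh system_dd.sh restore   # write $IMG back and verify the disk matches
# Assumptions: /system is mmcblk0p27 (Fig.9); sysfs exposes start/size;
# toybox dd, sha256sum and wc are available.

DISK=/dev/block/mmcblk0
PART=mmcblk0p27                 # assumption: the /system partition from Fig.9
IMG=/data/local/tmp/system.img

# Convert a partition's start and size in 512-byte sectors (as reported by
# /sys/class/block/<part>/start and /size, or by parted with "unit s") into
# the skip/seek and count values for dd with bs=1024.  Prints "skip count".
# Fails unless both are whole 1 KiB blocks, because a rounded-down count
# would silently dump and restore a short image.
sectors_to_kib() {
    start=$1
    size=$2
    [ "$((start % 2))" -eq 0 ] && [ "$((size % 2))" -eq 0 ] || return 1
    echo "$((start / 2)) $((size / 2))"
}

# Read start/size of $PART from sysfs and print "skip count" in 1 KiB units.
part_dd_args() {
    sectors_to_kib "$(cat /sys/class/block/$PART/start)" \
                   "$(cat /sys/class/block/$PART/size)"
}

# Compare two sha256sum output lines ("<hex>  <name>"); 0 when digests match.
same_digest() {
    [ "${1%% *}" = "${2%% *}" ]
}

# Dump the partition through the whole-disk node (the partition node itself
# is what the kernel refuses), then hash the live partition and the dump so
# a truncated or corrupted read is noticed before anything is written back.
backup_system() {
    args=$(part_dd_args) || return 1
    set -- $args
    dd if=$DISK of=$IMG bs=1024 skip=$1 count=$2 || return 1
    same_digest "$(dd if=$DISK bs=1024 skip=$1 count=$2 2>/dev/null | sha256sum)" \
                "$(sha256sum < $IMG)"
}

# Write the (modified) image back at the same offset and re-read the disk to
# confirm it matches the image.  The image must be exactly the partition
# size: a larger one would spill into whatever partition follows /system.
restore_system() {
    args=$(part_dd_args) || return 1
    set -- $args
    [ "$(wc -c < $IMG)" -eq "$(($2 * 1024))" ] || return 1
    dd if=$IMG of=$DISK bs=1024 seek=$1 count=$2 || return 1
    same_digest "$(dd if=$DISK bs=1024 skip=$1 count=$2 2>/dev/null | sha256sum)" \
                "$(sha256sum < $IMG)"
}

case "${1:-}" in
    backup)  backup_system ;;
    restore) restore_system ;;
esac
```

Between the backup and restore steps the image is pulled, mounted and modified on the host and pushed back, exactly as the post describes; the size check in restore_system is what keeps a resized image from overwriting the next partition, and the post-write hash comparison is the cheapest way to know the bytes landed before rebooting.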
I'm not going deeper into how to put files into this partition image. There are tons of articles telling you how to place su in /system correctly and set the 4755 mode.
Fig.10 Mount and umount partition
You can transfer the image file to and from the device with adb:
Fig.11 Adb pull and push
Don't forget to reboot the device after writing back /system! The kernel still has /system mounted read-only from that partition with the old contents cached, so the change only takes effect after a reboot (on devices that enforce dm-verity, the modified partition would fail verification at boot instead).
Finally, we get a rooted device.
Fig.12 Rooted device
Have fun!
... and, one more thing:
Fig.13 The stupid device refuses to update because it's rooted.
: )