Android Root Methods: Principle Analysis and Hooking (Part 4) GingerBreak
16lz
2021-01-26
The attack principle is the same as zergRush's; in fact zergRush's code is derived from GingerBreak. Both first crash the vold process, collect the debugging information from logcat, and then have the vold process execute malicious shellcode (boomsh) with root privileges.
It exploits a vulnerability in the handlePartitionAdded() function of Android's /system/vold/DirectVolume.cpp.
```cpp
void DirectVolume::handlePartitionAdded(const char *devpath, NetlinkEvent *evt) {
    int major = atoi(evt->findParam("MAJOR"));
    int minor = atoi(evt->findParam("MINOR"));
    int part_num;
    const char *tmp = evt->findParam("PARTN");
    if (tmp) {
        part_num = atoi(tmp);
    } else {
        SLOGW("Kernel block uevent missing 'PARTN'");
        part_num = 1;
    }

    if (part_num > mDiskNumParts) {
        mDiskNumParts = part_num;
    }
    ...
    // attack point: part_num < 1 is never rejected, so a negative PARTN
    // makes mPartMinors[part_num - 1] write before the start of the array
    if (part_num > MAX_PARTITIONS) {
        SLOGE("Dv:partAdd: ignoring part_num = %d (max: %d)\n", part_num, MAX_PARTITIONS);
    } else {
        mPartMinors[part_num - 1] = minor;
    }
    --mPendingPartsCount;
    ...
}
```
Android's fix patch and my hook code (lines marked + are the added check):
```diff
 // LOG_TAG must be defined before cutils/log.h is included, or SLOGE/SLOGW log under a NULL tag
 #define LOG_TAG "gingerbreakhooker"
 #include <cutils/log.h>
 void DirectVolume::handlePartitionAdded(const char *devpath, NetlinkEvent *evt) {
     int major = atoi(evt->findParam("MAJOR"));
     int minor = atoi(evt->findParam("MINOR"));
     int part_num;
     const char *tmp = evt->findParam("PARTN");
     if (tmp) {
         part_num = atoi(tmp);
     } else {
         SLOGW("Kernel block uevent missing 'PARTN'");
         part_num = 1;
     }
+    if (part_num > MAX_PARTITIONS || part_num < 1) {
+        SLOGE("Invalid 'PARTN' value");
+        return;
+    }
     if (part_num > mDiskNumParts) {
         mDiskNumParts = part_num;
     }
     ...
     if (part_num >= MAX_PARTITIONS) {
         SLOGE("Dv:partAdd: ignoring part_num = %d (max: %d)\n", part_num, MAX_PARTITIONS);
     } else {
         mPartMinors[part_num - 1] = minor;
     }
     mPendingPartMap &= ~(1 << part_num);
     ...
 }
```
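As an added example (not the author's hook code and not AOSP source), a simulated handler in C++ that shows the index the unchecked version would compute from a constructed PARTN uevent, and the patched range check that rejects it before the index is used. FakeNetlinkEvent, makeEvent and the MAX_PARTITIONS value are stand-ins for the real vold types.

```cpp
#include <cstdlib>
#include <map>
#include <string>

// Stand-in for vold's partition table size (the real value lives in DirectVolume.h).
static const int MAX_PARTITIONS = 8;

// Minimal stand-in for NetlinkEvent: just the key/value pairs of one uevent.
struct FakeNetlinkEvent {
    std::map<std::string, std::string> params;
    const char* findParam(const char* key) const {
        std::map<std::string, std::string>::const_iterator it = params.find(key);
        return it == params.end() ? NULL : it->second.c_str();
    }
};

// Builds a constructed block uevent; pass partn = NULL to omit PARTN entirely.
FakeNetlinkEvent makeEvent(const char* partn, const char* minor) {
    FakeNetlinkEvent evt;
    evt.params["MAJOR"] = "179";
    evt.params["MINOR"] = minor;
    if (partn) evt.params["PARTN"] = partn;
    return evt;
}

// The index the unpatched code would use for mPartMinors[part_num - 1],
// computed without dereferencing anything. Negative means out of bounds.
int rawIndex(const FakeNetlinkEvent& evt) {
    const char* tmp = evt.findParam("PARTN");
    int part_num = tmp ? atoi(tmp) : 1;   // vold falls back to 1 when PARTN is absent
    return part_num - 1;
}

// Patched behaviour: PARTN must be in [1, MAX_PARTITIONS) before it is used
// as an index. Returns the validated part_num, or -1 to signal rejection.
int validatedPartNum(const FakeNetlinkEvent& evt) {
    int part_num = rawIndex(evt) + 1;
    if (part_num < 1 || part_num >= MAX_PARTITIONS) return -1;
    return part_num;
}

// Simulated handler: stores minor into parts[part_num - 1] only after validation.
// Returns false where the patched vold logs "Invalid 'PARTN' value" and returns.
bool handlePartitionAdded(const FakeNetlinkEvent& evt, int* parts) {
    int part_num = validatedPartNum(evt);
    if (part_num < 0) return false;
    parts[part_num - 1] = atoi(evt.findParam("MINOR"));
    return true;
}
```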