README.md
Imanol-Mikel Barba Sabariego authored
REQUIREMENTS
============
Debian packages:
* gcc-arm-linux-gnueabi (cross-compiler used to build Busybox for the device)
* dialog
* build-essential

Android SDK:
* adb (on $PATH)
* NDK bundle (needed to build the CVE-2016-5195 exploit)

PROCEDURE FOR IMAGING
=====================

1. Put the device in airplane mode so nothing changes on it over the network while it is being imaged.
2. Exploit to get root (see EXPLOITS below).
3. (on host) adb forward tcp:8000 tcp:8000
4. (on device, as root) dd if=/dev/block/mmcblk0 conv=noerror,sync | gzip | nc -l -p 8000
   /dev/block/mmcblk0 is the whole eMMC; conv=noerror,sync keeps going past read errors and pads the bad block with zeros so offsets in the image stay correct. The listener must be up before the host connects, otherwise the forwarded connection is dropped and you end up with an empty file.dd.
5. (on recipient) nc -w 3 localhost 8000 | gunzip | tee file.dd | sha256sum | tee file.dd.sha256
   The hash is taken over the decompressed bytes, i.e. over file.dd exactly as written, so `sha256sum file.dd` can be checked against file.dd.sha256 at any later time without the device.
6. Crack a cold brewski with THE FUCKING LADS
7. Profit!
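The host side of the procedure above as a script, added here as an example and not part of the repository's tooling. It assumes adb on $PATH, a host `nc` that can connect to localhost, busybox dd/gzip/nc on the device, and that root is reachable through `su -c` (an assumption: change ROOT_CMD to however the exploit hands out root). Receiving and verifying are separate functions so they can be exercised against a local gzip stream without a device attached.

```bash
#!/usr/bin/env bash
# Host-side helper for the imaging procedure in the README.  Added example, not
# part of the repository's tooling.  Assumptions: adb on $PATH, a host `nc` that
# can connect to localhost, busybox dd/gzip/nc on the device, and root reachable
# via `su -c` (assumed; change ROOT_CMD to however the exploit hands out root).
set -euo pipefail

PORT=8000                      # must match `adb forward` and the device listener
BLOCKDEV=/dev/block/mmcblk0    # whole eMMC, as in the README
ROOT_CMD="su -c"               # assumption, see header comment

# receive_stream OUT
# Read a gzip stream from stdin, write the decompressed image to OUT and record
# the SHA-256 of the decompressed bytes in OUT.sha256 in `sha256sum -c` format.
# Hashing after gunzip means the recorded value is the hash of file OUT itself,
# so it can be re-verified later without the device.
receive_stream() {
    local out=$1
    gunzip -c | tee "$out" | sha256sum | awk -v f="$out" '{ print $1 "  " f }' > "$out.sha256"
}

# verify_image OUT
# Re-hash OUT on disk and compare against OUT.sha256; non-zero exit on mismatch.
verify_image() {
    local out=$1
    sha256sum -c --quiet "$out.sha256"
}

# image_device OUT
# Steps 3-5 of the README in the order that works: the forward, then the
# device-side listener, then the host-side client.  If the host connects before
# the device is listening, adb drops the forwarded connection and OUT is empty.
image_device() {
    local out=$1
    adb forward "tcp:$PORT" "tcp:$PORT"
    adb shell "$ROOT_CMD 'dd if=$BLOCKDEV conv=noerror,sync | gzip | nc -l -p $PORT'" &
    sleep 2                     # give the listener time to come up
    nc -w 3 localhost "$PORT" | receive_stream "$out"
    wait                        # collect the device-side pipeline's exit status
    verify_image "$out"
    echo "image: $out  sha256: $(cut -d' ' -f1 "$out.sha256")"
}

# Nothing runs unless asked, so the functions can be sourced or tested alone.
case "${1:-}" in
    image)  image_device "${2:-image.dd}" ;;
    verify) verify_image "${2:-image.dd}" ;;
esac
```

Usage: `./image.sh image case42.dd` to acquire, `./image.sh verify case42.dd` to re-check the stored hash later. Unlike the one-liner in step 5, the hash is written in `sha256sum -c` format so the same file doubles as the verification manifest.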

PROCEDURE FOR BUSYBOX
=====================
(in the tools/busybox-android folder)
1. ./build.sh   (cross-compiles Busybox with gcc-arm-linux-gnueabi)
2. ./deploy.sh  (pushes the binary to the device over adb)

NOTES
=====
- The dumped image appears to use an MSDOS (MBR) partition table.
- **WARNING** The CVE-2016-5195 exploit writes into the page cache of a read-only file (run-as). Those pages are normally never written back to flash, so the change disappears on reboot, but on some devices it HAS been written back and the modification became permanent. For that reason a copy of run-as is downloaded along with the disk image; after the post-imaging reboot, compare the on-device run-as against a known-good copy, since a permanently replaced run-as leaves the device vulnerable and is a change to the evidence that has to be documented.

EXPLOITS
========
* **[PATCHED]** Dirty COW (CVE-2016-5195): root obtained through the exploit persists until reboot. Patched on devices with the 1 December 2016 Security Patch Level.

DEVEL TODO's
============
* [CVE-2014-3153] Adapt and try
* [CVE-2016-5195] dcow sometimes does not overwrite all bytes of the original file; the exploit then needs several tries or a reboot
* [CVE-2017-0781] BlueBorne. See https://jesux.es/exploiting/blueborne-android-6.0.1/
* Logging system