|
|
@@ -256,7 +256,7 @@ ls: /proc/net/ip6_tables_names: No such file or directory
|
|
|
Lastly, we need a signed executable to run or a script (scripts do work because the interpreter, busybox is signed). Unfortunately, busybox, if run this way will instantly drop its privileges.
|
|
|
Also, we cannot pass `LD_PRELOAD` to an `execv` call so the only way is to actually swap a library used by a signed executable that we can call.
|
|
|
|
|
|
-Luckily, on my device there are two user-installed apps (every working terminal must have at least one) and they both use shared libraries with are writeable by the low privileged user. I wouldn't say that this itself is some kind of vulnerability because our current user is indeed the user responsible for installing (and thus if required overwriting) the applications and their assets.
|
|
|
+Luckily, on my device there are two user-installed apps (every working terminal must have at least one) and they both use shared libraries which are writeable by the low privileged user. I wouldn't say that this itself is some kind of vulnerability because our current user is indeed the user responsible for installing (and thus if required overwriting) the applications and their assets.
|
|
|
|
|
|
|
|
|
So, some simple code like:
|
|
|
@@ -313,7 +313,7 @@ These libraries, on the device are in `/data/app/MAINAPP/lib/`. I choose to over
|
|
|
/data/app/MAINAPP $ id
|
|
|
uid=999(MAINAPP) gid=999(MAINAPP) groups=1(system),2(hwdev),999(MAINAPP),999(MAINAPP)
|
|
|
/data/app/MAINAPP $ xtables-multi ip6tables -t nat -L --modprobe=/data/app/MAINAPP/bin/MablApp
|
|
|
-Test ld_preload
|
|
|
+LD_PRELOAD is working!
|
|
|
My UID is: 0. My GID is: 999. My EUID is: 0
|
|
|
|
|
|
|
|
|
@@ -393,4 +393,4 @@ EOD
|
|
|
[..]
|
|
|
```
|
|
|
|
|
|
-...
|
|
|
+...
|
