From c757a1b18903a313b1fa8389f5dd9fa2a287d90e Mon Sep 17 00:00:00 2001 From: Giulio Date: Sat, 31 Oct 2020 22:28:05 +0100 Subject: [PATCH] Minor fixes --- Readme.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/Readme.md b/Readme.md index 3972c39..5b62863 100644 --- a/Readme.md +++ b/Readme.md @@ -256,7 +256,7 @@ ls: /proc/net/ip6_tables_names: No such file or directory Lastly, we need a signed executable to run or a script (scripts do work because the interpreter, busybox is signed). Unfortunately, busybox, if run this way will instantly drop its privileges. Also, we cannot pass `LD_PRELOAD` to an `execv` call so the only way is to actually swap a library used by a signed executable that we can call. -Luckily, on my device there are two user-installed apps (every working terminal must have at least one) and they both use shared libraries with are writeable by the low privileged user. I wouldn't say that this itself is some kind of vulnerability because our current user is indeed the user responsible for installing (and thus if required overwriting) the applications and their assets. +Luckily, on my device there are two user-installed apps (every working terminal must have at least one) and they both use shared libraries which are writeable by the low privileged user. I wouldn't say that this itself is some kind of vulnerability because our current user is indeed the user responsible for installing (and thus if required overwriting) the applications and their assets. So, some simple code like: @@ -313,7 +313,7 @@ These libraries, on the device are in `/data/app/MAINAPP/lib/`. I choose to over /data/app/MAINAPP $ id uid=999(MAINAPP) gid=999(MAINAPP) groups=1(system),2(hwdev),999(MAINAPP),999(MAINAPP) /data/app/MAINAPP $ xtables-multi ip6tables -t nat -L --modprobe=/data/app/MAINAPP/bin/MablApp -Test ld_preload +LD_PRELOAD is working! My UID is: 0. My GID is: 999. My EUID is: 0 
@@ -393,4 +393,4 @@ EOD [..] ``` -... \ No newline at end of file +...
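Review bot: In the first Readme.md hunk (@@ -256), the corrected sentence still reads "low privileged user" and "(and thus if required overwriting)". While this line is being touched, hyphenate to "low-privileged user" and punctuate the parenthetical as "(and thus, if required, overwriting)". The unchanged context line above it has a similar slip in "the interpreter, busybox is signed", which needs a comma after "busybox". The paragraph would also be clearer if it said explicitly whether the signature check covers the shared libraries, since the visible text only says the executable or interpreter is signed and that the libraries are writable by the same user.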
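Review bot: In the second hunk (@@ -313), the new sample output "LD_PRELOAD is working!" sits oddly with the text in the first hunk, which says `LD_PRELOAD` cannot be passed to the `execv` call and that a library is swapped instead. Check that this string matches what the code sample in the README actually prints, and consider wording that names the replaced library rather than LD_PRELOAD so readers do not assume the environment variable was used. The same line reports UID 0 and EUID 0 but GID 999 directly after `id` showed uid=999, so a sentence after the block explaining why only the user ID changes would help.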