Vulnerability-zergrush (Supplement)

See the previous section.

Http://blog.csdn.net/tomken_zhang/article/details/6866260

 

We have not carefully analyzed the source and Utilization of the vulnerabilities in the previous article, but now we have gained some benefits and made a special record.

 

As mentioned above, a piece of socket data is sent to vold, and then vold crashes. The willingness to crash is stack overflow. Where does it actually overflow? It is actually in zergrush. as mentioned in C, the header of the file is written to libsysutils Root Exploit, which means that this library has a vulnerability that is used by the vold process, which is the root user capability.

 

Find the libsysutils Code. At \ android2.32 \ System \ core \ libsysutils \ SRC, there are not many files. I found a function problem only after tracing the benefits, relatively painful and roundabout. (Less experience !)

Frameworklistener. cpp File

> Ondataavailable receives socket data.

> Read-Only buffer of 255

> Dispatchcommand: allocate data

void FrameworkListener::dispatchCommand(SocketClient *cli, char *data) {    FrameworkCommandCollection::iterator i;    int argc = 0;    char *argv[FrameworkListener::CMD_ARGS_MAX];    char tmp[255];    char *p = data;    char *q = tmp;    bool esc = false;    bool quote = false;    int k;    memset(argv, 0, sizeof(argv));    memset(tmp, 0, sizeof(tmp));    while(*p) {        if (*p == '\\') {            if (esc) {                *q++ = '\\';                esc = false;            } else                esc = true;            p++;            continue;        } else if (esc) {            if (*p == '"')                *q++ = '"';            else if (*p == '\\')                *q++ = '\\';            else {                cli->sendMsg(500, "Unsupported escape sequence", false);                goto out;            }            p++;            esc = false;            continue;        }        if (*p == '"') {            if (quote)                quote = false;            else                quote = true;            p++;            continue;        }        *q = *p++;        if (!quote && *q == ' ') {            *q = '\0';            argv[argc++] = strdup(tmp);            memset(tmp, 0, sizeof(tmp));            q = tmp;            continue;        }        q++;    }    argv[argc++] = strdup(tmp);#if 0    for (k = 0; k < argc; k++) {        SLOGD("arg[%d] = '%s'", k, argv[k]);    }#endif    if (quote) {        cli->sendMsg(500, "Unclosed quotes error", false);        goto out;    }        for (i = mCommands->begin(); i != mCommands->end(); ++i) {        FrameworkCommand *c = *i;        if (!strcmp(argv[0], c->getCommand())) {            if (c->runCommand(cli, argc, argv)) {                SLOGW("Handler '%s' error (%s)", c->getCommand(), strerror(errno));            }            goto out;        }    }    cli->sendMsg(500, "Command not recognized", false);out:    int j;    for (j = 0; j < argc; j++)        free(argv[j]);    return;}

 

Overflow occurs on the stack variable argv [frameworklistener: cmd_args_max,

Frameworklistener: pai_args_max = 16 in the source code.

        *q = *p++;        if (!quote && *q == ' ') {            *q = '\0';            argv[argc++] = strdup(tmp);            memset(tmp, 0, sizeof(tmp));            q = tmp;            continue;        }        q++;

Here, argc ++ is performed by judging whether the incoming data is free, and the maximum subscript is obviously 16. If we specially transmit strings separated by more than 16 spaces, it will overflow.

To verify, put this code on the PC to write a function, compile it, and the result is indeed overflow.

 

Look back at zergrush. C.

In the do_fault function. Indeed, a 255 Buf is defined, which is as long as the Received Buffer. A bunch of strcat functions are used to put related fields,

There is another loop,

For (I = 3; I <buffsz + 1; I ++)
Strcat (BUF, "ZZZZ ");

More

Then some "addresses" are put. In fact, these addresses are a shellcode, which aims to overwrite the register LR and push it to the stack data space. Finally, the entire Elevation of Privilege is completed.

 

Stack Overflow Principle

When a function enters another function (in typical cases), the program will import the function parameters and some environments (registers, including reverse return address LR registers) into the stack space for storage.

At the same time, the function stack variables will also be placed in the stack space when the new function is executed, which is roughly as follows:

void func(int a, int b) {        int var;        return;}int main() {        func(1, 2)        do_somting();        return;}

When calling func,

Stack is like this:

>>>>> 2 (the value of B)

>>>>> 1 (the value of)

>>>>> VaR value

>>>>> The General Register to be pushed for this function, such as R0

>>>>> The LR reverse return address actually points to the do_somting address.

 

When the value assignment of VaR overflows, it will overwrite some of the following registers. If it is replaced properly, the abnormal process of the program is completed.

 

The above is probably the case. The actual situation is actually more complicated and I don't understand it. In addition, the PC and mobile phone are not the same. For reference only!