android6.0/7.0打开系统权限

本文介绍如何修改SU源码,绕过权限检查,实现任意用户切换到ROOT,并重新编译SU。


首先找到 system\extras\su\ 目录,然后打开其中的 su.c 文件。

找到main函数,如下:

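/*
 * su entry point: switch to the requested uid/gid/supplementary groups
 * (default: root) and exec the given command (default: /system/bin/sh).
 *
 * argv[1], when present and not a help flag, is "UID[,GID[,GID2...]]";
 * any remaining arguments are the command and its arguments.
 * Never returns on success (the process image is replaced by execvp);
 * exits non-zero via error(3) on any failure.
 */
int main(int argc, char** argv) {
    // Caller check: only root and the shell user may use su.  This is the
    // program's entire access control -- everything below runs with the
    // privileges needed to call setuid(0).
    uid_t current_uid = getuid();
    if (current_uid != AID_ROOT && current_uid != AID_SHELL) error(1, 0, "not allowed");

    // Handle -h and --help.
    ++argv;
    if (*argv && (strcmp(*argv, "--help") == 0 || strcmp(*argv, "-h") == 0)) {
        // Line breaks were written as "/n" in the pasted source; "\n" is intended.
        fprintf(stderr,
                "usage: su [UID[,GID[,GID2]...]] [COMMAND [ARG...]]\n"
                "\n"
                "Switch to WHO (default 'root') and run the given command (default sh).\n"
                "\n"
                "where WHO is a comma-separated list of user, group,\n"
                "and supplementary groups in that order.\n"
                "\n");
        return 0;
    }

    // The default user is root.
    uid_t uid = 0;
    gid_t gid = 0;

    // If there are any arguments, the first argument is the uid/gid/supplementary groups.
    if (*argv) {
        gid_t gids[10];
        // In: capacity of gids[]; out: number of groups actually parsed.
        int gids_count = sizeof(gids)/sizeof(gids[0]);
        extract_uidgids(*argv, &uid, &gid, gids, &gids_count);
        if (gids_count) {
            if (setgroups(gids_count, gids)) {
                error(1, errno, "setgroups failed");
            }
        }
        ++argv;
    }

    // Order matters: groups and gid are changed while still privileged;
    // the uid is changed last because it is the step that gives up root.
    if (setgid(gid)) error(1, errno, "setgid failed");
    if (setuid(uid)) error(1, errno, "setuid failed");

    // Reset parts of the environment.
    setenv("PATH", _PATH_DEFPATH, 1);
    unsetenv("IFS");
    struct passwd* pw = getpwuid(uid);
    // getpwuid() returns NULL for an unknown uid; report that instead of
    // dereferencing a null pointer below.
    if (pw == NULL) error(1, errno, "getpwuid failed");
    setenv("LOGNAME", pw->pw_name, 1);
    setenv("USER", pw->pw_name, 1);

    // Set up the arguments for exec.  argc + 1 slots is always enough:
    // at most argc - 1 arguments remain, plus the default shell, plus NULL.
    char* exec_args[argc + 1];
    size_t i = 0;
    for (; *argv != NULL; ++i) {
        exec_args[i] = *argv++;
    }
    // Default to the standard shell.
    if (i == 0) exec_args[i++] = "/system/bin/sh";
    exec_args[i] = NULL;

    // PATH was reset above, so execvp() only searches the default path.
    execvp(exec_args[0], exec_args);
    error(1, errno, "failed to exec %s", exec_args[0]);
}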

 

然后把该函数中的如下两行代码注释掉:

     uid_t current_uid = getuid();
   if (current_uid != AID_ROOT && current_uid != AID_SHELL) error(1, 0, "not allowed"); 

即改为

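/*
 * su entry point with the caller check disabled: switch to the requested
 * uid/gid/supplementary groups (default: root) and exec the given command
 * (default: /system/bin/sh).
 *
 * argv[1], when present and not a help flag, is "UID[,GID[,GID2...]]";
 * any remaining arguments are the command and its arguments.
 * Never returns on success (the process image is replaced by execvp);
 * exits non-zero via error(3) on any failure.
 */
int main(int argc, char** argv) {
    // NOTE(review): the commented-out block was su's only access control.
    // With it disabled, su no longer checks who invoked it, so every caller
    // that can run this binary ends up at the target uid (root by default).
    // On any image that ships this binary that is a privilege-escalation
    // path; the check belongs back in for anything other than a local
    // debug/engineering build.
    /*
    uid_t current_uid = getuid();
    if (current_uid != AID_ROOT && current_uid != AID_SHELL) error(1, 0, "not allowed");
    */

    // Handle -h and --help.
    ++argv;
    if (*argv && (strcmp(*argv, "--help") == 0 || strcmp(*argv, "-h") == 0)) {
        // Line breaks were written as "/n" in the pasted source; "\n" is intended.
        fprintf(stderr,
                "usage: su [UID[,GID[,GID2]...]] [COMMAND [ARG...]]\n"
                "\n"
                "Switch to WHO (default 'root') and run the given command (default sh).\n"
                "\n"
                "where WHO is a comma-separated list of user, group,\n"
                "and supplementary groups in that order.\n"
                "\n");
        return 0;
    }

    // The default user is root.
    uid_t uid = 0;
    gid_t gid = 0;

    // If there are any arguments, the first argument is the uid/gid/supplementary groups.
    if (*argv) {
        gid_t gids[10];
        // In: capacity of gids[]; out: number of groups actually parsed.
        int gids_count = sizeof(gids)/sizeof(gids[0]);
        extract_uidgids(*argv, &uid, &gid, gids, &gids_count);
        if (gids_count) {
            if (setgroups(gids_count, gids)) {
                error(1, errno, "setgroups failed");
            }
        }
        ++argv;
    }

    // Order matters: groups and gid are changed while still privileged;
    // the uid is changed last because it is the step that gives up root.
    if (setgid(gid)) error(1, errno, "setgid failed");
    if (setuid(uid)) error(1, errno, "setuid failed");

    // Reset parts of the environment.
    setenv("PATH", _PATH_DEFPATH, 1);
    unsetenv("IFS");
    struct passwd* pw = getpwuid(uid);
    // getpwuid() returns NULL for an unknown uid; report that instead of
    // dereferencing a null pointer below.
    if (pw == NULL) error(1, errno, "getpwuid failed");
    setenv("LOGNAME", pw->pw_name, 1);
    setenv("USER", pw->pw_name, 1);

    // Set up the arguments for exec.  argc + 1 slots is always enough:
    // at most argc - 1 arguments remain, plus the default shell, plus NULL.
    char* exec_args[argc + 1];
    size_t i = 0;
    for (; *argv != NULL; ++i) {
        exec_args[i] = *argv++;
    }
    // Default to the standard shell.
    if (i == 0) exec_args[i++] = "/system/bin/sh";
    exec_args[i] = NULL;

    // PATH was reset above, so execvp() only searches the default path.
    execvp(exec_args[0], exec_args);
    error(1, errno, "failed to exec %s", exec_args[0]);
}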

修改完成后重新编译 su 即可。
