quarkslab / aeroot Goto Github PK

At start, AERoot should check if GDB has been compiled with Python support. If not, just warn the user the feature is missing, then abort.

Latest UpsideDownCake system image (r03) comes with 6.1.12-android14-0-00356-g116e1532b95d-ab9618665 kernel.

Hi. For any emulator except Android 11 I try to use AERoot I receive errors like the following:

[+] Detected: Android 10.0 (Q) x86
[+] Search for [adbd] process in memory (this may take a while) ...
[+] Exiting.
Traceback (most recent call last):
File "/home/vinicius/Tools/AERoot/./aeroot.py", line 435, in
process_addr = find_task_struct(gdb_helper, avd_conf, target_process)
File "/home/vinicius/Tools/AERoot/./aeroot.py", line 216, in find_task_struct
return next(filter(lambda x: process.match(gdb, avd, x), get_task_structs(gdb, avd)), None)
File "/home/vinicius/Tools/AERoot/./aeroot.py", line 221, in get_task_structs
find_init(gdb, avd)
File "/home/vinicius/Tools/AERoot/./aeroot.py", line 212, in find_init
avd["init_addr"] = gdb.read_addr(mem_init_ptr) - avd.get("offset_to_tasks")
File "/home/vinicius/Tools/AERoot/./aeroot.py", line 131, in read_addr
return int(response.split("\t")[1].replace("\n", ""), 16)
ValueError: invalid literal for int() with base 16:

I've modified the script a bit to try to debug the issue, but I don't know exactly how to proceed. It seems the debugger can't access a memory address during the second read_addr of find_init.

[+] Search for [adbd] process in memory (this may take a while) ...
find_init1
[
    {
        "type": "log",
        "message": null,
        "payload": "x/a 0xfffffe0000034dc8\\n",
        "stream": "stdout"
    },
    {
        "type": "console",
        "message": null,
        "payload": "0xfffffe0000034dc8:\\t0x0\\n",
        "stream": "stdout"
    },
    {
        "type": "result",
        "message": "done",
        "payload": null,
        "token": null,
        "stream": "stdout"
    }
]
find_init2
[
    {
        "type": "log",
        "message": null,
        "payload": "x/a -0x12ce0\\n",
        "stream": "stdout"
    },
    {
        "type": "console",
        "message": null,
        "payload": "0xfffffffffffed320:\\t",
        "stream": "stdout"
    },
    {
        "type": "log",
        "message": null,
        "payload": "Cannot access memory at address 0xfffffffffffed320\\n",
        "stream": "stdout"
    },
    {
        "type": "result",
        "message": "error",
        "payload": {
            "msg": "Cannot access memory at address 0xfffffffffffed320"
        },
        "token": null,
        "stream": "stdout"
    }
]
[+] Exiting.

I think the hardcoded addresses on config.json may be the cause of this problem, but I don't know how to adapt it for my emulator.

System:
macOS Mojave (10.14.6)

Kernel tested:

• 4.14.112+ x86_64
• 5.4.61-android11-2-00064-g4271ad6e8ade-ab6991359 x86_64

Emulator version:
Android emulator version 30.6.5.0 (build_id 7324830) (CL:N/A)

Issue description:
When doing an avd cold boot aeroot fails to map kernel memory.
Loading from a state (snapshot) fix the kernel base address mapping.
Possibly caused by gdbserver/ gdbstub not updating the kernel address mapping properly at boot

Issue reproduction:

• Execute ./emulator @AVD_NAME -no-snapshot-load -qemu -s
• Wait for complete boot of the emulator
• Run aeroot daemon (v0.3)

AERoot (Android Emulator ROOTing system) v. 0.3
[+] Wait for kernel memory mapping (try: 1/5)...
[+] Wait for kernel memory mapping (try: 2/5)...
[+] Wait for kernel memory mapping (try: 3/5)...
[+] Wait for kernel memory mapping (try: 4/5)...
[+] Wait for kernel memory mapping (try: 5/5)...
[!] Can't retrieve kernel base from memory **Aborting**
[+] Exiting

Workaround:

• adb emu avd snapshot save foo
• adb emu avd snapshot load foo

(to save / load from a snapshot)

• aeroot daemon

AERoot (Android Emulator ROOTing system) v. 0.3
[+] Kernel base address found at 0xffffffffa7e00000
[+] Process [1784] found at 0xffff9d9eab656040
[+] Overwriting process [1784] credentials
[+] Set SELinux enforce (0xffffffffa929cdc8) to 0
[+] Exiting

Hello quarkslab, first thank you for create this tool.
I couldnt try it but .... your application worth the time .

I am using Android 11.0 (Google Play)
python3 aeroot.py pid 10614
AERoot (Android Emulator ROOTing system) v. 0.2
_ _ _ _
|| ( \ ( ) ( )
( / \ \ | || |
| (|_| \ \ ( _ )
( ) ()) ) | () |
/_||) | / / ( _ )
_) / / | | | |
|| (/ () (_)

[!] Android version not supported. Aborting.
[+] Exiting.

Well, I wasn't with my arms crossed. XD
First by touching the phyton code I have to read the outcome of uname:
uname -rm return
"5.4.47-01061-g22e35a1de440 x86_64"

Second: Install gdb (because you didnt tell me I will need it).
brew install gdb

Third Add the dictionary entry:
"5.4.47-01061-g22e35a1de440 x86_64": {
"name": "Android 11.0 (R) x86_64",
"gdb_arch": "x86_64",
"offset_to_comm": 1808,
"offset_to_parent": 1368,
"offset_to_tasks": 1096,
"offset_to_creds": 1792,
"offset_to_init_ptr": -1379768,
"offset_to_pid": 1352,
"kernel_ptr": 18446741874686296388,
"selinux_offset": 1703193,
"ptr_size": 8,
"enforce_size": 1,
"ps_name_cmd": "ps -A",
"ps_pid_cmd": "ps -A -o pid="
},
and ...
the ps command is not working in my OS !!
I try :
"ps_name_cmd": "ps aux | grep -v grep | grep -c [-i] ",
"ps_pid_cmd": "ps -A -o -p "
But didnt work

Do you know how can I do to run it in MacOS ?

Hi,

I noticed that the Dockerized version of AERoot for some AVDs returns Emulator console connection error for no particular reason and turns out it's because we try to read emulator console auth token file from the filesystem.

Not sure what's the best way to fix this, but my work-around is to mount default path of this file at the exact same path inside container:

docker run --rm \
           -v $HOME/.emulator_console_auth_token:$HOME/.emulator_console_auth_token \
           aeroot --host host.docker.internal daemon

Hope it will help someone.

Cheers

New system image is available : x86_64-UpsideDownCake_r01.zip, hash: b744afd452271cc77cdbe5b4ed447a11a94e9927

If the AVD kernel is not supported, the raised exception has to be properly handled.

Running ./aeroot.py daemon is throwing the error.

Traceback (most recent call last):
  File "./aeroot.py", line 20, in <module>
    from pygdbmi.constants import GdbTimeoutError
ModuleNotFoundError: No module named 'pygdbmi.constants'

which version should I install?

At start, AERoot should check the integrity of the namespace generated from the kernel config file. If an attribute is missing or if the type of an attribute is unexpected, AERoot should warn the user, then abort.

`aeroot --verbose daemon`

AERoot (Android Emulator ROOTing system) v. 0.3.9
[d] Kernel configuration 5.4.61-android11-0-00791-gbad091cc4bf3-ab6833933 i686 loaded
[d] Retrieving kernel base address from memory
[+] Kernel base address found at 0xffffffffba800000
[d] Retrieving tasklist from memory
[+] Process [2103] found at 0xffff90721c143b00
[+] Overwriting process [2103] credentials
[+] Set SELinux enforce (0xffffffffbc918b19) to 0
[+] Exiting

it does seems like I'm root, but I'm unable to run su -c / sudo
Frida server doesn't work well

$ frida -U -f /bin/ls
     ____
    / _  |   Frida 16.2.1 - A world-class dynamic instrumentation toolkit
   | (_| |
    > _  |   Commands:
   /_/ |_|       help      -> Displays the help system
   . . . .       object?   -> Display information about 'object'
   . . . .       exit/quit -> Exit
   . . . .
   . . . .   More info at https://frida.re/docs/home/
   . . . .
   . . . .   Connected to Android Emulator 5554 (id=emulator-5554)
Failed to attach: unable to access process with pid 15285 due to system restrictions; try `sudo sysctl kernel.yama.ptrace_scope=0`, or run Frida as root

does it depends on the architecture of the AVD?