Vroot Technical Write-up
By: John Hale (firstname.lastname@example.org)
This is my first writeup on any sort of exploit/bug/anything in quite some time, so pardon if I misuse some phrases ☺
Firstly, I wanted to say that I was interested in this because it seems that it can root pretty much any device with ease. Some people reported that it used certain bugs and others reported other bugs. Well, I have figured out what it actually does.
Here we go.
Firstly, it will grab your IMEI, serial number and model number, then query their server. (I have looked into this countless times.) It looks pretty much legit: all they are doing is figuring out which device you own and which version of Android it's on, so they can choose which exploit to use on your device.
With the above said, this is the reason for this write-up: people have written that it uses put_user/get_user and other things. Well, the fact is, it uses a large number of exploits.
This is the process:
A) Acquire Vroot English version : http://www.mgyun.com/en/getvroot
B) Install it and put your phone in USB debugging mode.
C) Don't worry about any drivers on Windows; it will download them.
D) Plug your phone in when it asks, then sit back and profit.
E) This may seem interesting, and I will explain in a second ☺
Once you install and run this on your computer, the app will drop a few files onto the phone. Personally, I have not seen anything malware related. Someone else may want to chime in if they have looked at it. The files dropped are:
.rommaster_root – exploit wrapper
.rommaster_root.sh – simple bash script to remount /system after root.
.rommaster_root will check your device to see what it is vulnerable to, then unpack a shared library called .xiny[Random Number]. This shared library is the actual exploit for your device. The simplest way to acquire this file is to patch the original .rommaster_root binary so it does not unlink() the shared library after loading it.
So far, I have seen that it is using put_user/get_user and the MSM camera vuln, and I am sure there are others, but I don't own the devices to test this.
I will include a .zip with sample files. This will include the unwrapped .xin file for the MSM camera vulnerability. Personally, I have not had time to reverse it and see how this works. But maybe someone out there is interested!
I have also put together a simple C file that will load the library and try to run the exploit from the shared library. Honestly, this is useless ☺ You need to patch the actual .rommaster_root file in order to get anything to work in any way, shape or form.
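As an added example (not the author's code and nothing from the Vroot package), the C program below mimics the drop-load-unlink pattern described above on a constructed stand-in payload, and shows the recovery route that does not require patching .rommaster_root: an unlink()ed file stays readable through any descriptor that is still open, and on Linux also through /proc/<pid>/fd/N. The name pattern /tmp/.xinyXXXXXX and the payload bytes are assumptions for the demonstration only.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/stat.h>
#include <sys/types.h>

/* Constructed stand-in for the dropped .xiny library; not the real payload. */
static const unsigned char kPayload[] = "\x7f" "ELF stand-in payload bytes";
#define PAYLOAD_LEN (sizeof(kPayload) - 1)

/* Dropper side, modelled on what the write-up describes: write the payload to
 * a temporary file, keep it open as a loader would, then unlink() the path so
 * nothing is left in a directory listing. Returns the still-open fd or -1. */
int drop_and_unlink(void)
{
    char path[] = "/tmp/.xinyXXXXXX";          /* assumed name pattern */
    int fd = mkstemp(path);
    if (fd < 0) return -1;
    if (write(fd, kPayload, PAYLOAD_LEN) != (ssize_t)PAYLOAD_LEN) {
        close(fd); unlink(path); return -1;
    }
    /* The directory entry disappears here; the inode lives on while fd is open. */
    if (unlink(path) != 0) { close(fd); return -1; }
    return fd;
}

/* Analyst side, option 1: read the unlinked file back through the descriptor.
 * st_nlink == 0 confirms the path really is gone. */
ssize_t recover_from_fd(int fd, unsigned char *buf, size_t cap)
{
    struct stat st;
    if (fstat(fd, &st) != 0 || st.st_nlink != 0) return -1;
    if (lseek(fd, 0, SEEK_SET) != 0) return -1;
    return read(fd, buf, cap);
}

/* Analyst side, option 2 (Linux only): /proc/<pid>/fd/N resolves to the deleted
 * inode, so a process allowed to inspect the target can copy the library out
 * without touching the wrapper. Here we go through /proc/self. */
ssize_t recover_via_procfs(int fd, unsigned char *buf, size_t cap)
{
    char procpath[64];
    snprintf(procpath, sizeof procpath, "/proc/self/fd/%d", fd);
    int pfd = open(procpath, O_RDONLY);
    if (pfd < 0) return -1;                     /* no procfs: not fatal */
    ssize_t n = read(pfd, buf, cap);
    close(pfd);
    return n;
}

/* End-to-end check. Returns 1 if recovery via the fd matched the payload,
 * 2 if the /proc route matched as well, 0 on failure. */
int dropper_roundtrip(void)
{
    unsigned char buf[256];
    int score = 0;
    int fd = drop_and_unlink();
    if (fd < 0) return 0;
    ssize_t n = recover_from_fd(fd, buf, sizeof buf);
    if (n == (ssize_t)PAYLOAD_LEN && memcmp(buf, kPayload, PAYLOAD_LEN) == 0) score = 1;
    n = recover_via_procfs(fd, buf, sizeof buf);
    if (score == 1 && n == (ssize_t)PAYLOAD_LEN && memcmp(buf, kPayload, PAYLOAD_LEN) == 0) score = 2;
    close(fd);
    return score;
}

int main(void)
{
    int r = dropper_roundtrip();
    printf("recovery result: %d (1 = via fd, 2 = via fd and /proc)\n", r);
    return r > 0 ? 0 : 1;
}
```

On the phone the equivalent is to find the wrapper's pid while the exploit is running and copy /proc/<pid>/fd/N (or the mapping marked "(deleted)" in /proc/<pid>/maps) out before the process exits. That needs root or the same uid as the wrapper, because the adb shell uid is normally not allowed to read another uid's /proc/<pid>/fd, which is why patching out the unlink() is the practical route when no root is available yet.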
Tests run on the Verizon Note 3 on the latest Android firmware:
1) No Knox trip (GREAT)
2) The exploit somehow gains access to either the camera user or the system user, then tries to open all the /dev/v4l-subdev* devices and run an ioctl() on each.
3) This is as far as I have gotten, and I believe that without real help, I won't be going any further.
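The observation in item 2 can be checked from an adb shell before any exploit runs. The C program below is an added example, not part of the write-up or of the Vroot tool: it expands /dev/v4l-subdev*, records each node's owner, group and mode, and tests whether the current uid can open it read/write, without issuing any ioctl(). The selftest() builds fake nodes in a temporary directory so the probe can be exercised off-device; the directory name pattern is an assumption.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <errno.h>
#include <glob.h>
#include <sys/stat.h>
#include <sys/types.h>

struct node_report {
    char path[128];
    uid_t uid;
    gid_t gid;
    mode_t mode;        /* permission bits only */
    int openable;       /* 1 if open(O_RDWR) succeeded for the current uid */
    int err;            /* errno when it did not */
};

/* Expand a glob such as "/dev/v4l-subdev*" and, for each match, record
 * owner/group/mode and whether this process can open it read/write.
 * Returns the number of nodes reported, or -1 on a glob error. */
int probe_nodes(const char *pattern, struct node_report *out, size_t cap)
{
    glob_t g;
    memset(&g, 0, sizeof g);
    int rc = glob(pattern, 0, NULL, &g);
    if (rc != 0) { globfree(&g); return rc == GLOB_NOMATCH ? 0 : -1; }
    size_t n = 0;
    for (size_t i = 0; i < g.gl_pathc && n < cap; i++) {
        struct node_report *r = &out[n];
        struct stat st;
        if (stat(g.gl_pathv[i], &st) != 0) continue;   /* vanished; skip it */
        snprintf(r->path, sizeof r->path, "%s", g.gl_pathv[i]);
        r->uid = st.st_uid;
        r->gid = st.st_gid;
        r->mode = st.st_mode & 07777;
        int fd = open(g.gl_pathv[i], O_RDWR | O_NONBLOCK);
        if (fd >= 0) { r->openable = 1; r->err = 0; close(fd); }
        else { r->openable = 0; r->err = errno; }
        n++;
    }
    globfree(&g);
    return (int)n;
}

/* A nonzero count from a non-root shell is the precondition for the ioctl()
 * step the write-up observed; zero means the exploit must first reach the
 * camera or system uid. */
int count_openable(const struct node_report *r, int n)
{
    int c = 0;
    for (int i = 0; i < n; i++) c += r[i].openable;
    return c;
}

/* Off-device exercise: three fake nodes in a throwaway directory, two mode
 * 0666 and one mode 0000. Returns found * 10 + openable: 32 for an ordinary
 * user, 33 when run as root (root opens the 0000 node too). */
int selftest(void)
{
    char dir[] = "/tmp/vrootprobeXXXXXX";        /* assumed scratch location */
    if (mkdtemp(dir) == NULL) return -1;
    char path[160], pattern[160];
    mode_t modes[3] = { 0666, 0666, 0 };
    for (int i = 0; i < 3; i++) {
        snprintf(path, sizeof path, "%s/v4l-subdev%d", dir, i);
        int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
        if (fd < 0) return -1;
        close(fd);
        chmod(path, modes[i]);
    }
    snprintf(pattern, sizeof pattern, "%s/v4l-subdev*", dir);
    struct node_report reps[8];
    int n = probe_nodes(pattern, reps, 8);
    int openable = n > 0 ? count_openable(reps, n) : 0;
    for (int i = 0; i < 3; i++) {
        snprintf(path, sizeof path, "%s/v4l-subdev%d", dir, i);
        unlink(path);
    }
    rmdir(dir);
    return n * 10 + openable;
}

int main(void)
{
    struct node_report reps[32];
    int n = probe_nodes("/dev/v4l-subdev*", reps, 32);
    if (n < 0) { perror("glob"); return 1; }
    for (int i = 0; i < n; i++)
        printf("%s uid=%u gid=%u mode=%04o open(O_RDWR)=%s\n", reps[i].path,
               (unsigned)reps[i].uid, (unsigned)reps[i].gid, (unsigned)reps[i].mode,
               reps[i].openable ? "yes" : strerror(reps[i].err));
    printf("%d of %d nodes openable as uid %u\n", count_openable(reps, n), n, (unsigned)getuid());
    return 0;
}
```

Run it once as the plain adb shell uid and once via the rooted shell; the difference between the two counts tells you which of the subdev nodes the wrapper could only have reached after stepping up to the camera or system uid.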
Thanks to #vrootreverse on irc.freenode.net, and to the people testing and helping out: Maximus64, zenofex and others.
For more information, please follow me on Twitter @rhcp011235 or feel free to email me.
China ASM dump of this exploit:
If I find time, I will update this, or post more details.
Link to files as promised: https://drive.google.com/file/d/0B0g-ojj_rL70TjZ0cW02TmFGbkk/edit?usp=sharing