Rooting Every Android From extension to exploitation
eu-16-Shen-Rooting-Every-Android-From-Extension-To-Exploitation
eu-16-Shen-Rooting-Every-Android-From-Extension-To-Exploitation
You also want an ePaper? Increase the reach of your titles
YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.
Case study 2 – kernel code execution<br />
• Copy shellcode <strong>to</strong> pages allocated in user space<br />
• Get the direct mapped address of these pages in kernel<br />
(ret2dir), pages are EXECUTABLE in kernel space on<br />
MTK devices<br />
• Overwrite plWlanRemove with kernel address of<br />
shellcode<br />
• Call Java API wifi.setWifiEnabled(false) so that<br />
system process “mtk_wmtd” may call plWlanRemove <strong>to</strong><br />
execute shellcode in kernel space<br />
• Gain root and recover every modified global variables