Jump to content


Photo

[ROOT] Motoshare 2: Old Bug, New Exploit


  • Please log in to reply
985 replies to this topic

#241 DrJay

DrJay

    Member

  • Members
  • PipPip
  • 63 posts
  • Google+:jconawayiii@gmail.com
  • LocationRancho Cucamonga California

Posted 23 April 2013 - 07:14 AM

Exploit worked perfectly. I have never run linux on a desktop/laptop that worked. Last time i tried was about 15 yrs ago with redhat and a live cd of Ubuntu 12.01 32bit worked flawlessly. A little more work than a windows exploit but i must admit that it was fun working with a command line again (the way we had to 30 years ago). The more things change the more they stay the same...) :)

Sent from my Nexus 7 using Tapatalk 2
  • SamuriHL and livinginkaos like this
Sent from my ICS Bionic using my fingers

#242 pjcpke

pjcpke

    n00b

  • Members
  • Pip
  • 5 posts

Posted 23 April 2013 - 07:19 AM

Yes, show us the output of it running so we can actually SEE what's going on and help you.

 

Here's a total copy-paste of my terminal output for the whole affair.  Just to confirm, I had the device in MTP, it is an XT910 running 4.1.2 and I was using the 32-bit distro.

 

Basically, I go through this but each time I try a root-check I get the same results.

 

ubuntu@ubuntu:~$ mkdir /tmp/share
ubuntu@ubuntu:~$ sudo apt-get install samba
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following extra packages will be installed:
  tdb-tools
Suggested packages:
  openbsd-inetd inet-superserver smbldap-tools ldb-tools
The following NEW packages will be installed:
  samba tdb-tools
0 upgraded, 2 newly installed, 0 to remove and 0 not upgraded.
Need to get 4,130 kB of archives.
After this operation, 23.0 MB of additional disk space will be used.
Do you want to continue [Y/n]? y
Get:1

Please Login or Register to see this Hidden Content

quantal/main samba i386 2:3.6.6-3ubuntu5 [4,107 kB]
Get:2

Please Login or Register to see this Hidden Content

quantal/main tdb-tools i386 1.2.10-2 [22.8 kB]
Fetched 4,130 kB in 9s (440 kB/s)                                              
Preconfiguring packages ...
Selecting previously unselected package samba.
(Reading database ... 161209 files and directories currently installed.)
Unpacking samba (from .../samba_2%3a3.6.6-3ubuntu5_i386.deb) ...
Selecting previously unselected package tdb-tools.
Unpacking tdb-tools (from .../tdb-tools_1.2.10-2_i386.deb) ...
Processing triggers for ureadahead ...
Processing triggers for ufw ...
Processing triggers for man-db ...
Setting up samba (2:3.6.6-3ubuntu5) ...
Generating /etc/default/samba...
update-alternatives: using /usr/bin/smbstatus.samba3 to provide /usr/bin/smbstatus (smbstatus) in auto mode
smbd start/running, process 7673
nmbd start/running, process 7709
Setting up tdb-tools (1.2.10-2) ...
update-alternatives: using /usr/bin/tdbbackup.tdbtools to provide /usr/bin/tdbbackup (tdbbackup) in auto mode
Processing triggers for ureadahead ...
Processing triggers for ufw ...
ubuntu@ubuntu:~$ sudo gedit /etc/samba/smb.conf
ubuntu@ubuntu:~$ sudo useradd guest -m -G users
ubuntu@ubuntu:~$ sudo passwd guest
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
ubuntu@ubuntu:~$ sudo smbpasswd -a guest
New SMB password:
Retype new SMB password:
Added user guest.
ubuntu@ubuntu:~$ sudo restart smbd
smbd start/running, process 7840
ubuntu@ubuntu:~$ cd /tmp/share
ubuntu@ubuntu:/tmp/share$ wget

Please Login or Register to see this Hidden Content


--2013-04-23 15:38:36-- 

Please Login or Register to see this Hidden Content


Resolving vulnfactory.org (vulnfactory.org)... 199.188.204.9
Connecting to vulnfactory.org (vulnfactory.org)|199.188.204.9|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3304852 (3.2M) [application/x-tar]
Saving to: `motoshare2.tgz'

100%[======================================>] 3,304,852    137K/s   in 25s     

2013-04-23 15:39:02 (130 KB/s) - `motoshare2.tgz' saved [3304852/3304852]

ubuntu@ubuntu:/tmp/share$ tar xvf motoshare2.tgz
adb.linux
adb.osx
busybox
pwn
run.sh
su
Superuser.apk
ubuntu@ubuntu:/tmp/share$ sudo chmod 755 run.sh
ubuntu@ubuntu:/tmp/share$ ifconfig
eth0      Link encap:Ethernet  HWaddr e0:cb:4e:01:68:f3  
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

eth1      Link encap:Ethernet  HWaddr e0:cb:4e:01:64:a7  
          inet addr:192.168.1.102  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::e2cb:4eff:fe01:64a7/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:5795 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3967 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:8178004 (8.1 MB)  TX bytes:293487 (293.4 KB)

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:124 errors:0 dropped:0 overruns:0 frame:0
          TX packets:124 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:17185 (17.1 KB)  TX bytes:17185 (17.1 KB)

ubuntu@ubuntu:/tmp/share$ cd /tmp/share/
ubuntu@ubuntu:/tmp/share$ sudo ./run.sh
[+] Waiting for device...
* daemon not running. starting it now on port 5037 *
* daemon started successfully *
[+] Device found.
[+] Pushing exploit...
4088 KB/s (366952 bytes in 0.087s)
4805 KB/s (1867568 bytes in 0.379s)
1575 KB/s (64391 bytes in 0.039s)
5071 KB/s (1578585 bytes in 0.303s)
    pkg: /data/local/tmp/Superuser.apk
Success
[+] Rooting phone...
[+] Your phone may appear to reboot. Please ignore this and continue with the exploit.
[+]
[+] Motoshare 2: Motorola 4.1.2 root exploit
[+] Copyright 2013 Dan Rosenberg (@djrbliss)
[+]
[+] Tested on Droid Bionic, Droid Razr (XT910)
[+]
[+] Getting root...
[+] Please press any hardware button on your phone.
[+] Don't worry if the phone is unresponsive at this time.
[+] Press enter to continue once you have pressed a hardware button.

[*] Cleaning up...
[*] Exploit complete. Press enter to reboot and exit.



#243 rlewis312010

rlewis312010

    Member

  • Members
  • PipPip
  • 111 posts

Posted 23 April 2013 - 07:24 AM

Here's a total copy-paste of my terminal output for the whole affair.  Just to confirm, I had the device in MTP, it is an XT910 running 4.1.2 and I was using the 32-bit distro. Basically, I go through this but each time I try a root-check I get the same results. ubuntu@ubuntu:~$ mkdir /tmp/share
ubuntu@ubuntu:~$ sudo apt-get install samba
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following extra packages will be installed:
  tdb-tools
Suggested packages:
  openbsd-inetd inet-superserver smbldap-tools ldb-tools
The following NEW packages will be installed:
  samba tdb-tools
0 upgraded, 2 newly installed, 0 to remove and 0 not upgraded.
Need to get 4,130 kB of archives.
After this operation, 23.0 MB of additional disk space will be used.
Do you want to continue [Y/n]? y
Get:1

Please Login or Register to see this Hidden Content

quantal/main samba i386 2:3.6.6-3ubuntu5 [4,107 kB]
Get:2

Please Login or Register to see this Hidden Content

quantal/main tdb-tools i386 1.2.10-2 [22.8 kB]
Fetched 4,130 kB in 9s (440 kB/s)                                              
Preconfiguring packages ...
Selecting previously unselected package samba.
(Reading database ... 161209 files and directories currently installed.)
Unpacking samba (from .../samba_2%3a3.6.6-3ubuntu5_i386.deb) ...
Selecting previously unselected package tdb-tools.
Unpacking tdb-tools (from .../tdb-tools_1.2.10-2_i386.deb) ...
Processing triggers for ureadahead ...
Processing triggers for ufw ...
Processing triggers for man-db ...
Setting up samba (2:3.6.6-3ubuntu5) ...
Generating /etc/default/samba...
update-alternatives: using /usr/bin/smbstatus.samba3 to provide /usr/bin/smbstatus (smbstatus) in auto mode
smbd start/running, process 7673
nmbd start/running, process 7709
Setting up tdb-tools (1.2.10-2) ...
update-alternatives: using /usr/bin/tdbbackup.tdbtools to provide /usr/bin/tdbbackup (tdbbackup) in auto mode
Processing triggers for ureadahead ...
Processing triggers for ufw ...
ubuntu@ubuntu:~$ sudo gedit /etc/samba/smb.conf
ubuntu@ubuntu:~$ sudo useradd guest -m -G users
ubuntu@ubuntu:~$ sudo passwd guest
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
ubuntu@ubuntu:~$ sudo smbpasswd -a guest
New SMB password:
Retype new SMB password:
Added user guest.
ubuntu@ubuntu:~$ sudo restart smbd
smbd start/running, process 7840
ubuntu@ubuntu:~$ cd /tmp/share
ubuntu@ubuntu:/tmp/share$ wget

Please Login or Register to see this Hidden Content


--2013-04-23 15:38:36-- 

Please Login or Register to see this Hidden Content


Resolving vulnfactory.org (vulnfactory.org)... 199.188.204.9
Connecting to vulnfactory.org (vulnfactory.org)|199.188.204.9|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3304852 (3.2M) [application/x-tar]
Saving to: `motoshare2.tgz'

100%[======================================>] 3,304,852    137K/s   in 25s     

2013-04-23 15:39:02 (130 KB/s) - `motoshare2.tgz' saved [3304852/3304852]

ubuntu@ubuntu:/tmp/share$ tar xvf motoshare2.tgz
adb.linux
adb.osx
busybox
pwn
run.sh
su
Superuser.apk
ubuntu@ubuntu:/tmp/share$ sudo chmod 755 run.sh
ubuntu@ubuntu:/tmp/share$ ifconfig
eth0      Link encap:Ethernet  HWaddr e0:cb:4e:01:68:f3  
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

eth1      Link encap:Ethernet  HWaddr e0:cb:4e:01:64:a7  
          inet addr:192.168.1.102  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::e2cb:4eff:fe01:64a7/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:5795 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3967 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:8178004 (8.1 MB)  TX bytes:293487 (293.4 KB)

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:124 errors:0 dropped:0 overruns:0 frame:0
          TX packets:124 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:17185 (17.1 KB)  TX bytes:17185 (17.1 KB)

ubuntu@ubuntu:/tmp/share$ cd /tmp/share/
ubuntu@ubuntu:/tmp/share$ sudo ./run.sh
[+] Waiting for device...
* daemon not running. starting it now on port 5037 *
* daemon started successfully *
[+] Device found.
[+] Pushing exploit...
4088 KB/s (366952 bytes in 0.087s)
4805 KB/s (1867568 bytes in 0.379s)
1575 KB/s (64391 bytes in 0.039s)
5071 KB/s (1578585 bytes in 0.303s)
    pkg: /data/local/tmp/Superuser.apk
Success
[+] Rooting phone...
[+] Your phone may appear to reboot. Please ignore this and continue with the exploit.
[+]
[+] Motoshare 2: Motorola 4.1.2 root exploit
[+] Copyright 2013 Dan Rosenberg (@djrbliss)
[+]
[+] Tested on Droid Bionic, Droid Razr (XT910)
[+]
[+] Getting root...
[+] Please press any hardware button on your phone.
[+] Don't worry if the phone is unresponsive at this time.
[+] Press enter to continue once you have pressed a hardware button.

[*] Cleaning up...
[*] Exploit complete. Press enter to reboot and exit.

Same thing:-(

#244 SamuriHL

SamuriHL

    Android Warrior

  • Smod
  • 44,201 posts
  • Current Device(s):S21 Ultra, Pixel 6

Posted 23 April 2013 - 07:26 AM

Here's a total copy-paste of my terminal output for the whole affair.  Just to confirm, I had the device in MTP, it is an XT910 running 4.1.2 and I was using the 32-bit distro.

 

Basically, I go through this but each time I try a root-check I get the same results.

 

ubuntu@ubuntu:~$ mkdir /tmp/share
ubuntu@ubuntu:~$ sudo apt-get install samba
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following extra packages will be installed:
  tdb-tools
Suggested packages:
  openbsd-inetd inet-superserver smbldap-tools ldb-tools
The following NEW packages will be installed:
  samba tdb-tools
0 upgraded, 2 newly installed, 0 to remove and 0 not upgraded.
Need to get 4,130 kB of archives.
After this operation, 23.0 MB of additional disk space will be used.
Do you want to continue [Y/n]? y
Get:1

Please Login or Register to see this Hidden Content

quantal/main samba i386 2:3.6.6-3ubuntu5 [4,107 kB]
Get:2

Please Login or Register to see this Hidden Content

quantal/main tdb-tools i386 1.2.10-2 [22.8 kB]
Fetched 4,130 kB in 9s (440 kB/s)                                              
Preconfiguring packages ...
Selecting previously unselected package samba.
(Reading database ... 161209 files and directories currently installed.)
Unpacking samba (from .../samba_2%3a3.6.6-3ubuntu5_i386.deb) ...
Selecting previously unselected package tdb-tools.
Unpacking tdb-tools (from .../tdb-tools_1.2.10-2_i386.deb) ...
Processing triggers for ureadahead ...
Processing triggers for ufw ...
Processing triggers for man-db ...
Setting up samba (2:3.6.6-3ubuntu5) ...
Generating /etc/default/samba...
update-alternatives: using /usr/bin/smbstatus.samba3 to provide /usr/bin/smbstatus (smbstatus) in auto mode
smbd start/running, process 7673
nmbd start/running, process 7709
Setting up tdb-tools (1.2.10-2) ...
update-alternatives: using /usr/bin/tdbbackup.tdbtools to provide /usr/bin/tdbbackup (tdbbackup) in auto mode
Processing triggers for ureadahead ...
Processing triggers for ufw ...
ubuntu@ubuntu:~$ sudo gedit /etc/samba/smb.conf
ubuntu@ubuntu:~$ sudo useradd guest -m -G users
ubuntu@ubuntu:~$ sudo passwd guest
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
ubuntu@ubuntu:~$ sudo smbpasswd -a guest
New SMB password:
Retype new SMB password:
Added user guest.
ubuntu@ubuntu:~$ sudo restart smbd
smbd start/running, process 7840
ubuntu@ubuntu:~$ cd /tmp/share
ubuntu@ubuntu:/tmp/share$ wget

Please Login or Register to see this Hidden Content


--2013-04-23 15:38:36-- 

Please Login or Register to see this Hidden Content


Resolving vulnfactory.org (vulnfactory.org)... 199.188.204.9
Connecting to vulnfactory.org (vulnfactory.org)|199.188.204.9|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3304852 (3.2M) [application/x-tar]
Saving to: `motoshare2.tgz'

100%[======================================>] 3,304,852    137K/s   in 25s     

2013-04-23 15:39:02 (130 KB/s) - `motoshare2.tgz' saved [3304852/3304852]

ubuntu@ubuntu:/tmp/share$ tar xvf motoshare2.tgz
adb.linux
adb.osx
busybox
pwn
run.sh
su
Superuser.apk
ubuntu@ubuntu:/tmp/share$ sudo chmod 755 run.sh
ubuntu@ubuntu:/tmp/share$ ifconfig
eth0      Link encap:Ethernet  HWaddr e0:cb:4e:01:68:f3  
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

eth1      Link encap:Ethernet  HWaddr e0:cb:4e:01:64:a7  
          inet addr:192.168.1.102  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::e2cb:4eff:fe01:64a7/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:5795 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3967 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:8178004 (8.1 MB)  TX bytes:293487 (293.4 KB)

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:124 errors:0 dropped:0 overruns:0 frame:0
          TX packets:124 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:17185 (17.1 KB)  TX bytes:17185 (17.1 KB)

ubuntu@ubuntu:/tmp/share$ cd /tmp/share/
ubuntu@ubuntu:/tmp/share$ sudo ./run.sh
[+] Waiting for device...
* daemon not running. starting it now on port 5037 *
* daemon started successfully *
[+] Device found.
[+] Pushing exploit...
4088 KB/s (366952 bytes in 0.087s)
4805 KB/s (1867568 bytes in 0.379s)
1575 KB/s (64391 bytes in 0.039s)
5071 KB/s (1578585 bytes in 0.303s)
    pkg: /data/local/tmp/Superuser.apk
Success
[+] Rooting phone...
[+] Your phone may appear to reboot. Please ignore this and continue with the exploit.
[+]
[+] Motoshare 2: Motorola 4.1.2 root exploit
[+] Copyright 2013 Dan Rosenberg (@djrbliss)
[+]
[+] Tested on Droid Bionic, Droid Razr (XT910)
[+]
[+] Getting root...
[+] Please press any hardware button on your phone.
[+] Don't worry if the phone is unresponsive at this time.
[+] Press enter to continue once you have pressed a hardware button.

[*] Cleaning up...
[*] Exploit complete. Press enter to reboot and exit.

 

 

Uhh, hmm.  That does look like it worked.  You pressed a hardware button when it told you to?

 

sudo ./adb.linux shell ls -l /system/xbin/su*

sudo ./adb.linux shell ls -l /system/bin/su*

 

 

Please run those two commands and give me the output.


Non potest esse nisi unus


#245 pjcpke

pjcpke

    n00b

  • Members
  • Pip
  • 5 posts

Posted 23 April 2013 - 07:31 AM

Uhh, hmm.  That does look like it worked.  You pressed a hardware button when it told you to?

 

sudo ./adb.linux shell ls -l /system/xbin/su*

sudo ./adb.linux shell ls -l /system/bin/su*

 

 

Please run those two commands and give me the output.

 

Yeah, I used the volume-up key the first time around and since then I've alternated between all three of my available keys.

 

This is my output:

 

ubuntu@ubuntu:/tmp/share$ sudo ./adb.linux shell ls -l /system/xbin/su*
* daemon not running. starting it now on port 5037 *
* daemon started successfully *
lrwxrwxrwx root     root              2013-04-24 01:41 sulogin -> /system/xbin/busybox
lrwxrwxrwx root     root              2013-04-24 01:41 sum -> /system/xbin/busybox

 

ubuntu@ubuntu:/tmp/share$ sudo ./adb.linux shell ls -l /system/bin/su*
lrwxrwxrwx root     root              2013-04-24 01:41 su -> /system/xbin/su
-rwxr-xr-x root     shell        5352 2013-04-21 21:53 surfaceflinger
ubuntu@ubuntu:/tmp/share$



#246 SamuriHL

SamuriHL

    Android Warrior

  • Smod
  • 44,201 posts
  • Current Device(s):S21 Ultra, Pixel 6

Posted 23 April 2013 - 07:38 AM

Yeah, I used the volume-up key the first time around and since then I've alternated between all three of my available keys.

 

This is my output:

 

ubuntu@ubuntu:/tmp/share$ sudo ./adb.linux shell ls -l /system/xbin/su*
* daemon not running. starting it now on port 5037 *
* daemon started successfully *
lrwxrwxrwx root     root              2013-04-24 01:41 sulogin -> /system/xbin/busybox
lrwxrwxrwx root     root              2013-04-24 01:41 sum -> /system/xbin/busybox

 

ubuntu@ubuntu:/tmp/share$ sudo ./adb.linux shell ls -l /system/bin/su*
lrwxrwxrwx root     root              2013-04-24 01:41 su -> /system/xbin/su
-rwxr-xr-x root     shell        5352 2013-04-21 21:53 surfaceflinger
ubuntu@ubuntu:/tmp/share$

 

WTF?  Um, that's odd.  Try this:

 

sudo ./adb.linux shell

su

 

Do you get a # prompt??


Non potest esse nisi unus


#247 pjcpke

pjcpke

    n00b

  • Members
  • Pip
  • 5 posts

Posted 23 April 2013 - 07:44 AM

WTF?  Um, that's odd.  Try this:

 

sudo ./adb.linux shell

su

 

Do you get a # prompt??

 

Afraid all I get back is:

 

-rwxr-xr-x root     shell        5352 2013-04-21 21:53 surfaceflinger
ubuntu@ubuntu:/tmp/share$ sudo ./adb.linux shell
shell@umts_spyder:/ $ su
/system/bin/sh: su: not found



#248 SamuriHL

SamuriHL

    Android Warrior

  • Smod
  • 44,201 posts
  • Current Device(s):S21 Ultra, Pixel 6

Posted 23 April 2013 - 07:48 AM

Afraid all I get back is:

 

-rwxr-xr-x root     shell        5352 2013-04-21 21:53 surfaceflinger
ubuntu@ubuntu:/tmp/share$ sudo ./adb.linux shell
shell@umts_spyder:/ $ su
/system/bin/sh: su: not found

 

I think you're on a Bionic yes?  If so, you're going to probably need to flash the system.img from the 98.72.22 FXZ (JUST the system.img) and trying this again.


Non potest esse nisi unus


#249 rlewis312010

rlewis312010

    Member

  • Members
  • PipPip
  • 111 posts

Posted 23 April 2013 - 07:50 AM

Sam, will go over it all today. Noting it all though.

#250 Int_Rnd_Pooka

Int_Rnd_Pooka

    Member

  • Members
  • PipPip
  • 284 posts
  • Current Device(s):Bionic

Posted 23 April 2013 - 07:53 AM

Wow, 7 pages of a thread to read while I've been away fixing computers.
 
Good news - I had an impromptu interview yesterday afternoon.
 
Bad news - I'm working my way through 2 different computers afflicted with the MBAM fiasco from last Monday (Boston day).
 
I've already got the plans on how to get this working with a much smaller Live CD, but it's going to take some time *and* testing - and I am my own first guinea pig.  So, please be patient.
 
Dan - thanks for your blessings, and thanks for taking the time and modifying the exploit to work on our phones - you rock!
 
Sam, thanks for being there for the community again, as you always are.
 
King Howie - thanks for donating in my name :D
 
Everyone else - thanks for being the awesome people that you are!


A mostly automated livecd with HoB and the root exploit would be a nice tool for the people who are having trouble
  • livinginkaos likes this

#251 pjcpke

pjcpke

    n00b

  • Members
  • Pip
  • 5 posts

Posted 23 April 2013 - 07:58 AM

I think you're on a Bionic yes?  If so, you're going to probably need to flash the system.img from the 98.72.22 FXZ (JUST the system.img) and trying this again.

 

Afraid I'm on the XT910 Razr.

 

Are there any more options to try, or should I just give up on my phone being rooted?



#252 livinginkaos

livinginkaos

    I don't know what I'm doing anymore.....

  • Administrator
  • 15,282 posts
  • Google+:Hangouts - livinginkaos@gmail.com
  • LocationOregon
  • Current Device(s):Samsung S8+ / Pixel XL 128gb / iPhone 7+ 256gb / iPad Pro 12.9" / Samsung Chromrbook Plus / Pixel C / Nexus 6p 128gb / Nexus 6 / Nexus 6 on Fi / Nexus 9 / Moto 360^2 / Nvidia Shield TV Pro / Nvidia Shield Tablet / HTC EVODesign on FreedomPop / Chromecast / Surface Pro 3 i7 / Samsung Tab Pro 12.2 / Lenovo Win8 Tab / Eee Slate / '13 Nexus 7

Posted 23 April 2013 - 08:02 AM

The XT910 was proven to work with this method, so if you can get the system image for your build and do what he is asking, that would be the way to go.


b2wvCBn.png

Sig by livinginkaos
Samsung S8+ / Pixel XL 128gb / iPhone 7+ 256gb / iPad Pro 12.9" / Samsung Chromrbook Plus / Pixel C / Nexus 6p 128gb / Nexus 6 / Nexus 6 on Fi / Nexus 9 / Moto 360^2 / Nvidia Shield TV Pro / Nvidia Shield Tablet / HTC EVODesign on FreedomPop / Chromecast / Surface Pro 3 i7 / Samsung Tab Pro 12.2 / Lenovo Win8 Tab / Eee Slate / '13 Nexus 7


#253 bigtex52

bigtex52

    n00b

  • Members
  • Pip
  • 13 posts
  • Twitter:@STM8TR
  • LocationDallas

Posted 23 April 2013 - 08:05 AM

DOH!   :o



#254 bigtex52

bigtex52

    n00b

  • Members
  • Pip
  • 13 posts
  • Twitter:@STM8TR
  • LocationDallas

Posted 23 April 2013 - 08:10 AM

This is my output:

ubuntu@ubuntu:~$ mkdir /tmp/share
ubuntu@ubuntu:~$ sudo apt-get install samba
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following extra packages will be installed:
  tdb-tools
Suggested packages:
  openbsd-inetd inet-superserver smbldap-tools ldb-tools
The following NEW packages will be installed:
  samba tdb-tools
0 upgraded, 2 newly installed, 0 to remove and 0 not upgraded.
Need to get 4,130 kB of archives.
After this operation, 23.0 MB of additional disk space will be used.
Do you want to continue [Y/n]? Y
Get:1

Please Login or Register to see this Hidden Content

quantal/main samba i386 2:3.6.6-3ubuntu5 [4,107 kB]
Get:2

Please Login or Register to see this Hidden Content

quantal/main tdb-tools i386 1.2.10-2 [22.8 kB]
Fetched 4,130 kB in 5s (784 kB/s)
Preconfiguring packages ...
Selecting previously unselected package samba.
(Reading database ... 161209 files and directories currently installed.)
Unpacking samba (from .../samba_2%3a3.6.6-3ubuntu5_i386.deb) ...
Selecting previously unselected package tdb-tools.
Unpacking tdb-tools (from .../tdb-tools_1.2.10-2_i386.deb) ...
Processing triggers for ureadahead ...
Processing triggers for ufw ...
WARN: / is world writable!
WARN: / is group writable!
Processing triggers for man-db ...
Setting up samba (2:3.6.6-3ubuntu5) ...
Generating /etc/default/samba...
update-alternatives: using /usr/bin/smbstatus.samba3 to provide /usr/bin/smbstatus (smbstatus) in auto mode
smbd start/running, process 9314
nmbd start/running, process 9350
Setting up tdb-tools (1.2.10-2) ...
update-alternatives: using /usr/bin/tdbbackup.tdbtools to provide /usr/bin/tdbbackup (tdbbackup) in auto mode
Processing triggers for ureadahead ...
Processing triggers for ufw ...
WARN: / is world writable!
WARN: / is group writable!
ubuntu@ubuntu:~$ sudo gedit /etc/samba/smb.conf
ubuntu@ubuntu:~$ sudo useradd guest -m -G users
ubuntu@ubuntu:~$ sudo passwd guest
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
ubuntu@ubuntu:~$ sudo smbpasswd -a guest
New SMB password:
Retype new SMB password:
Added user guest.
ubuntu@ubuntu:~$ sudo restart smbd
smbd start/running, process 9469
ubuntu@ubuntu:~$ cd /tmp/share
ubuntu@ubuntu:/tmp/share$ wget

Please Login or Register to see this Hidden Content


--2013-04-23 16:12:59-- 

Please Login or Register to see this Hidden Content


Resolving vulnfactory.org (vulnfactory.org)... 199.188.204.9
Connecting to vulnfactory.org (vulnfactory.org)|199.188.204.9|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3304852 (3.2M) [application/x-tar]
Saving to: `motoshare2.tgz'

100%[======================================>] 3,304,852   34.4K/s   in 1m 59s  

2013-04-23 16:14:59 (27.2 KB/s) - `motoshare2.tgz' saved [3304852/3304852]

ubuntu@ubuntu:/tmp/share$ tar xvf motoshare2.tgz
adb.linux
adb.osx
busybox
pwn
run.sh
su
Superuser.apk
ubuntu@ubuntu:/tmp/share$ sudo chmod 755 run.sh
ubuntu@ubuntu:/tmp/share$ cd /tmp/share/
ubuntu@ubuntu:/tmp/share$ sudo ./run.sh
[+] Waiting for device...
* daemon not running. starting it now on port 5037 *
* daemon started successfully *
[+] Device found.
[+] Pushing exploit...
4331 KB/s (366952 bytes in 0.082s)
5024 KB/s (1867568 bytes in 0.362s)
1607 KB/s (64391 bytes in 0.039s)
4592 KB/s (1578585 bytes in 0.335s)
    pkg: /data/local/tmp/Superuser.apk
Success
[+] Rooting phone...
[+] Your phone may appear to reboot. Please ignore this and continue with the exploit.
[+]
[+] Motoshare 2: Motorola 4.1.2 root exploit
[+] Copyright 2013 Dan Rosenberg (@djrbliss)
[+]
[+] Tested on Droid Bionic, Droid Razr (XT910)
[+]
[+] Getting root...
[+] Please press any hardware button on your phone.
[+] Don't worry if the phone is unresponsive at this time.
[+] Press enter to continue once you have pressed a hardware button.

[*] Cleaning up...
[*] Exploit complete. Press enter to reboot and exit.
 

Looks ok but Rootchecker says "Root not installed properly" :(



#255 livinginkaos

livinginkaos

    I don't know what I'm doing anymore.....

  • Administrator
  • 15,282 posts
  • Google+:Hangouts - livinginkaos@gmail.com
  • LocationOregon
  • Current Device(s):Samsung S8+ / Pixel XL 128gb / iPhone 7+ 256gb / iPad Pro 12.9" / Samsung Chromrbook Plus / Pixel C / Nexus 6p 128gb / Nexus 6 / Nexus 6 on Fi / Nexus 9 / Moto 360^2 / Nvidia Shield TV Pro / Nvidia Shield Tablet / HTC EVODesign on FreedomPop / Chromecast / Surface Pro 3 i7 / Samsung Tab Pro 12.2 / Lenovo Win8 Tab / Eee Slate / '13 Nexus 7

Posted 23 April 2013 - 08:14 AM

This is my output:

ubuntu@ubuntu:~$ mkdir /tmp/share
ubuntu@ubuntu:~$ sudo apt-get install samba
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following extra packages will be installed:
  tdb-tools
Suggested packages:
  openbsd-inetd inet-superserver smbldap-tools ldb-tools
The following NEW packages will be installed:
  samba tdb-tools
0 upgraded, 2 newly installed, 0 to remove and 0 not upgraded.
Need to get 4,130 kB of archives.
After this operation, 23.0 MB of additional disk space will be used.
Do you want to continue [Y/n]? Y
Get:1

Please Login or Register to see this Hidden Content

quantal/main samba i386 2:3.6.6-3ubuntu5 [4,107 kB]
Get:2

Please Login or Register to see this Hidden Content

quantal/main tdb-tools i386 1.2.10-2 [22.8 kB]
Fetched 4,130 kB in 5s (784 kB/s)
Preconfiguring packages ...
Selecting previously unselected package samba.
(Reading database ... 161209 files and directories currently installed.)
Unpacking samba (from .../samba_2%3a3.6.6-3ubuntu5_i386.deb) ...
Selecting previously unselected package tdb-tools.
Unpacking tdb-tools (from .../tdb-tools_1.2.10-2_i386.deb) ...
Processing triggers for ureadahead ...
Processing triggers for ufw ...
WARN: / is world writable!
WARN: / is group writable!
Processing triggers for man-db ...
Setting up samba (2:3.6.6-3ubuntu5) ...
Generating /etc/default/samba...
update-alternatives: using /usr/bin/smbstatus.samba3 to provide /usr/bin/smbstatus (smbstatus) in auto mode
smbd start/running, process 9314
nmbd start/running, process 9350
Setting up tdb-tools (1.2.10-2) ...
update-alternatives: using /usr/bin/tdbbackup.tdbtools to provide /usr/bin/tdbbackup (tdbbackup) in auto mode
Processing triggers for ureadahead ...
Processing triggers for ufw ...
WARN: / is world writable!
WARN: / is group writable!
ubuntu@ubuntu:~$ sudo gedit /etc/samba/smb.conf
ubuntu@ubuntu:~$ sudo useradd guest -m -G users
ubuntu@ubuntu:~$ sudo passwd guest
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
ubuntu@ubuntu:~$ sudo smbpasswd -a guest
New SMB password:
Retype new SMB password:
Added user guest.
ubuntu@ubuntu:~$ sudo restart smbd
smbd start/running, process 9469
ubuntu@ubuntu:~$ cd /tmp/share
ubuntu@ubuntu:/tmp/share$ wget

Please Login or Register to see this Hidden Content


--2013-04-23 16:12:59-- 

Please Login or Register to see this Hidden Content


Resolving vulnfactory.org (vulnfactory.org)... 199.188.204.9
Connecting to vulnfactory.org (vulnfactory.org)|199.188.204.9|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3304852 (3.2M) [application/x-tar]
Saving to: `motoshare2.tgz'

100%[======================================>] 3,304,852   34.4K/s   in 1m 59s  

2013-04-23 16:14:59 (27.2 KB/s) - `motoshare2.tgz' saved [3304852/3304852]

ubuntu@ubuntu:/tmp/share$ tar xvf motoshare2.tgz
adb.linux
adb.osx
busybox
pwn
run.sh
su
Superuser.apk
ubuntu@ubuntu:/tmp/share$ sudo chmod 755 run.sh
ubuntu@ubuntu:/tmp/share$ cd /tmp/share/
ubuntu@ubuntu:/tmp/share$ sudo ./run.sh
[+] Waiting for device...
* daemon not running. starting it now on port 5037 *
* daemon started successfully *
[+] Device found.
[+] Pushing exploit...
4331 KB/s (366952 bytes in 0.082s)
5024 KB/s (1867568 bytes in 0.362s)
1607 KB/s (64391 bytes in 0.039s)
4592 KB/s (1578585 bytes in 0.335s)
    pkg: /data/local/tmp/Superuser.apk
Success
[+] Rooting phone...
[+] Your phone may appear to reboot. Please ignore this and continue with the exploit.
[+]
[+] Motoshare 2: Motorola 4.1.2 root exploit
[+] Copyright 2013 Dan Rosenberg (@djrbliss)
[+]
[+] Tested on Droid Bionic, Droid Razr (XT910)
[+]
[+] Getting root...
[+] Please press any hardware button on your phone.
[+] Don't worry if the phone is unresponsive at this time.
[+] Press enter to continue once you have pressed a hardware button.

[*] Cleaning up...
[*] Exploit complete. Press enter to reboot and exit.
 

Looks ok but Rootchecker says "Root not installed properly" :(

If you go into superuser, update binaries, what do you get?


b2wvCBn.png

Sig by livinginkaos
Samsung S8+ / Pixel XL 128gb / iPhone 7+ 256gb / iPad Pro 12.9" / Samsung Chromrbook Plus / Pixel C / Nexus 6p 128gb / Nexus 6 / Nexus 6 on Fi / Nexus 9 / Moto 360^2 / Nvidia Shield TV Pro / Nvidia Shield Tablet / HTC EVODesign on FreedomPop / Chromecast / Surface Pro 3 i7 / Samsung Tab Pro 12.2 / Lenovo Win8 Tab / Eee Slate / '13 Nexus 7


#256 bigtex52

bigtex52

    n00b

  • Members
  • Pip
  • 13 posts
  • Twitter:@STM8TR
  • LocationDallas

Posted 23 April 2013 - 08:21 AM

There is an old super user and a new one. I can't uninstall the old one, only uninstall updates. The new one says binaries need updating but when I click install, it says error installing Superuser. Send log to developer.



#257 SamuriHL

SamuriHL

    Android Warrior

  • Smod
  • 44,201 posts
  • Current Device(s):S21 Ultra, Pixel 6

Posted 23 April 2013 - 08:21 AM

Afraid I'm on the XT910 Razr.

 

Are there any more options to try, or should I just give up on my phone being rooted?

 

Same concept, different FXZ.  Grab the latest FXZ for your phone (I don't have a link handy at the moment but make sure it corresponds to what's installed on there for a version) and flash the system.img.  That should clean it up and allow you to redo the root exploit again.


  • Int_Rnd_Pooka likes this

Non potest esse nisi unus


#258 SamuriHL

SamuriHL

    Android Warrior

  • Smod
  • 44,201 posts
  • Current Device(s):S21 Ultra, Pixel 6

Posted 23 April 2013 - 08:24 AM

This is my output:

ubuntu@ubuntu:~$ mkdir /tmp/share
ubuntu@ubuntu:~$ sudo apt-get install samba
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following extra packages will be installed:
  tdb-tools
Suggested packages:
  openbsd-inetd inet-superserver smbldap-tools ldb-tools
The following NEW packages will be installed:
  samba tdb-tools
0 upgraded, 2 newly installed, 0 to remove and 0 not upgraded.
Need to get 4,130 kB of archives.
After this operation, 23.0 MB of additional disk space will be used.
Do you want to continue [Y/n]? Y
Get:1

Please Login or Register to see this Hidden Content

quantal/main samba i386 2:3.6.6-3ubuntu5 [4,107 kB]
Get:2

Please Login or Register to see this Hidden Content

quantal/main tdb-tools i386 1.2.10-2 [22.8 kB]
Fetched 4,130 kB in 5s (784 kB/s)
Preconfiguring packages ...
Selecting previously unselected package samba.
(Reading database ... 161209 files and directories currently installed.)
Unpacking samba (from .../samba_2%3a3.6.6-3ubuntu5_i386.deb) ...
Selecting previously unselected package tdb-tools.
Unpacking tdb-tools (from .../tdb-tools_1.2.10-2_i386.deb) ...
Processing triggers for ureadahead ...
Processing triggers for ufw ...
WARN: / is world writable!
WARN: / is group writable!
Processing triggers for man-db ...
Setting up samba (2:3.6.6-3ubuntu5) ...
Generating /etc/default/samba...
update-alternatives: using /usr/bin/smbstatus.samba3 to provide /usr/bin/smbstatus (smbstatus) in auto mode
smbd start/running, process 9314
nmbd start/running, process 9350
Setting up tdb-tools (1.2.10-2) ...
update-alternatives: using /usr/bin/tdbbackup.tdbtools to provide /usr/bin/tdbbackup (tdbbackup) in auto mode
Processing triggers for ureadahead ...
Processing triggers for ufw ...
WARN: / is world writable!
WARN: / is group writable!
ubuntu@ubuntu:~$ sudo gedit /etc/samba/smb.conf
ubuntu@ubuntu:~$ sudo useradd guest -m -G users
ubuntu@ubuntu:~$ sudo passwd guest
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
ubuntu@ubuntu:~$ sudo smbpasswd -a guest
New SMB password:
Retype new SMB password:
Added user guest.
ubuntu@ubuntu:~$ sudo restart smbd
smbd start/running, process 9469
ubuntu@ubuntu:~$ cd /tmp/share
ubuntu@ubuntu:/tmp/share$ wget

Please Login or Register to see this Hidden Content


--2013-04-23 16:12:59-- 

Please Login or Register to see this Hidden Content


Resolving vulnfactory.org (vulnfactory.org)... 199.188.204.9
Connecting to vulnfactory.org (vulnfactory.org)|199.188.204.9|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3304852 (3.2M) [application/x-tar]
Saving to: `motoshare2.tgz'

100%[======================================>] 3,304,852   34.4K/s   in 1m 59s  

2013-04-23 16:14:59 (27.2 KB/s) - `motoshare2.tgz' saved [3304852/3304852]

ubuntu@ubuntu:/tmp/share$ tar xvf motoshare2.tgz
adb.linux
adb.osx
busybox
pwn
run.sh
su
Superuser.apk
ubuntu@ubuntu:/tmp/share$ sudo chmod 755 run.sh
ubuntu@ubuntu:/tmp/share$ cd /tmp/share/
ubuntu@ubuntu:/tmp/share$ sudo ./run.sh
[+] Waiting for device...
* daemon not running. starting it now on port 5037 *
* daemon started successfully *
[+] Device found.
[+] Pushing exploit...
4331 KB/s (366952 bytes in 0.082s)
5024 KB/s (1867568 bytes in 0.362s)
1607 KB/s (64391 bytes in 0.039s)
4592 KB/s (1578585 bytes in 0.335s)
    pkg: /data/local/tmp/Superuser.apk
Success
[+] Rooting phone...
[+] Your phone may appear to reboot. Please ignore this and continue with the exploit.
[+]
[+] Motoshare 2: Motorola 4.1.2 root exploit
[+] Copyright 2013 Dan Rosenberg (@djrbliss)
[+]
[+] Tested on Droid Bionic, Droid Razr (XT910)
[+]
[+] Getting root...
[+] Please press any hardware button on your phone.
[+] Don't worry if the phone is unresponsive at this time.
[+] Press enter to continue once you have pressed a hardware button.

[*] Cleaning up...
[*] Exploit complete. Press enter to reboot and exit.
 

Looks ok but Rootchecker says "Root not installed properly" :(

 

Please do what I've been telling everyone in your situation to do.  Run the following and give me the output:

 

sudo ./adb.linux shell ls -l /system/bin/su*

sudo ./adb.linux shell ls -l /system/xbin/su*

 

I need to see the output from each one of those.


Non potest esse nisi unus


#259 SamuriHL

SamuriHL

    Android Warrior

  • Smod
  • 44,201 posts
  • Current Device(s):S21 Ultra, Pixel 6

Posted 23 April 2013 - 08:25 AM

There is an old super user and a new one. I can't uninstall the old one, only uninstall updates. The new one says binaries need updating but when I click install, it says error installing Superuser. Send log to developer.

 

Remnants from the old republic.  That's why I want to see the output from those two commands. I suspect you'll be doing a system.img flash shortly, as well.


Non potest esse nisi unus


#260 djrbliss

djrbliss

    Security Exploit Specialist

  • Root Exploit God
  • 21 posts

Posted 23 April 2013 - 08:28 AM

It seems some people are having problems with the part requiring pressing a hardware button.

 

I've uploaded a new version of the exploit that will cause the phone to vibrate when that stage has competed successfully. As the instructions now state, don't press enter to continue with the exploit until your device has vibrated. That will hopefully fix all the problems.

 

The updated exploit also uninstalls old versions of Superuser.apk if it was previously installed on the system partition instead of as a normal app.


  • SamuriHL, Int_Rnd_Pooka, matjmonk and 5 others like this




1 user(s) are reading this topic

0 members, 1 guests, 0 anonymous users