Better Mobile App

[Q] Read commands' output inside su process

Hello, maybe here someone will help me
I'm writing a file manager app and I want to allow it for browsing with root permissions.
All I have so far is creation of a Process object using Runtime.exec("su"). Then I get output stream from it and write "ls" command. And here goes the question. How to read the output of the "ls"? Getting the input stream from the process gives me stdout of the "su" which is useless.

glodos said:
Hello, maybe here someone will help me
I'm writing a file manager app and I want to allow it for browsing with root permissions.
All I have so far is creation of a Process object using Runtime.exec("su"). Then I get output stream from it and write "ls" command. And here goes the question. How to read the output of the "ls"? Getting the input stream from the process gives me stdout of the "su" which is useless.
Click to expand...
Click to collapse
Use the -c option of su:
Code:
su -c 'ls -l /system/'

I think I'm closer, but still it doesn't work
I have this:
Code:
p = Runtime.getRuntime().exec("/system/bin/su -c 'ls -d -1 "+directory.getAbsolutePath()+"/*'");
So the command for a directory /data will be:
Code:
/system/bin/su -c 'ls -d -1 /data/*'
But it gives me:
Code:
W/su (13979): request rejected (0->0 'ls)
I have tried putting the command's parts into array but then system asks for su permission on every command. For ex. ls /data needs permission and ls /system needs another permission beacuse the command is different.

Not much I can think of to do about that. I had a similar issue once upon a time and I dealt with it by using a script that read its commands from a data file. I'd write the datafile to my program's designated directory (no special permissions required), then run a single command with su and that script would read the datafile to know what to do, otherwise, I had a ****load of su requests bothering the user.

You've got a point there, but making it work with a file manager, where the commands are related to user interaction would be very difficult. Anyway I will put it into my consideration.
I wonder how all these root explorers are made but none of the developers, which I asked so far, were so kind to give me some tips

glodos said:
You've got a point there, but making it work with a file manager, where the commands are related to user interaction would be very difficult. Anyway I will put it into my consideration.
I wonder how all these root explorers are made but none of the developers, which I asked so far, were so kind to give me some tips
Click to expand...
Click to collapse
Well, I suppose you could keep a process open to a shell with root permissions and once open, keep input and output pipes routed to it and send and receive commands as needed.

Gene Poole said:
Well, I suppose you could keep a process open to a shell with root permissions and once open, keep input and output pipes routed to it and send and receive commands as needed.
Click to expand...
Click to collapse
Well, that's what I've tried to do, but as I mentioned in the first post, output pipe gives me stdout of the su process which doesn't write any output (but "ls" does).

glodos said:
Well, that's what I've tried to do, but as I mentioned in the first post, output pipe gives me stdout of the su process which doesn't write any output (but "ls" does).
Click to expand...
Click to collapse
No, I don't think you're following me. Just run su -c 'sh' and it should run a shell and keep it open. From there, you create an input stream, output stream and possibly an error stream, then write commands like "ls -l /system\n" (the \n triggers the shell to execute it) to the output stream, then read the results form the input stream. You keep doing this as needed and when you're done just send "exit\n".

Oh, I understand now. I'll try it ASAP.
Edit:
It works now, but I have problems with stopping the loop. Here is my piece of code:
Code:
String[] cmd = new String[]{"su", "-c", "/system/bin/sh"};
console = Runtime.getRuntime().exec(cmd);
BufferedWriter stdin = new BufferedWriter(new OutputStreamWriter(console.getOutputStream()));
stdin.write("ls -d -1 "+directory.getAbsolutePath()+"/*\n");
BufferedReader stdout = new BufferedReader(new InputStreamReader(console.getInputStream()));
String read;
data1 = new String();
while((read=stdout.readLine())!=null){
data1+=read + "\n";
}
The problem is, that it hangs at some point on invocation of "stdout.readLine()". I have read that it waits for some data to come and it will never be null.
Furthermore if my ls command returns nothing (which can happen) it always hangs forever on readLine().
Anyway I'll try to do something with this. Maybe there is a workaround and reading will not block.
Thank you for your effort, it was really helpful.

glodos said:
The problem is, that it hangs at some point on invocation of "stdout.readLine()". I have read that it waits for some data to come and it will never be null.
Furthermore if my ls command returns nothing (which can happen) it always hangs forever on readLine().
Anyway I'll try to do something with this. Maybe there is a workaround and reading will not block.
Thank you for your effort, it was really helpful.
Click to expand...
Click to collapse
Sorry to ressurect such an old thread. I'd been having the same problem with reads blocking using BufferedReader, InputStream and other variants. Turns out BufferedReader has a ready() method which indicates whether a read() will block. This code works for me:
Code:
String outputStr;
BufferedReader reader = new BufferedReader(new InputStreamReader(suProcess.getInputStream()));
while (reader.ready()) {
outputStr += reader.readLine();
}
Hope it helps someone from the repeating the same frustrations. Heck I hope it helps me in the future in case I forget this

[Q] got exception when executed "am start" command on xt720

To use adb shell, I executed the following command on motorola xt720:
===============
C:\Documents and Settings\guominl>adb -s 040394FD1901500C shell
$ am start -a android.intent.action.CALL tel:10086
===============
And got the following responses from console:
===============
am start -a android.intent.action.CALL tel:10086
Starting: Intent { act=android.intent.action.CALL dat=tel:10086 }
java.lang.SecurityException: Permission Denial: starting Intent { act=android.in
tent.action.CALL dat=tel:10086 flg=0x10000000 cmp=com.android.phone/.OutgoingCal
lBroadcaster } from null (pid=-1, uid=-1) requires android.permission.CALL_PHONE
======================================
My XT720 software version is STR_U2_01.18.2, there is somebody to know the reason? why? I need ugrade my XT720 software to 2.2 version?
thanks
guomin

[Q] App development using su permission causes SuperSU problem with su binary file

Hello everyone,
An error related to SuperSU's su binary file occured when i try to run "mount" linux command through background sh process.
Everything is ok in the process of running su and a root permission is properly got by SuperSU, code is here:
Code:
Process process = (new ProcessBuilder("/system/bin/sh")).redirectErrorStream(true).start();
BufferedReader reader = new BufferedReader(new InputStreamReader(process.getInputStream()));
PrintWriter writer = new PringWriter(process.getOutputStream());
writer.println("echo start");
writer.println("su");
writer.println("echo end");
String res = null;
while ((res = reader.readLine()) != null) {
if (res.equals("end")) break;
}
Of cause i run it in a sub thread and won't block the UI thread.
And in the click listener of a button i trigger the mount command in the similar process.
writer.println("toolbox mount -o rw,remount /system");
But when i successfully mount that path and return to SuperSU, the error occurs with no doult.
An error dialog will be poped up like this: There is no SU binary installed, and SuperSU cannot install it. This is a problem!
Any one have an idea that why running a single linux mount command can cause that problem? And how couldi do?
More information: I have tried several other command like pwd, ls and other basic command, but all of them work well, except
mount, who would like to explain this problem?

[Q] Android 4.3, upgrading file's permissions

I have an app, pushing it to in /data/local/tmp/myapp
I have root access for a while in exploit, so my goal is to setup "privileges" to /data/local/tmp/myapp, so it will be running as root even if was called from sh ( sh is running with shell privilleges )
_________________________________
BEFORE 4.3. code works fine ( executing in a context of process with root privileges ):
Code:
chown( "/data/local/tmp/myapp", 0 , 0); //owner to root
chmod("/data/local/tmp/myapp" 06777); //chmod myapp to suid
ls shows cute output after that:
-rwxrwxrwx root root myapp
Click to expand...
Click to collapse
Thats enough so myapp starts with uid == 0 even when was launched from "sh" with shell's uid.
4.3 this is NOT ENOUGH. Additional SE policies comes here ...
ls -Z shows the next output:
-rwxrwxrwx root root u: object_r:shell_data_file:s0 myapp
Click to expand...
Click to collapse
When i'm starting myapp from sh BEFORE 4.3 everything goes fine, but on 4.3 myapp launches with uid != 0.
PS: modifying context through chcon to u: object_r:system_file:s0 of myapp didnt help
_________________________________
Maybe someone have some ideas where i can continue research? :crying:

Circumventing root detection with custom kernel

Hi everyone (and sorry, can't post proper links yet),
I'm a security/pentester looking for a generic way of circumventing root detection. Only thing I'm usually interested is to have full filesystem access (check how apps encrypt their data), start a couple of execs with root (eg. frida-server) and have a root shell in general. I have a Nexus 5 "hammerhead", installed full stock image MOB30Y, then checked the kernel and downloaded the kernel source code for the matchin 3.4.0-gcef4f17. I added a backdoor to the kernel code, similar to this backdoor: github.com/allwinner-zh/linux-3.4-sunxi/blob/bd5637f7297c6abf78f93b31fc1dd33f2c1a9f76/arch/arm/mach-sunxi/sunxi-debug.c#L41 , then recompiled the kernel, and booted the device with that kernel. So far so good:
Code:
[email protected]:/ $ id
uid=2000(shell) gid=2000(shell) groups=2000(shell),1004(input),1007(log),1011(adb),1015(sdcard_rw),1028(sdcard_r),3001(net_bt_admin),3002(net_bt),3003(inet),3006(net_bw_stats) context=u:r:shell:s0
*trigger the backdoor*
Code:
[email protected]:/ $ id
uid=0(root) gid=0(root) groups=0(root),1004(input),1007(log),1011(adb),1015(sdcard_rw),1028(sdcard_r),3001(net_bt_admin),3002(net_bt),3003(inet),3006(net_bw_stats) context=u:r:shell:s0
So I'm uid 0 now. Now I just need to get around the SELinux mess. Problem:
Code:
[email protected]erhead:/data/data $ ls /data/data
opendir failed, Permission denied
My question: Anybody knows how I can call functions from android.googlesource.com/platform/external/libselinux/+/jb-mr1-dev-plus-aosp/include/selinux/selinux.h so I get the init context?
I'm not too familiar with these calls.... I think something along:
Code:
#include <selinux/selinux.h>
if is_selinux_enabled(){
struct security_context_t *cont;
getcon(cont); //This should get the kernel's context
//How do I assign the kernel's context to the "current" process context?
//?
freecon(cont);
}