  • Language
    Python
  • License
    Apache License 2.0
  • Created over 3 years ago
  • Updated about 1 year ago

AERoot

AERoot is a command line tool that gives root privileges on the fly to any process running on the Android emulator with Google Play flavor AVDs.

This project is a rewrite from scratch of the android-emuroot tool (https://github.com/airbus-seclab/android_emuroot). It comes with new features:

  • Recent AVDs support (Android API > 27)
  • Execution time optimization
  • Selection of a process by its PID

Compatible Kernels

Kernel x86 x86_64 Android version
3.10.0+ ✓ 7.0 / 7.1
3.18.56+ ✓ 8.0
3.18.91+ ✓ 8.1
4.4.124+ ✓ ✓ 9.0
4.14.112+ ✓ ✓ 9.0 + 10.0 (TV / Automotive)
5.4.36-00815-g3b29042c17b1 ✓ ✓ 10.0
5.4.43-00621-g90087296b3b1 ✓ ✓ 10.0
5.4.47-01061-g22e35a1de440 ✓ ✓ 10.0
5.4.54-android11-0-00619-g476c942d9b3e-ab6722723 ✓ ✓ 11.0
5.4.61-android11-0-00791-gbad091cc4bf3-ab6833933 ✓ ✓ 11.0
5.4.61-android11-2-00064-g4271ad6e8ade-ab6991359 ✓ 11.0
5.4.86-android11-2-00006-gae78026f427c-ab7595864 ✓ 11.0 (Automotive)
5.4.86-android11-2-00040-g29b2beadc627-ab7157994 ✓ ✓ 11.0 (TV / Automotive)
5.10.4-android12-0-03442-gf2684370d34d-ab7068937 ✓ 12.0
5.10.15-android12-0-01814-gfca78df78ef2-ab7137072 ✓ 12.0
5.10.21-android12-0-01012-gcc574f0d3698-ab7214561 ✓ 12.0
5.10.21-android12-0-01145-ge82381ad9a3f-ab7230153 ✓ 12.0
5.10.35-android12-4-00865-gd9d0c09e0a3b-ab7349034 ✓ 12.0
5.10.43-android12-6-00231-g54e7412d4ff9-ab7460289 ✓ 12.0
5.10.43-android12-9-00001-ga30f38980440-ab7882141 ✓ 12.0
5.10.66-android12-9-00022-g2d6a43c0364d-ab7992900 ✓ 12.0 (TV)
5.10.66-android12-9-00041-gfa9c9074531e-ab7914766 ✓ 12.0
5.10.102-android13-0-00549-g255b30f804ac-ab8238117 ✓ ✓ 13.0 + 13.0 (TV)
5.10.107-android13-2-00451-g7ba447d0399b-ab8409457 ✓ 13.0
5.15.32-android13-3-00067-g7b5e736d7c63-ab8474665 ✓ 13.0
5.15.41-android13-6-02245-g158384f20d1e-ab8610100 ✓ 13.0
5.15.41-android13-8-00205-gf1bf82c3dacd-ab8747247 ✓ 13.0
5.15.41-android13-8-00055-g4f5025129fe8-ab8949913 ✓ 13.0
5.15.83-android14-5-00138-g5e28b848962c-ab9412825 ✓ 14.0
6.1.12-android14-0-00356-g116e1532b95d-ab9618665 ✓ 14.0
6.1.21-android14-3-01811-g9e35a21ec03f-ab9850788 ✓ 14.0

Requirements

AERoot requires gdb (with Python support enabled) to run properly.

Installation

Last Release

pip install aeroot

Current version

git clone https://github.com/quarkslab/AERoot.git
cd AERoot
python3 setup.py install --user

Docker

A Docker image of AERoot is available on Docker Hub.

You can also build the image yourself:

docker build -t aeroot https://github.com/quarkslab/AERoot.git

Linux

Usage

docker run --rm \
           -v $HOME/.emulator_console_auth_token:$HOME/.emulator_console_auth_token \
           --network host \
           ha0ris/aeroot [aeroot options]

Example

docker run --rm \
           -v $HOME/.emulator_console_auth_token:$HOME/.emulator_console_auth_token \
           --network host \
           ha0ris/aeroot daemon

macOS

Usage

docker run --rm \
           -v $HOME/.emulator_console_auth_token:$HOME/.emulator_console_auth_token \
           ha0ris/aeroot --host host.docker.internal [aeroot options]

Example

docker run --rm \
           -v $HOME/.emulator_console_auth_token:$HOME/.emulator_console_auth_token \
           ha0ris/aeroot --host host.docker.internal daemon

Quick-start

First of all, you must launch the Android emulator with the gdb qemu option (-qemu -s).

emulator @Your_AVD -qemu -s

Then run aeroot in one of the following modes:

  • pid: give root privileges to a process selected by its PID.
  • name: give root privileges to a process selected by its name.
  • daemon: give root privileges to the ADB daemon, so shells created with adb shell will automatically have root rights.
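
A preflight check for the steps above, as an added example that is not part of AERoot or its README: it confirms that gdb has Python support and reports whether the gdb stub opened by -qemu -s is bound only to loopback, since that stub accepts debugger connections without authentication. Port 1234, the Linux ss tool and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not AERoot code. Assumptions: Linux host with iproute2 `ss`,
# and the stub opened by "-qemu -s" on TCP port 1234 (QEMU's default for -s).
GDB_PORT=1234

# Classify listeners read from stdin (line format of `ss -ltnH`).
# Prints one of: absent | loopback | exposed
gdbstub_exposure() {
    awk -v port="$GDB_PORT" '
        BEGIN { state = "absent" }
        {
            n = split($4, parts, ":")          # $4 is Local Address:Port
            if (parts[n] != port) next
            addr = substr($4, 1, length($4) - length(parts[n]) - 1)
            if (addr == "127.0.0.1" || addr == "[::1]") {
                if (state == "absent") state = "loopback"
            } else {
                state = "exposed"              # 0.0.0.0, *, [::] or a routable address
            }
        }
        END { print state }'
}

# Succeeds only if the gdb on PATH embeds Python, which AERoot requires.
gdb_has_python() {
    command -v gdb >/dev/null 2>&1 &&
        gdb -nx -batch -ex 'python print("py-ok")' 2>/dev/null | grep -q '^py-ok$'
}

# Run on the host after starting the emulator: preflight && aeroot daemon
preflight() {
    gdb_has_python || { echo "gdb with Python support not found" >&2; return 1; }
    case "$(ss -ltnH | gdbstub_exposure)" in
        absent)  echo "no listener on port $GDB_PORT; start the emulator with -qemu -s" >&2
                 return 1 ;;
        exposed) echo "warning: gdb stub is reachable beyond loopback; firewall port $GDB_PORT" >&2 ;;
    esac
}

# Constructed sample listener tables (not captured from a real host).
SAMPLE_EXPOSED='LISTEN 0 1 0.0.0.0:1234 0.0.0.0:*
LISTEN 0 4 127.0.0.1:5554 0.0.0.0:*'
SAMPLE_LOOPBACK='LISTEN 0 1 127.0.0.1:1234 0.0.0.0:*'

printf '%s\n' "$SAMPLE_EXPOSED" | gdbstub_exposure    # prints "exposed"
```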

Usage

aeroot [-h] [--verbose | --quiet] [--device DEVICE] [--host HOST] [--port PORT] {name,pid,daemon} ...

Examples

pid mode example

aeroot pid 1337

Gives root privileges to the process with PID 1337.

name mode example

aeroot name my_process

Gives root privileges to the process named "my_process".

daemon mode example

aeroot daemon

Gives root privileges to the ADB daemon.

Additional options

You can find additional options by checking the help of the tool: aeroot -h
