forked from llamasoft/RootMyRoku
-
Notifications
You must be signed in to change notification settings - Fork 0
/
bootstrap.conf
55 lines (50 loc) · 3.15 KB
/
bootstrap.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
# udhcpd allows you to specify an executable to notify whenever the lease file is updated.
# It will call the `notify_file` executable and pass `lease_file` as the only parameter.
# However, it has a few critical limitations:
# - The `notify_file` target must have the execute bit set.
# This is actually a major hurdle.
# While we can copy/write to arbitrary files, we can't control
# the resulting file's permissions. As a consequence, the files
# we write to /nvram always never have their execute bit set.
# - udhcpd uses `execvp` to call `notify_file`, so we have access to
# exactly ONE parameter (i.e. `lease_file`) regardless of whitespace.
# This means things like `/bin/sh -c "commands to run"` won't work.
# - The contents of `lease_file` will be overwritten before calling `notify_file`.
# This means we can't use `/bin/sh /path/to/script.sh` because udhcpd
# will clobber the contents of our script before it ever gets executed.
# - The value of `lease_file` must be a path that udhcpd can write to.
# If it fails to write to `lease_file` then it won't call `notify_file`.
# The file itself doesn't need to exist in advance, but udhcpd can't
# create directories so it must be placed somewhere udhcpd can write.
# The solution is an awk script + file path polyglot:
# - Start with a pattern match (`/tmp/;`) that executes nothing.
# This makes the entire awk script look like a file path under /tmp.
# From this point on, we can no longer use front-slahes otherwise
# it will be interpreted as subdirectories.
# We work around this by creating a front-slash using sprintf
# and using string concatination to generate a system command.
# - awk normally reads input via file name arguments and/or stdin,
# but udhcpd won't be passing any additional arguments.
# This means that the core of the awk script must be inside a `BEGIN`
# block which executes before any input processing takes place.
# As a side note, we must manually exit awk. If we reach the end of
# the `BEGIN` block, it will hang when attempting to consume stdin.
# This in turn causes udhcpd to hang waiting for `notify_file` to finish.
# - Lastly, we need to manually chmod +x the exploit payload
# because the execute bit will be missing.
# Behold! (I'm actually pretty proud of this.)
notify_file /usr/bin/awk
lease_file /tmp/; BEGIN { fs=sprintf("%c",47); system("chmod +x "fs"nvram"fs"payload.sh && "fs"nvram"fs"payload.sh"); exit(0); }
# udhcpd calls `notify_file` whenever a new lease is created or every `auto_time` seconds.
# We need the exploit payload to run before Application launches.
# To accomplish this, we set the `auto_time` value to a small value
# so that it triggers very early in the boot process.
# The exploit payload will update the udhcpd config file
# so that the small `auto_time` value is only used once.
auto_time 1
# A fallback interface in case we couldn't find one during installation.
interface wlan1
# Make sure this file ends with an empty line.
# An `interface` line will be appended during startup
# and we need to make sure that it doesn't accidentally
# get appended to one of our directives.