05-24-2023, 11:30 AM   #4
bulltricks
Enthusiast
Posts: 29
Karma: 100000
Join Date: May 2023
Device: Kindle family
Quote:
Originally Posted by NiLuJe
As for the actual failure, try strace-ing it, I would assume there's a conflicting busybox build somewhere in the PATH (or they botched a forkless busybox build, awk is a noexec applet).
This is a KT4 with 5.15.1.1, using a reverse shell (/bin/sh -i piped to netcat).

The difference seems to be how the applet is being reached: if it is reached through /usr/bin/awk (which symlinks to busybox) then it works, but if it's being run from /bin/sh, it segfaults.

The strangest thing is this:
Code:
prctl(PR_SET_NAME, "awk\0\0\0\0\0\334\222\242\0\304\222\242\0") = 0
It has to be something to do with the shell, because awk seems to have run fine in the startup scripts!

Failing:
Code:
execve("/bin/sh", ["sh", "-c", "awk -h"], [/* 7 vars */]) = 0
...
open("/var/local/system/locale", O_RDONLY) = 6
lseek(6, 0, SEEK_END)                   = 34
mmap2(NULL, 34, PROT_READ|PROT_WRITE, MAP_PRIVATE, 6, 0) = 0x76f91000
brk(0)                                  = 0xa29000
brk(0xa4a000)                           = 0xa4a000
munmap(0x76f91000, 34)                  = 0
close(6)                                = 0
open("/var/local/system/tzVar", O_RDONLY) = -1 ENOENT (No such file or directory)
prctl(PR_SET_NAME, "sh\0-c\0awk -h\0SHL") = 0
getuid32()                              = 0
getpid()                                = 18153
rt_sigaction(SIGCHLD, {0x576b8, ~[RTMIN RT_1], SA_RESTORER, 0x76ddaf00}, NULL, 8) = 0
getppid()                               = 18151
uname({sysname="Linux", nodename="kindle", ...}) = 0
stat64("/var/local", {st_mode=S_IFDIR|S_ISGID|0775, st_size=3072, ...}) = 0
stat64(".", {st_mode=S_IFDIR|S_ISGID|0775, st_size=3072, ...}) = 0
rt_sigaction(SIGINT, NULL, {SIG_IGN, [], 0}, 8) = 0
rt_sigaction(SIGQUIT, NULL, {SIG_IGN, [], 0}, 8) = 0
rt_sigaction(SIGTERM, NULL, {SIG_DFL, [], 0}, 8) = 0
prctl(PR_SET_NAME, "awk\0\0\0\0\0\334\222\242\0\304\222\242\0") = 0
--- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_ACCERR, si_addr=0xc3833} ---

Successful:
Code:
execve("/bin/sh", ["/bin/sh", "-c", "/usr/bin/awk -h"], [/* 7 vars */]) = 0
...
execve("/usr/bin/awk", ["/usr/bin/awk", "-h"], [/* 7 vars */]) = 0
brk(0)                                  = 0x1987000
uname({sysname="Linux", nodename="kindle", ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x76f96000
access("/etc/ld.so.preload", R_OK)      = 0
...
open("/var/local/system/locale", O_RDONLY) = 6
lseek(6, 0, SEEK_END)                   = 34
mmap2(NULL, 34, PROT_READ|PROT_WRITE, MAP_PRIVATE, 6, 0) = 0x76f93000
brk(0)                                  = 0x1987000
brk(0x19a8000)                          = 0x19a8000
munmap(0x76f93000, 34)                  = 0
close(6)                                = 0
open("/var/local/system/tzVar", O_RDONLY) = -1 ENOENT (No such file or directory)
prctl(PR_SET_NAME, "awk\0-h\0SHLVL=3\0O") = 0
getuid32()                              = 0
write(2, "/usr/bin/awk: invalid option -- "..., 36/usr/bin/awk: invalid option -- 'h'
) = 36
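The two traces above differ in one structural way: the working run shows a second execve() of /usr/bin/awk, while the failing run never leaves /bin/sh and instead calls prctl(PR_SET_NAME) with a name buffer that carries high bytes after the terminating NUL, right before the SIGSEGV. The following is an added example, not code from the post or from busybox, that parses abridged strace lines (constructed from the ones quoted above) and reports exactly those three signals; the "high bytes after the first NUL" test is a heuristic I chose for spotting an unterminated buffer, not a documented strace or busybox rule.

```python
import re

# Constructed samples, abridged from the two strace runs quoted in the post:
# the shell runs the awk applet in-process (no second execve) and crashes,
# while the symlink path execve()s /usr/bin/awk and runs normally.
FAILING = r'''
execve("/bin/sh", ["sh", "-c", "awk -h"], [/* 7 vars */]) = 0
prctl(PR_SET_NAME, "sh\0-c\0awk -h\0SHL") = 0
prctl(PR_SET_NAME, "awk\0\0\0\0\0\334\222\242\0\304\222\242\0") = 0
--- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_ACCERR, si_addr=0xc3833} ---
'''
SUCCESSFUL = r'''
execve("/bin/sh", ["/bin/sh", "-c", "/usr/bin/awk -h"], [/* 7 vars */]) = 0
execve("/usr/bin/awk", ["/usr/bin/awk", "-h"], [/* 7 vars */]) = 0
prctl(PR_SET_NAME, "awk\0-h\0SHLVL=3\0O") = 0
'''

EXECVE = re.compile(r'^execve\("([^"]+)"')
PRCTL = re.compile(r'^prctl\(PR_SET_NAME, "((?:[^"\\]|\\.)*)"\)')
SIGNAL = re.compile(r'^--- (SIG[A-Z0-9]+) ')

def decode_c_string(s):
    """Turn strace's C-style escapes (\\0, \\334, \\\\) back into raw bytes."""
    return s.encode('latin-1').decode('unicode_escape').encode('latin-1')

def diagnose(trace):
    """Summarise how the command was reached and whether the PR_SET_NAME
    buffer looks unterminated (heuristic: non-ASCII bytes after first NUL)."""
    execs, applets, garbage, signal = [], [], False, None
    for line in trace.splitlines():
        if m := EXECVE.match(line):
            execs.append(m.group(1))
        elif m := PRCTL.match(line):
            raw = decode_c_string(m.group(1))
            name, _, rest = raw.partition(b'\0')
            applets.append(name.decode('ascii', 'replace'))
            # strace prints the whole 16-byte buffer; high bytes after the
            # terminator suggest the name was read from uninitialised memory
            garbage = any(b >= 0x80 for b in rest)
        elif m := SIGNAL.match(line):
            signal = m.group(1)
    return {'execve': execs, 'in_process': len(execs) == 1,  # only sh exec'd
            'applets': applets, 'garbage_after_nul': garbage, 'signal': signal}

if __name__ == '__main__':
    for label, t in (('failing', FAILING), ('successful', SUCCESSFUL)):
        print(label, diagnose(t))
```

Run it against a full `strace -f -o trace.txt sh -c 'awk -h'` capture to confirm whether awk was reached by execve() or as an in-process applet before digging into the busybox build.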