Video Screencast Help
Cyber Security Group

Android Mobile App Pen-Test Tricks Part II – Installing BusyBox

Created: 03 Oct 2013 • 1 comment
Vince Kornacki's picture
+6 6 Votes
Login to vote

Welcome back to the "Android Mobile Application Penetration Test Tricks" blog series! We'll continue to examine techniques that you can use while performing your own mobile application penetration tests. In this installment we'll configure BusyBox, an extremely useful utility that combines tiny versions of many common UNIX utilities into a single small executable. The trusty ADB (Android Debug Bridge) command contains an option to launch a shell within the Android emulator:

    $ adb shell
    root@android:/ # pwd
    root@android:/ # ls

Shell commands can also be run directly from ADB:

    $ adb shell "pwd"
    $ adb shell "ls"

However, the ADB shell is somewhat limited and does not contain useful commands such as awk, find, or strace. BusyBox to the rescue! The first step is to download the appropriate binary from The "busybox-armv4tl", "busybox-armv5l" , and "busybox-armv6l" commands works within Android ARM emulators running Android 4.2 (API Level 17, commonly known as Jelly Bean), the current version at the time of writing. Depending on your Android version and emulator processor, you might need to download one of the other BusyBox commands instead (i.e., busybox-armv4l, busybox-i486, busybox-i586, busybox-i686, or busybox-x86_64). Now you can launch the emulator with the "partition-size" and "no-snapshot" options:

    $ emulator64-arm -avd myEmulator -partition-size 512 -no-snapshot

Setting the "partition-size" option to a large value such as 512 MB will allow us to make changes to the "/system" partition. Including the "-no-snapshot" option prevents hardware configuration conflicts introduced by the "partition-size" option. Now let's install the BusyBox binary. By default the /system partition is mounted read-only, so you'll need to remount this partition read/write with the following command:

    root@android:/ # mount -o rw,remount -t yaffs2 /dev/block/mtdblock0 /system

Let's examine the default PATH variable configured within the shell:

    root@android:/ # set | grep ^PATH

The /vendor directory is actually symbolic link to the /system/vendor directory:

    root@android:/ # ls -l /vendor
    lrwxrwxrwx  root  root  2013-03-27 14:18  vendor -> /system/vendor

The /system/vendor directory does not yet exist:

    root@android:/ # ls /system/vendor
    /system/vendor: No such file or directory

So this seems like a perfect place to stash the BusyBox binary. Let's create the /system/vendor/bin directory:

    root@android:/ # mkdir -p /system/vendor/bin

Now let's copy the BusyBox binary into the /system/vendor/bin directory:

    $ adb push busybox-armv6l /system/vendor/bin
    3014 KB/s (1096224 bytes in 0.355s)

And you can finally launch BusyBox:

    root@android:/ # busybox-armv6l
    BusyBox v1.20.0 (2012-08-22 21:36:24 CDT) multi-call binary.
    Copyright (C) 1998-2011 Erik Andersen, Rob Landley, Denys Vlasenko
    and others. Licensed under GPLv2.
    See source distribution for full notice.
    Usage: busybox [function] [arguments]...
       or: busybox --list[-full]
       or: busybox --install [-s] [DIR]
       or: function [arguments]...
      BusyBox is a multi-call binary that combines many common Unix
      utilities into a single executable.  Most people will create a
      link to busybox for each function they wish to use and BusyBox
      will act like whatever it was invoked as.
    Currently defined functions:
      [, [[, acpid, add-shell, addgroup, adduser, adjtimex, arp, arping,
      ash, awk, base64, basename, beep, blkid, blockdev, bootchartd,
      brctl, bunzip2, bzcat, bzip2, cal, cat, catv, chat, chattr, chgrp,
      unlzop, unxz, unzip, uptime, users, usleep, uudecode, uuencode,
      vconfig, vi, vlock, volname, wall, watch, watchdog, wc, wget,
      which, who, whoami, whois, xargs, xz, xzcat, yes, zcat, zcip
As you can see, BusyBox supports a whopping 346 different commands! In order to run a BusyBox command, just include the specific command and any options as parameters to the BusyBox binary. Consider the "free" command, which is not included within the default ADB shell:

    root@android:/ # busybox-armv6l free
                     total      used      free    shared    buffers
    Mem:            516144    196400    319744         0        828
    -/+ buffers:              195572    320572
    Swap:                0         0         0

However, for ease of use you can run the BusyBox binary with the "install" option in order to create renamed copies the BusyBox binary for all 346 commands:

    root@android:/ # busybox-armv6l --install /system/vendor/bin

Now there's a binary for each BusyBox command:

    root@android:/ # ls -l /system/vendor/bin
    -rwxr-xr-x  root  root  1096224  2013-03-08 15:39  [
    -rwxr-xr-x  root  root  1096224  2013-03-08 15:39  [[
    -rwxr-xr-x  root  root  1096224  2013-03-08 15:39  acpid
    -rwxr-xr-x  root  root  1096224  2013-03-08 15:39  yes
    -rwxr-xr-x  root  root  1096224  2013-03-08 15:39  zcat
    -rwxr-xr-x  root  root  1096224  2013-03-08 15:39  zcip

So you can run BusyBox commands natively:

    root@android:/ # free
                     total      used      free    shared    buffers
    Mem:            516144    204996    311148         0        828
    -/+ buffers:              204168    311976
    Swap:                0         0         0

Furthermore, because the /vendor/bin directory is listed before the /system/bin directory within the shell PATH variable, BusyBox commands will override default ADB shell commands, providing enhanced functionality. Note that by default the emulator resets the system image between reboots. There are two ways around this problem. The first is to copy the BusyBox binary onto the SD card, where it will be saved between emulator reboots:

    $ adb push busybox-armv6l /mnt/sdcard
    3014 KB/s (1096224 bytes in 0.355s)

As a security precaution you cannot execute a binary from the /mnt/sdcard directory, so you'll have to create the /system/vendor/bin directory, copy the BusyBox binary to the /system/vendor/bin directory, modify the BusyBox binary permissions, and execute the BusyBox binary with the "install" option every time you reboot the emulator. Alternatively, you can backup the system state file before you shutdown the emulator. On Linux operating systems the system state file is stored within the /tmp/android-USERNAME/emulator-EXTENSION file:

    $ cp /tmp/android-vince/emulator-xfbkZA ~/

The USERNAME is the user that launched the emulator process, and the six letter EXTENSION changes between reboots. Now you can restore the emulator system state with the following command:

    $ emulator64-arm -avd myEmulator -partition-size 512 -no-snapshot -system ~/emulator-xfbkZA

That's it! BusyBox is installed and functional, so now you can enhance your mobile application penetration tests with a considerable number of additional Linux commands accessible within your emulator. Well that's all for this installment of the "Android Mobile Application Penetration Test Tricks" blog series. In our next installment we'll put BusyBox into action in order to monitor filesystem changes during mobile application execution!

Blog Entry Filed Under:

Comments 1 CommentJump to latest comment