CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!
Path: blob/master/documentation/modules/exploit/android/adb/adb_server_exec.md
Vulnerable Application
Writes and spawns a native payload on an Android device that is listening for Android Debug Bridge (ADB) debug messages.
Installation Steps
To emulate Android devices, download and install Android Studio.
Start Android Studio and create a device using Device Manager.
Start an emulated device, either via Android Studio or using the emulator executable from Android SDK.
List available AVDs and start one with the emulator:
For physical devices, refer to:
Verification Steps
msfconsole
use exploit/android/adb/adb_server_exec
set rhosts [host]
set rport [port]
set target [target]
run
You should get a session
Options
Scenarios
Remote Exploitation
Emulated Device Local Exploitation
When running Android devices in an emulator with Android Studio, the ADB service is exposed only on the local network interface. However, the service is accessible to all local users and may allow one user to compromise another user's emulated device if authentication is disabled.
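An added example, not part of the module documentation: whether "authentication is disabled" shows in the first message an ADB daemon sends back after the host's CNXN, so a defender can classify that reply from a capture. The function names and the sample bytes below are constructed for illustration.

```python
import struct

# ADB message header: six little-endian uint32 fields (24 bytes):
# command, arg0, arg1, data_length, data_check, magic (= command ^ 0xFFFFFFFF).
HEADER = struct.Struct("<6I")
A_CNXN = 0x4E584E43  # b"CNXN"
A_AUTH = 0x48545541  # b"AUTH"
AUTH_TOKEN = 1       # arg0 of an AUTH challenge sent by the device


def pack_message(command, arg0, arg1, payload=b""):
    """Build an ADB message; used here only to construct sample replies."""
    return HEADER.pack(command, arg0, arg1, len(payload),
                       sum(payload) & 0xFFFFFFFF, command ^ 0xFFFFFFFF) + payload


def parse_message(data):
    """Parse one ADB message; raise ValueError on malformed input."""
    if len(data) < HEADER.size:
        raise ValueError("short header")
    command, arg0, arg1, length, _check, magic = HEADER.unpack_from(data)
    if magic != command ^ 0xFFFFFFFF:
        raise ValueError("bad magic, not an ADB message")
    payload = data[HEADER.size:HEADER.size + length]
    if len(payload) != length:
        raise ValueError("truncated payload")
    return command, arg0, arg1, payload


def classify_first_reply(data):
    """Classify the daemon's first reply to a host CNXN."""
    try:
        command, arg0, _arg1, payload = parse_message(data)
    except ValueError as exc:
        return f"not-adb ({exc})"
    if command == A_AUTH and arg0 == AUTH_TOKEN:
        return "auth-required"          # daemon demands a signed token
    if command == A_CNXN:
        banner = payload.rstrip(b"\x00").decode("ascii", "replace")
        return "unauthenticated: " + banner  # session opened with no challenge
    return "unexpected"


# Constructed sample replies (not captured from a real device).
SAMPLES = {
    "auth_on": pack_message(A_AUTH, AUTH_TOKEN, 0, bytes(range(20))),
    "auth_off": pack_message(A_CNXN, 0x01000000, 4096, b"device::\x00"),
    "garbage": b"HTTP/1.1 400 Bad Request\r\n\r\n",
}
```

A reply classified as unauthenticated means any client that can reach the port gets a session, which is the condition this scenario depends on.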
Setting up a port forward to the ADB service allows this module to exploit ADB over an existing session:
Successful exploitation results in adb user privileges with shell SELinux context, leading to root privileges on the device by using su:
Emulated Device Privilege Escalation
When running Android devices in an emulator with Android Studio, it is possible for apps to communicate with the ADB service on the host's local network interface. This allows a malicious app to request a shell on the device via ADB, leading to elevation of privileges by creating a new session with shell privileges.
Untrusted Android apps have untrusted_app SELinux context, do not have shell privileges and cannot execute su:
However, apps can communicate with the ADB service associated with the emulated device (port 5555 in this example) on the host 10.0.2.2. Setting up a port forward to the ADB service allows this module to exploit ADB over the session:
Successful exploitation results in adb user privileges with shell SELinux context, leading to root privileges on the device by using su: