Android get_user/put_user Exploit
Description
This module exploits a missing check in the get_user and put_user API functions in the linux kernel before 3.5.5. The missing checks on these functions allow an unprivileged user to read and write kernel memory. This exploit first reads the kernel memory to identify the commit_creds and ptmx_fops address, then uses the write primitive to execute shellcode as uid 0. The exploit was first discovered in the wild in the vroot rooting application.
Author(s)
- fi01
- cubeundcube
- timwr
Platform
Android,Linux
Development
Module Options
To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':
msf > use exploit/android/local/put_user_vroot
msf exploit(put_user_vroot) > show targets
...targets...
msf exploit(put_user_vroot) > set TARGET < target-id >
msf exploit(put_user_vroot) > show options
...show and set options...
msf exploit(put_user_vroot) > exploit
- Collect and share all the information you need to conduct a successful and efficient penetration test
- Simulate complex attacks against your systems and users
- Test your defenses to make sure they’re ready
- Automate Every Step of Your Penetration Test
Time is precious, so I don’t want to do something manually that I can automate. Leveraging the Metasploit Framework when automating any task keeps us from having to re-create the wheel as we can use the existing libraries and focus our efforts where it matters.
– Jim O’Gorman | President, Offensive Security