Rapid7 Vulnerability & Exploit Database

Android get_user/put_user Exploit

Back to Search

Android get_user/put_user Exploit



This module exploits a missing check in the get_user and put_user API functions in the linux kernel before 3.5.5. The missing checks on these functions allow an unprivileged user to read and write kernel memory. This exploit first reads the kernel memory to identify the commit_creds and ptmx_fops address, then uses the write primitive to execute shellcode as uid 0. The exploit was first discovered in the wild in the vroot rooting application.


  • fi01
  • cubeundcube
  • timwr




Module Options

To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':

msf > use exploit/android/local/put_user_vroot
msf exploit(put_user_vroot) > show targets
msf exploit(put_user_vroot) > set TARGET < target-id >
msf exploit(put_user_vroot) > show options
    ...show and set options...
msf exploit(put_user_vroot) > exploit

Time is precious, so I don’t want to do something manually that I can automate. Leveraging the Metasploit Framework when automating any task keeps us from having to re-create the wheel as we can use the existing libraries and focus our efforts where it matters.

– Jim O’Gorman | President, Offensive Security