add module description to the binder_uaf module

2020-02-29 11:22:59 +08:00 · 2020-02-29 11:22:59 +08:00 · dd35086e75
parent 0693f17170
commit dd35086e75
1 changed files with 11 additions and 0 deletions
--- a/modules/exploits/android/local/binder_uaf.rb
+++ b/modules/exploits/android/local/binder_uaf.rb
@ -15,6 +15,16 @@ class MetasploitModule < Msf::Exploit::Local
    super( update_info( info, {
        'Name'          => "Android Binder Use-After-Free Exploit",
        'Description'   => %q{
+          This module exploits CVE-2019-2215, which is a use-after-free in Binder in the
+          Android kernel. The bug is a local privilege escalation vulnerability that
+          allows for a full compromise of a vulnerable device. If chained with a browser
+          renderer exploit, this bug could fully compromise a device through a malicious
+          website.
+          The freed memory is replaced with an iovec structure in order to leak a pointer
+          to the task_struct. Finally the bug is triggered again in order to overwrite
+          the addr_limit, making all memory (including kernel memory) accessible as part
+          of the user-space memory range in our process and allowing arbitrary reading
+          and writing of kernel memory.
        },
        'License'       => MSF_LICENSE,
        'Author'        => [
@ -26,6 +36,7 @@ class MetasploitModule < Msf::Exploit::Local
        'References'    => [
            [ 'CVE', '2019-2215' ],
            [ 'URL', 'https://bugs.chromium.org/p/project-zero/issues/detail?id=1942' ],
+            [ 'URL', 'https://googleprojectzero.blogspot.com/2019/11/bad-binder-android-in-wild-exploit.html' ],
            [ 'URL', 'https://hernan.de/blog/2019/10/15/tailoring-cve-2019-2215-to-achieve-root/' ],
            [ 'URL', 'https://github.com/grant-h/qu1ckr00t/blob/master/native/poc.c' ],
        ],