Add QNX QCOMM command execution module #842

Merged
merged 1 commit into from Oct 4, 2012


@bcoles
Contributor
bcoles commented Sep 30, 2012

Add QNX QCOMM command execution exploit module.

  • Unauthenticated
  • Remote root
  • Tested on:
    • QNX Neutrino 6.5
    • QNX Neutrino 6.5 SP1

GoodRanking because sometimes Metasploit doesn't catch the interactive shell. Sending the raw payload with netcat works 100% reliably. The shell is returned, as per the Payload sent successfully condition. I have no idea why this fails in Metasploit.

This module uses cmd_interactive as the usual bash reverse shell tricks don't work on QNX (no /dev/tcp or /dev/inet) and there's no python/perl/ruby/php/netcat/etc. There are a few alternatives; however, they're all terrible:

  • Use the upload feature (as opposed to run) to upload netcat.
  • Write a binary to file and execute it.
  • Add a user, then connect again with telnet.
  • Hard-code the payload as cmd/unix/generic.

QNX QCOMM command execution exploit

@sempervictus
Contributor

MSF may be sending the bind shell prematurely, when the receiving socket is not yet ready. You may try setting WfsDelay (10 or more?) to make the framework wait a bit longer before attempting the connection.

@wchen-r7
Contributor
wchen-r7 commented Oct 1, 2012

Might need to extend the delay in the module instead if that's the case.

@jlee-r7 jlee-r7 commented on the diff Oct 3, 2012
modules/exploits/unix/misc/qnx_qconn_exec.rb
+ ['URL', 'http://www.fishnetsecurity.com/6labs/blog/pentesting-qnx-neutrino-rtos'],
+ ['URL', 'http://www.qnx.com/developers/docs/6.3.0SP3/neutrino/utilities/q/qconn.html'],
+ ],
+ 'Payload' =>
+ {
+ 'BadChars' => '',
+ 'DisableNops' => true,
+ 'Compat' =>
+ {
+ 'PayloadType' => 'cmd_interact',
+ 'ConnectionType' => 'find',
+ },
+ },
+ 'DefaultOptions' =>
+ {
+ 'ExitFunction' => 'none',
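Review bot: the 'ExitFunction' => 'none' default at the end of this hunk is an option for native payloads and is never consulted when the Compat block restricts the module to 'PayloadType' => 'cmd_interact', so it should be dropped (as the inline comment below also asks); in the same spirit, 'BadChars' => '' only restates the default and can go as well, leaving the Payload hash with just the DisableNops and Compat entries that actually affect this module.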
@jlee-r7
jlee-r7 Oct 3, 2012 Contributor

Doesn't make sense for this kind of module, remove.

@jlee-r7 jlee-r7 commented on the diff Oct 3, 2012
modules/exploits/unix/misc/qnx_qconn_exec.rb
@@ -0,0 +1,115 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/framework/
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+ Rank = GoodRanking
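Review bot: the reason for `Rank = GoodRanking` is only given in the PR description (the handler sometimes fails to catch the interactive shell even though the raw payload works reliably) and is not recorded in the module itself; add a short comment next to the Rank line stating that, and, following the discussion above about the handler connecting before the socket is ready, consider building the delay into the module rather than relying on the user to raise WfsDelay, so the intermittent behaviour is documented and reproducible for whoever revisits the ranking later.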
@wchen-r7
Contributor
wchen-r7 commented Oct 4, 2012

I'll do something about this tonight.

@wchen-r7 wchen-r7 merged commit e2276bf into rapid7:master Oct 4, 2012