From a0b1ca1767afc6d2a237fdc1b4478cb9f41d3930 Mon Sep 17 00:00:00 2001
From: h00die
Date: Tue, 12 Mar 2019 20:35:32 -0400
Subject: [PATCH] detect unifi in ssh sessions
---
 lib/metasploit/framework/login_scanner/ssh.rb | 11 ++++++++++-
 lib/msf/core/module/platform.rb | 8 ++++++++
 lib/msf/core/payload/uuid.rb | 1 +
 3 files changed, 19 insertions(+), 1 deletion(-)
diff --git a/lib/metasploit/framework/login_scanner/ssh.rb b/lib/metasploit/framework/login_scanner/ssh.rb
index 93f3744da741..85dd86de96d0 100644
--- a/lib/metasploit/framework/login_scanner/ssh.rb
+++ b/lib/metasploit/framework/login_scanner/ssh.rb
@@ -116,11 +116,18 @@ def gather_proof
 proof = ssh_socket.exec!("id\n").to_s
 if (proof =~ /id=/)
 proof << ssh_socket.exec!("uname -a\n").to_s
- if (proof =~/JUNOS /)
+ if (proof =~ /JUNOS /)
 # We're in the SSH shell for a Juniper JunOS, we can pull the version from the cli
 # line 2 is hostname, 3 is model, 4 is the Base OS version
 proof = ssh_socket.exec!("cli show version\n").split("\n")[2..4].join(", ").to_s
 end
+ proof << ssh_socket.exec!("grep unifi.version /tmp/system.cfg\n").to_s
+ if (proof =~ /unifi.version/)
+ # The /tmp/*.cfg files don't give us device info, however the info command does
+ # we dont call it originally since it doesnt say unifi/ubiquiti in it and info
+ # is a linux command as well
+ proof << ssh_socket.exec!("grep board.name /etc/board.info\n").to_s
+ end
 else
 # Cisco IOS
 if proof =~ /Unknown command or computer name/
@@ -151,6 +158,8 @@ def set_sane_defaults
 def get_platform(proof)
 case proof
+ when /unifi\.version/ #Ubiquiti Unifi. uname -a is left in, so we got to pull before Linux
+ 'unifi'
 when /Linux/
 'linux'
 when /Darwin/
diff --git a/lib/msf/core/module/platform.rb b/lib/msf/core/module/platform.rb
index 98e9c1db532d..1562fa48603b 100644
--- a/lib/msf/core/module/platform.rb
+++ b/lib/msf/core/module/platform.rb
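Review bot: The added `grep unifi.version /tmp/system.cfg` in gather_proof runs on every host where `id` succeeded, and Net::SSH's `exec!` returns stderr together with stdout, so on a non-UniFi host grep's error text for the missing file is appended to the stored proof. Redirecting stderr keeps the proof clean: `proof << ssh_socket.exec!("grep unifi.version /tmp/system.cfg 2>/dev/null\n").to_s`. The follow-up test `/unifi.version/` leaves the dot unescaped, while get_platform in the next hunk uses `/unifi\.version/`; the escaped form should be used in both places. The comment above the board.name line speaks of an "info command", but the code greps `/etc/board.info`, so the comment should name that file instead. gather_proof starts and ends outside this hunk.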
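Review bot: Returning `'unifi'` from get_platform ahead of `/Linux/` means these Linux-based devices stop being reported as `linux`; anything downstream that selects on the `linux` platform would presumably no longer match such sessions, which is worth confirming before merge. The trailing comment is also cramped and easy to misread; a line of its own would be clearer, e.g. `# Ubiquiti UniFi: proof still contains the uname -a output, so match this before /Linux/`. The case statement continues past the end of the hunk.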
@@ -403,6 +403,14 @@ class Juniper < Msf::Module::Platform
 Alias = "juniper"
 end
+ #
+ # Ubiquiti Unifi
+ #
+ class Unifi < Msf::Module::Platform
+ Rank = 100
+ Alias = "unifi"
+ end
+
 #
 # Solaris
 #
diff --git a/lib/msf/core/payload/uuid.rb b/lib/msf/core/payload/uuid.rb
index 9b3348436136..ea88a75f2934 100644
--- a/lib/msf/core/payload/uuid.rb
+++ b/lib/msf/core/payload/uuid.rb
@@ -75,6 +75,7 @@ class Msf::Payload::UUID
 24 => 'r',
 25 => 'apple_ios',
 26 => 'juniper',
+ 27 => 'unifi',
 }
 # The raw length of the UUID structure