diff --git a/lib/metasploit/framework/login_scanner/ssh.rb b/lib/metasploit/framework/login_scanner/ssh.rb index 93f3744da7..85dd86de96 100644 --- a/lib/metasploit/framework/login_scanner/ssh.rb +++ b/lib/metasploit/framework/login_scanner/ssh.rb @@ -116,11 +116,18 @@ module Metasploit proof = ssh_socket.exec!("id\n").to_s if (proof =~ /id=/) proof << ssh_socket.exec!("uname -a\n").to_s - if (proof =~/JUNOS /) + if (proof =~ /JUNOS /) # We're in the SSH shell for a Juniper JunOS, we can pull the version from the cli # line 2 is hostname, 3 is model, 4 is the Base OS version proof = ssh_socket.exec!("cli show version\n").split("\n")[2..4].join(", ").to_s end + proof << ssh_socket.exec!("grep unifi.version /tmp/system.cfg\n").to_s + if (proof =~ /unifi.version/) + # The /tmp/*.cfg files don't give us device info, however the info command does + # we dont call it originally since it doesnt say unifi/ubiquiti in it and info + # is a linux command as well + proof << ssh_socket.exec!("grep board.name /etc/board.info\n").to_s + end else # Cisco IOS if proof =~ /Unknown command or computer name/ @@ -151,6 +158,8 @@ module Metasploit def get_platform(proof) case proof + when /unifi\.version/ #Ubiquiti Unifi. uname -a is left in, so we got to pull before Linux + 'unifi' when /Linux/ 'linux' when /Darwin/ diff --git a/lib/msf/core/module/platform.rb b/lib/msf/core/module/platform.rb index 98e9c1db53..1562fa4860 100644 --- a/lib/msf/core/module/platform.rb +++ b/lib/msf/core/module/platform.rb @@ -403,6 +403,14 @@ class Msf::Module::Platform Alias = "juniper" end + # + # Ubiquiti Unifi + # + class Unifi < Msf::Module::Platform + Rank = 100 + Alias = "unifi" + end + # # Solaris # diff --git a/lib/msf/core/payload/uuid.rb b/lib/msf/core/payload/uuid.rb index 9b33484361..ea88a75f29 100644 --- a/lib/msf/core/payload/uuid.rb +++ b/lib/msf/core/payload/uuid.rb 
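Review bot: In lib/metasploit/framework/login_scanner/ssh.rb (hunk at -116), the output of the new `grep unifi.version /tmp/system.cfg` is appended to `proof` for every host that answered `id`, not only UniFi devices, and it also runs after the JunOS branch has already replaced `proof`. If `ssh_socket` is a Net::SSH session, `exec!` returns stderr together with stdout, so non-UniFi hosts would get grep's error text stored in the proof; capturing the output in a local and appending it only when it matches avoids that. The match here uses `/unifi.version/` with an unescaped dot while `get_platform` uses `/unifi\.version/`, and the two should agree. The added comment refers to an `info` command, but the code reads `/etc/board.info`, so the comment should name the file. The enclosing method starts and ends outside this hunk.

```ruby
# … unchanged: id / uname -a probing and the JunOS branch …
unifi_cfg = ssh_socket.exec!("grep unifi.version /tmp/system.cfg\n").to_s
if unifi_cfg =~ /unifi\.version/
  # system.cfg carries no model information; /etc/board.info does
  proof << unifi_cfg
  proof << ssh_socket.exec!("grep board.name /etc/board.info\n").to_s
end
```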
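Review bot: In `get_platform` (ssh.rb, hunk at -151), the new `when /unifi\.version/` arm only works because it sits above `when /Linux/`, and the trailing comment that explains this is hard to read. I would move it to its own line above the arm, e.g. `# Ubiquiti UniFi: proof still contains the uname -a output, so this must be tested before /Linux/`. Since `proof` is text returned by the remote host, this arm classifies any host whose output contains that string as 'unifi'. If the matched line has a fixed `key=value` shape (not visible in this hunk), anchoring the pattern to it would be tighter. The `case` continues outside the hunk.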
@@ -75,6 +75,7 @@ class Msf::Payload::UUID 24 => 'r', 25 => 'apple_ios', 26 => 'juniper', + 27 => 'unifi', } # The raw length of the UUID structure