GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/auxiliary/admin/networking/ubiquiti_config.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'zlib'
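# Auxiliary module that reads a Ubiquiti UniFi backup from local disk and
# hands the recovered configuration to the Ubiquiti mixin for import.
#
# The decrypt/repair/extract/convert helpers called from #run are not defined
# in this file; they are presumably provided by Msf::Auxiliary::Ubiquiti.
class MetasploitModule < Msf::Auxiliary
  include Msf::Auxiliary::Ubiquiti
  include Msf::Exploit::Deprecated
  moved_from 'auxiliary/admin/ubiquiti/ubiquiti_config'

  # Registers the module metadata and its options.
  #
  # @param info [Hash] metadata supplied by the framework, merged via update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Ubiquiti Configuration Importer',
        'Description' => %q{
          This module imports an Ubiquiti device configuration.
          The db file within the .unf backup is the data file for
          Unifi. This module can take either the db file or .unf.
        },
        'License' => MSF_LICENSE,
        'Author' => ['h00die'],
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [],
          'SideEffects' => []
        }
      )
    )

    register_options(
      [
        OptPath.new('CONFIG', [true, 'Path to configuration to import']),
        Opt::RHOST(),
        Opt::RPORT(22)
      ]
    )
  end

  # @return [String] the CONFIG datastore option as a string
  def i_file
    datastore['CONFIG'].to_s
  end

  # Reads CONFIG and, for a .unf backup, decrypts it, repairs the resulting
  # zip, extracts the database, converts it from BSON to JSON and imports it.
  #
  # Every failure path goes through fail_with, so later steps assume the
  # earlier ones produced usable data.
  def run
    unless ::File.exist?(i_file)
      fail_with Failure::BadConfig, "Unifi config file #{i_file} does not exist!"
    end
    # input_file could be a unf (encrypted zip), or the db file contained within.
    input_file = ::File.binread(i_file)

    # File.binread returns an empty String, not nil, for a zero-byte file, so
    # the nil test alone never caught the "file is empty" case the message names.
    if input_file.nil? || input_file.empty?
      fail_with Failure::BadConfig, "#{i_file} read at 0 bytes. Either file is empty or error reading."
    end

    # Only the .unf path is implemented below. Previously any other input fell
    # through silently and the run ended with no output at all.
    # NOTE(review): the description says a bare db file is also accepted, but
    # no code here handles it - confirm the intended behaviour.
    unless i_file.end_with?('.unf')
      print_warning("#{i_file} does not end in .unf; only .unf backups are processed, nothing was imported.")
      return
    end

    decrypted_data = decrypt_unf(input_file)
    if decrypted_data.nil? || decrypted_data.empty?
      fail_with Failure::Unknown, 'Unable to decrypt'
    end
    print_good('File DECRYPTED. Still needs to be repaired')

    # NOTE(review): the decrypted backup is written to Rex::Quickfile files, not
    # recorded through the framework's loot storage. A device backup presumably
    # holds credentials, so confirm where these files land, their permissions
    # and how long they persist on the operator's machine.
    loot_path = Rex::Quickfile.new('decrypted_zip.zip')
    loot_path.write(decrypted_data)
    loot_path.close

    # ruby zip can't repair, we can try on command line but its not likely to succeed on all platforms
    # tested on kali
    repaired = repair_zip(loot_path.path)
    if repaired.nil?
      fail_with Failure::Unknown, "Repair failed on #{loot_path.path}"
    end

    loot_path = Rex::Quickfile.new('fixed_zip.zip')
    loot_path.write(repaired)
    loot_path.close
    print_good("File DECRYPTED and REPAIRED and saved to #{loot_path.path}.")

    config_db = extract_and_process_db(loot_path.path)
    if config_db.nil?
      fail_with Failure::Unknown, 'Unable to locate db.gz config database file'
    end

    print_status('Converting BSON to JSON.')
    unifi_config_db_json = bson_to_json(config_db)
    # An empty hash is treated as a conversion failure.
    if unifi_config_db_json == {}
      fail_with Failure::Unknown, 'Error in file conversion from BSON to JSON.'
    end

    unifi_config_eater(datastore['RHOSTS'], datastore['RPORT'], unifi_config_db_json)
    print_good('Config import successful')
  end
end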