Hacking Ubiquiti AirOS with Metasploit

Good morning, friends. AirOS is the firmware maintained by Ubiquiti Networks for its airMAX products, which include routers and switches. This firmware is Linux-based. The Metasploit module used here exploits a file upload vulnerability in the firmware to install a new root user in /etc/passwd and an SSH key in /etc/dropbear/authorized_keys. So let’s see hacking Ubiquiti AirOS. Start Metasploit and load the exploit as shown below. Type the command “show options” to see which options we need to set.

The only option we need to set is our target IP address. If you have followed my previous howtos, you already know how to find vulnerable targets. Set the target IP address as shown below. This module does not support check. No problem. Type the command “show payloads” to see the payloads we can use with this exploit. We normally have only one, i.e. interacting with the target’s shell. Set the payload.

Type “run” to execute our exploit. We will get the command shell of our target as shown below.

Let’s check it. Type the command “ls” to list the contents of the current directory.

This is the passwd file of our target which has been overwritten by our exploit.
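
A defender-side check for the two files this module modifies, as an added example that is not part of the original post: it lists UID 0 accounts in a copy of /etc/passwd that are not on an allow-list, and keys in a copy of /etc/dropbear/authorized_keys whose SHA256 fingerprint is not known. The sample file contents, the allow-listed account name `ubnt` and all function names are assumptions constructed for illustration.

```python
import base64
import hashlib

def unexpected_root_accounts(passwd_text, allowed):
    """Return names of UID 0 accounts that are not on the allow-list."""
    hits = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if line.startswith("#") or len(fields) < 4:
            continue  # comment, blank or malformed line
        if fields[2].strip() == "0" and fields[0] not in allowed:
            hits.append(fields[0])
    return hits

def key_fingerprint(line):
    """SHA256 fingerprint of one authorized_keys line, None if unparseable."""
    parts = line.split()
    for i, part in enumerate(parts[:-1]):
        if part.startswith(("ssh-", "ecdsa-")):  # key type precedes the blob
            try:
                blob = base64.b64decode(parts[i + 1], validate=True)
            except ValueError:
                return None
            digest = hashlib.sha256(blob).digest()
            return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    return None

def unexpected_keys(keys_text, allowed_fps):
    """Return (line number, fingerprint) for keys not on the allow-list."""
    hits = []
    for n, line in enumerate(keys_text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        fp = key_fingerprint(line)
        if fp not in allowed_fps:
            hits.append((n, fp))  # fp is None when the line cannot be parsed
    return hits

# Constructed sample data, not copied from a real device.
ADMIN_KEY = base64.b64encode(b"constructed admin key").decode()
OTHER_KEY = base64.b64encode(b"constructed unknown key").decode()
SAMPLE_PASSWD = (
    "ubnt:x:0:0:Administrator:/etc/persistent:/bin/sh\n"
    "iebzzgkp:x:0:0:Administrator:/etc/persistent:/bin/sh\n"
    "nobody:*:99:99:nobody:/:/bin/false\n")
SAMPLE_KEYS = f"ssh-rsa {ADMIN_KEY} admin@workstation\nssh-rsa {OTHER_KEY}\n"

if __name__ == "__main__":
    known = {key_fingerprint("ssh-rsa " + ADMIN_KEY)}
    print(unexpected_root_accounts(SAMPLE_PASSWD, {"ubnt"}), unexpected_keys(SAMPLE_KEYS, known))
```

Run it against copies of the two files pulled from the device, with the allow-lists built from the accounts and keys you provisioned yourself.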

38 thoughts on “Hacking Ubiquiti AirOS with Metasploit”

  1. please provide me Ubiquiti AirOS 5.6.2 link

    1. Anshu, you can get all downloads here https://www.ubnt.com/download/

  2. Hi, nice work!

    I want to enter in a Nanostation M900. I know the user but I don't know the password; is there any way I can brute-force it?

    Thanks!

  3. Hello, help please, after entering the run appear “segmentation fault” on exit metasploit.
    how to solve this problem? thanks

    1. @Shme, is your system 32-bit or 64-bit? Is your handler set up? You will normally get this error when you don’t have a handler set up. So restart Metasploit and try again. Inform me if the problem persists.

      1. @kanishka10 Hi !

        Thanks for the help me !!

        My system kali linux install vmware workstation 12.

        Linux kali 4.6.0-kali-amd64 #1 SMP Debian 4.6.4-1kali1 (2016-07-21) x86_64 GNU/Linux.

        metasploit restart it did not help. the problem persists, run appear “segmentation fault” on exit metasploit.

        Thank you!

  4. I get:
    [*] Uploading /etc/passwd
    [*] Uploading /etc/dropbear/authorized_keys
    [*] Logging in as iebzzgkp
    [+] Logged in as iebzzgkp
    [*] Found shell.
    [*] Command shell session 6 opened (xxx.xxx.xxx.xxx:1033 -> xxx.xxx.xxx.xxx:22) at 2016-12-12 22:17:03 +0200

    [*] 172.30.3.229 – Command shell session 6 closed. Reason: Died from EOFError

    I tried many different targets but I get the same EOFError.

    1. @bomberb17, EOF error may occur due to many reasons. Can you just update your Metasploit and try once again?

  5. Does the default user reset?

    1. @Luiz Fernando, yes

  6. Where is the module? I can't load exploit ubiquiti airos or I know.
    Where do I download it or how can I install it? Sorry for my English. Tks

    1. @Leonardo, update your Metasploit first.

  7. Segmentation fault..
    How can I solve this problem?
    And my username and password have been changed; I can't log in to my device right now.

    1. @fadi, You can reset your device by pressing the reset button for 10-15 seconds.

  8. I am getting an error “Exploit completed. but no session was created”.

    Please help.

    Thank you !

    1. Hi Molecule. There are many reasons why this error occurs. They are: the exploit doesn’t work against your target, the exploit may be for a different version, the code of the exploit may be wrong, the payload you use may not have an option to create an interactive session, and the target configuration is wrong. Check which one you did wrong.

  9. I still cannot determine why I am getting segmentation fault when I run this. Why would it be in bad memory location? I am assuming that means the bug is available on this system I am testing on, but the location it is overwriting is off for some reason. I have updated meta and also looked over the code, but with no success. I am using 64bit msf BTW.

    1. Did you check if the target version is indeed vulnerable before running the exploit?

  10. I am getting this:

    [*] Uploading /etc/passwd
    [*] Uploading /etc/dropbear/authorized_keys
    [*] Logging in as rwikvnzq
    [*] Exploit completed, but no session was created.

    1. The target version may not be vulnerable. Before running the exploit, check if it is vulnerable using the “check” command.

  11. Where can i download metasploit ?

    1. Zeezoo, Metasploit is installed by default in Kali Linux. But if you want to install it, it can be downloaded from the link given below.
      https://www.rapid7.com/products/metasploit/download/

  12. I am having this issue. Please tell me how to solve this problem.

    [*] Uploading /etc/passwd
    [*] Uploading /etc/dropbear/authorized_keys
    [*] Logging in as hljalwkx
    [-] Exploit failed: NameError uninitialized constant Net::SSH::CommandStream
    [*] Exploit completed, but no session was created.

    1. @ram, The target is not vulnerable.

  13. When it says logged in as !!!!!!!!!! where is the password? Can't find it.

    1. It seems the target is not vulnerable.

  14. Is this exploit still good as of today? I get the exploit started but no session was created. Do you have to set up multi/handler?

    1. Maybe the version used by your target is not vulnerable.

  15. Does this method still work?

    1. Depends on the version the target is using.

  16. I get

    Exploit failed [unreachable]: Rex::ConnectionRefused The connection was refused by the remote host (192.168.100.1:443).

    Is the firmware updated? It's an old NS2 *NO M*

    1. The target may not be vulnerable or a firewall is blocking your queries.

  17. I got this error. Maybe who can help.
    msf exploit(ubiquiti_airos_file_upload) > run

    [*] Uploading /etc/passwd
    [-] Exploit failed [unreachable]: Rex::ConnectionTimeout The connection timed out (xxx.xxx.xxx.xxx:443).
    [*] Exploit completed, but no session was created.

    1. The target seems to be invulnerable to this exploit.

  18. How can I set my own IP as a target?

    1. Renato, this question of yours is ambiguous. What do you mean by own IP address? If you want to set the IP address of the machine from which you are hacking, you can set it as 127.0.0.1. If you are in a LAN and want to set your gateway as target IP, then do “ipconfig” (if it is a Windows system) or “ifconfig” (if it is a Linux system) and find out your system’s local IP first. Then change the last bit to “1” or “2”. Still, this could be answered better if the question was a bit clearer.

  19. will it work on Firmware: XW.ar934x.v6.1.3.31939 air os

    1. I don’t think so.
